VCS-Control in production environment 10.100.100.33 /24 GW .1
VCS-Expressway in the DMZ.
Dual NIC option installed
LAN1 is our externally facing interface
192.168.100.33 /24 (DMZ IP address in DMZ A)
static nat mode ON
public IP 65.xx.xx.xx NAT'd to LAN1 IP Address
Static NAT address defined on this interface
set to 100/full (same on switchport)
LAN2 is our internal facing interface
192.168.200.33 /24 (DMZ IP address in DMZ B)
static nat mode OFF
Set to 100/full (same on switchport)
I added the following route in the VCS-Expressway to allow VCS-Expressway to reach the VCS-Control
xCommand RouteAdd Address: "10.100.100.33" PrefixLength: 32 Gateway: "192.168.200.1" interface: "Lan2"
The VCS Control traversal zone is pointed to the LAN 2 IP Address of VCS-E. Both SIP and H323 are active.
We have 2 separate DMZs in our environment and they both have a /24 subnet.
I configured each LAN interface on the Expressway to be in separate subnets.
My question is that the 2 subnets on the VCS Expressway are separated by a FW. Are there any appropriate rules I need to put in place on this firewall since LAN1 and LAN2 on the VCS-E straddle this FW?
I initially tried to place the LAN1 and LAN2 interfaces of VCS-E in a single subnet DMZ but was not successful in placing an outbound call.
I place a call from my EX90 registered to the VCS-Control and I see in the logs on the VCS Expressway that the call is being rejected.
Are there any other debugs I can run to figure out what is going on? Unfortunately I do not have access to the firewall so I cannot look at those logs.
When I use the DNS tool within the VCS-E I am able to resolve the domain I am trying to call and see the SRV records.
Any thoughts would be appreciated.
A couple of questions for you:
- Is there any NAT in between the VCS-C subnet and VCS-E LAN2 subnet?
- What is the default GW on VCS-E configured as? (It should be configured as 192.168.100.1)
The VCS-E will not require any routing whatsoever between the LAN1 and LAN2 subnets (192.168.100.0/24, 192.168.200.0/24).
Can you describe in more detail how you are seeing the VCS-E rejecting the outbound calls?
I assume you've created a DNS zone on the VCS-E and added an appropriate search rule for this zone?
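An added example, not part of any post in this thread: a small Python model of the Expressway's routing decision reconstructed from the addresses posted above (LAN1 192.168.100.33/24 with the default gateway 192.168.100.1, LAN2 192.168.200.33/24, and the /32 host route to the VCS-C added with RouteAdd). It shows which interface each destination leaves through, with and without the host route, and the source address a firewall rule would have to allow. The route table is an assumption assembled from the thread, not read from the VCS itself, and the peer address 203.0.113.10 is a constructed stand-in for the scrubbed 64.x.x.x.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]   # None means directly connected
    interface: str


def route(cidr: str, gateway: Optional[str], interface: str) -> Route:
    return Route(ipaddress.ip_network(cidr), gateway, interface)


# Hypothetical routing table assembled from the addressing in the thread:
# the connected subnet on each NIC, the host route from "xCommand RouteAdd",
# and a default route via the LAN1 gateway (the responder's requirement).
WITH_HOST_ROUTE: List[Route] = [
    route("192.168.100.0/24", None, "LAN1"),
    route("192.168.200.0/24", None, "LAN2"),
    route("10.100.100.33/32", "192.168.200.1", "LAN2"),
    route("0.0.0.0/0", "192.168.100.1", "LAN1"),
]

# The same table minus the RouteAdd entry, to show what that entry buys.
WITHOUT_HOST_ROUTE: List[Route] = [r for r in WITH_HOST_ROUTE if r.prefix.prefixlen != 32]

# Interface addresses as posted in the thread.
NIC_ADDRESS = {"LAN1": "192.168.100.33", "LAN2": "192.168.200.33"}


def lookup(dest: str, routes: List[Route] = WITH_HOST_ROUTE) -> Route:
    """Longest-prefix match over the table, the way a host's IP stack chooses."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        raise ValueError(f"no route to {dest}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def next_hop(dest: str, routes: List[Route] = WITH_HOST_ROUTE) -> Tuple[str, str]:
    """(egress interface, next-hop address); a connected route forwards to dest itself."""
    r = lookup(dest, routes)
    return r.interface, (r.gateway or dest)


def flow(dest: str, dport: int, routes: List[Route] = WITH_HOST_ROUTE) -> Tuple[str, str, str, int]:
    """(egress NIC, source IP before any NAT, destination, port): what a firewall
    administrator needs to look for a matching or missing rule."""
    iface, _ = next_hop(dest, routes)
    return iface, NIC_ADDRESS[iface], dest, dport


if __name__ == "__main__":
    for dest in ("10.100.100.33", "203.0.113.10", "192.168.200.7"):
        print(dest, "->", next_hop(dest))
    # Without the /32, traffic for the VCS-C would leave the NATed LAN1 side.
    print("VCS-C without host route ->", next_hop("10.100.100.33", WITHOUT_HOST_ROUTE))
    print("outbound SIP TLS flow:", flow("203.0.113.10", 5061))
```

With this table nothing is forwarded from one NIC's subnet toward the other's: LAN2 carries only the host route to the VCS-C and LAN1 carries the default route, so the outbound SIP TLS attempt sources from 192.168.100.33 (then NATed to the public address) and the firewall between the two DMZs never sees VCS-E traffic crossing it.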
There is no NAT configuration between the VCS-C and the LAN2 interface of VCS-E.
The Default GW on the VCS-E is 192.168.100.1
The only NAT enabled is to the LAN1 interface on the VCS-E and the public IP Address we have assigned to our A record for our VCS-E.
I have an external DNS zone configured on VCS-E. I have verified the search rule with the "Check Pattern" tool. The external endpoint I am trying to call can receive calls from other companies.
I see in the debug logs that the pattern is matching the external DNS zone and trying to resolve, but I get a "hostname could not resolve" error as seen below.
(I scrubbed the output as I didn't want to post the SIP URI of the person I am trying to dial. His EX90 unit is set to auto answer.)
Detail="Considering search rule 'DNS Zone Search Rule' towards target 'External_DNS_Zone' at priority '150' with alias 'email@example.com'"
Detail="Sending DNS Query for someone.com"
Module="network.dns" Level="DEBUG": Detail="Could not resolve hostname"
Module="network.dns" Level="DEBUG": Detail="Sending DNS Query for _sips._tcp.someone.com"
Module="network.dns" Level="DEBUG": Detail="Resolved hostname to: ['IPv4''TCP''64.XX.XX.XXX:5061'] (A/AAAA) Number of relevant records retrieved: 1"
Module="network.dns" Level="DEBUG": Detail="Sending DNS Query for _sip._tcp.someone.com"
Module="network.dns" Level="DEBUG": Detail="Resolved hostname to: ['IPv4''TCP''64.XXX.XX.XXX:5060'] (A/AAAA) Number of relevant records retrieved: 1"
Module="network.dns" Level="DEBUG": Detail="Sending DNS Query for _sip._udp.someone.com"
you should see in the diagnostic log (With network log level set to 'DEBUG') that the VCS-E is attempting to connect to 64.XX.XX.XXX on TCP port 5061 (Search for "TCP connecting" or for the IP address itself.)
My guess is that this connection attempt fails, and that this is what's causing the call to fail.
You were correct. I do see in the diag log that the TCP connection is failing. Does this type of error indicate a FW issue? I will ask our FW admin to check the rules while I make a test call.
Module="network.tcp" Level="DEBUG":Src-ip="192.x.x.x" Src-port="25003" Dst-ip="64.x.x.x" Dst-port="5061" Detail="TCP Connecting"
Module="network.tcp" Level="ERROR": Src-ip="192.x.x.x" Src-port="25003" Dst-ip="64.x.x.x" Dst-port="5061" Detail="TCP Connection Failed"
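As an added example, not code from this thread: a short Python script that performs the log search suggested in the reply above ("TCP Connecting" or the resolved address), run over constructed sample lines in the format of the diagnostic-log excerpts posted here. It pairs the targets returned by the SRV lookups with the TCP attempts made against them and lists each failed connection as a source/destination/port tuple, which is what a firewall administrator needs to check a rule. The peer address 203.0.113.10 and the source address 192.168.100.33 are constructed stand-ins for the scrubbed values.

```python
import re
from typing import Dict, List, Tuple

# key="value" fields as they appear in the VCS diagnostic log; the regex also
# copes with the missing space in Level="DEBUG":Src-ip="..." seen in the thread.
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
# ip:port entries inside a "Resolved hostname to: ['IPv4''TCP''a.b.c.d:port']" detail.
TARGET_RE = re.compile(r"'(\d{1,3}(?:\.\d{1,3}){3}):(\d+)'")

# Constructed sample in the format of the excerpts posted above (scrubbed
# addresses replaced with documentation-range stand-ins).
SAMPLE_LOG = """\
Module="network.dns" Level="DEBUG": Detail="Sending DNS Query for someone.com"
Module="network.dns" Level="DEBUG": Detail="Could not resolve hostname"
Module="network.dns" Level="DEBUG": Detail="Sending DNS Query for _sips._tcp.someone.com"
Module="network.dns" Level="DEBUG": Detail="Resolved hostname to: ['IPv4''TCP''203.0.113.10:5061'] (A/AAAA) Number of relevant records retrieved: 1"
Module="network.dns" Level="DEBUG": Detail="Sending DNS Query for _sip._tcp.someone.com"
Module="network.dns" Level="DEBUG": Detail="Resolved hostname to: ['IPv4''TCP''203.0.113.10:5060'] (A/AAAA) Number of relevant records retrieved: 1"
Module="network.tcp" Level="DEBUG":Src-ip="192.168.100.33" Src-port="25003" Dst-ip="203.0.113.10" Dst-port="5061" Detail="TCP Connecting"
Module="network.tcp" Level="ERROR": Src-ip="192.168.100.33" Src-port="25003" Dst-ip="203.0.113.10" Dst-port="5061" Detail="TCP Connection Failed"
""".splitlines()


def parse_line(line: str) -> Dict[str, str]:
    """Turn one diagnostic-log line into a dict of its key="value" fields."""
    return dict(KV_RE.findall(line))


def analyse(lines: List[str]) -> Dict[str, str]:
    """Correlate SRV results with TCP attempts.

    Returns {"ip:port": status} with status one of
    'TCP connect failed', 'TCP connecting' (no failure logged), or
    'resolved, no TCP attempt'. A failed A lookup for the bare domain is not
    counted: the SRV lookups that follow it are what produce the targets.
    """
    resolved: List[str] = []
    last_tcp_detail: Dict[str, str] = {}
    for raw in lines:
        f = parse_line(raw)
        module, detail = f.get("Module", ""), f.get("Detail", "")
        if module == "network.dns" and detail.startswith("Resolved hostname to"):
            for ip, port in TARGET_RE.findall(detail):
                key = f"{ip}:{port}"
                if key not in resolved:
                    resolved.append(key)
        elif module == "network.tcp" and "Dst-ip" in f and "Dst-port" in f:
            last_tcp_detail[f'{f["Dst-ip"]}:{f["Dst-port"]}'] = detail
    report: Dict[str, str] = {}
    for key in resolved:
        detail = last_tcp_detail.get(key)
        if detail is None:
            report[key] = "resolved, no TCP attempt"
        elif detail == "TCP Connection Failed":
            report[key] = "TCP connect failed"
        else:
            report[key] = "TCP connecting"
    return report


def failed_flows(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(src ip, dst ip, dst port) for every 'TCP Connection Failed' line:
    the tuples to hand to the firewall administrator."""
    flows = []
    for raw in lines:
        f = parse_line(raw)
        if f.get("Module") == "network.tcp" and f.get("Detail") == "TCP Connection Failed":
            flows.append((f["Src-ip"], f["Dst-ip"], f["Dst-port"]))
    return flows


if __name__ == "__main__":
    for target, status in analyse(SAMPLE_LOG).items():
        print(f"{target}: {status}")
    print("flows to check on the firewall:", failed_flows(SAMPLE_LOG))
```

A target that resolved but was never attempted is reported separately from one whose connection failed, so a search-rule or zone problem is not mistaken for a blocked port; on the sample above only the 5061 target shows a failed connect, matching what the thread describes.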