Cisco Expressway SSH tunnel failure for UC traversal zone

ragz3000 (Level 1)

The Unified Communications SSH tunnel status is failed; however, the UC traversal zone is active.

Below is the error message on Expressway-C:

2020-02-04T17:01:44.444+11:00 portforwarding: Level="ERROR" Detail="Client control socket open failed" forwarding="localhost:8191:localhost:8192" user="_pfwd" host="expresswaye01.xyz.com.au" id="d21dfe99-4713-11ea-8b7b-005056010a53" retcode="255" err="ssh_x509store_cb: subject='C=AU,ST=Victoria,L=Richmond,O=xyz pvt Ltd,CN=expresswaye01.xyz.com.au', error 20 at 0 depth lookup:unable to get local issuer certificate
ssh_verify_cert: verify error, code=20, msg='unable to get local issuer certificate'
" UTCTime="2020-02-04 06:01:44,443"
2020-02-04T17:01:44.443+11:00ssh: Event="sshd" Module="openssh" Level="INFO" Detail="ssh_dispatch_run_fatal: Connection to 10.30.136.29 port 2222: invalid certificate" UTCTime="2020-02-04 06:01:44"
2020-02-04T17:01:44.441+11:00ssh: Event="sshd" Module="openssh" Level="INFO" Detail="RSA+cert host key for IP address '10.30.136.29' not in list of known hosts." UTCTime="2020-02-04 06:01:44"
2020-02-04T17:01:44.328+11:00portforwarding: Level="WARN" Event="Alarm Raised" Id="35013" UUID="a19a462a-cf7e-4b6f-b333-33b2e502ec0b" Severity="warning" Detail="Unified Communications SSH tunnel failure: This system cannot communicate with one or more remote hosts: expresswaye01.xyz.com.au" UTCTime="2020-02-04 06:01:44,327"
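As an added example (it is not from this thread and not Cisco code), here is a small Python parser for the key="value" log records quoted above. It splits records on the leading timestamp so that the multi-line err="..." value stays inside its record, pulls the OpenSSL verify code and chain depth out of it, and pairs that with the 35013 alarm. The sample log is the post's own output copied into a string; the X509_V_ERR_* names are OpenSSL's verify result codes, and the hint text is my own wording of what each code means for the trust store.

```python
"""Parse Expressway key="value" log records and diagnose an SSH tunnel
certificate failure. Added example; not Cisco code."""
import re
from typing import Any, Dict, List, Optional, Tuple

# Sample input: the records quoted in the post above, copied as they appear
# (the hostnames, IP and UUIDs are the poster's already-redacted values).
SAMPLE_LOG = """\
2020-02-04T17:01:44.444+11:00 portforwarding: Level="ERROR" Detail="Client control socket open failed" forwarding="localhost:8191:localhost:8192" user="_pfwd" host="expresswaye01.xyz.com.au" id="d21dfe99-4713-11ea-8b7b-005056010a53" retcode="255" err="ssh_x509store_cb: subject='C=AU,ST=Victoria,L=Richmond,O=xyz pvt Ltd,CN=expresswaye01.xyz.com.au', error 20 at 0 depth lookup:unable to get local issuer certificate
ssh_verify_cert: verify error, code=20, msg='unable to get local issuer certificate'
" UTCTime="2020-02-04 06:01:44,443"
2020-02-04T17:01:44.443+11:00ssh: Event="sshd" Module="openssh" Level="INFO" Detail="ssh_dispatch_run_fatal: Connection to 10.30.136.29 port 2222: invalid certificate" UTCTime="2020-02-04 06:01:44"
2020-02-04T17:01:44.441+11:00ssh: Event="sshd" Module="openssh" Level="INFO" Detail="RSA+cert host key for IP address '10.30.136.29' not in list of known hosts." UTCTime="2020-02-04 06:01:44"
2020-02-04T17:01:44.328+11:00portforwarding: Level="WARN" Event="Alarm Raised" Id="35013" UUID="a19a462a-cf7e-4b6f-b333-33b2e502ec0b" Severity="warning" Detail="Unified Communications SSH tunnel failure: This system cannot communicate with one or more remote hosts: expresswaye01.xyz.com.au" UTCTime="2020-02-04 06:01:44,327"
"""

# OpenSSL X509 verify result codes that point at the trust store rather than
# at the contents of the certificate itself.
X509_CODES = {
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}

TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{2}:\d{2}"
# The module name may follow the timestamp directly ("...+11:00ssh:"), as in the post.
RECORD_RE = re.compile(rf"^(?P<ts>{TS})\s*(?P<module>\w+):\s*(?P<body>.*)$", re.S)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"', re.S)  # values never contain a double quote
VERIFY_RE = re.compile(r"error (?P<code>\d+) at (?P<depth>\d+) depth")
SUBJECT_RE = re.compile(r"subject='([^']*)'")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split the log into records. A record starts with a timestamp at the
    beginning of a line, so a quoted value that spans lines (err="...") stays
    inside its record instead of becoming stray lines."""
    records: List[Dict[str, str]] = []
    for chunk in re.split(rf"(?m)^(?={TS})", text):
        m = RECORD_RE.match(chunk.strip())
        if not m:
            continue  # leading empty chunk or non-log text
        rec = {"ts": m.group("ts"), "module": m.group("module")}
        rec.update(FIELD_RE.findall(m.group("body")))
        records.append(rec)
    return records


def x509_verify_error(rec: Dict[str, str]) -> Optional[Tuple[int, int]]:
    """(verify code, chain depth) from an OpenSSL-style message in err=, else None."""
    m = VERIFY_RE.search(rec.get("err", ""))
    return (int(m.group("code")), int(m.group("depth"))) if m else None


def diagnose(text: str) -> Dict[str, Any]:
    """Correlate the portforwarding ERROR with the 35013 alarm and explain the code."""
    result: Dict[str, Any] = {"alarms": [], "verify": None, "subject": None,
                              "remote_host": None, "hint": None}
    for rec in parse_records(text):
        if rec.get("Event") == "Alarm Raised":
            result["alarms"].append(rec.get("Id"))
        if rec["module"] == "portforwarding" and rec.get("Level") == "ERROR":
            err = x509_verify_error(rec)
            if err is None:
                continue
            code, depth = err
            result["verify"] = (X509_CODES.get(code, f"code {code}"), depth)
            sm = SUBJECT_RE.search(rec.get("err", ""))
            result["subject"] = sm.group(1) if sm else None
            result["remote_host"] = rec.get("host")
            if code == 20 and depth == 0:
                # Depth 0 is the peer's own certificate: it was presented and parsed,
                # but the CA that issued it is not in this host's trusted CA list.
                result["hint"] = ("issuer of the peer certificate not in the local trust store; "
                                  "load that CA (and any intermediates) on this Expressway")
            elif code == 20:
                result["hint"] = (f"intermediate at depth {depth} has no trusted parent; "
                                  "load the missing CA above it")
            elif code in (18, 19):
                result["hint"] = "the chain ends in a self-signed certificate this host does not trust"
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the post's log, the result names the remote host (expresswaye01.xyz.com.au), the subject of the certificate it presented, verify code 20 at depth 0, and alarm 35013. Depth 0 is the important detail: the peer's leaf certificate itself has no issuer in the trust store of the host writing the log, so the thing to check is the Trusted CA certificate list on that Expressway, not the certificate on the other side.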

Adam Pawlowski (VIP Alumni)
It appears to be upset that it's a locally issued cert, or it doesn't have the CA certificate in trust.

The secure traversal test reports success under the UC traversal zone.

The zone status itself is Active.

I generated a CSR from Exp-C and had it signed by the internal CA.

Downloaded the signed server certificate and uploaded it to Exp-C.

I also uploaded the CA root into the Trusted CA certificate list on both Exp-C and Exp-E.


Any more pointers to check will be helpful, thanks.

Hi, I'm having the same issue. Have you made any progress with this?

Hi,

Just verify the CA config as per the link below (nice video by Mr. Jamie):

https://www.youtube.com/watch?v=FIqh3rSIUmA

and recreate the certificates for both servers, and check and verify the FQDN created in the local DNS server.

I have the Expressway-Edge server certified by a public CA. However, I did not install those root certs onto the Expressway-Core server. Because of this, Exp-C was complaining about the certificate error. Once I uploaded the public root CAs on Exp-C, the issue was resolved. Hope this helps.

Have a look at this excellent document. It covers pretty much everything about certificates in Expressway.

https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/213872-configure-and-troubleshoot-collaboration.html

There's a note about using self-signed certificates for things where I think you can't use them for everything in an MRA setup - I don't know off the top of my head where that point is.

You would have to look in the actual debug logging to see if it had a complaint about the certificate validation.