
Help required for setup Expressway C & E

rupam_chakra1983
Beginner

Hi

I am trying to set up MRA.

But it's unsuccessful, and I am getting the error in Status > Unified Communication.

I am not using any TLS and have not uploaded any certificate since I am not using a secure deployment.

Any help in troubleshooting appreciated.


21 Replies

Jaime Valencia
Cisco Employee

You do need to get certificates for MRA to work, they're the foundation of this.

That is completely separate from the fact you're not using mixed mode on CUCM, that only means you won't need a few steps and SAN entries in the EXP-C certificate.

You also need to read thoroughly the MRA configuration guide which outlines all the steps and requirements for MRA to work.

HTH

java

if this helps, please rate

Thanks Jaime for the info.

I created a CA and uploaded the signed certificate to the Expressway-C and Expressway-E.

I uploaded the root certificate to both of the servers.

I tried creating a traversal zone using TLS but it is not coming up.

Getting this error in the logs field:

tvcs: Event="External Server Communications Failure" Reason="Connect failed" Service="NeighbourGatekeeper" Dst-ip="Public IP of Exp-e" Dst-port="7001" Detail="name:FQDN of EXP E" Protocol="TCP" Level="1" UTCTime="2017-03-23 21:21:58,918"

Do you have dual NIC on EXP-E??

Or single NIC, and have you actually used the public IP??

Do you have all the proper ports open between both systems?

For MRA, you need to use the UC traversal zone; there is no TLS option there.

HTH

java

if this helps, please rate

Do you have dual NIC on EXP-E?? I tried with both dual and single NIC, but the issue is the same.

Or single NIC, and have you actually used the public IP?? I tried using the public IP as well, but the issue is the same.

Do you have all the proper ports open between both systems? Yes, I have an allow-all policy.

for MRA, you need to use the UC traversal zone, there is no TLS option there: I have used the UC traversal zone and there is no option for TLS.

OK, if you have dual NIC, use it, it will save a lot of headaches.

You need to point to NIC 1, the internal NIC.

Do you have proper DNS resolution?

You can get a packet capture on both servers and confirm whether you're actually receiving something on port 7001.

HTH

java

if this helps, please rate

The only thing is that my Expressway-C has its domain set to the internal domain DNS and the Expressway-E has its domain set to the external domain.

If you are using a dual NIC or single NIC deployment, make sure the LAN1 (internal, for example) FQDN is reachable from Expressway-C, and the same thing applies for Expressway-E: Expressway-E should be able to reach Expressway-C using its FQDN. Make sure 6001 and 7001 are open between Expressway-C and E.

Once you have proper reachability, you have to generate the CSR and get it signed by the CA.

Upload the signed server certificate.

Upload the ROOT and intermediate certificates to the trusted authority on Expressway-C and E.

You have the option in Expressway to check the certificate validation inside the communication traversal zone.

You can check the link below for multidomain MRA deployment:

http://www.cisco.com/c/en/us/support/docs/unified-communications/expressway-series/117811-configure-vcs-00.html

For any other issue in the MRA deployment, paste it here and I will help you.

Thanks for the response.

I have all the ports allowed, so connectivity should be fine.

In my case my internal domain and external domain are different, and I cannot create the external domain in the internal DNS server since it will create issues with the production server.

How can I do the deployment in this case?

Also, which domain shall I create (internal or external) in the Expressway-E (setting for DNS and Domain in Expressway-E)?

Use both domains in Expressway-E and Expressway-C; just add them and enable CM and IMP registration.

Advertise LAN 1 inside your internal DNS server, for example:

external domain: abc.com

internal domain: xyz.com

External DNS Server:

SRV:

_collab-edge._tls.abc.com --- pointing to vcse.abc.com

A:

vcse.abc.com --- pointing to public IP address

Internal DNS:

vcse.xyz.com --- pointing to LAN 1 IP address, which is connecting to a VCS-C IP address.

While creating the certificate in Expressway-C, keep in mind to add the Expressway-E internal FQDN in the SAN names.
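
The record layout and SAN requirement from the reply above, written as an offline preflight check. This is an added example, not part of the original post or any Cisco tooling; it runs over constructed data using the post's abc.com / xyz.com names. The IP addresses, the `vcsc.xyz.com` name and the function names are assumptions.

```python
# Added example: offline MRA preflight over constructed DNS data and SAN entries.
# Names follow the post (abc.com external, xyz.com internal); IPs and
# vcsc.xyz.com are assumptions made for this example.
EXTERNAL_DNS = {
    "SRV": {"_collab-edge._tls.abc.com": "vcse.abc.com"},
    "A": {"vcse.abc.com": "203.0.113.10"},  # documentation-range address
}
INTERNAL_DNS = {
    "SRV": {},
    "A": {"vcse.xyz.com": "10.0.0.20"},  # Expressway-E LAN 1 (assumed)
}
EXPC_CERT_SANS = ["vcsc.xyz.com", "VCSE.xyz.com."]  # SAN list, constructed


def norm(name):
    """DNS names compare case-insensitively; ignore a trailing root dot."""
    return name.strip().rstrip(".").lower()


def lookup(zone, rtype, name):
    """Return the record data for name in the given zone, or None."""
    records = {norm(k): v for k, v in zone.get(rtype, {}).items()}
    return records.get(norm(name))


def preflight(ext_domain, expe_lan1_fqdn, ext_dns, int_dns, expc_sans):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    srv_name = f"_collab-edge._tls.{norm(ext_domain)}"
    target = lookup(ext_dns, "SRV", srv_name)
    if target is None:
        findings.append(f"external SRV {srv_name} missing")
    elif lookup(ext_dns, "A", target) is None:
        findings.append(f"SRV target {norm(target)} has no external A record")
    if lookup(int_dns, "A", expe_lan1_fqdn) is None:
        findings.append(f"internal A record for {norm(expe_lan1_fqdn)} missing")
    if norm(expe_lan1_fqdn) not in {norm(s) for s in expc_sans}:
        findings.append(f"{norm(expe_lan1_fqdn)} not in Expressway-C certificate SAN")
    return findings


if __name__ == "__main__":
    for finding in preflight("abc.com", "vcse.xyz.com", EXTERNAL_DNS,
                             INTERNAL_DNS, EXPC_CERT_SANS) or ["all checks passed"]:
        print(finding)
```

In a live deployment the dictionaries would be filled from real DNS answers and from the SAN extension of the installed Expressway-C certificate.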

Hi

I have done the modification; now my Expressway-C to E tunnel is up.

Here is my setup:

Internal domain: internal.com

External domain: external.com

External DNS SRV points to CL1-exp-e-01.external.com

Internal DNS SRV points to CL1-exp-e-01.internal.com

I have created the certificate where I included both the Expressway-C and E (internal and external, both names) in the SAN while generating the CSR.

My problem now is that I am trying to log in from internal and it's failing with the error "cannot communicate with server".

I am attaching the Jabber client logs.

I have replaced the public IP with 111.11.11.11