03-21-2017 02:18 PM - edited 03-19-2019 12:14 PM
Hi,
I am trying to set up MRA.
But it is unsuccessful, and I am getting the error in Status > Unified Communications.
I am not using any TLS and have not uploaded any certificate since I am not using a secure deployment.
Any help in troubleshooting is appreciated.
03-21-2017 02:46 PM
You do need to get certificates for MRA to work, they're the foundation of this.
That is completely separate from the fact you're not using mixed mode on CUCM; that only means you won't need a few steps and SAN entries in the EXP-C certificate.
You also need to read the MRA configuration guide thoroughly, which outlines all the steps and requirements for MRA to work.
03-23-2017 03:13 PM
Thanks, Jamie, for the info.
I created a CA and uploaded the signed certificate to the Expressway-C and Expressway-E.
I uploaded the root certificate to both of the servers.
I tried creating a traversal zone using TLS but it is not coming up.
I am getting this error in the logs:
tvcs: Event="External Server Communications Failure" Reason="Connect failed" Service="NeighbourGatekeeper" Dst-ip="Public IP of Exp-e" Dst-port="7001" Detail="name:FQDN of EXP E" Protocol="TCP" Level="1" UTCTime="2017-03-23 21:21:58,918"
03-23-2017 04:39 PM
Do you have dual NIC on EXP-E??
Or single NIC, and have you actually used the public IP??
Do you have all the proper ports open between both systems?
For MRA, you need to use the UC traversal zone; there is no TLS option there.
03-23-2017 04:44 PM
03-23-2017 04:49 PM
OK, if you have dual NIC, use it, it will save a lot of headaches.
You need to point to NIC 1, the internal NIC.
Do you have proper DNS resolution?
You can get a packet capture on both servers and confirm whether you're actually receiving something on port 7001.
03-23-2017 04:52 PM
The only thing is that my Expressway-C has its domain set to the internal domain DNS and the Expressway-E has its domain set to the external domain.
03-25-2017 10:28 AM
Whether you are using a dual-NIC or single-NIC deployment, make sure the LAN1 (internal, for example) FQDN is reachable from Expressway-C, and the same applies for Expressway-E: Expressway-E should be able to reach Expressway-C using its FQDN. Make sure 6001 and 7001 are open between Expressway-C and E.
Once you have proper reachability, then you have to generate the CSR and have it signed by the CA.
Upload the signed server certificate.
Upload the ROOT and intermediate certificates to the Expressway-C and E trusted CA certificate store.
You have the option in Expressway to check the certificate validation inside the Unified Communications traversal zone.
You can check the link below for a multidomain MRA deployment:
http://www.cisco.com/c/en/us/support/docs/unified-communications/expressway-series/117811-configure-vcs-00.html
For any other issue in the MRA deployment, paste it here.
03-27-2017 01:53 AM
Thanks for the response.
I have all the ports allowed, so connectivity should be fine.
In my case my internal domain and external domain are different, and I cannot create the external domain in the internal DNS server since it will create issues with the production server.
How can I do the deployment in this case?
Also, which domain shall I create (internal or external) in the Expressway-E (setting for DNS and Domain in Expressway-E)?
03-27-2017 08:41 AM
Use both domains in Expressway-E and Expressway-C; just add them and enable CM and IMP registration.
Advertise LAN 1 inside your internal DNS server, for example:
external domain: abc.com
internal domain: xyz.com
External DNS server:
SRV:
_collab-edge._tls.abc.com pointing to vcse.abc.com
A:
vcse.abc.com pointing to the public IP address
Internal DNS:
vcse.xyz.com pointing to the LAN 1 IP address, which connects to a VCS-C IP address.
While creating a certificate on Expressway-C, keep in mind to add the Expressway-E internal FQDN in the SAN names.
03-29-2017 04:08 AM
Hi,
I have done the modification; now my Expressway-C to E tunnel is up.
Here is my setup:
internal domain: internal.com
External domain: external.com
external DNS SRV points to CL1-exp-e-01.external.com
Internal DNS SRV points to CL1-exp-e-01.internal.com
I have created the certificate where I included both the Expressway-C and E (internal and external names) in the SAN while generating the CSR.
My problem now is that I am trying to log in from internal and it is failing with the error "cannot communicate with server".
I am attaching the Jabber client logs.
I have replaced the public IP with 111.11.11.11.
03-29-2017 04:15 AM
Good to know your tunnel is up.
You can rate the conversation if you feel it's correct.
Now you are getting the "cannot communicate to server" error.
Can you check external DNS: are you able to resolve SRV records?
command prompt> type nslookup
Check whether the Expressway FQDN is resolved or not.
Then type set type=srv
_collab-edge._tls.externaldomain.com
It should resolve with the Expressway FQDN.
Once all FQDN and SRV records are fine, then check the firewall ports from external:
5061
5222
8443
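A small pre-flight helper for the checks given in this reply and in the earlier one (SRV name, resolved target, ports 6001/7001 between C and E, 5061/5222/8443 from outside). This is an added example, not code from the thread or from Cisco; the nslookup output it parses is constructed, and hostnames like CL1-exp-e-01.external.com are taken from the poster's setup only as sample values.

```python
import re
import socket

# Ports the thread lists: 6001/7001 between Expressway-C and -E, and
# 5061/5222/8443 from the internet to Expressway-E.
TRAVERSAL_PORTS = (6001, 7001)
EDGE_PORTS = (5061, 5222, 8443)

# Constructed sample nslookup output (not captured from the poster's servers).
SAMPLE_WINDOWS = """Non-authoritative answer:
_collab-edge._tls.external.com  SRV service location:
          priority       = 10
          weight         = 10
          port           = 8443
          svr hostname   = CL1-exp-e-01.external.com
"""
SAMPLE_LINUX = "_collab-edge._tls.external.com\tservice = 10 10 8443 cl1-exp-e-01.external.com.\n"

_WIN_HOST = re.compile(r"svr hostname\s*=\s*(\S+)", re.I)
_WIN_PORT = re.compile(r"\bport\s*=\s*(\d+)", re.I)
_LINUX = re.compile(r"service\s*=\s*\d+\s+\d+\s+(\d+)\s+(\S+)", re.I)

def collab_edge_srv(domain):
    """SRV name Jabber queries for MRA: _collab-edge._tls.<service domain>."""
    return "_collab-edge._tls." + domain.strip(".").lower()

def parse_nslookup_srv(output):
    """Return [(target_fqdn, port), ...] from Windows- or Linux-style 'set type=srv' output."""
    records = [(h.rstrip(".").lower(), int(p)) for p, h in _LINUX.findall(output)]
    win = zip(_WIN_HOST.findall(output), _WIN_PORT.findall(output))
    records += [(h.rstrip(".").lower(), int(p)) for h, p in win]
    return records

def srv_points_to(records, edge_fqdn):
    """True when every SRV target is the Expressway-E FQDN, as the thread requires."""
    want = edge_fqdn.strip(".").lower()
    return bool(records) and all(h == want for h, _ in records)

def check_tcp(host, port, timeout=3.0):
    """True if a TCP connect to host:port succeeds (firewall/port check from outside)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name not resolvable
        return False

if __name__ == "__main__":
    recs = parse_nslookup_srv(SAMPLE_WINDOWS)  # swap in real nslookup output
    print(collab_edge_srv("external.com"), recs, srv_points_to(recs, "cl1-exp-e-01.external.com"))
    print({p: check_tcp(recs[0][0], p) for p in EDGE_PORTS} if recs else "no SRV target")
```

Run the port loop from an internet host against the SRV target, and separately between Expressway-C and -E for TRAVERSAL_PORTS; a False on 8443 with a correct SRV answer points at the firewall rather than DNS.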
03-30-2017 02:18 AM
Yes, I am able to resolve the SRV record from public DNS. It's a test environment, so I opened all required ports.
I am attaching the logs from the Jabber client.
internal domain: internal.com
External domain: external.com
external DNS SRV points to CL1-exp-e-01.external.com
Internal DNS SRV points to CL1-exp-e-01.internal.com
I have replaced the public IP with 111.11.11.11.
03-30-2017 01:05 PM
Please attach the Expressway-E logs:
Click Maintenance > Logs > Advanced logging > enable TCP dump and start debugging.
Now
stop logging,
download the logs, and
share the logs file here.
(Are you using dual
03-31-2017 03:24 PM
Hi Sushant,
Now I am no longer getting the "cannot find server" error from the internet.
But I am getting "Username and password are invalid" in Jabber while logging in from the internet.
However, the same username and password are working when logging in from within the internal network.
The connectivity between the C & E seems to be good and the tunnel is also active.
> Do you have dual NIC on EXP-E??
I tried with dual and single NIC both, but the issue is the same.
> Or single NIC, and have you actually used the public IP??
I tried using the public IP as well, but the issue is the same.
> Do you have all the proper ports open between both systems?
Yes, I have an all-allow policy.
> for MRA, you need to use the UC traversal zone, there is no TLS option there
I have used the UC traversal zone and there is no option for TLS.