Help required for setting up Expressway C & E

Hi

I am trying to set up MRA.

But it's unsuccessful, and I am getting the error under Status > Unified Communications.

I am not using any TLS and have not uploaded any certificate since I am not using a secure deployment.

Any help in troubleshooting is appreciated.

21 Replies

So that means your _collab-edge._tls.domain.com is working fine.

First, check that port 5222 is open from the external network.

Use this site to check firewall ports: http://www.yougetsignal.com/tools/open-ports/

Make sure your IMP is active in Expressway-C.

Important Note: Define your internal as well as external domain in Expressway-C and enable CUCM and IMP registration for the public domain. It seems you are using only the internal domain in Expressway-C; no issues, define the external domain also inside the Domains option.

If the issue is still there, then delete the IMP and CUCM servers and add them again.

Make sure you are using a public CA or OpenSSL, because a certificate is mandatory to log in from outside:

Best practice is to use an external public CA, because OpenSSL will not help you register your IP phones, DX series and TelePresence endpoints over MRA.

Note: while signing the CSR, keep in mind that Expressway will not support wildcard certificates.

Hi Sushant

I tried troubleshooting the issue today, and this time I am getting the "cannot communicate with server" error from the internet.

The error is not consistent; last time when I checked it was giving a username and password invalid error.

I am attaching a fresh log from Expressway C, E and Jabber PRT.

If you want to resolve the issue you need to troubleshoot step by step.

I can see in the logs that _collab-edge._tls.domain.com is not resolving externally.

Try the below commands from your side.

1) SRV records not working externally >

C:\Users\sushants>nslookup
Default Server: Cisco00447
Address: 192.168.1.1

> set type=srv
> _collab-edge._tls.sddclab.com
Server: Cisco00447
Address: 192.168.1.1

*** No Service location (SRV) records available for _collab-edge._tls.sddclab.com

2) No valid public CA certificate installed in Expressway-E; check the attached images.

Check the SRV records, because traffic is not reaching Expressway-E.
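A small parser for the nslookup SRV output quoted above, added here as an illustration and not taken from any post in the thread. The hostnames and addresses in the sample are constructed placeholders; the checks (a record must exist, point at port 8443 and name a publicly resolvable FQDN rather than an internal .local host) follow the expectations discussed in this thread.

```python
import re

# Constructed sample in the Windows nslookup "set type=srv" format quoted in the thread (placeholder names/addresses).
SAMPLE_OK = """\
> _collab-edge._tls.uc.example.test
Server:  resolver.example.test
Address:  203.0.113.53
Non-authoritative answer:
_collab-edge._tls.uc.example.test        SRV service location:
          priority       = 10
          weight         = 10
          port           = 8443
          svr hostname   = EXP-E-01.example.test
exp-e-01.example.test        internet address = 198.51.100.10
"""
FIELD_RE = re.compile(r"\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)")

def parse_nslookup_srv(text):
    """Return a list of dicts {priority, weight, port, target} from nslookup SRV output.
    An answer with no SRV record (the '*** No Service location' case) yields []."""
    records, fields = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        fields[m.group(1)] = m.group(2)
        if len(fields) == 4:  # one complete record collected
            records.append({
                "priority": int(fields["priority"]), "weight": int(fields["weight"]),
                "port": int(fields["port"]), "target": fields["svr hostname"].rstrip(".").lower(),
            })
            fields = {}
    return records

def check_collab_edge(text, expected_port=8443):
    """Findings for a _collab-edge._tls answer; an empty list means it looks usable for MRA."""
    findings = []
    records = parse_nslookup_srv(text)
    if not records:
        return ["no SRV record returned: external clients cannot discover Expressway-E"]
    for r in records:
        if r["port"] != expected_port:
            findings.append(f'{r["target"]}: port {r["port"]}, expected {expected_port}')
        if r["target"].endswith(".local") or "." not in r["target"]:
            findings.append(f'{r["target"]}: target is not a publicly resolvable FQDN')
        # nslookup appends the target's A record; its absence means the hostname itself does not resolve
        if not re.search(rf'^{re.escape(r["target"])}\s+internet address\s*=', text, re.M | re.I):
            findings.append(f'{r["target"]}: no public A record found for the SRV target')
    return findings
```

Paste the output of `nslookup` with `set type=srv` from an external machine into `check_collab_edge` to get the findings as a list.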

Hi Sushant

The domain you are looking at is my internal domain.

My external domain is uc.itp-inc.com

> _collab-edge._tls.uc.itp-inc.com
Server:  aes-static-102.47.22.125.airtel.in
Address:  125.22.47.102
Non-authoritative answer:
_collab-edge._tls.uc.itp-inc.com        SRV service location:
          priority       = 10
          weight         = 10
          port           = 8443
          svr hostname   = CL1-EXP-E-01.itp-inc.com
cl1-exp-e-01.itp-inc.com        internet address = 111.93.141.138
I don't have a public CA service. I have my internal CA that I have used to sign the Expressway C & E CSRs.
The tunnel between C & E is active.
I have created both the internal and external domains in the Expressway.

I can see the SSH tunnel is up between C and E.

With an internal CA it will not work.

Either have OpenSSL or a public certificate from an external CA. (My recommendation is a public CA, because later you will not be able to register 78XX, 88XX, DX70, DX80 over MRA if you don't use a public CA.)

Note: while signing the certificate make sure you purchase a UC SAN certificate, because wildcard is not supported.

Hi Sushant,

Great help here. I would like to share my scenario and wish for help on setting up MRA.

- I have a dual interface deployment. My internal and external domain is the same.

Internal DNS records are as follows:

A Records and PTR:

Hostname       IP            Role
GGI-UCM-PUB    10.10.10.121  CM Pub
GGI-UCM-SUB    10.10.11.121  CM Sub
GGI-UCN-PUB    10.10.10.122  CUC Pub
GGI-UCN-PUB    10.10.11.122  CUC Sub
GGI-CIMP-PUB   10.10.11.123  IMP Pub
GGI-CIMP-SUB   10.10.10.123  IMP Sub
expc           10.10.10.124  Exp-C
expe           10.10.10.125  Exp-E

SRV Records:

Record                      Service      Protocol  Priority  Weight  Port number  Host offering the service
_cisco-uds._tcp.ggi.local   _cisco-uds   _tcp      0         0       8443         GGI-UCM-PUB.domain.com
_cuplogin._tcp.ggi.local    _cuplogin    _tcp      0         0       8443         GGI-CIMP-PUB.domain.com

External DNS records:

Hostname           IP         Record Type
expe.ggi-sa.com    Public IP  A

SRV:

Record                        Service       Protocol  Priority  Weight  Port number  Host offering the service
_collab-edge._tls.ggi-sa.com  _collab-edge  _tls      0         0       8443         expe.domain.com

- I added licenses for C and E and did the initial configuration.

- My topology is as follows:

Core -- 10.10.10.124 (Internal Subnet as CUCM)

Edge (NIC -2) -- Point to Internal segment -- 10.10.10.125 (Internal Subnet as CUCM)

Edge (NIC -1) -- Point to Public world -- 172.XX.0.104 (DMZ)

- NAT is configured on the firewall, where the public IP resolves to the DMZ IP.

- Does this deployment require a static route on the E server? If so, please tell me how to configure it.

- I can't ping the DMZ IP from the C server; should it be pingable?

- I can see the traversal zone is active if I provide the IP as the peer server. But giving the FQDN fails with a DNS lookup error.

- I am also stuck on the certificates part; I don't have an internal CA. Can I generate both certificates for C and E from an external CA? Please also mention the SAN requirements for both certificates, with an example if possible.

- Regarding the NAT, it is configured on the firewall, which resolves to the DMZ IP. I am confused about the NAT option which is enabled on the E LAN1 interface; does it need to be enabled on the E server also?

- How do I test from the internet whether NAT is working properly or not? Because I don't have access to the firewall, and the network team told me that NAT is configured.

- Some snaps are attached to help understand.

Thanks in advance

Regards,

Hi,

Since your Core and Edge DMZ2 NIC are on the same network, you don't need the route. You should be able to ping the DMZ 2 IP, part of the 10.X.X.X network, from Core.

I would not utilize the ggi.local domain for signing into Jabber and would use ggi-sa.com (it doesn't matter whether Jabber is internal or external), and modify the UDS SRV record to the domain (ggi-sa.com). The DNS administrator might come to you saying they can't do this, but I would like to stick to this solution. A workaround would be to use "voiceservice domain" in the jabber-config.xml file, which means all the users must first sign in internally and then they can log in via MRA.

If the TZ is not coming up with the FQDN, it might be because certificates were not exchanged properly. Exp-C and Exp-E must both trust each other's certificate, and to do that you have to install the root and any intermediate CA on the servers, depending on how you generated them.

For example, if Exp-C is signed by an internal CA and Exp-E by a public external CA, then the public CA (root and intermediate certs) must be uploaded on Exp-C and the internal root/intermediate CA must be installed on Exp-E. This would be done under the "Trusted CA" section.

For the NAT, the firewall will have NAT configured, but you also need to configure the NAT IP on the public-facing NIC. Also, the default gateway on VCS-E will be on the public-facing NIC.

Regards,

Alok