03-21-2017 02:18 PM - edited 03-19-2019 12:14 PM
Hi,
I am trying to set up MRA, but it is unsuccessful and I am getting an error under Status > Unified Communications.
I am not using TLS and have not uploaded any certificates, since I am not using a secure deployment.
Any help in troubleshooting is appreciated.
03-31-2017 03:59 PM
So that means your _collab-edge._tls.domain.com is working fine.
First, check that port 5222 is open from the external network.
Use this site to check firewall ports: http://www.yougetsignal.com/tools/open-ports/
Make sure your IM&P is active in Expressway-C.
Important note: define your internal as well as your external domain in Expressway-C and enable CUCM and IM&P registration for the public domain. It seems you are using only the internal domain in Expressway-C; no issue, but define the external domain as well inside the Domains option.
If the issue is still there, then delete the IM&P and CUCM servers and add them again.
Make sure you are using a public CA or OpenSSL, because
best practice is to use an external public CA; OpenSSL will not help you register your IP phones, DX series or TelePresence endpoints over MRA.
Note: while signing the CSR, keep in mind that Expressway will not support wildcard certificates.
04-03-2017 03:49 PM
Hi Sushant,
I tried troubleshooting the issue today, and this time I am getting the "cannot communicate with server" error from the internet.
The error is not consistent; last time when I checked it was giving a "username and password invalid" error.
I am attaching fresh logs from Expressway-C, Expressway-E and the Jabber PRT.
04-03-2017 10:51 PM
If you want to resolve this:
I can see in the logs that _collab-edge._tls.domain.com is not resolving from
Try the below commands from your side.
1) SRV records not working externally:
C:\Users\sushants>nslookup
Default Server: Cisco00447
Address: 192.168.1.1
> set type=srv
> _collab-edge._tls.sddclab.com
Server: Cisco00447
Address: 192.168.1.1
*** No Service location (SRV) records available for _collab-edge._tls.sddclab.com
2) No valid public CA certificate installed in Expressway-
Check the SRV records, because traffic is not reaching Expressway-E.
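The lookups Sushant describes above (and Alok's later point that Jabber must find its SRV records under the domain users sign in with) can be checked offline with a small script. This is an added example and not code from the thread or from Cisco; the zone data, hostnames, the 203.0.113.10 address and the nslookup transcript are constructed for illustration.

```python
"""Added example, not part of the original thread: an offline checker for the
DNS records Jabber uses for service discovery inside and over MRA.  All zone
data and the nslookup transcript below are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Jabber queries the sign-in domain: user@ggi-sa.com -> _cisco-uds._tcp.ggi-sa.com
# internally and _collab-edge._tls.ggi-sa.com from the internet.
INTERNAL_SRV = ("_cisco-uds._tcp", "_cuplogin._tcp")   # answered by internal DNS
EXTERNAL_SRV = ("_collab-edge._tls",)                  # answered by public DNS
EXPECTED_PORT = 8443


def check_mra_dns(signin_domain, internal_zone, external_zone):
    """Return a list of problems; an empty list means the records look usable."""
    problems = []
    for zone_name, zone, prefixes in (("internal", internal_zone, INTERNAL_SRV),
                                      ("external", external_zone, EXTERNAL_SRV)):
        for prefix in prefixes:
            fqdn = f"{prefix}.{signin_domain}".lower()
            records = zone.get("SRV", {}).get(fqdn)
            if not records:
                problems.append(f"{zone_name}: no SRV record {fqdn}")
                continue
            for rec in records:
                if rec.port != EXPECTED_PORT:
                    problems.append(f"{zone_name}: {fqdn} uses port {rec.port}, expected {EXPECTED_PORT}")
                if "." not in rec.target:
                    problems.append(f"{zone_name}: {fqdn} target {rec.target!r} is not an FQDN")
                elif rec.target.lower() not in zone.get("A", {}):
                    # The SRV target must itself resolve on the same resolver
                    # that answered the SRV query, or the client goes nowhere.
                    problems.append(f"{zone_name}: {fqdn} target {rec.target} has no A record in {zone_name} DNS")
    return problems


# Windows nslookup prints one "SRV service location:" block per answer, or the
# "*** No Service location (SRV) records available" line seen in the thread.
_NO_SRV = re.compile(r"No Service location \(SRV\) records available")
_FIELD = re.compile(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)", re.M)


def parse_nslookup_srv(text):
    """Parse 'set type=srv' nslookup output into Srv objects (empty list = no record)."""
    if _NO_SRV.search(text):
        return []
    results = []
    for block in re.split(r"SRV service location:", text)[1:]:
        fields = dict(_FIELD.findall(block))
        results.append(Srv(int(fields["priority"]), int(fields["weight"]),
                           int(fields["port"]), fields["svr hostname"]))
    return results


# Constructed sample data loosely mirroring the posted topology (assumed names).
INTERNAL_ZONE = {
    "A": {"ggi-ucm-pub.ggi-sa.com": "10.10.10.121",
          "ggi-cimp-pub.ggi-sa.com": "10.10.11.123",
          "expc.ggi-sa.com": "10.10.10.124"},
    "SRV": {"_cisco-uds._tcp.ggi-sa.com": [Srv(0, 0, 8443, "ggi-ucm-pub.ggi-sa.com")],
            "_cuplogin._tcp.ggi-sa.com": [Srv(0, 0, 8443, "ggi-cimp-pub.ggi-sa.com")]},
}
EXTERNAL_ZONE = {
    "A": {"expe.ggi-sa.com": "203.0.113.10"},   # constructed public address
    "SRV": {"_collab-edge._tls.ggi-sa.com": [Srv(0, 0, 8443, "expe.ggi-sa.com")]},
}
# Reproduces the two mistakes the thread turns on: UDS published only under the
# internal domain, and collab-edge pointing at a host public DNS cannot resolve.
BROKEN_INTERNAL = {
    "A": {"ggi-ucm-pub.ggi.local": "10.10.10.121"},
    "SRV": {"_cisco-uds._tcp.ggi.local": [Srv(0, 0, 8443, "ggi-ucm-pub.ggi.local")]},
}
BROKEN_EXTERNAL = {
    "A": {"expe.ggi-sa.com": "203.0.113.10"},
    "SRV": {"_collab-edge._tls.ggi-sa.com": [Srv(0, 0, 8443, "expe.domain.com")]},
}
NSLOOKUP_SAMPLE = """\
Server:  Cisco00447
Address:  192.168.1.1

_collab-edge._tls.ggi-sa.com    SRV service location:
          priority       = 0
          weight         = 0
          port           = 8443
          svr hostname   = expe.ggi-sa.com
"""

if __name__ == "__main__":
    print(check_mra_dns("ggi-sa.com", INTERNAL_ZONE, EXTERNAL_ZONE))
    print(check_mra_dns("ggi-sa.com", BROKEN_INTERNAL, BROKEN_EXTERNAL))
    print(parse_nslookup_srv(NSLOOKUP_SAMPLE))
```

Run the external check from a machine outside the corporate network (or against a public resolver) and the internal check from inside; a record that resolves on only one side is exactly the split-horizon situation the thread is debugging.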
04-04-2017 07:49 AM
Hi Sushant,
The domain you are looking at is my internal domain.
My external domain is uc.itp-inc.com.
04-04-2017 11:50 AM
I can see the SSH tunnel is up between C and E.
With an internal CA it will not work.
Either have OpenSSL or a public certificate from an external CA (my recommendation is a public CA, because later you will not be able to register
Note: while signing the certificate, make sure you purchase a UC SAN certificate, because wildcard is not supported.
09-12-2017 05:59 AM
Hi Sushant,
Great help here. I would like to share my scenario and would like help setting up MRA.
- I have a dual-interface deployment. My internal and external domains are the same.
Internal DNS records are as follows:
A records and PTR:
GGI-UCM-PUB  | 10.10.10.121 | CM Pub
GGI-UCM-SUB  | 10.10.11.121 | CM Sub
GGI-UCN-PUB  | 10.10.10.122 | CUC Pub
GGI-UCN-PUB  | 10.10.11.122 | CUC Sub
GGI-CIMP-PUB | 10.10.11.123 | IMP Pub
GGI-CIMP-SUB | 10.10.10.123 | IMP Sub
expc         | 10.10.10.124 | Exp-C
expe         | 10.10.10.125 | Exp-E
SRV records:
Record                    | Service    | Protocol | Priority | Weight | Port number | Host offering the service
_cisco-uds._tcp.ggi.local | _cisco-uds | _tcp     | 0        | 0      | 8443        | GGI-UCM-PUB.domain.com
_cuplogin._tcp.ggi.local  | _cuplogin  | _tcp     | 0        | 0      | 8443        | GGI-CIMP-PUB.domain.com
External DNS records:
Hostname        | IP        | Record type
expe.ggi-sa.com | Public IP | A

SRV:
Record                       | Service      | Protocol | Priority | Weight | Port number | Host offering the service
_collab-edge._tls.ggi-sa.com | _collab-edge | _tls     | 0        | 0      | 8443        | expe.domain.com
- I added licenses for C and E and did the initial configuration.
- My topology is as follows:
Core -- 10.10.10.124 (internal subnet, same as CUCM)
Edge (NIC 2) -- points to the internal segment -- 10.10.10.125 (internal subnet, same as CUCM)
Edge (NIC 1) -- points to the public world -- 172.XX.0.104 (DMZ)
- NAT is configured on the firewall, where the public IP resolves to the DMZ IP.
- Does this deployment require a static route on the E server? If so, please tell me how to configure it.
- I can't ping the DMZ IP from the C server; should it be pingable?
- I can see the traversal zone is active if I provide the IP as the peer server, but giving the FQDN fails with a DNS lookup error.
- I am also stuck on the certificates part. I don't have an internal CA; can I generate both certificates for C and E from an external CA? Please also mention the SAN requirement for both certificates, with an example if possible.
- Regarding the NAT, it is configured on the firewall, which resolves to the DMZ IP. I am confused about the NAT option which is enabled on the E LAN1 interface; is it required to enable it on the E server as well?
- How do I test from the internet whether NAT is working properly or not? I don't have access to the firewall, and the network team told me that NAT is configured.
- Some snapshots are attached to help understand.
Thanks in advance.
Regards,
09-13-2017 09:54 PM
Hi,
Since your core and Edge DMZ2 NIC are on the same network, you don't need the route. You should be able to ping the DMZ 2 IP in the 10.X.X.X network from the core.
I would not use the ggi.local domain for signing in to Jabber; I would use ggi-sa.com (it doesn't matter whether Jabber is internal or external) and modify the UDS SRV record to that domain (ggi-sa.com). The DNS administrator might come to you saying they can't do this, but I would stick to this solution. A workaround would be to use "VoiceServicesDomain" in the jabber-config.xml file, which means all users must first sign in internally, and then they can log in via MRA.
If the TZ is not coming up with the FQDN, it might be because the certificates were not exchanged properly. Exp-C and Exp-E must both trust each other's certificates, and to do that you have to install the root and any intermediate CA on the servers, depending on how you generated them.
For example, if Exp-C is signed by an internal CA and Exp-E by a public external CA, then the public CA (root and intermediate certs) must be uploaded on Exp-C and the internal root/intermediate CA must be installed on Exp-E. This is done under the "Trusted CA" section.
For the NAT, the firewall will have NAT configured, but you also need to configure the NAT IP on the public-facing NIC. Also, the default gateway on VCS-E will be on the public-facing NIC.
Regards,
Alok
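The certificate questions raised in this thread (which SAN names Expressway-C and Expressway-E need, why a wildcard certificate is rejected, and Alok's point that each Expressway must hold the other's issuing CA chain in its trusted CA list before the traversal zone comes up over FQDN) can be turned into a pre-flight check. This is an added example, not code from the thread or from Cisco. The list of required SAN names is the editor's summary of Cisco's MRA certificate guidance and should be treated as an assumption to confirm against the deployment guide for your Expressway version; all certificate names and trust stores below are constructed.

```python
"""Added example, not part of the original thread: a pre-flight check of
Expressway certificate SANs and mutual CA trust for MRA.  The required-name
rules are the editor's reading of Cisco's MRA guidance (an assumption); the
certificates and trust stores are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ExpresswayCert:
    """Names from a certificate's SAN extension plus its issuing chain.
    In practice read them with: openssl x509 -in cert.pem -noout -ext subjectAltName"""
    sans: tuple
    issuer_chain: tuple   # subject names of (intermediate CA, ..., root CA)


def required_sans(role, fqdn, registration_domains=(), xmpp_domains=(),
                  chat_node_aliases=(), phone_security_profiles=()):
    """Names MRA expects in the SAN of an Expressway-C ('c') or -E ('e') cert.
    Assumption: summarised from Cisco's MRA certificate guidance."""
    names = {fqdn}
    names.update(chat_node_aliases)             # both sides, if IM&P federated chat is used
    if role == "e":
        names.update(registration_domains)      # the domain Jabber signs in with (e.g. ggi-sa.com)
        names.update(xmpp_domains)
    elif role == "c":
        names.update(phone_security_profiles)   # only if CUCM uses secure phone profiles
    else:
        raise ValueError("role must be 'c' or 'e'")
    return {n.lower() for n in names}


def check_cert(cert, required):
    """Return a list of problems; an empty list means the SAN satisfies the checks."""
    problems = []
    present = set()
    for name in cert.sans:
        low = name.lower()
        if low.startswith("*."):
            # Expressway does not accept wildcard certificates, so a '*.' entry
            # is flagged and never counted as satisfying a required name.
            problems.append(f"wildcard SAN not supported: {name}")
            continue
        present.add(low)
    for name in sorted(required - present):
        problems.append(f"missing SAN: {name}")
    return problems


def mutual_trust_ok(cert_c, trust_c, cert_e, trust_e):
    """Each Expressway must hold the other's root and intermediate CAs in its
    'Trusted CA certificate' list, or the traversal zone's TLS handshake fails."""
    c_trusts_e = all(ca in trust_c for ca in cert_e.issuer_chain)
    e_trusts_c = all(ca in trust_e for ca in cert_c.issuer_chain)
    return c_trusts_e and e_trusts_c


# Constructed sample: E signed by a public CA, C by an internal CA (assumed names).
GOOD_E = ExpresswayCert(sans=("expe.ggi-sa.com", "ggi-sa.com"),
                        issuer_chain=("Public CA Intermediate", "Public CA Root"))
GOOD_C = ExpresswayCert(sans=("expc.ggi-sa.com",),
                        issuer_chain=("Internal Issuing CA", "Internal Root CA"))
WILDCARD_E = ExpresswayCert(sans=("*.ggi-sa.com", "expe.ggi-sa.com"),
                            issuer_chain=("Public CA Intermediate", "Public CA Root"))
TRUST_C = {"Public CA Intermediate", "Public CA Root"}      # uploaded on Exp-C
TRUST_E = {"Internal Issuing CA", "Internal Root CA"}       # uploaded on Exp-E
TRUST_C_MISSING = {"Public CA Root"}                        # intermediate forgotten

if __name__ == "__main__":
    req_e = required_sans("e", "expe.ggi-sa.com", registration_domains=("ggi-sa.com",))
    print(check_cert(GOOD_E, req_e))
    print(check_cert(WILDCARD_E, req_e))
    print(mutual_trust_ok(GOOD_C, TRUST_C, GOOD_E, TRUST_E))
    print(mutual_trust_ok(GOOD_C, TRUST_C_MISSING, GOOD_E, TRUST_E))
```

The wildcard case is worth noting: `*.ggi-sa.com` would cover `expe.ggi-sa.com` under normal browser matching, but because Expressway rejects wildcard certificates the check treats it as absent, which is why the thread's advice is to buy a UC/SAN certificate listing every name explicitly.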