
Jabber client Mobile and Remote Access - Unable To Connect To The Server

marco_81

Hi all,

I'm troubleshooting an issue with Jabber for Windows login when I try to connect to on-premises resources via Mobile and Remote Access. No issues with local login.

Reading document "jabber-mra-call_flow-detailed.pdf" I was able to collect logs for expC, expE and Jabber (C:\Users\myuser\AppData\Local\Cisco\Unified Communications\Jabber\CSF\Logs), and I see all messages up to 10e. At this stage Jabber gets the jabber-config.xml file and the EPAsoap service. Then between expC and expE, I see traversal zone SIP signalling messages on port tcp7001.

Jabber establishes a connection to expE on port tcp5222, and communicates with tls and xmpp\xml with expE. In the Jabber log file is then written:

OnLoginError: (data=0) LERR_JABBER_UNREACHABLE <16>, LoginErrortoErrorCode: 16 mapped to: UnableToConnectToTheServer

Anyway before the error line, jabber log file displays: Signing into Presence Server. Server: 172.20.151.7, login mode: ON_PREM, result: 0 .

Also tomcat cucm and im&p's logs confirm the user has been authenticated:

authenticateUserWithPassword: calling auth as dn search is successful for user mfina and the dn is CN=marco fina,CN=Users, dc="hidden for privacy",dc="hidden for privacy",dc=com  (this is from tomcat cucm logs).

IMS login result is success for mfina| IMS result code:0    (this is from tomcat im&p logs).

I cannot find out the point where the process fails.

Deployment is based on a 3-port Firewall DMZ (with NAT reflection) using Single NIC on expE, static 1:1 NAT with public IP on expE. Public DNS SRV is collab-edge and it is resolved. On the internal DNS, SRV records for automatic cucm and cup discovery, plus A records for every node, are working as expected. Referring to https://supportforums.cisco.com/discussion/13178966/vcs-expressway-nat-dns-confusion I configured the expE's A record in the internal DNS, mapping the hostname to its natted public IP. Unified Communication traversal zones SIP reachability displayed as follows:

expC reaches expE's public IP address on port 7001, and expE reaches its DMZ default gateway. Zone is active.

TLS Verify mode Off between expC and cucm (the registrar server) and cup server.

CUCM and CUP version 11.5.1, exp version 8.9.1.

Any suggestions?

Thanks


Alok Jaiswal

If it's on MRA, why is it saying signing into presence server

Server: 172.20.151.7, login mode: ON_PREM, result: 0 .

Do you have the Jabber PRT? Is it possible to share it? You can message it.

Regards,

Alok

Hi Alok,

I was able to gather all conf and log files from Jabber for Windows, attached.

Let me know if they are OK, or please give me the steps to retrieve the necessary logs. I replaced, for privacy, the public IP address of expE and my domain (internal and external are the same domain). These are other duty information I think:

172.20.151.6 --> cucm private ip in my corporate (same for tftp)

172.20.151.7 --> im&p private ip in my corporate

I uploaded jabber-config.xml on my tftp generated by this tool (http://www.ciscojabber.io/).

On expC I configured: sip registration and provisioning on exp --> Off, sip registration and provisioning on cucm --> On, im and presence service On.

Thanks for help.

Hi Marco,

I looked at the logs and I can see it goes to the SASL mechanism, which also explains that in the Expressway logs you would be seeing the EpasSOAP login request.

2017-05-07 10:50:25,307 INFO [0x000002ec] [rwerx\jwcpp\xmppsdk\XmppClient.cpp(1505)] [csf.jwcpp] [CXmppClient::logEscapedMessage] - @XmppSDK: #0, 193, Recv:<stream:stream xmlns="jabber:client" xml:lang="en-US.UTF-8" xmlns:stream="http://etherx.jabber.org/streams" from="my_domain_com" id="VBAovaLam-BojWOz56SWqw35" version="1.0" />
2017-05-07 10:50:25,370 DEBUG [0x00000fdc] [s\platform\utiltp\CmTransportTcp.cpp(93)] [csf.jwcpp] [CCmTransportTcp::OnInput] - @MMTP: Recv_i return nRecv: 118 transport: 056EA724
2017-05-07 10:50:25,370 INFO [0x000002ec] [rwerx\jwcpp\xmppsdk\XmppClient.cpp(1505)] [csf.jwcpp] [CXmppClient::logEscapedMessage] - @XmppSDK: #0, 138, Recv:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl" /></stream:features>
2017-05-07 10:50:25,370 ERROR [0x000002ec] [rwerx\jwcpp\xmppsdk\XmppClient.cpp(1558)] [csf.jwcpp] [CXmppClient::handleLog] - @XmppSDK: #0, The server doesn't offer any SASL authentication mechanism that we can support
2017-05-07 10:50:25,370 DEBUG [0x000002ec] [m\utiltp\CmTransportThreadProxy.cpp(413)] [csf.jwcpp] [CEventSendData::CEventSendData] - @MMTP: event_type=0, m_Tid=748,m_pOwnerThreadProxy = 055F4CC8, m_pMessageBlock = 52202C38 this=057AA358
2017-05-07 10:50:25,370 INFO [0x000002ec] [rwerx\jwcpp\xmppsdk\XmppClient.cpp(1552)] [csf.jwcpp] [CXmppClient::handleLog] - @XmppSDK: #0, 16, Send:</stream:stream>
2017-05-07 10:50:25,370 DEBUG [0x00000fdc] [m\utiltp\CmTransportThreadProxy.cpp(434)] [csf.jwcpp] [CEventSendData::OnEventFire] - @MMTP: event_type=0, m_Tid=748,m_pOwnerThreadProxy = 055F4CC8, m_pMessageBlock = 057AA448 this=057AA358
2017-05-07 10:50:25,370 DEBUG [0x000002ec] [rwerx\jwcpp\xmppsdk\XmppClient.cpp(1552)] [csf.jwcpp] [CXmppClient::handleLog] - @XmppSDK: #0, CTriClient::handleDisconnect 12

Without Expressway logs it's a bit harder to comment why SASL is failing. Can you share the Expressway logs?

I would say try the below:

- Try refreshing the CUCM, IM&P node added on Exp-C

- Restarting the XCP service on IM&P node

- Rebooting the Exp-E & C node

Also make sure the hostname for Exp-E is configured properly on Exp-C under the UC traversal zone and that it matches the hostname presented to Jabber, which is trying to log in via the internet.

Since the PRT doesn't contain the domain, I can't verify your SRV records/certificates etc.

 

Regards,

Alok

Hi Alok,

I collected event and network logs from expC and expE. I changed the public IP of expE to the string IP_Public_expE and the domain to my_domain_com. I tried to log in with user "mrossi" between 10:18 and 10:19 am.

I'm going to try the steps you mentioned, and I'll let you know. About certificate creation: I created an openssl-based CA following the instructions found at (http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-9/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-9.pdf), I signed expC's and expE's CSRs against the CA, then I uploaded the rootCA into the expC and expE trust stores. When testing the traversal zone it says Success.

Thanks again for help.

Regards

Marco

These are also info level logs. So not much luck.

Still I see something which looks problematic to me.


2017-05-08T10:07:35.018+02:00 portforwarding: Level="INFO" Event="Alarm Raised" Id="35013" UUID="a19a462a-cf7e-4b6f-b333-33b2e502ec0b" Severity="warning" Detail="Unified Communications SSH tunnel failure: This system cannot communicate with one or more remote hosts: expe.my_domain_com" UTCTime="2017-05-08 08:07:35,018"
2017-05-08T10:07:35.015+02:00 portforwarding: Level="ERROR" Detail="Client control socket open failed" forwarding="localhost:0:localhost:8443" user="_pfwd" host="expe.my_domain_com" id="34f480cc-42d5-4f28-84e7-944d6d7ba99a" retcode="255" err="Permission denied (publickey). " UTCTime="2017-05-08 08:07:35,015"

It looks like some issue with the certificates. Is your SSH tunnel up on the Exp-C & E?

Regards,

Alok

Unified Communications SSH tunnels status displays Active (both on expC and expE), all Network Log configuration are set to INFO, need to raise them?

Regards.

These are certificates that are in field.

By default logs would be in debug mode. Please go to maintenance-->diagnostics-->diagnostic logs, start the logs on both the Exp-C & E and try to log in. Once it fails, you can modify the domain and IPs and then you can probably attach it here again.

Also if you can enable the developer.xcp and developer.edgeconfigprovisioning to debug under the support log before the above, that will give much more information to us about the process happening in the background.

Regards,

Alok

I modified developer.xcp and developer.edgeconfigprovisioning to debug. I attach the logs. I tried to log in with the mrossi user (the first time I was wrong with the password, second login attempt with the correct one).

Regards

Marco

First of all I want to say many thanks, Alok, for the issue resolution, and thank you for your availability. I've never received such pleasant support.

Let's comment on the issue and resolution:

When I tried to log in to Jabber from the internet, I had the alert message: "Unable to connect to Server". From the expC event log, we observed the message:

Level="INFO" Event="Alarm Lowered" Id="35014" UUID="eec2e63b-91f3-40b4-932b-4ab38586b220" Severity="warning" Detail="Unified Communications SSH tunnel notification failure: This system cannot communicate with one or more remote hosts: expe.my_domain_com"

But from the expC and expE GUI we observed the SSH tunnel as Active, so we focused on expE's internal DNS entry. Here was the trouble Alok found: the A record for expE was without reverse resolution. Now I have an internal DNS entry for expE with an A record (mapping the FQDN to the public IP), and the reverse record from the public IP to the FQDN.

Finally I was able to log in to Jabber with all services in place.

Please, Alok, correct me if this is the right analysis and if I omitted something else.

I find this community excellent for problem sharing and resolution every time, thank you so much.

That pretty much sums it up, Marco. Just one more addition to that: after the login we still had phone registration issues, even though the certificates were right, but when the service request is sent to Exp-C from Exp-E, Exp-C was sending 403 forbidden and in the Exp-C logs we saw it complains about an error "certificate was not active at this hour".

After we rebooted the Exp-C, the phone registration issue also got resolved.

Regards,

Alok
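
The diagnosis the thread arrived at, as an added example that is not part of the original posts or Cisco tooling: pull the remote host out of the `portforwarding` lines quoted above, then check that its A record and PTR record agree. The function names, the comma-separated host list in the alarm text and the address 192.0.2.10 are assumptions; the sample log is abridged from the lines in the thread.

```python
import re
import socket

# Expressway event-log lines carry their fields as key="value" pairs.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: the two lines quoted in the thread, with UUID/id/UTCTime removed.
SAMPLE_LOG = '''\
2017-05-08T10:07:35.018+02:00 portforwarding: Level="INFO" Event="Alarm Raised" Id="35013" Severity="warning" Detail="Unified Communications SSH tunnel failure: This system cannot communicate with one or more remote hosts: expe.my_domain_com"
2017-05-08T10:07:35.015+02:00 portforwarding: Level="ERROR" Detail="Client control socket open failed" forwarding="localhost:0:localhost:8443" user="_pfwd" host="expe.my_domain_com" retcode="255" err="Permission denied (publickey). "
'''

def tunnel_failure_hosts(log_text):
    """Return the remote hosts named in portforwarding failure lines."""
    hosts = set()
    for line in log_text.splitlines():
        if "portforwarding:" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if fields.get("Level") == "ERROR" and "host" in fields:
            hosts.add(fields["host"])
        elif "SSH tunnel" in fields.get("Detail", ""):
            # Assumption: several hosts, if present, are comma-separated.
            tail = fields["Detail"].rsplit(": ", 1)[-1]
            hosts.update(h.strip() for h in tail.split(",") if h.strip())
    return hosts

def check_forward_reverse(host, forward=None, reverse=None):
    """Forward-confirmed reverse DNS: host -> IP -> PTR name -> same host."""
    forward = forward or socket.gethostbyname
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    result = {"host": host, "ip": None, "ptr": None, "ok": False}
    try:
        result["ip"] = forward(host)
    except OSError:
        return {**result, "reason": "no A record"}
    try:
        result["ptr"] = reverse(result["ip"])
    except OSError:
        return {**result, "reason": "no PTR record"}
    ok = result["ptr"].rstrip(".").lower() == host.rstrip(".").lower()
    return {**result, "ok": ok, "reason": "match" if ok else "PTR names another host"}

if __name__ == "__main__":
    # Constructed resolver so the demo runs offline; omit it to query real DNS.
    for h in sorted(tunnel_failure_hosts(SAMPLE_LOG)):
        print(check_forward_reverse(h, forward=lambda name: "192.0.2.10"))
```

Run the DNS check from a machine that uses the same internal DNS servers as Exp-C, since the answer that matters is the one Exp-C receives.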