
MRA - No Media

Dean O'Meara
Level 1

Hi,

Hoping someone can help.

I have recently set up the below in my lab:

CUCM 11.5.1
IMP 11.5.1
Unity 11.5.1
Expressway-c: x8.8
Expressway-e: x8.8
Windows 2008 AD Server

All is working well internally and audio / video calls can take place successfully. However, if I attempt to log in externally using MRA, login works fine and phone services come up (presence is shown for internal users), but when I dial into someone internally the call signalling works, as the device internally rings; when answered, however, I get no media whatsoever on both devices. I am able to IM internal users externally, however.

The external caller stays connected regardless; however, the internal user disconnects after around 10 seconds (I am assuming this is because no media was detected).

The firewall that I am using is an ASA 5505, and when the call comes in I see no blocked packets. I have even opened up the rule to IP and attempted the call, but I still get the same issue.

Brief explanation below of my MRA setup

Internet - ASA - Expressway-E - Expressway-C - UC Environment

As I am unable to give my Expressway-E a public address, I have applied the Advanced Networking key and added my public address under the IPv4 static NAT address. I have also had to create a NAT rule on the ASA so this is then accessible publicly, which I can verify as working as I am able to access the Expressway-E web interface externally and able to log in.

Any suggestions as to what I should try next would be great.
Thanks all. 

16 Replies

carlnewton
Level 3

Try switching off the SIP ALG on the ASA

Thanks Carl,

Looking at the configuration on the ASA, SIP ALG is not enabled; under the Policy Map this is only enabled for DNS.

policy-map type inspect dns preset_dns_map

I recall turning on SIP ALG as this was causing issues when working from home & joining VC Meetings.

Ah ok.

I had similar issues with one customer whereby the IPS inspection was causing issues.

What I ended up doing in the end was a packet capture on the expressways (using the maintenance diagnostics system) and inspecting stuff there.

Check that the IPs in the SDPs are correct and also see where the media is going missing. If you see the Expressway E sending it inbound but the Expressway C not receiving it, you've found your problem.

Also note that the IPs will be a bit confusing: from memory, the media from C to E will be sent to the external IP of the EXP-E, but the media from EXP-E to C will be sent from its internal IP.
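The SDP check suggested in the reply above can be scripted. This is an added example, not part of the original thread: it pulls the connection address and port for each media stream out of an SDP body taken from the capture and flags any stream whose address is not one you expect at that capture point. The function names, the sample SDP and its addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample SDP (not from the thread); addresses are private-range
# and documentation-range placeholders.
SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 10.0.0.20
s=-
c=IN IP4 10.0.0.20
t=0 0
m=audio 36000 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
m=video 36002 RTP/AVP 97
c=IN IP4 203.0.113.10
a=rtpmap:97 H264/90000
"""

def media_endpoints(sdp):
    """Return [(media, address, port)] for each m= line. A media-level c= line
    overrides the session-level c= line for that stream."""
    session_addr = None
    streams = []  # each entry: [media, address or None, port]
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("c="):
            parts = line[2:].split()          # nettype, addrtype, address
            if len(parts) != 3:
                continue
            addr = parts[2].split("/")[0]     # drop multicast TTL/count suffix
            if streams:
                streams[-1][1] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            fields = line[2:].split()         # media, port, proto, formats...
            if len(fields) < 2:
                continue
            streams.append([fields[0], None, int(fields[1].split("/")[0])])
    return [(m, a or session_addr, p) for m, a, p in streams]

def unexpected_endpoints(sdp, expected_addrs):
    """Return the streams whose connection address is missing, is a hostname,
    or is not in expected_addrs (the addresses you expect at this capture point)."""
    expected = {ipaddress.ip_address(a) for a in expected_addrs}
    flagged = []
    for media, addr, port in media_endpoints(sdp):
        try:
            ok = ipaddress.ip_address(addr) in expected
        except (ValueError, TypeError):
            ok = False
        if not ok:
            flagged.append((media, addr, port))
    return flagged
```

Run it against the SDP seen on each leg of the call and compare the flagged address and port with the flows actually present in the packet capture.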

Suresh Hudda
VIP Alumni

Is Exp C's traversal client zone pointing to Exp E's private IP address or public IP address? It should point to Exp E's public address.

Suresh

Hey.

The Expressway has only one IP address, which is private; however, I have put the public IP under IPv4 static NAT address.

I currently am using the DNS name for the traversal client zone from Exp-c to Exp-E which would be its internal address.

I will try changing this to my public address and see if this works.

Yes, this seems to be an issue. You need to put the FQDN of Exp E there and need to create an A record in internal/enterprise DNS which will point to the public IP address of Exp E.

Suresh

Thanks. I have changed the A Record to point to the public address, which has broken the traversal zone, which is what I expected, as anything on the private range will not be able to access the expressway on the public using the public address due to the NAT.

Any idea what command I can run on the ASA to allow access internally? Essentially hairpinning the NAT?

You just need to make sure that the public address inbound from the outside is NATed to the address of the Expressway E private address. You are right, it's hairpinning it, but it should be no different to a regular inbound NAT; as long as your Expressway C is allowed to access the address you're NATing to, then it should be fine.

This might be what you need

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-firewalls/1150-cisco-asa-firewall-nat-reflection-loopback-hairpinning-configuration.html

Now you have to configure NAT reflection in the firewall if it's not configured.

NAT reflection configuration on the ASA firewall is described in the document below, with an example.

http://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/118992-configure-nat-00.html

Suresh

Thanks.

All the documents seem to be referring to a 3 legged firewall; however, I am using two interfaces, and given the Expressway-E is on a VM on the same host as the Expressway-C, I cannot create another interface.

Do you have any idea how it can be done with two interfaces? Using the Outside port maybe?

Hi Dean,

What do you mean by interface? Is it the network interface on the server (vmnic port)? If yes, then yes, you should use different interfaces for Exp C & E, and the IP addresses should also be in different subnets for Exp C & E, and you have already enabled Static NAT for the public IP address on Exp E.

Suresh

Rajkumar Yadav
Level 4

Hi,

You are missing port numbers 2777 and 2776. Have you opened these ports between the Expressway C and E?

Regards,

Raaj

Hi,

No firewall between Expressway C & E.

Internet - ASA - Expressway-E - Expressway-C - UC Environment