MRA - TLS between ExpresswayC and CUCM

Sinisa Hreljac (Level 1)

Hello to all,

As of Expressway 14.2 (and 14.0.9) Cisco changed the behaviour of Expressway TLS verification, so it is now on by default.

CSCwc69661 : Bug Search Tool (cisco.com)

Troubleshoot Expressway Traffic Server Certificate Verification for MRA Services Introduced by CSCwc69661 - Cisco

It is stated that with the workaround "xConfiguration EdgeConfigServer VerifyOriginServer: Off" it should still work even if there is no valid CA or CUCM certificate on Expressway.

With this, we have two problems:

1. Our setup is that CUCM is not using DNS or a domain name and has only self-signed certificates. That has worked OK for years with our Expressway E/C pair for MRA. Now, with the update to 14.2, even if we implement the mentioned workaround, IP phones cannot register. Jabber clients can, and they work OK. I've opened a TAC case for this as, per the documentation, with the workaround everything should work like in version 14.0.8, but it does not. Still no solution from TAC.

2. With "xConfiguration EdgeConfigServer VerifyOriginServer: On" I tried in a LAB environment to convert our CUCM system to using DNS and a domain so we can use the TLS check. After configuring it, CUCM restarted and regenerated its self-signed certificates, and now they contain the FQDN of CUCM. I've imported those certificates into the Expressway-C CA trust store and reconfigured Expressway-C to use the FQDN for CUCM instead of IP addresses. In the status everything looks OK; Expressway is connected to CUCM. When trying to connect with Jabber, in the Expressway logs I see that the GET requests for /cucm-uds/clusterUser, /cucm-uds/servers and /cucm-uds/version contain the FQDN of CUCM, and that looks OK. However, for /cucm-uds/user there are still IP addresses instead of the FQDN. Because of that, TLS verification fails, as the IP address of CUCM is not contained in the self-signed CUCM certificate, so Jabber cannot register.

I'm not finding the reason why the GET request for user (http://ip_of_cucm:8443/cucm-uds/user/username@domain.com) is using the IP address instead of the FQDN.

I'm trying to find a solution for 1. or 2., as for now it looks like we cannot upgrade Expressway-C to a version higher than 14.0.8.
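An added example (not part of the original post, and not Cisco's or Expressway's own code) that models the check problem 2 runs into: the host of each UDS GET request is taken from the URL and compared with the Subject Alternative Names of the CUCM certificate, the way a TLS client verifies a server name. Hostnames, IP addresses, SAN entries and request lines below are constructed for illustration, and the matching rules assume standard RFC 6125 behaviour (dNSName entries match hostnames, iPAddress entries match IP literals, neither matches the other); how Expressway implements the comparison internally is not documented here. It shows why three requests that carry the FQDN pass while the /cucm-uds/user request that still carries the IP fails, and that only turning the check off makes the IP request pass.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed: SANs of a CUCM self-signed certificate regenerated after the
# cluster was switched to DNS/FQDN. Note there is no iPAddress entry.
CUCM_CERT_SANS = [
    ("dNSName", "cucm-pub.example.com"),
    ("dNSName", "cucm-sub1.example.com"),
]

# Constructed: request lines in the shape of the UDS GETs described in the post.
# Only the last one still carries the CUCM IP address instead of the FQDN.
SAMPLE_REQUESTS = [
    "GET https://cucm-pub.example.com:8443/cucm-uds/clusterUser?username=jdoe",
    "GET https://cucm-pub.example.com:8443/cucm-uds/servers",
    "GET https://cucm-pub.example.com:8443/cucm-uds/version",
    "GET https://10.10.10.5:8443/cucm-uds/user/jdoe@example.com",
]


def is_ip_literal(host):
    """True if the URL host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    """RFC 6125 style dNSName comparison: case-insensitive, and a wildcard is
    only honoured as the entire leftmost label (*.example.com)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        host_labels = host.split(".")
        # The wildcard replaces exactly one label, and a wildcard that is too
        # far left (e.g. *.com) is refused by requiring at least three labels.
        return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]
    return pattern == host


def san_matches(sans, host):
    """Would a TLS client accept `host` for a certificate carrying these SANs?
    An IP literal only matches an iPAddress entry; a hostname only a dNSName."""
    if is_ip_literal(host):
        wanted = ipaddress.ip_address(host)
        return any(kind == "iPAddress" and ipaddress.ip_address(value) == wanted
                   for kind, value in sans)
    return any(kind == "dNSName" and dns_name_matches(value, host)
               for kind, value in sans)


def check_requests(lines, sans, verify_origin_server=True):
    """Map each UDS request path to (host used, verification outcome).
    verify_origin_server=False models 'VerifyOriginServer: Off': the host is
    never compared with the certificate, so every request is accepted."""
    results = {}
    for line in lines:
        url = urlparse(line.split(" ", 1)[1])
        host = url.hostname
        accepted = (not verify_origin_server) or san_matches(sans, host)
        results[url.path] = (host, accepted)
    return results


if __name__ == "__main__":
    for path, (host, ok) in check_requests(SAMPLE_REQUESTS, CUCM_CERT_SANS).items():
        print(f"{path:<40} host={host:<22} {'OK' if ok else 'FAIL: host not in SAN'}")
```

Running it lists the three FQDN requests as OK and /cucm-uds/user as failing because the certificate has no iPAddress entry for 10.10.10.5; a dNSName entry that merely spells out the IP would not rescue it either, since clients compare IP literals only against iPAddress entries. The same script, fed the SANs from `openssl x509 -noout -ext subjectAltName` on the real CUCM certificate and the hosts seen in the Expressway logs, tells you before enabling VerifyOriginServer which requests would be rejected.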


6 Replies

Have you refreshed, or possibly even removed and then re-added, the CM and IMP systems on your C after you made the change to have it use names? Also, can you please share a screenshot of your CM System > Server page? These need to be FQDNs.

For your first question, the long-term solution is to use FQDNs for the names on all nodes and to get CA-signed certificates. This can very well be an internal CA; many companies use that for any internal-facing certificates. For MRA the only certificate that is recommended to be signed by a public CA is the one on the E, as that is the one used by clients when they are outside your corporate network premises.





OK, for #2 I missed changing the IP address to the FQDN on CM System > Servers. Thanks to both of you for pointing it out!

However, we would prefer to make this work with scenario #1. The thing is that our production CUCM cluster is a complex multi-country and multi-company solution, so putting DNS and a domain on CUCM is not so easy to do without the risk of failures on all the other systems that we have. It is a 24/7 system with contact centers, so every change that is applied globally is a big risk and causes some downtime. As per the documentation, turning off "xConfiguration EdgeConfigServer VerifyOriginServer" should do the job, but there is obviously some problem with IP phones while Jabber works OK.


The de facto way to set up CM has for many years now been to use FQDNs and signed certificates. Not following the recommendation given by Cisco will bring you issues without a doubt.





TechLvr (Spotlight)

In CUCM, under UC Service, did you enter your CUCM by IP address or FQDN? It needs to be entered by FQDN.

Also, under System > Server, make sure CUCM is entered by FQDN. 

Reset Jabber and try again. 

Excellent, I missed CM System > Server... I didn't change it to the FQDN. Now it works with solution #2. Thanks!

Sinisa Hreljac (Level 1)

I have an update about this issue.

In my LAB I have recreated our production system and done some testing. I converted everything to use FQDNs, certificates, TLS...

However, I still came to the same issue that IP phones cannot register, but I found exactly the moment when they start to fail. So, after upgrading Expressway-C from 14.0.8 to 14.2 (no matter whether the CUCMs are using FQDNs or not), IP phones CAN register over MRA. The trigger for registration starting to fail is when the "Save" button is pressed on Configuration > Domains > <domain name> and Expressway-C is restarted. It is not necessary for anything to be changed in the domain configuration; it is enough to press the Save button and restart Expressway. After this action, IP phones cannot register over MRA. In the Expressway-C logs there are entries "No UCM or TFP server found". At the same time, Cisco Jabber works fine and can register over MRA.

I have done many tests and tried different approaches to upgrading Expressway-C from 14.0.8 to 14.2, with or without the CUCMs defined as FQDNs, and there is always the same behaviour as mentioned before.