MTLS does not take effect

sallysa124
Level 1

My Expressway version is X12.6.1, Mutual TLS mode is on, and both the CA certificate and the server certificate have been imported. I then configured a DNS zone with TLS verify mode on and a TLS verify subject name set.

When I initiated the call, I found that DNS first queried an SRV record containing port number 5062, but the Expressway continued to query the A record and finally initiated a connection to port 5060 on the other end, instead of using port 5062.


7 Replies

b.winter
VIP

You should update your Expressway. X12.6.1 is a veeery old version.
About your problem: Why should the Expressway not query the A record? How else should the Expressway find the IP address?
Maybe port 5062 is not enabled on the other side, or doesn't support mTLS? Maybe you should check the other side first, instead of looking for an issue in Exp.

The other side's mTLS is enabled and 5062 is listening; the Expressway check connectivity is OK.

sallysa124_0-1713171609701.png

Have you checked the network logs? Have you checked the pcap trace?
Without any logs, it could be anything.

Looking at the log and packet capture, we can see that the connected port is 5061 and the connection failed. Shouldn't we connect to port 5062?
sallysa124_0-1713235067932.png

sallysa124_1-1713235116175.png

sallysa124_3-1713235248855.png

sallysa124_2-1713235177685.png

Every possible issue is there in your screenshots^^

Why is the SRV record resolved to an IP address? SRV records are resolved to A-Records (FQDN). And then the corresponding A-Record is resolved to an IP address.

bwinter_0-1713254259416.png

You cannot even establish a secure connection on port 5061. The TLS negotiation is cancelled (see your second screenshot).

and your last screenshot provides you with why:

bwinter_1-1713254389619.png
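The resolution chain b.winter describes (SRV target, then the target's A record, then the IP), as an added Python example that is not from this thread or from Cisco: it walks a constructed zone, flags an SRV whose target field holds an IP literal (the misconfiguration in this thread) and returns the (ip, port) pairs a resolver would try. The `_sips._tcp` service label, the host names and the addresses are constructed assumptions.

```python
import ipaddress

# Constructed zone data (hypothetical names); SRV rows are (priority, weight, port, target).
SRV_RECORDS = {
    "_sips._tcp.good.example.": [
        (10, 60, 5062, "edge1.good.example."),
        (10, 40, 5062, "edge2.good.example."),
        (20, 0, 5062, "backup.good.example."),
    ],
    # The misconfiguration from the thread: an IP literal in the target field.
    "_sips._tcp.bad.example.": [(10, 10, 5062, "203.0.113.10")],
}
A_RECORDS = {
    "edge1.good.example.": "203.0.113.1",
    "edge2.good.example.": "203.0.113.2",
    "backup.good.example.": "203.0.113.3",
}

def check_srv_target(target):
    """Return None if target is a usable hostname, otherwise the reason it is not.
    RFC 2782: the target is a domain name owning A/AAAA records; "." means the
    service is unavailable, and an IP literal is not a name, so the chain stops."""
    name = target.rstrip(".")
    if not name:
        return "target '.' means the service is explicitly unavailable"
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return None          # not parseable as an address: a hostname, good
    return f"SRV target {target!r} is an IP literal, not a hostname"

def resolve_srv_chain(service, srv=SRV_RECORDS, a=A_RECORDS):
    """SRV -> A chain. Returns (targets, problems): targets is a list of
    (ip, port) ordered by priority then weight (a real resolver randomises by
    weight within a priority level; this is deterministic for the test)."""
    targets, problems = [], []
    for _prio, _weight, port, target in sorted(
            srv.get(service, []), key=lambda r: (r[0], -r[1])):
        reason = check_srv_target(target)
        if reason:
            problems.append(reason)
            continue
        ip = a.get(target)
        if ip is None:
            problems.append(f"no A record for SRV target {target!r}")
            continue
        targets.append((ip, port))
    return targets, problems
```

Running `resolve_srv_chain("_sips._tcp.bad.example.")` returns no usable targets and a single problem naming the IP literal, which is exactly the point where the Expressway in this thread fell back to the plain A record.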

Thank you, my problem is solved. The reason is that the IP address was filled in directly in the SRV record.

If your problem could be resolved, I would appreciate an "accepted solution".