Presence Inter-domain Federation with Lync

Jason Neurohr · ‎03-20-2013

Hi All,

I'm having an issue getting presence inter-domain federation working with lync. Viewing the trace for the "Cisco UP XCP SIP Federation Connection Manager" when I attempt to send a message from the presence client to a lync user I see the below. (also not receiving any presence information for the user)

Any help is greatly appreciated.

Presence Version: 8.6.3.10000-20

CUCM Version: 8.6.2.22900-9

10:08:23.645 |SIPStack.cpp:55: INFO - TRANSPORT - <-- SIP/2.0 488 Not Acceptable Here

10:08:23.645 |SIPStack.cpp:55: INFO - TRANSPORT - Via: SIP/2.0/TCP 10.2.0.205:5080;received=10.2.0.205;branch=z9hG4bK-514a4167-8a0f7bfc-27672377

10:08:23.645 |SIPStack.cpp:55: INFO - TRANSPORT - From: <sip:jneurohr@domain.com>;tag=b466ac78-cd00020a-13d8-45026-514a4167-6933f999-514a4167

10:08:23.645 |SIPStack.cpp:55: INFO - TRANSPORT - To: <sip:lync.user@lync.com>;epid=c08d7f8f34;tag=e6a7b13792

10:08:23.645 |SIPStack.cpp:55: INFO - TRANSPORT - Call-ID: b2e63870-cd00020a-13d8-45026-514a4167-2f2bd24b-514a4167

10:08:23.645 |SIPStack.cpp:55: INFO - TRANSPORT - CSeq: 1 INVITE

10:08:23.645 |SIPStack.cpp:55: INFO - TRANSPORT - Record-Route: <sip:lync.user.fd1aaf18-85cf6835-2c7a04c9-db9ef89@10.2.0.205:5061;maddr=cups.domain.com;transport=tls;lr>

10:08:23.645 |SIPStack.cpp:55: INFO - TRANSPORT - User-Agent: UCCAPI/4.0.7577.4356 OC/4.0.7577.4356 (Microsoft Lync 2010)

10:08:23.645 |SIPStack.cpp:55: INFO - TRANSPORT - Ms-client-diagnostics: 52033; reason="Incoming conversations are blocked over federation link"

10:08:23.645 |SIPStack.cpp:55: INFO - TRANSPORT - Content-Length: 0

10:08:23.645 |SIPStack.cpp:55: INFO - TRANSPORT - ms-asserted-verification-level: ms-source-verified-user=verified

Systems Integration · ‎03-21-2013

Hi,

Did you get a resolution this you issue? I having the exact same issue now

Thanks

Neil

Jason Neurohr · ‎03-21-2013

No not yet, Once I find a solution I'll be sure to post it, as I couldn't find any information on this particular problem.

Jason Neurohr · ‎03-21-2013

Additionaly I see the following:

10:10:43.671 |SIPStack.cpp:68: DEBUG - MSGBUILDER - ReportTcpCompleteMsgBuffer - pConn 0x0xb76f22d8: TCP message Rcvd, 10.2.0.205:5080<-10.2.0.205:5060, size=491

10:10:43.671 |SIPStack.cpp:55: INFO - TRANSPORT - <-- SIP/2.0 403 Forbidden

10:10:43.671 |SIPStack.cpp:55: INFO - TRANSPORT - From: <>jneurohr@domain.com>;tag=b500cd78-cd00020a-13d8-45026-514b9373-62d85957-514b9373

10:10:43.671 |SIPStack.cpp:55: INFO - TRANSPORT - To: <>lync.user@lync.com>;tag=504E4CDE19BCAAFE664C5E43C9591D20

10:10:43.671 |SIPStack.cpp:55: INFO - TRANSPORT - Call-ID: b3804470-cd00020a-13d8-45026-514b9373-44191229-514b9373

10:10:43.671 |SIPStack.cpp:55: INFO - TRANSPORT - CSeq: 1 SUBSCRIBE

10:10:43.671 |SIPStack.cpp:55: INFO - TRANSPORT - Via: SIP/2.0/TCP 10.2.0.205:5080;received=10.2.0.205;branch=z9hG4bK-514b9373-8f37fbb3-5283cb5d

10:10:43.671 |SIPStack.cpp:55: INFO - TRANSPORT - Server: RTC/4.0

10:10:43.671 |SIPStack.cpp:55: INFO - TRANSPORT - Content-Length: 0

10:10:43.671 |SIPStack.cpp:55: INFO - TRANSPORT - ms-asserted-verification-level: ms-source-verified-user=verified

Jason Neurohr · ‎03-24-2013

it appears to be caused by the licence limit on our ASA firewalls. As I built an entire lync lab so I would have total control over both the cups and lync environments to troubleshoot the issue, and this is the only fault I can see which could be causing the problem:

TLSP d9927ee0: Using trust point 'ASDM_TrustPoint2' with the Client, RT proxy d860e298

TLSP d9927ee0: Waiting for SSL handshake from Client outside:ip.ip.ip.ip/49215.

TLSP d9927ee0: --> Proxy Rx 140 bytes

TLSP d9927ee0: <== Proxy Tx 4096 bytes

TLSP d9927ee0: <== Proxy Tx 732 bytes

TLSP d9927ee0: --> Proxy Rx 1380 bytes

TLSP d9927ee0: --> Proxy Rx 603 bytes

TLSP d9927ee0: <== Proxy Tx 47 bytes

TLSP d9927ee0: Generating License syslog

TLSP d9927ee0: Failed to acquire a license

TLSP d9927ee0: new event: KILL_FLOW

neil.moran · ‎03-25-2013

Hi Jason,

This is Neil again under my own CCO, I had a problem with my ASA licesnse, I got the license for the number of TLS-Proxy instances increased from 2 to 52. This however did not fix the issue I was still getting the same error messages as you on the outbound SIP message coming back from the Lync Server.

On the inbound SIP messages I was getting "SIP/2.0 407 Authentication Required" on my CUPS Server. To fix this issue you have to set the "Default Cisco SIP Proxy TLS Listener - Peer Auth" from port from 5062 to 5061, you can't change this value to 5061 without changing the "Default Cisco SIP Proxy TLS Listener = Server Auth" to be 5062 or something else first. note you have to set Default Cisco SIP Proxy TLS Listener - Server Auth = 5063 or any unassigned port, then you can swap these around. This is found in CUPS Admin under System=>Application Listeners

Once you set Default Cisco SIP Proxy TLS Listener - Peer Auth = 5061. The Federation worked for me.

Regards

Neil

Jason Neurohr · ‎03-25-2013

Hi Neil,

Thanks for the follow up. I believe doing this is documented in the intradomain federation guide, but not mentioned in the interdomain federation guide. Can you paste in what you have configured on your ASA? As we have the NAT redirecting 5061 externally to 5062 internally as per the guide so would think making it 5061 and then changing the NAT wouldn't achieve anything?

Edit: tried this, this morning and it made no difference to what I was seeing. Would be handy to see what you have configured on the ASA

Jason Neurohr · ‎03-25-2013

I see this happening frequently on the ASA where the cups server initiates an outbound connection to the far end lync edge on port x, which the asa replaces with port y.

The far then lync then replies with a destination of port x instead of port y so the session just drops.