The system communication from Expressway E to C is broken.

• Check the firewall configuration is in place for all the ports from E to C.
• I believe you have a single NIC deployment, I guessed since you are using public IP in the expressway (FQDN resolved to public IP of expressway) 
• if you feel the firewall and rest of the configuration is good. Please take the diagnostic logs from both expressway E and expressway C. 
• Either upload here or use the collaboration solution analyzer to check the possible errors. (URL: https://cway.cisco.com/csa )

Regards,

Thanks a lot.. i found something wrong with my certificates configuration ..I used OpenSSL and it says that the rootCA does not respect some constraints.. but i followed the cisco guideline.. so I don't understand very well.

The zone state on E is Failed. Check your configuration and communication between the C and E.

Also check that the certificates chain of trust is established between both nodes. What type of certificates do you use on the E and C? Self signed, internal CA or public CA signed.

Hi, I used certificates signed with a rootCA. In particular, the rootCA is made by using OpenSSL. The csr are generated by the expressways and then the csr has been signed by the rootCA using OpenSSL. I followed this guide, https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X12-5.pdf .

Thanks a lot, i will give a shot to this configuration and I'll let you know.

Your need to look in to few more things related to your DNS and NIC design. 

Your external and internal domain, is it same.

Can you provide the details of DNS ( both internal and external) entries.

I never worked with single NIC, But AFAIK there is some firewall hair pining to be done for this work. 

Hi, the internal and external domain are not the same. In particular the internal is internal.domain.it and the external is domain.it .

Hi, 

There is no much difference than @Nithin Eluvathingal mentioned when you have separate domains. 

Add both domains in the expressway Configuration >> Domain 

• internal.domain.it
• domain.it

SRV records still remain the same if your users use the same URI format to login to jabber. But this comes later. first, you have to correct the all config up in the expressway. 

1. Did you check everything mentioned by the community members @Nithin Eluvathingal  @Roger Kallberg in this thread?
2. Did you create the unified communication traversal zone for MRA?
3. If you suspect an issue with the certificates, use the traversal test tool to verify the issue with certificates or not. Maintenance >> Security>>Secure traversal test
4.  ensure that you have NTP configured correctly on both expressway servers
5. if you still think the config seems to be good, please upload the expressway diagnostic logs

Regards,

Its unified Communication traversal.

Attached image are  from my lab expressway C and E for MRA version12.5

For details on the zone look at this section in the configuration document https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_mra-expressway-deployment-guide/exwy_b_mra-expressway-deployment-guide_chapter_01000.html?referring_site=RE&pos=3&page=https://www.cisco.com/c/en/us/td/docs/voic...

It is quite well documented, recommend you to read the links provided by me and others in this post.

The image which you shared is UC configuration on expressway  and its not Zone. can you create a Unified communication traversal zone.

Hi, 

Please share the screenshot of 

1. Configuration >> Unified Communications >>Unified CM Servers 
2. Configuration >> Zone, you find the zone with type Unified Communication traversal zone created between expressway E and C. Take a screenshot of it. or provide the screenshot of the list of the zone. 

if you don't have one, please configure it. 

Regards,

Shalid