Problems with MRA configuration

Hi everyone, in my company we are now deploying MRA, but I have some problems configuring the two Expressways. In particular, I get what you see in the attachments.


Can anyone help? Zones, search rules and domains are properly configured, I guess.


Thanks a lot.


Okay, well, thanks a lot... here is the screen of the zones configuration.

The system communication from Expressway E to C is broken.

  • Check that the firewall configuration is in place for all the ports from E to C.
  • I believe you have a single NIC deployment; I guessed this since you are using a public IP in the Expressway (FQDN resolved to the public IP of the Expressway).
  • If you feel the firewall and the rest of the configuration are good, please take the diagnostic logs from both Expressway E and Expressway C.
  • Either upload them here or use the Collaboration Solution Analyzer to check for possible errors. (URL: )



Thanks a lot. I found something wrong with my certificate configuration. I used OpenSSL and it says that the rootCA does not respect some constraints, but I followed the Cisco guideline, so I don't understand very well.

The zone state on E is Failed. Check your configuration and communication between the C and E.


Also check that the certificate chain of trust is established between both nodes. What type of certificates do you use on the E and C? Self-signed, internal CA or public CA signed?


Hi, I used certificates signed with a rootCA. In particular, the rootCA was made using OpenSSL. The CSRs are generated by the Expressways and then the CSRs were signed by the rootCA using OpenSSL. I followed this guide, .
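A way to check a private OpenSSL root before uploading it to the Expressway trust stores, as an added example that is not part of the original thread. It assumes the constraint OpenSSL complained about is `basicConstraints` (the thread does not say which one), and every name and key in it is constructed.

```shell
#!/bin/sh
# Added example. All keys and names (lab-root, expe.example.test) are constructed.

# make_root DIR FLAG: self-signed root in DIR with basicConstraints CA:FLAG.
make_root() {
    mkdir -p "$1"
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:%s\n' \
        "$2" > "$1/root.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/root.cnf" \
        -subj "/CN=lab-root" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
}

# sign_server DIR: create a CSR and sign it with DIR's root (stands in for an Expressway CSR).
sign_server() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/root.cnf" \
        -subj "/CN=expe.example.test" -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\n' > "$1/srv.ext"
    openssl x509 -req -in "$1/srv.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 2 -extfile "$1/srv.ext" -out "$1/srv.pem" 2>/dev/null
}

# root_is_ca PEM: true only if the certificate asserts basicConstraints CA:TRUE.
root_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# chain_ok DIR: true only if the server certificate verifies against DIR's root.
chain_ok() {
    openssl verify -CAfile "$1/root.pem" "$1/srv.pem" 2>/dev/null | grep -q ': OK$'
}

work=$(mktemp -d)
make_root "$work/bad" FALSE && sign_server "$work/bad"    # root wrongly marked as non-CA
make_root "$work/good" TRUE && sign_server "$work/good"   # root marked as a CA
for d in bad good; do
    if root_is_ca "$work/$d/root.pem"; then ca=yes; else ca=no; fi
    if chain_ok "$work/$d"; then v=OK; else v=FAILED; fi
    echo "$d root: CA:TRUE=$ca, server certificate verify=$v"
done
```

Running `root_is_ca` and `chain_ok` against the real root and the signed Expressway certificates shows whether the chain of trust holds before anything is uploaded.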

I would prefer going with dual NIC.


Example configuration

Expressway C




Internal  DNS Records

  • Certificate

    • Generate CSR, sign the certificate using the internal CA of the domain
    • Upload the CA root to trust
    • Upload the server certificate.






  • Generate CSR, sign the certificate using the internal CA of the domain
  • Upload the CA root certificate to trust
  • Upload the server certificate.

Internal  DNS Records SRV service location:
priority = 6
weight = 30
port = 8443
svr hostname


Do the same with other nodes.


Expressway E




Public IP


Internal DNS


  • Create  subzone 
  • A record(Forward and reverse Lookup) in
  • Certificate

    • Generate CSR, sign the certificate using a public CA (whatever your provider)
    • While generating the CSR, the DNS field should have entry
    • Upload the public CA root to Expressway C and E trust
    • Upload root CA of  to trust
    • Upload the server certificate.

Public DNS Records


  • A record(Forward and reverse Lookup)  <<YOUR PUBLIC IP>>
  • SRV pointing to above IP/Hostname


When configuring dual NIC, use your network design; the above is just an example configuration.



Thanks a lot, I will give this configuration a shot and I'll let you know.

You need to look into a few more things related to your DNS and NIC design.


Are your external and internal domains the same?


Can you provide the details of the DNS entries (both internal and external)?


I never worked with single NIC, but AFAIK there is some firewall hairpinning to be done for this to work.


Hi, the internal and external domain are not the same. In particular the internal is and the external is .


There is not much difference from what @Nithin Eluvathingal mentioned when you have separate domains.

Add both domains in the Expressway under Configuration >> Domain.


SRV records still remain the same if your users use the same URI format to log in to Jabber. But this comes later. First, you have to correct all the config in the Expressway.


  1. Did you check everything mentioned by the community members @Nithin Eluvathingal @Roger Kallberg in this thread?
  2. Did you create the Unified Communication traversal zone for MRA?
  3. If you suspect an issue with the certificates, use the traversal test tool to verify whether the issue is with the certificates or not: Maintenance >> Security >> Secure traversal test
  4. Ensure that you have NTP configured correctly on both Expressway servers.
  5. If you still think the config seems to be good, please upload the Expressway diagnostic logs.



It's Unified Communication traversal.


The attached images are from my lab Expressway C and E for MRA version 12.5.


The image which you shared is the UC configuration on the Expressway and it's not a zone. Can you create a Unified Communication traversal zone?





Please share screenshots of:

  1. Configuration >> Unified Communications >> Unified CM Servers
  2. Configuration >> Zone, where you find the zone of type Unified Communication traversal zone created between Expressway E and C. Take a screenshot of it, or provide a screenshot of the list of zones.

If you don't have one, please configure it.