02-10-2021 03:44 AM
Hi,
We are getting the below events on Expressway-E:
2021-02-10T14:26:14.648+03:00 traffic_server[7829]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="104.128.83.98" Dst-port="37247" UTCTime="2021-02-10 11:26:14,648"
2021-02-10T14:26:14.648+03:00 traffic_server[7829]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="domainname.com" Src-ip="104.128.83.98" Src-port="37247" UTCTime="2021-02-10 11:26:14,648"
On Jabber we are getting the below error:
"you cannot login outside corporation"
CWA is just rotating.
On the device there is no change, the certificate is internal, but it was working.
Thanks
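The two event lines in the post above share the same client IP, port and timestamp. As an added example (not part of the original post and not Cisco code), this Python sketch parses the key="value" fields and pairs each get_edge_sso denial with the 403 sent to the same client socket. The sample lines are constructed with documentation IP addresses, and matching on an identical UTCTime is an assumption drawn from the two lines shown.

```python
import re

# Constructed sample modelled on the event format in the post (documentation IPs).
SAMPLE_LOG = '''\
2021-02-10T14:26:14.648+03:00 traffic_server[7829]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="203.0.113.10" Dst-port="37247" UTCTime="2021-02-10 11:26:14,648"
2021-02-10T14:26:14.648+03:00 traffic_server[7829]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="domainname.com" Src-ip="203.0.113.10" Src-port="37247" UTCTime="2021-02-10 11:26:14,648"
2021-02-10T14:27:02.101+03:00 traffic_server[7829]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="198.51.100.7" Dst-port="50112" UTCTime="2021-02-10 11:27:02,101"
'''

PAIR = re.compile(r'([\w-]+)="([^"]*)"')


def parse_event(line):
    """Return the key="value" fields of one event line as a dict."""
    return dict(PAIR.findall(line))


def triage(log_text):
    """Pair each edge SSO denial with the 403 sent to the same client socket.

    Returns (denials, unexplained_403s). Two passes are needed because the
    403 line can be logged before the denial that caused it.
    """
    events = [e for e in map(parse_event, log_text.splitlines()) if "Event" in e]
    sent_403 = {}
    for e in events:
        if e["Event"] == "Sending HTTP error response" and e.get("Status") == "403":
            sent_403[(e.get("Dst-ip"), e.get("Dst-port"), e.get("UTCTime"))] = e
    denials = []
    for e in events:
        if e["Event"] == "get_edge_sso" and e.get("Detail") == "Access denied":
            key = (e.get("Src-ip"), e.get("Src-port"), e.get("UTCTime"))
            denials.append({
                "client": e.get("Src-ip"),
                "domain": e.get("Domain"),
                "reason": e.get("Reason"),
                # True when the 403 to this client is explained by this denial.
                "got_403": sent_403.pop(key, None) is not None,
            })
    return denials, list(sent_403.values())


if __name__ == "__main__":
    found, leftover = triage(SAMPLE_LOG)
    for d in found:
        print(d)
    print("403s without a matching denial:", len(leftover))
```

Any 403 left in the second list was not caused by an edge SSO denial and needs a separate look.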
02-12-2021 09:46 AM - edited 02-13-2021 03:21 AM
The DNS server is responding that the A record is not found. This is where I would recommend you to start looking.
02-13-2021 04:24 AM - edited 02-13-2021 04:25 AM
Have you looked at your above reply, "So if anyone tries to resolve vcse.mycompany.com.tl from inside, it will resolve local IP (that is 192.168.3.100)"?
You need to look into the DNS entry.
Make sure that names and IP addresses are proper on internal DNS. If there are any mistakes, change them and flush DNS on Expressway C.
02-10-2021 06:33 AM
Can you check that all SRV records are configured properly and also check the SRV from the CSA tool?
Take logs from both E and C and run them on the CSA tool. This will give more information.
02-10-2021 07:32 AM
Hi,
SRV records are fine.
From inside everything is working fine.
I will check the logs from C and E.
Thanks
02-10-2021 07:43 AM
02-10-2021 09:37 AM - edited 02-10-2021 11:03 AM
Looks like your configuration for connection zone between C and E is not correct. Please look through your configuration and verify that configuration is as per the deployment guide.
02-10-2021 10:44 AM
Can you check your zones between E and C and make sure they are UP?
02-10-2021 01:09 PM
02-10-2021 01:43 PM - edited 02-10-2021 10:41 PM
Not sure if I understand what you mean that it's not a problem with your zone configuration, as both pictures show failed errors?
Please review the configuration guide for MRA and make sure you have correctly configured all things in both C and E. As the connection between these is dependent on name resolution, it's imperative that the DNS configuration, with the proper records present, is correct. One common issue is also certificates: the C and E use a PKI chain of trust to form the connection. If the C does not have the certificate(s) for the CA that signed the certificate for the E in its trust store, and the reverse for E to C, it will not form the trunk between these.
02-10-2021 08:17 PM
From the pictures shared, it looks like your configurations for zones are not correct. Also I see a DNS resolution error. Not sure what you configured on C and E, and also what your DNS configurations are.
I would recommend you to go through the below guide and correct your configurations.
02-11-2021 01:42 AM
02-11-2021 01:59 AM - edited 02-11-2021 02:10 AM
You need to check your internal DNS entries.
02-11-2021 02:37 AM
Hi,
Here is my domain setup.
I can resolve Expressway E's FQDN from any other machine except from 'C'.
test.com (internal) hosted internal
test.com (external) hosted at ISP
In the internal DNS server, there are A records for both E and C.
In internal, other than A records, there are SRV records _cisco-uds (pointed to CUCM) and _cuplogin (Jabber from inside is working and from outside it was also working; suddenly it stopped from outside).
Attached is the CSA report; Expressway C is trying to resolve the records from the dnscache.
Thanks
02-11-2021 03:33 AM
Hi,
It is dual NIC.
Thanks
02-11-2021 04:10 AM - edited 02-11-2021 04:11 AM
_cuplogin is no longer required. Flush DNS on Expressway C and E. Since you said it was working before, make sure all your certificates are valid too.
What's your internal DNS entry for Expressway E? Does this resolve to your Exp-E internal NIC?
Also run the SRV checker on the CSA tool.
02-11-2021 08:24 AM
Hi,
Certificates are valid, SRV record resolution is OK from both outside and inside.
I am really confused why EXP-C is not getting the IP address of EXP-E from the DNS server,
but it can resolve any other FQDN, public host and private host.
"What's your internal DNS entry for Expressway E? Does this resolve to your Exp-E internal NIC?"
It is just an A record.
I am not using any certificate from an EXTERNAL CA.
Thanks