Hi,
we are getting the below events on expressway -e
2021-02-10T14:26:14.648+03:00 traffic_server[7829]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="104.128.83.98" Dst-port="37247" UTCTime="2021-02-10 11:26:14,648"
2021-02-10T14:26:14.648+03:00 traffic_server[7829]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="domainname.com" Src-ip="104.128.83.98" Src-port="37247" UTCTime="2021-02-10 11:26:14,648"
on jabber getting the below error
"you cannot login outside corporation
cwa just rotating
The device there is no change, the certificate is internal ,but it was working
Thanks
What @Nithin Eluvathingal is asking you is if your A record for the E in the internal DNS is setup with the IP address of the internal network interface on the E? That’s what the C is communicating with, so that’s what it has to resolve.
Below should be the configuration since you are using the Dual Nic.
Internal DNS Enteries:-
- SRV _cisco-uds to CUCM
- A record's for CUCM,IM ,Expressway-C.
- Since you are using single domain, on domain.com internal create A record for expressway E resolving to expressway-E's internal NIC.
Certificates
- Generate CSR form expressway C and sign it using internal CA and upload both Root and server certificate.
- Generate CSR from Expressway E and sign it using external CA and upload both root and server certificate.(mandatory:- DNS entry on csr should have your domain.com)
- Upload public Root CA on Expressway C and upload internal Root CA on Expressway E
Public DNS.
- A record of expressway E to your Static IP
- Srv Edge to above host name or static IP.
The DNS server is responding that the A record is not found. This is where I would recommend you to start looking.
You said your domain is single domain , But from the logs I see vcse.mycomany.com and your DC in mycomany.local. is this a single domain environment ? what's your expressway C and ipt serve domain and what is your outside domain ?
I recommend you to read the design guide shared.
test.com (intenal) hosted internal
test.com (external) hosted at ISP
Do the C use the same DNS server(s) as the computer where you have tested the name resolution from?
Whats the Domain name of Expressway C is this mycompany.local?
As @Roger Kallberg mentioned on expressway C, is it using the same DNS as the PC you are able to resolve the Express-E ?
@susim wrote:
Do the C use the same DNS server(s) as the computer where you have tested the name resolution from?
Yes
Thanks
Then I have no more ideas. For sure something in you setup is at fault, as the packet capture shows that the name query for the FQDN of the E from the C is resulting in A record not found.
I know you have written before that it's a A record, but are you 100% sure that you do not use a CNAME or Host record in the DNS and that the value you have put in the C and E for the traversal zone is the A record? Would you mind to take screenshots of these records, C and E, in DNS and also of the traversal zone configuration in both E and C and not masking the names? If you absolute want to mask it, would it be possible that you just change out the domain part so that the rest is visible and untouched?
Asper your reply your vcse.mycompany.com.tl should resolve to 192.168.3.100 and your DC ip is 192.168.100.10 the screenshot you shared when expressway C trying to resolve vcse.mycompany.com.tl has 192.168.3.100 And 192.168.100.10.
So 192.168.3.100 is this expressway E or C ? have you configured proper entry on DNS ?
Do you have forward and reverse entry for vcse.mycompany.com.tl in your DC ?
