
You cannot login outside corporation network - Jabber client

susim
Level 3

Hi,

We are getting the below events on Expressway-E:


2021-02-10T14:26:14.648+03:00 traffic_server[7829]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="104.128.83.98" Dst-port="37247" UTCTime="2021-02-10 11:26:14,648"
2021-02-10T14:26:14.648+03:00 traffic_server[7829]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="domainname.com" Src-ip="104.128.83.98" Src-port="37247" UTCTime="2021-02-10 11:26:14,648"

 

On Jabber I am getting the below error:

"you cannot login outside corporation

CWA is just rotating.

There is no change on the device and the certificate is internal, but it was working.

Thanks

 


What @Nithin Eluvathingal is asking you is if your A record for the E in the internal DNS is set up with the IP address of the internal network interface on the E? That's what the C is communicating with, so that's what it has to resolve.





Hi,

Yes, the A record for E is the internal IP of E.

Thanks 

Hi,

If you have configured everything as @Nithin Eluvathingal mentioned in the reply below, please do a DNS flush on the Expressway-C and reboot both Expressway servers.

Regards

Shalid

Below should be the configuration since you are using the dual NIC.

Internal DNS entries:

  • SRV _cisco-uds to CUCM
  • A records for CUCM, IM, Expressway-C.
  • Since you are using a single domain, on the internal domain.com create an A record for Expressway-E resolving to Expressway-E's internal NIC.

Certificates

  • Generate a CSR from Expressway-C, sign it using the internal CA, and upload both the root and server certificate.
  • Generate a CSR from Expressway-E, sign it using an external CA, and upload both the root and server certificate. (Mandatory: the DNS entry on the CSR should have your domain.com.)
  • Upload the public root CA on Expressway-C and upload the internal root CA on Expressway-E.

Public DNS:

  • A record of Expressway-E to your static IP
  • SRV Edge to the above host name or static IP.

 

 



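As an added example (not from this thread or from Cisco), a small Python check of the split-DNS layout the checklist above describes: the internal zone must carry the E's FQDN pointing at its internal NIC, the public zone at its static IP. Zone contents, hostnames and IP addresses are constructed placeholders; the _collab-edge._tls SRV name is the standard MRA edge record.

```python
# Added example: validate a dual-NIC Expressway MRA split-DNS layout against the
# checklist in the thread. All zone data, hostnames and IPs are constructed.
from dataclasses import dataclass, field

@dataclass
class Zone:
    """Minimal DNS zone view: A records (fqdn -> IP) and SRV records (service -> target fqdn)."""
    a: dict = field(default_factory=dict)
    srv: dict = field(default_factory=dict)

def check_mra_dns(domain, internal, public, hosts):
    """Return a list of problems; an empty list means the layout matches the checklist.
    hosts: cucm, imp, exp_c, exp_e (FQDNs) plus exp_e_internal_ip and exp_e_public_ip."""
    problems = []
    # Internal zone: Jabber and Expressway-C locate CUCM through the _cisco-uds SRV record.
    if f"_cisco-uds._tcp.{domain}" not in internal.srv:
        problems.append("internal: missing _cisco-uds._tcp SRV record")
    for role in ("cucm", "imp", "exp_c"):
        if hosts[role] not in internal.a:
            problems.append(f"internal: no A record for {role} ({hosts[role]})")
    # Expressway-C reaches the E on its internal NIC, so the internal zone must hold an
    # A record for the E's FQDN pointing at that address (the symptom in this thread).
    got = internal.a.get(hosts["exp_e"])
    if got is None:
        problems.append(f"internal: A record for {hosts['exp_e']} not found")
    elif got != hosts["exp_e_internal_ip"]:
        problems.append(f"internal: {hosts['exp_e']} -> {got}, expected internal NIC {hosts['exp_e_internal_ip']}")
    # Public zone: outside clients find the E via _collab-edge._tls SRV -> A -> static IP.
    got = public.a.get(hosts["exp_e"])
    if got != hosts["exp_e_public_ip"]:
        problems.append(f"public: {hosts['exp_e']} -> {got}, expected static IP {hosts['exp_e_public_ip']}")
    edge = public.srv.get(f"_collab-edge._tls.{domain}")
    if edge != hosts["exp_e"]:
        problems.append(f"public: _collab-edge._tls SRV should target {hosts['exp_e']}, got {edge}")
    return problems

# Constructed sample reproducing the thread: the internal zone lacks the A record for the E.
HOSTS = {"cucm": "cucm.example.com", "imp": "imp.example.com",
         "exp_c": "vcsc.example.com", "exp_e": "vcse.example.com",
         "exp_e_internal_ip": "192.0.2.20", "exp_e_public_ip": "198.51.100.5"}
INTERNAL_BROKEN = Zone(a={"cucm.example.com": "192.0.2.10", "imp.example.com": "192.0.2.11",
                          "vcsc.example.com": "192.0.2.12"},
                       srv={"_cisco-uds._tcp.example.com": "cucm.example.com"})
INTERNAL_FIXED = Zone(a={**INTERNAL_BROKEN.a, "vcse.example.com": "192.0.2.20"},
                      srv=dict(INTERNAL_BROKEN.srv))
PUBLIC = Zone(a={"vcse.example.com": "198.51.100.5"},
              srv={"_collab-edge._tls.example.com": "vcse.example.com"})
```

Running check_mra_dns("example.com", INTERNAL_BROKEN, PUBLIC, HOSTS) reports only the missing internal A record for vcse, which is exactly what the packet capture in this thread shows; the FIXED zone returns no problems.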


Hi,

I tried to capture the DNS traffic; this is what I am getting.

The DNS server is responding that the A record is not found. This is where I would recommend you to start looking.





You said your domain is a single domain, but from the logs I see vcse.mycomany.com and your DC in mycomany.local. Is this a single-domain environment? What is your Expressway-C and IPT server domain, and what is your outside domain?

I recommend you read the design guide shared.

test.com (internal) hosted internally

test.com (external) hosted at the ISP





@Nithin Eluvathingal 

test.com is a zone in test.local.

So if anyone tries to resolve vcse.mycompany.com.tl from inside, it will resolve to the local IP (that is 192.168.3.100).

So you can say both outside and inside the domain is the same, mycompany.com.tl.

If anyone tries the same, it will resolve to the public IP.

@Roger Kallberg 

Here is the problem I mentioned in previous posts.

1) I tested with the DNS utility from Expressway-C; it can bring up the IP address of any FQDN (regardless of internal or external) except the Expressway-E.

2) I did "nslookup vcse.mycompany.com.tl" from multiple computers; all got replies from DC01 (which is the internal DNS server).

What I mean here is that there is no issue with the DNS.

3) I did a flushdns on Expressway-C.

Thanks

Does the C use the same DNS server(s) as the computer where you have tested the name resolution from?





What's the domain name of Expressway-C? Is this mycompany.local?

As @Roger Kallberg mentioned, on Expressway-C, is it using the same DNS as the PC from which you are able to resolve the Expressway-E?





Hi,

@Nithin Eluvathingal 

vcsc.mycompany.com.tl is the FQDN of Expressway-C.

.local and a forward lookup zone is a common deployment scenario in Windows Active Directory deployments.

Usually there will be a .local default zone and a forward lookup zone.

For example cnn.local and cnn.com on the same domain name server (in my case the IP is 192.168.100.10).

So when a user tries to resolve an FQDN, the PC will send it to the same server, 192.168.100.10.

@Roger Kallberg 

Does the C use the same DNS server(s) as the computer where you have tested the name resolution from?

Yes

Thanks


@susim wrote:

@Roger Kallberg 

Do the C use the same DNS server(s) as the computer where you have tested the name resolution from?

Yes

Thanks


Then I have no more ideas. For sure something in your setup is at fault, as the packet capture shows that the name query for the FQDN of the E from the C is resulting in A record not found.

I know you have written before that it's an A record, but are you 100% sure that you do not use a CNAME or Host record in the DNS, and that the value you have put in the C and E for the traversal zone is the A record? Would you mind taking screenshots of these records, C and E, in DNS and also of the traversal zone configuration in both E and C, without masking the names? If you absolutely want to mask it, would it be possible to just change out the domain part so that the rest is visible and untouched?





As per your reply, your vcse.mycompany.com.tl should resolve to 192.168.3.100 and your DC IP is 192.168.100.10. The screenshot you shared of Expressway-C trying to resolve vcse.mycompany.com.tl has 192.168.3.100 and 192.168.100.10.

So is 192.168.3.100 the Expressway-E or C? Have you configured the proper entry on DNS?

Do you have forward and reverse entries for vcse.mycompany.com.tl in your DC?





Hi

@Nithin Eluvathingal 

192.168.3.100 is the VCS-C and 192.168.100.10 is the domain name server. 3.100 is sending a query to resolve vcse.mycompany.com.tl,

and 192.168.100.10 is replying back that it doesn't know vcse.

@Roger Kallberg 

It is not a CNAME, it is an A record.

Can I send you all the screenshots in private?

Thanks

That would work for me. I'll have a look at it once you send me the PM.


