cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1228
Views
0
Helpful
17
Replies
aheredia05
Beginner

Expressway 8.7.0 RMA Fails to Connect

Hello everyone, 

I'm strugling with RMA on a expressway series 8.7.0, We have CUCM & IMP 10.5.1, dns records: _cisco-uds pointing to Our CUCM, _cuplogin pointing to our IMP, signed Certificates by the same CA entity for all of them and they trust this entity.

On Inside Network it works fine, but when trying to connect from outside via expressway always  says wrong User or password.

Looking on the Exp Core's logs says it couldn't identify the user from UDS (Attached File).

I've try Exp 8.7.2 but happens the same, I rolled back.

We are using jabber to test the configurations.

What else can I do to resolv this issue?

Thanks for your Help.

17 REPLIES 17
Jaime Valencia
Hall of Fame Cisco Employee

Is this the same domain internally and externally??

What are you using for userID in CUCM??

In IM&P, are you using the default JID?? or DirectoryURI?

If your username in CUCM is jdoe, but your JID is john.doe@domain, have you tried using jdoe to login over MRA?

In the EXP-C logs you're going to find a URL, something like this:

https://x.x.x.x:8443/cucm-uds/clusterUser?username=someone

Copy that into a browser, if you don't get a positive reply from CUCM, that means it's unable to find what you're sending for username.

HTH

java

if this helps, please rate

Hello Jaime, thank you for your answer.

1.- Yes is the same domain internally and externally.

2.- This CUCM is not integrated with ldap, so the local base userID is used.

3.- yes, We're using default JID.

4.- I've just tried, the same result.

5.- that url with user without domain returned found (internally).

Thanks a lot for your help Jaime.

Jaime Valencia
Hall of Fame Cisco Employee

What do you mean without domain??

From the .txt I could see a domain there

You need to try EXACTLY the same your EXP-C is trying, if there's a domain there, you need to include that as well.

HTH

java

if this helps, please rate

With rcaero, It says found, 

with rcaero@domain.com, It says not found.

Jaime, I've found the next log:

https://cucm.domain.com:8443/cucm-uds/clusterUser?username=fmoreno

It returned found.

Thanks for your help.

Jaime, 

I've found something weird, 

The logs show the user gets authenticated, obtain the device list, services, server addresses, and sipEdgeServer.

But then the Jabber tries to authenticate to CUP private adress, the _cuplogin and _cisco-uds can not be resolve from outside.

I do not have idea what is happening.

Thanks a lot for your help Jaime.

Jaime Valencia
Hall of Fame Cisco Employee

I'd probably try a couple of things

A) give those expressways a reboot, and make sure you can see the connection to EXP-E up after they come up.

B) after the reboot, go to config -> UC -> UCM, select the servers, and hit refresh servers, repeat for IM&P and CUC.

Then try to login again.

HTH

java

if this helps, please rate

Hi Jaime, 

I did that, still the same.

Somebody configured the Exp's for B2B before RMA, 

May the rearch rules affect the RMA's performance?

Thanks for your help.

search rules attached.

Jaime Valencia
Hall of Fame Cisco Employee

OK, are there any warnings on either of your expressways??

Please make sure that there's no zone that is using port 5060, as it needs to be dedicated to the connection to CUCM, and cannot be used for anything else if you're using MRA.

HTH

java

if this helps, please rate

Hi, 

The only zone with port 5060 is the auto-created for CUCM, 

The CUCM has one trunk with port 5060 to Exp-Core for B2B.

The sip configuration on boths EXP's is:

tcp:5060

tls:5061

mtls:off

udp:off

ipv6:off

Thank you for your help.

Jaime Valencia
Hall of Fame Cisco Employee

Then that's your problem, you CANNOT use port 5060 from CUCM if you're going to configure anything else besides MRA, and if you do not have an alert on EXP-C, that means that your neighbor zone is not using port 5060, otherwise it would have told you, you were using the same port to the same destination in more than one zone.

That SIP trunk you use for B2B, CANNOT use port 5060, you need to change that.

Port 5060 has to be reserved for MRA registration on CUCM for EXP-C

HTH

java

if this helps, please rate

That is a great information,
I will try it in the night.
To change EXP-C's sip listening port is under Configuration->Protocols->SIP, Right?
Thanks a lot for your help.

Jaime Valencia
Hall of Fame Cisco Employee

No, you're not understanding, what you need to do, is change the port on CUCM for that SIP trunk to something else, and the neighbor zone for B2B has to match that port.

Port 5060 for communication between CUCM and EXP-C, is already used for MRA (and you cannot change that), any other SIP trunk you want to configure between them, has to use ports that are not already in use.

You don't need to change absolutely anything else.

HTH

java

if this helps, please rate

Got It, 

will try tonight.

I will post the results,

thanks again.

Content for Community-Ad