09-02-2016 07:42 AM - edited 03-19-2019 11:33 AM
Hi all,
I've configured a collaboration environment with the following components - CUCM, IM&P, Expressway Core and Expressway Edge. When I try to log in via Jabber directly to IMP (inside the corporate network), the Jabber client logs in successfully. However, when I try with the same username via Mobile and Remote Access (Expressway), I get a "wrong username and password" sort of message.
I collected traces on Expressway C and I can see several errors. What confuses me the most is the fact that the same username/password works fine when logging in from the inside network. Here are some of the messages on Expressway C:
- HTTP Status 403 - Access to the requested resource has been denied
- Failed to authenticate user against server
- All attempts to authenticate user failed
CUCM/IMP version is 11.5, Expressways are 8.8.1.
Thanks!
Dragan
09-02-2016 08:27 AM
Do you use the same domain, and login, internally and externally???
09-05-2016 07:10 AM
Hi Jaime,
It's the same domain name for the clients externally and internally. In the meantime, I've noticed that the problem is also present from the internal network when using SRV records, so I excluded the Expressway server as a possible cause.
Now I get a "cannot communicate with the server" message in Jabber. I checked the service profiles assigned to users, and the SRV records are fine also. Did you experience a similar issue maybe?
Thanks, Dragan
09-05-2016 07:30 AM
What is the SRV domain name you are using as we can validate some things remotely? Does nslookup resolve it externally? Are all firewall ports opened properly?
09-05-2016 07:35 AM
Can you post what SRV records you have, internal and external?
09-05-2016 09:30 AM
Hi,
I've located the problem in the internal network, so I'm sending you the SRV records from internal DNS:
| Service | Protocol | Priority | Weight | Port | Target |
|---|---|---|---|---|---|
| _cisco-uds._tcp.burren.pst | TCP | 10 | 10 | 8443 | cucm.internaldomain.com |
| _cuplogin._tcp.burren.pst | TCP | 10 | 10 | 8443 | cup.internaldomain.com |
| _cisco-phone-http._tcp.burren.pst | TCP | 10 | 10 | 8443 | cucm.internaldomain.com |
| _cisco-phone-tftp._tcp.burren.pst | TCP | 10 | 10 | 69 | cucm.internaldomain.com |
| _sips._tcp.burren.pst | TCP | 10 | 10 | 5061 | expc.internaldomain.com |
| _sip._tcp.burren.pst | TCP | 10 | 10 | 5060 | expc.internaldomain.com |
| _sip._udp.burren.pst | UDP | 10 | 10 | 5060 | expc.internaldomain.com |
I had to change the real domain name because of the customer, I hope you don't mind. Jabber definitely reaches the CUCM server, as I can see many traces showing that, but then the user is refused.
[csf.log] [csf::ucm90::HomeUdsHttpRequest::performHttpRequest] - Result of HTTP request - Result: SUCCESS, Response Code: 403.
[csf.config] [csf::ucm90::HomeUdsUtilities::convertHttpUtilsResult] - Home Uds query failed responseCode =[403]
[csf.log] [csf::ucm90::HomeUdsHttpRequest::performHttpRequest] - Result of UDS result conversion - UDS Result: HOME_UDS_QUERY_FAILED.
[csf.config] [csf::ucm90::HomeUds100Query::run] - Home Uds request unsuccessful.
[csf.config] [csf::ucm90::UdsProvider::doHomeUdsQuery] - Result from Home UDS query: HOME_UDS_QUERY_FAILED
[csf.config] [CSFUnified::BlacklistAddress::operator ==] - Blacklist URL match found for https://cucm.internaldomain.com:8443/cucm-uds/user/user001 with a reason of [Unable to connect to the Home UDS server during discovery: 4]
Thanks, Dragan
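An added example, not part of the original post and not Cisco code: a small triage script for csf log lines of the shape quoted above, which separates "the HTTP request reached the server and was denied" from a transport failure. The helper name `triage`, the verdict strings and the handling of any `Result:` value other than the `SUCCESS` shown in the post are assumptions.

```python
import re

# Constructed sample in the shape of the csf lines quoted in the post above
# (timestamps and thread ids omitted, as they are in the post).
SAMPLE_LOG = """\
[csf.log] [csf::ucm90::HomeUdsHttpRequest::performHttpRequest] - Result of HTTP request - Result: SUCCESS, Response Code: 403.
[csf.config] [csf::ucm90::HomeUdsUtilities::convertHttpUtilsResult] - Home Uds query failed responseCode =[403]
[csf.config] [csf::ucm90::UdsProvider::doHomeUdsQuery] - Result from Home UDS query: HOME_UDS_QUERY_FAILED
[csf.config] [CSFUnified::BlacklistAddress::operator ==] - Blacklist URL match found for https://cucm.internaldomain.com:8443/cucm-uds/user/user001 with a reason of [Unable to connect to the Home UDS server during discovery: 4]
"""

LINE_RE = re.compile(r"^\[(?P<logger>[^\]]+)\] \[(?P<func>[^\]]+)\] - (?P<msg>.*)$")
HTTP_RE = re.compile(r"Result: (?P<transport>\w+), Response Code: (?P<code>\d{3})")
BLACKLIST_RE = re.compile(
    r"Blacklist URL match found for (?P<url>\S+) with a reason of \[(?P<reason>[^\]]+)\]")

def triage(log_text):
    """Summarise home UDS discovery from csf log text (hypothetical helper)."""
    out = {"transport": None, "http_status": None, "blacklisted": []}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # not a "[logger] [function] - message" line
        http = HTTP_RE.search(line["msg"])
        if http and "HomeUds" in line["func"]:
            out["transport"] = http["transport"]
            out["http_status"] = int(http["code"])
        bl = BLACKLIST_RE.search(line["msg"])
        if bl:
            out["blacklisted"].append((bl["url"], bl["reason"]))
    # The verdict uses the HTTP result, not the blacklist reason text: in the
    # sample the reason says "Unable to connect" although the request got a 403.
    status = out["http_status"]
    if out["transport"] is None:
        out["verdict"] = "no home UDS request found"
    elif out["transport"] != "SUCCESS":
        out["verdict"] = "transport failed: name resolution, TLS or port"
    elif status in (401, 403):
        out["verdict"] = "server reached, request denied (HTTP 401/403)"
    elif 200 <= status < 300:
        out["verdict"] = "home UDS query accepted"
    else:
        out["verdict"] = "server reached, unexpected status"
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```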
09-05-2016 10:40 AM
The idea for providing the actual domain name was so that we can verify the resolution as well as to ensure proper firewall ports are opened on your firewalls.
From the limited info you provided, did you check to ensure the user in question has "home cluster" properly checked on the end user management in CUCM?
09-06-2016 01:16 AM
Hi Chris,
There is no firewall between the Jabber client and the CUCM and IMP servers when Jabber is in the internal network, I checked that. I also checked DNS resolution in detail for every record, both by sniffing network traffic on the Jabber client and by looking at the Jabber log files. I checked name resolution on CUCM and IMP too.
Users have home cluster configured ("Enable User for Unified CM IM and Presence (Configure IM and Presence in the associated UC Service Profile)" option) and the service profile that is assigned to them has IMP servers properly configured. That's what makes me so confused :)
Regards, Dragan
09-06-2016 01:32 AM
Hi Dragan
Troubleshooting this for you without having access to Exp and/or Jabber logs is difficult.
My suggestion would be to log a call with TAC, I struggled with the SRV stuff on my first attempt and TAC helped me out quickly.
Thanks
09-06-2016 05:50 AM
I was not asking about the internal firewall, as you stated you are able to log in internally just fine and the issue only pertains to connections across MRA. Is this no longer accurate? If it is, then my firewall question was around proper ports being opened between your Expressway C and Expressway E LAN1 (assuming dual LAN deployment of Exp E) as well as Exp-E LAN2 and the internet. Most issues I encounter with MRA deployments are around proper ports not being opened. This is what I was willing to check for you if you provided the domain name; otherwise you can attempt to ping every port that should be opened from the external network.