Problems with MRA configuration

Hi everyone, in my company we are now deploying MRA, but I have some problems configuring the two Expressways. In particular, I get what you see in the attachments.

 

Can anyone help? Zones, search rules and domains are properly configured, I guess.

 

Thanks a lot.


Okay, well, thanks a lot... here is the screenshot of the zones configuration.

The system communication from Expressway E to C is broken.

  • Check that the firewall configuration is in place for all the ports from E to C.
  • I believe you have a single NIC deployment; I guessed that since you are using a public IP on the Expressway (FQDN resolved to the public IP of the Expressway).
  • If you feel the firewall and the rest of the configuration are good, please take the diagnostic logs from both Expressway E and Expressway C.
  • Either upload them here or use the Collaboration Solutions Analyzer to check for possible errors. (URL: https://cway.cisco.com/csa )

Regards,

 

Thanks a lot. I found something wrong with my certificate configuration. I used OpenSSL and it says that the rootCA does not respect some constraints, but I followed the Cisco guideline, so I don't understand very well.

The zone state on E is Failed. Check your configuration and communication between the C and E.


Also check that the certificates chain of trust is established between both nodes. What type of certificates do you use on the E and C? Self signed, internal CA or public CA signed.

Hi, I used certificates signed with a rootCA. In particular, the rootCA is made using OpenSSL. The CSRs are generated by the Expressways and then signed by the rootCA using OpenSSL. I followed this guide: https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X12-5.pdf .

I would prefer going with dual NIC.

 

Example configuration

Expressway C

NIC IP 192.168.10.10 >> VOIP VLAN

Internal DNS records

  • Certificate

    • Generate the CSR and sign the certificate using the internal CA of domain internal.domain.it.
    • Upload the CA root to trust.
    • Upload the server certificate.

CUCM

CUCM IP: 192.168.10.9

Certificate

  • Generate the CSR and sign the certificate using the internal CA of domain internal.domain.it.
  • Upload the CA root certificate to trust.
  • Upload the server certificate.

Internal DNS records

_cisco-uds._tcp.internal.domain.it SRV service location:
priority = 6
weight = 30
port = 8443
svr hostname =cucm.internal.domain.it

Do the same with the other nodes.

Expressway E

NIC 1 IP 192.168.10.10 >> VOIP VLAN

NIC 2 IP 192.168.20.10 >> DMZ IP

Public IP 45.45.45.26

Internal DNS

  • Create subzone domain.it
  • A record (forward and reverse lookup) in domain.it: expresswayE.domain.it 192.168.20.10
  • Certificate

    • Generate the CSR and sign the certificate using a public CA (whatever your provider is).
    • While generating the CSR, the DNS field should have the entry domain.it.
    • Upload the public CA root to the Expressway C and E trust.
    • Upload the root CA of internal.domain.it to trust.
    • Upload the server certificate.

Public DNS records

  • A record (forward and reverse lookup) expresswayE.domain.it <<YOUR PUBLIC IP>>
  • SRV _collabedge._tls.domain.it pointing to the above IP/hostname

When configuring dual NIC, use your own network design; the above is just an example configuration.

 


Thanks a lot, I will give this configuration a shot and I'll let you know.

You need to look into a few more things related to your DNS and NIC design.

Are your external and internal domains the same?

Can you provide the details of the DNS entries (both internal and external)?

I never worked with single NIC, but AFAIK there is some firewall hairpinning to be done for this to work.


Hi, the internal and external domains are not the same. In particular, the internal one is internal.domain.it and the external one is domain.it .

Hi, 

There is not much difference from what @Nithin Eluvathingal mentioned when you have separate domains.

Add both domains in the Expressway under Configuration >> Domains:

  • internal.domain.it
  • domain.it

The SRV records still remain the same if your users use the same URI format to log in to Jabber. But this comes later; first, you have to correct all the config on the Expressway.

 

  1. Did you check everything mentioned by the community members @Nithin Eluvathingal and @Roger Kallberg in this thread?
  2. Did you create the Unified Communications traversal zone for MRA?
  3. If you suspect an issue with the certificates, use the traversal test tool to verify whether the issue is with the certificates or not: Maintenance >> Security >> Secure traversal test.
  4. Ensure that you have NTP configured correctly on both Expressway servers.
  5. If you still think the config seems to be good, please upload the Expressway diagnostic logs.

Regards,

 

It's Unified Communications traversal.

The attached images are from my lab Expressway C and E for MRA version 12.5.


For details on the zone look at this section in the configuration document https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_mra-expressway-deployment-guide/exwy_b_mra-expressway-deployment-guide_chapter_01000.html?referring_site=RE&pos=3&page=https://www.cisco.com/c/en/us/td/docs/voic...

It is quite well documented; I recommend you read the links provided by me and others in this post.


The image which you shared is the UC configuration on the Expressway, not the zone. Can you create a Unified Communications traversal zone?


Hi, 

Please share screenshots of:

  1. Configuration >> Unified Communications >> Unified CM servers
  2. Configuration >> Zones: you should find the zone of type Unified Communications traversal zone created between Expressway E and C. Take a screenshot of it, or provide a screenshot of the list of zones.

If you don't have one, please configure it.

 

Regards,

Shalid
