Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3740
Views
5
Helpful
7
Replies

New Expressway MRA error

Ben Dwyer
Level 1
Level 1

‎07-28-2016 12:29 PM - edited ‎03-17-2019 06:16 PM

Hello,

I'm setting up an MRA deployment with a single Expressway-E and single Expressway-C.  I've followed the CVD guide for Collaboration Edge with BE6000.  Zones are set up and active, SRV records are in place and verified from the outside, certificates are installed, and a Secure Traversal Test from Expressway-C returns a success.  However, from the Jabber client, I get "Your username or password is not correct".

The Jabber client log is attached

Expressway-E error: traffic_server[8591]: Event="Sending HTTP error response" Status="401" Reason="Unauthorized" Dst-ip="174.197.10.60" Dst-port="3609" UTCTime="2016-07-28 19:13:32,946"

The Jabber client works internally using the same username/password.

Any help on how to determine the cause of this would be helpful.  Thanks in advance.

Ben

1 person had this problem
Labels:
Preview file
101 KB
0 Helpful
7 Replies 7

jakeriley
Level 1
Level 1

‎07-28-2016 01:44 PM

Hey Ben,

If you haven't done so yet, you might try running a client cert check between the C and E (both ways).  I have seen where zones are up and traversal test passes but client check fails due to certificate issues and does not allow login.  Not sure that's the issue here but one thing to check.

Jake

0 Helpful

Ben Dwyer
Level 1
Level 1
In response to jakeriley

‎07-28-2016 02:36 PM

Jake,

The client cert check fails on the CRL check but I'm not using CRL checking in my configuration.  The strings do match on this check.

Valid Certificate: Invalid: unable to get certificate CRL, please ensure that you have uploaded a CRL for the CA that signed this client certificate

Thanks,

Ben

0 Helpful

jakeriley
Level 1
Level 1
In response to Ben Dwyer

‎07-28-2016 02:44 PM

Interesting, I was getting that same error even with CRL checking off as well and login was failing.  What's your EXP version?  Locally or CA-signed certs (if CA, which vendor)?

0 Helpful

Ben Dwyer
Level 1
Level 1
In response to jakeriley

‎07-28-2016 02:46 PM

Version 8.5.2

Edge has a GoDaddy CA signed cert

Core has a cert from an internal CA

0 Helpful

jakeriley
Level 1
Level 1
In response to Ben Dwyer

‎07-28-2016 03:00 PM

We had issues with GoDaddy cert on our E.  To test we used an internal CA cert on it and ended up manually uploading CRL (even though it was set to off).  Once client cert checks passed, everything worked.  One thing to be aware of - before you upgrade, make sure you have an install file for 8.5.2 which does not seem to be available anymore.  If you need to restore, you won't be able to do so without it (to my knowledge).  8.5.2 has a bug that causes no ringback on audio calls.  Best of luck.

0 Helpful

Varundeep Chhatwal
Cisco Employee
Cisco Employee

‎07-28-2016 01:49 PM

I just gave a quick look in jabber logs. It was able to find exe-e successfully through collab edge but the portion in logs which is throwing error has been truncated. Jabber will ask for its edge config once it is able to exe-e and from there is only it is getting 401  forbidden error. Please make sure you have enabled home cluster option on end user page for this user.

Ben Dwyer
Level 1
Level 1
In response to Varundeep Chhatwal

‎07-28-2016 02:47 PM

Thanks Varundeep,

I went back and made sure that the home cluster option was already enabled.

Ben

0 Helpful
Customers Also Viewed These Support Documents