Failed to login with Jabber from outside through MRA

Answered Question
Apr 12th, 2017
User Badges:

Dear All
I deployed an MRA solution but I can't log in from outside, and these are the network logs on EXP-E. Please help.

phone - Network Log

2017-04-12T14:52:42.703+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:52:42,703" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="87" Dst-ip="45.107.224.135" Dst-port="47238" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:52:42.702+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:52:42,702" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="87" Src-ip="45.107.224.135" Src-port="47238" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:52:42.235+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:52:42,235" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="86" Dst-ip="45.107.224.135" Dst-port="47237" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:52:42.235+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:52:42,235" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="86" Src-ip="45.107.224.135" Src-port="47237" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:46:56.338+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:46:56,338" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="85" Dst-ip="45.107.224.135" Dst-port="47235" Msg="HTTP/1.1 503 Service Unavailable"
2017-04-12T14:46:56.338+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:46:56,338" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="85" Src-ip="45.107.224.135" Src-port="47235" Msg="GET https:///oauthcb HTTP/1.1"
2017-04-12T14:46:14.094+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:46:14,094" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="84" Dst-ip="45.107.224.135" Dst-port="47234" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:46:14.094+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:46:14,094" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="84" Src-ip="45.107.224.135" Src-port="47234" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:46:13.313+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:46:13,314" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="83" Dst-ip="45.107.224.135" Dst-port="47233" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:46:13.313+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:46:13,313" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="83" Src-ip="45.107.224.135" Src-port="47233" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:45:45.636+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:45:45,636" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="82" Dst-ip="45.107.224.135" Dst-port="47232" Msg="HTTP/1.1 503 Service Unavailable"
2017-04-12T14:45:45.636+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:45:45,636" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="82" Src-ip="45.107.224.135" Src-port="47232" Msg="GET https:///oauthcb HTTP/1.1"
2017-04-12T14:45:35.178+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:45:35,178" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="81" Dst-ip="45.107.224.135" Dst-port="47231" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:45:35.178+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:45:35,178" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="81" Src-ip="45.107.224.135" Src-port="47231" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:45:34.685+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:45:34,685" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="80" Dst-ip="45.107.224.135" Dst-port="47230" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:45:34.685+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:45:34,685" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="80" Src-ip="45.107.224.135" Src-port="47230" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:25:43.294+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:25:43,294" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="79" Dst-ip="45.107.224.135" Dst-port="47226" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:25:43.294+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:25:43,294" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="79" Src-ip="45.107.224.135" Src-port="47226" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:25:42.862+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:25:42,862" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="78" Dst-ip="45.107.224.135" Dst-port="47225" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:25:42.862+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:25:42,862" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="78" Src-ip="45.107.224.135" Src-port="47225" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:25:06.190+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:25:06,191" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="77" Dst-ip="45.107.224.135" Dst-port="47223" Msg="HTTP/1.1 503 Service Unavailable"
2017-04-12T14:25:06.190+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:25:06,190" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="77" Src-ip="45.107.224.135" Src-port="47223" Msg="GET https:///oauthcb HTTP/1.1"
2017-04-12T14:24:30.042+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:24:30,041" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="76" Dst-ip="45.107.224.135" Dst-port="47222" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:24:30.041+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:24:30,041" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="76" Src-ip="45.107.224.135" Src-port="47222" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:24:29.600+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:24:29,601" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="75" Dst-ip="45.107.224.135" Dst-port="47221" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:24:29.600+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:24:29,600" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="75" Src-ip="45.107.224.135" Src-port="47221" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:22:46.518+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:22:46,518" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="74" Dst-ip="45.107.224.135" Dst-port="47220" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:22:46.518+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:22:46,517" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="74" Src-ip="45.107.224.135" Src-port="47220" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:22:45.749+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:22:45,749" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="73" Dst-ip="45.107.224.135" Dst-port="47219" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:22:45.749+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:22:45,748" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="73" Src-ip="45.107.224.135" Src-port="47219" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:22:37.784+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:22:37,784" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="72" Dst-ip="45.107.224.135" Dst-port="47217" Msg="HTTP/1.1 503 Service Unavailable"
2017-04-12T14:22:37.784+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:22:37,784" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="72" Src-ip="45.107.224.135" Src-port="47217" Msg="GET https:///oauthcb HTTP/1.1"
2017-04-12T13:56:20.454+02:00 traffic_server[1084]: UTCTime="2017-04-12 11:56:20,454" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="71" Dst-ip="45.107.224.135" Dst-port="47193" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T13:56:20.454+02:00 traffic_server[1084]: UTCTime="2017-04-12 11:56:20,454" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="71" Src-ip="45.107.224.135" Src-port="47193" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
Jaime Valencia Wed, 04/12/2017 - 08:10
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    2011

Is login working internally?

Do you have any alerts in either expressway?

Have you deployed MRA before?

Versions?

Remon Adel Wed, 04/12/2017 - 08:24
User Badges:

Hi Jaime

Yes, we can log in internally successfully.

There's an alarm on EXP-C:
exp-c - Alarms

Unified Communications SSH tunnel notification failure This system cannot communicate with one or more remote hosts: phone.XXXXXXX.eg Raised Warning Ensure that your firewall allows traffic from the Expressway-C ephemeral ports to 2222 TCP on the Expressway-E
Remon Adel Wed, 04/12/2017 - 08:27
User Badges:

And the traversal zone is OK and active,
and the FW allows all traffic.

Correct Answer
Jaime Valencia Wed, 04/12/2017 - 08:36
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    2011

You never mentioned the versions you're using.

I had a similar issue, make sure to go to your UC servers and refresh them, make sure no errors come from that.

Then if you have not rebooted the boxes, reboot exp-e, wait until it fully comes up, and give it 5-10 minutes before rebooting exp-c.

This fixed the same alarm in my lab, I already had MRA working fine, but got that alarm after upgrading to x8.9.2 and was not able to use phone services.

Remon Adel Thu, 04/13/2017 - 07:20
User Badges:

Hi Jaime
Thanks for your help.
Kindly be informed that the SSH tunnel issue has been solved after applying your recommendation.

But we still have the 403 Forbidden error.
Kindly find attached the EXP-E and EXP-C logs.
We also noted that we are missing a license, as shown in the attached file; could it cause this issue?

Jaime Valencia Thu, 04/13/2017 - 10:21
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    2011

Yes, you need the right licensing. What does it say on top of the web page?

Do you see Expressway-C and Expressway-E? If not, then you certainly have a problem with licensing.

I'll assume that's the EXP-E due to the name of the file; you need the Expressway series license and the traversal server license.


Alok Jaiswal Thu, 04/13/2017 - 04:30
User Badges:

If you have upgraded from a version prior to x8.8, then it could be possible you don't have a reverse lookup entry for the Expressway Edge server on internal DNS, causing the SSH tunnel to break. Even though your UC traversal zone is up, the SSH tunnel will be broken.


The second error, 403 Forbidden, could be related to the domain. Make sure the MRA login domain is configured correctly on the Core. I recently worked to fix an issue for my friend where he had misspelled the domain :).

If this is not the case, please attach the Expressway logs, and I can help you look at this.

2017-04-12T13:56:20.454+02:00 traffic_server[1084]: UTCTime="2017-04-12 11:56:20,454" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="71" Dst-ip="45.107.224.135" Dst-port="47193" Msg="HTTP/1.1 403 Forbidden"


Rgds,

Alok

Remon Adel Thu, 04/13/2017 - 07:14
User Badges:

Hi Alok
Thanks for your help.
Kindly be informed that the SSH tunnel issue has been solved after applying Jaime's recommendation in the previous comment.

But we still have the 403 Forbidden error.
Kindly find attached the EXP-E and EXP-C logs.
We also noted that we are missing a license, as shown in the attached file; could it cause this issue?

Correct Answer
Alok Jaiswal Thu, 04/13/2017 - 18:08
User Badges:

Hi,


The logs are in info mode. Maybe you copied the event logs and pasted them here.


Anyway, from the screenshot it looks like you are missing Expressway series. However you have the traversal server license, so that makes your VM a VCS-E instead of an Exp-E, which is fine.

But you need to make sure that you have a Cisco-supported deployment.

Traversal is only supported with an Exp-C (Core) and Exp-E (Edge) pair or a VCS-C (Control) and VCS-E (Expressway) pair.


You can have Exp-C paired with VCS-E and vice versa, but it won't be supported by Cisco; however, I believe that it must still work. But it is better to have a matching pair.


Which setup do you have from the above? Control with Expressway, or Core with Edge?


Can you attach the diagnostic logs from when you try to log in?


Regards,

Alok



Remon Adel Sat, 04/15/2017 - 05:22
User Badges:

Hi Alok
The main issue has now been solved after we configured the external domain on EXP-C and activated UC services for this domain.
Now I can log in through MRA and make calls, but there is no audio.
I searched about this issue and found that I must set EXP-C to point to the public IP of EXP-E; is that right?
But I configured this UC traversal zone and it's active with this setup (EXP-C pointing to the EXP-E internal IP).

Thanks

Alok Jaiswal Mon, 04/17/2017 - 01:12
User Badges:

If you are using a single-NIC static NAT deployment then yes, it needs to point to the public IP. The media stream goes to the public IP and hairpins back in.


However, if the deployment type is dual NIC, with the internal NIC for communication and the external NIC with a direct public IP, or the second NIC has a private IP and is NATed, then you just need to point to the internal NIC IP address.


With dual NIC, keep in mind that the default gateway should be that of the second NIC on Expressway-E, and any internal communication from Exp-E to Exp-C must be routed via static routes on Expressway-E if Core and Edge are in different subnets.


Another point is that you must open the media ports 36000-59999 (UDP) from external to the DMZ so that the Jabber client can stream media to Expressway. Expressway never initiates media to external clients if the client is behind a NAT, because Expressway sees 2 different addresses.


Regards,

Alok

Remon Adel Tue, 04/18/2017 - 05:20
User Badges:

Hi Alok

After configuring EXP-C to point to the public IP of EXP-E,
the UC traversal zone is active and reachable, but on EXP-E the state is failed and the SIP port is active.

And these are the network logs.
And when we try to log in from outside, this error appears:
you can't login out of corporation network .

Thanks
Remon

Alok Jaiswal Tue, 04/18/2017 - 13:11
User Badges:

Hi Remon,

The 503 Service Unavailable error is not giving much info.

Happy to have a WebEx if you don't want to expose the IPs and domains.


Thanks


Remon Adel Wed, 04/19/2017 - 13:01
User Badges:

Hi Alok
Thanks for your attention and kind help.
In this setup (VCS-E with one NIC),

I want to install a VCS Expressway without a dual network interface; note that we don't have the Advanced Networking license.

Currently we have two options through which we could get this done; please correct me if I am wrong.

1) Give the VCSe an IP address on the LAN and NAT it to a public IP, but we don't have the NAT mode feature on VCS-E without the AN license.

So when we applied these commands on VCS-E, a "feature not enabled" message appeared:
xConfiguration Ethernet 1 IP V4 Address: "LAN IP"
xConfiguration Ethernet 1 IP V4 StaticNAT Address: Public IP
xConfiguration Ethernet 1 IP V4 StaticNAT Mode: on



2) Make the VCSe face the internet directly and assign a public IP to it.

For the first choice, will we need to configure NAT reflection on the firewall, and how?


Please advise if I'm wrong.

Great Thanks 

Alok Jaiswal Wed, 04/19/2017 - 15:22
User Badges:

That's correct. The AN key allows you to enable the second NIC and at the same time allows you to configure a NAT address on the interface.

Without this key your MRA will work, but you won't get any media because Expressway doesn't know about the NAT IP.

For a normal B2B call I have seen sometimes that the firewall is able to modify the addresses in the SIP SDP, but it's only for a few scenarios and specific to firewalls. Not all firewalls are capable enough to do that, especially when it comes to encrypted calls, and since MRA is heavily dependent on SIP TLS I don't think it will work.


The only option you are left with is to have a public IP assigned directly to the Expressway; not a good design, but you will achieve what you want with it.

Regards,

Alok

Remon Adel Wed, 04/19/2017 - 16:54
User Badges:

Hi Alok 
Thanks for your response.
Now we applied our setup without the AN license, but MRA doesn't work. Our setup is as below.

EXP-C is in the internal subnet 192.168.20.0 with IP 192.168.20.10



We have two firewalls, B & A; the connection is:

FW B (internal) has DMZ1 with subnet 192.168.20.0
FW A (edge) has DMZ2 with subnet 192.168.160.0
FW B & FW A have DMZ3 with subnet 192.168.30.0

First Expressway connection scenario

EXP-C ---192.168.20.0------FW B ----192.168.90.0 ----VCS-E ----FW A 

On EXP-C we created a UC traversal zone that points to the FQDN of the VCS-E public IP.
On EXP-C the UC traversal zone is reachable and active; at the same time, on VCS-E the UC traversal zone to EXP-C is failed.

Second Expressway connection scenario


EXP-C ---192.168.20.0------FW B ----192.168.30.0 ----VCS-E --192.168.30.0-- FW A
On EXP-C we created a UC traversal zone that points to the FQDN of the VCS-E public IP.
On EXP-C the UC traversal zone is reachable and active; at the same time, on VCS-E the UC traversal zone to EXP-C is failed as well.

We configured FW A with NAT reflection, but we have the same issue.


Is the missing AN license the cause of the issue in the two scenarios, or are there some missing configs?

Thanks Alok


Alok Jaiswal Sun, 04/23/2017 - 03:16
User Badges:

Remon,

Since you don't have the Dual NIC option key, you can't use any NAT reflection.

But for the two scenarios you mentioned, if you have assigned a direct IP on Expressway-E (VCS-E), it should work.

Since on Exp-C it shows active but on VCS-E it shows failed, I assume you have packet inspection enabled on the FW-B internal interface that communicates with VCS-E, or it could be an inside NAT scenario.

Can you check the SIP OPTIONS reaching VCS-E from Exp-C: does it show the source IP address of Exp-C or the FW-B inside interface? If it's reaching VCS-E with the FW-B internal interface IP, VCS-E can throw 503 Service Unavailable since it doesn't know about that IP address.

I can set up a WebEx to verify your setup and help you fix it.


Regards,

Alok
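As an added triage example (not code from this thread, from Cisco, or from any poster): the script below pairs the traffic_server "Receive Request" and "Sending Response" lines by Txn-id, decodes the first get_edge_config path segment (assumed here to be the unpadded base64 of the login domain the client asked for, so the misspelled-domain case from Alok's 403 comment shows up directly), and tags each endpoint/status pair with the hint this thread arrived at for 403 on get_edge_config and 503 on /oauthcb. The sample log lines are constructed in the page's format with a documentation IP and domain.

```python
import base64
import re
from collections import defaultdict

# key="value" fields as they appear in the Expressway traffic_server lines above
FIELD_RE = re.compile(r'(\w[\w-]*)="([^"]*)"')
# request line inside Msg; the host part is empty in the thread's logs (https:///...)
REQUEST_RE = re.compile(
    r'^(?P<method>[A-Z]+) https?://(?P<host>[^/]*)(?P<path>/[^ ?]*)'
    r'(?:\?(?P<query>[^ ]*))? (?P<ver>HTTP/[\d.]+)$')

# Constructed sample lines (documentation IP 198.51.100.7, domain example.com)
SAMPLE = """\
2017-04-12T14:52:42.702+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:52:42,702" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="87" Src-ip="198.51.100.7" Src-port="47238" Msg="GET https:///ZXhhbXBsZS5jb20/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:52:42.703+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:52:42,703" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="87" Dst-ip="198.51.100.7" Dst-port="47238" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:46:56.338+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:46:56,338" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="85" Src-ip="198.51.100.7" Src-port="47235" Msg="GET https:///oauthcb HTTP/1.1"
2017-04-12T14:46:56.338+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:46:56,338" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="85" Dst-ip="198.51.100.7" Dst-port="47235" Msg="HTTP/1.1 503 Service Unavailable"
""".splitlines()

def parse_line(line):
    """Return the fields of one traffic_server line, or None if it is not one."""
    if 'Module="network.http.trafficserver"' not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    return fields if "Txn-id" in fields and "Detail" in fields else None

def decode_domain(segment):
    """Assumption: the segment is unpadded base64 of the login domain. Restore
    padding and decode strictly; anything that is not valid base64 gives None."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def correlate(lines):
    """Pair requests with responses by Txn-id: {txn: {client, path, endpoint, domain, status}}."""
    txns = defaultdict(dict)
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        t = txns[f["Txn-id"]]
        if f["Detail"] == "Receive Request":
            m = REQUEST_RE.match(f["Msg"])
            if m:
                path = m.group("path")
                t["client"], t["path"] = f.get("Src-ip"), path
                t["endpoint"] = "/" + path.rsplit("/", 1)[-1]
                first = path.strip("/").split("/")[0]
                t["domain"] = decode_domain(first) if t["endpoint"] == "/get_edge_config" else None
        elif f["Detail"] == "Sending Response":
            m = re.match(r"HTTP/[\d.]+ (\d{3})", f["Msg"])
            if m:
                t["status"] = int(m.group(1))
    return dict(txns)

def triage(txns):
    """Count each (endpoint, status) pair and attach the hint the thread reached."""
    counts = defaultdict(int)
    for t in txns.values():
        if "endpoint" in t and "status" in t:
            counts[(t["endpoint"], t["status"])] += 1
    hints = {}
    for (endpoint, status), n in sorted(counts.items()):
        if endpoint == "/get_edge_config" and status == 403:
            hint = "login domain not configured on Expressway-C or UC services not active for it"
        elif endpoint == "/oauthcb" and status == 503:
            hint = "check the traversal zone state on Expressway-E and the SIP OPTIONS source IP it sees"
        else:
            hint = "no hint from the thread"
        hints[(endpoint, status)] = (n, hint)
    return hints

if __name__ == "__main__":
    txns = correlate(SAMPLE)
    for t in txns.values():
        print(t)
    for (endpoint, status), (n, hint) in triage(txns).items():
        print(f"{n} x {status} on {endpoint}: {hint}")
```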
