Cisco Support Community
New Member

Cisco Jabber MRA unable to log in from outside

I'm facing a problem with Cisco Jabber: it cannot log in from outside (internet) to the enterprise network. I have successfully deployed Cisco Expressway Core and Edge ver. 8.1.1 along with UCM, IMP & CUC ver. 10.5. I created the traversal zones and got an active connection using FQDN. The certificate has been generated successfully and uploaded, NTP is in sync and everything is in order. DNS SRV records have been created internally and externally, and the NAT has been configured on the ASA firewall. From inside the network I can access using Jabber with no issue. The only issue is from outside; it gives me the error "cannot communicate with the server".

Please advise.

28 REPLIES

If it's possible, please post logs here and we can look. If you cannot post your logs, I would recommend you open a TAC case, since it looks like you have touched on most of the configurations.

Also, make sure that the Unified Communications status says it's all good on the Expressway C/E.

Please rate useful posts.
New Member

Thanks George for your reply.

I have attached the event log from Expressway-E, noting that I have all statuses active in Unified Communications on Exp-C and Exp-E. Also, I have changed the Expressway-E to point to the internal DNS so I can resolve all the UC servers. I tried to access from the internet outside the enterprise network and put in the address of the public NAT IP address, but Jabber keeps giving me the error "cannot communicate with the server".

I am sorry, I should have been more specific. I was looking for logs from Jabber itself (PRT). 

Please rate useful posts.
New Member

Hi,

 

There is new progress: I can currently log in from outside and do IM and contact resolution. However, calls from outside to inside ring, but when answered there is no RTP. I checked on Expressway-E System->IP and found that the NAT public IP address is added and the option is "On". I turned off my firewall and anti-virus but still no luck. In regard to calls from internal to external, it directly gives me a busy tone and returns the error 503 Service Unavailable from the CallManager side.

Attached is a Wireshark capture for the calls from internal to external and vice versa.

UCM IP Address: 10.0.17.233

My IP Address: 10.29.24.152

Please advise what could be the problem.

VIP Super Bronze

How did you deploy your Expressway-E? Are you using a single interface? If you are, have you disabled the second NIC on the Expressway?

In the Expressway-E config go to System > IP and you will see the couple of NICs; look for the setting "Use dual network interfaces" and set it to No. Requires a restart.

Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"
New Member

Yes, I have deployed DMZ on a stick. I have disabled the second interface and added the NAT public IP address in the specified location on the DMZ interface.

I also removed any inspection on the firewall for SIP.

What else am I missing?

VIP Super Bronze

OK, let's look at the issues separately.

The outbound-to-inbound issue, with no RTP:

From the SIP traces we can see that CUCM is telling the endpoint (10.29.24.152) to send its media to IP address 10.0.17.235 on port 48140.

Is this port allowed on the firewall, and is this IP reachable through the firewall? Do you see any dropped connections on the firewall?

For the inbound-to-outbound issue we see a disconnect code of 41, which is one of the worst cause codes, as it just tells you there is a failure but nothing specific.

If you can send us the CUCM logs for the inbound-to-outbound test calls, that may give us more details.

Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"
New Member

We have opened a case with Cisco TAC for the ASA and they assure us that there is no blocking of any ports after taking a capture. On the other hand, I took UCM logs as described above, attached. I generated two demo calls from outside to inside and then vice versa.


External Jabber Client Info:
----------------------------------

User Internet Public IP Address:87.101.143.209 

Inside User Info:
---------------------

Internal Jabber Client IP Address:10.29.24.152
expressway-e :172.16.2.88
expressway-c :10.0.17.235
UCM : 10.0.17.233

 

New Member

Guys, any update for this issue? Calls audio/video are okay from the internet to the enterprise network; however, from inside to outside it is still giving me the error 503 Service Unavailable and cause code 41.

Please, if someone could check the logs and let me know why I would receive an error from the Call Manager (10.0.17.233).


Thanks,

Amr Sherif

VIP Super Bronze

What endpoint is unable to make calls outside?

Please send the following logs:

1. CUCM logs

2. Expressway E and C logs

3. Jabber logs (if the affected client is Jabber)

Please include the calling and called number and the time of the call.

You can do another test, collect fresh logs and send them over.

Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"

Also, please make sure you set the logs to detailed in both CUCM and Expressway C.

CUCM - CallManager detailed. Exp-C - Diagnostic logging.

Please rate useful posts.
New Member

I have made a new test call with fresh logs uploaded as instructed by both Ayodeji and George. Attached are the UCM logs, Exp-C, Exp-E, and Jabber logs.

- Call scenario is as follows:

Jabber client (inside the corporate NW) is calling a Jabber client (registered on the Internet)

- Call flow:

Jabber --> UCM --> Exp-C (Internal) --> Exp-E (DMZ on a stick) --> ASA (NATing) --> Internet

- Call details:

Calling #: 7002 (Inside)
Called #: 7004 (Outside on Internet)

- IP addresses:

Jabber Client: 10.202.3.202
UCM: 10.0.17.233
EXP-C: 10.0.17.235
EXP-E: 172.16.2.88

Looking forward to your reply :)

VIP Super Bronze

Asif, looking at the logs, it seems you have a licensing problem.

Expressway-C is rejecting the call, and the reason is that there is no license available.

9:44:34" 2014-09-03T12:44:27+03:00 tvcs: Event="Call Rejected" Service="SIP" Src-ip="10.0.17.233" Src-port="5060" Src-alias-type="SIP" Src-alias="sip:7002@10.0.17.233" Dst-alias-type="SIP"
Dst-alias="sip:1ea37df6-14b6-10e9-5f73-d2095c1448a5@10.1.54.151:57014;transport\=tls" Call-serial-number="6f8c850d-a061-4048-a265-3183f53ad231" Tag="9bd29105-6ee9-4cc7-938c-7adfdfbe0f33"
Detail="Service Unavailable" Protocol="TCP" Response-code="503" Level="1" UTCTime="2014-09-03 09:44:27,517" 2014-09-03T12:44:27+03:00 tvcs: Event="Search Completed" Reason="Service
Unavailable" Service="SIP" Src-alias-type="SIP" Src-alias="7002@10.0.17.233" Dst-alias-type="SIP" Dst-alias="sip:1ea37df6-14b6-10e9-5f73-d2095c1448a5@10.1.54.151:57014;transport\=tls"
Call-serial-number="6f8c850d-a061-4048-a265-3183f53ad231" Tag="9bd29105-6ee9-4cc7-938c-7adfdfbe0f33" Detail="found:false, searchtype:INVITE, Info:No License Available" Level="1"
UTCTime="2014-09-03 09:44:27,517" 2014-09-03T12:44:27+03:00 licensemanager: Level="INFO" Detail="License not granted" call_id="0cf14320-f475-4c43-aa15-cb3ddda59ed1" lic_type="nontraversal"

 

+++This is what we see on CUCM too. Expwc sends a call reject with no license as the reason.++++

04936720.002 |12:44:27.543 |AppInfo  |SIPTcp - wait_SdlReadRsp: Incoming SIP TCP message from 10.0.17.235 on port 5060 index 711 with 464 bytes:
[53349,NET]
SIP/2.0 503 Service Unavailable
Via: SIP/2.0/TCP 10.0.17.233:5060;branch=z9hG4bK4623e8ee1d9;received=10.0.17.233;ingress-zone=CEtcp10017233
Call-ID: e3c1d500-4061e2fb-40e-e911000a@10.0.17.233
CSeq: 101 INVITE
From: "Ismail" <sip:7002@10.0.17.233>;tag=18705~39918b09-8433-4cda-8762-31af669b6923-26048339
To: <sip:7004@10.0.17.233>;tag=498be0fb45e585ac
Server: TANDBERG/4129 (X8.1.1)
Warning: 399 10.0.17.235:5061 "No License Available"
Content-Length: 0
 

Do you have licenses uploaded?

Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"
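The lines quoted above are Expressway event-log records in key="value" form, and the useful reason ("No License Available") sits in the Search Completed detail rather than in the SIP 503 itself. As an added example (not code from the thread, from Cisco or from the Expressway product), the following Python parses such records, groups them by Call-serial-number and reports the Response-code together with the Info: reason. The sample log is constructed from the values quoted above; the extra "Call Attempted" line with a made-up serial shows that a call with no rejection is not reported.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Expressway-C event log quoted in the thread.
# The first three lines reuse the quoted values; the last line is made up.
SAMPLE_LOG = r"""
2014-09-03T12:44:27+03:00 tvcs: Event="Call Rejected" Service="SIP" Src-ip="10.0.17.233" Src-port="5060" Src-alias-type="SIP" Src-alias="sip:7002@10.0.17.233" Dst-alias-type="SIP" Dst-alias="sip:1ea37df6-14b6-10e9-5f73-d2095c1448a5@10.1.54.151:57014;transport\=tls" Call-serial-number="6f8c850d-a061-4048-a265-3183f53ad231" Detail="Service Unavailable" Protocol="TCP" Response-code="503" Level="1" UTCTime="2014-09-03 09:44:27,517"
2014-09-03T12:44:27+03:00 tvcs: Event="Search Completed" Reason="Service Unavailable" Service="SIP" Src-alias="7002@10.0.17.233" Call-serial-number="6f8c850d-a061-4048-a265-3183f53ad231" Detail="found:false, searchtype:INVITE, Info:No License Available" Level="1" UTCTime="2014-09-03 09:44:27,517"
2014-09-03T12:44:27+03:00 licensemanager: Level="INFO" Detail="License not granted" call_id="0cf14320-f475-4c43-aa15-cb3ddda59ed1" lic_type="nontraversal"
2014-09-03T12:50:02+03:00 tvcs: Event="Call Attempted" Service="SIP" Src-alias="sip:7002@10.0.17.233" Dst-alias="sip:7004@example.invalid" Call-serial-number="aaaaaaaa-0000-4000-8000-000000000001" Protocol="TLS" Level="1" UTCTime="2014-09-03 09:50:02,000"
""".strip()

# <timestamp> <source>: key="value" key="value" ...
LINE_RE = re.compile(r'^(\S+)\s+(\S+?):\s+(.*)$')
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_event(line):
    """Split one event line into (timestamp, source, {key: value}); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, source, rest = m.groups()
    return ts, source, dict(KV_RE.findall(rest))


def summarize_calls(log_text):
    """Group tvcs events by Call-serial-number and keep the outcome of each call.

    Returns {serial: {"src", "dst", "response_code", "reason"}}. The reason is the
    'Info:' part of the Search Completed detail, which carries the operational
    cause that the bare SIP response code does not.
    """
    calls = defaultdict(lambda: {"src": None, "dst": None, "response_code": None, "reason": None})
    for line in log_text.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue
        _, source, f = parsed
        serial = f.get("Call-serial-number")
        if source != "tvcs" or serial is None:
            continue  # licensemanager lines carry a call_id, not the serial, so they are not joined here
        call = calls[serial]
        call["src"] = call["src"] or f.get("Src-alias")
        call["dst"] = call["dst"] or f.get("Dst-alias")
        if f.get("Event") == "Call Rejected":
            call["response_code"] = f.get("Response-code")
        if f.get("Event") == "Search Completed":
            info = re.search(r"Info:([^,]+)", f.get("Detail", ""))
            call["reason"] = info.group(1).strip() if info else f.get("Reason")
    return dict(calls)


def rejected_calls(log_text):
    """Return [(serial, response_code, reason)] for every call that was rejected."""
    return [(serial, c["response_code"], c["reason"])
            for serial, c in summarize_calls(log_text).items() if c["response_code"]]


if __name__ == "__main__":
    for serial, code, reason in rejected_calls(SAMPLE_LOG):
        print(f"{serial}: {code} ({reason})")
```

Run against a real Expressway diagnostic log, the same grouping shows at a glance whether a 503 came back with "No License Available" or with some other reason, which is what distinguishes a genuine license shortage from the routing problem discussed later in this thread.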
New Member

Yes, of course the license has been uploaded from day 1. I have uploaded the attached license snapshots.

Is any other license required?

Kindly let me know.


VIP Super Bronze

Asherif,

I have been doing some research on this and it doesn't look like a licensing issue, even though that's what the logs are reporting. This looks like a configuration issue.

Can you confirm that the peer address on the Expressway-C for the Expressway-E is the public/NAT IP address? If it is not, can you change it and test again.


Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"

Ayodeji is correct. The peer address on the Exp-C needs to be the public NAT IP address. Another thing to note is that it needs to be the FQDN which points to the public IP for the Exp-E. The certificate that the Exp-E is using should have this FQDN as its common name or subject alternative name, else your traversal zone will not come up.

Please rate useful posts.
New Member

George & Ayodeji,

Thanks for your reply. Exp-C is configured with the peer address expe.domain.com, which is added on the internal DNS resolving to the IP address 172.16.2.88 (Exp-E IP address in the DMZ). Also, expe.domain.com is added on the external DNS with the NAT public IP address 82.X.X.X. However, on Exp-C in the Zone section I can see that the zone is active and showing me the peer address 172.16.2.88, not 82.X.X.X, as attached.

In regard to the certificate, you are right: expe.domain.com has been in the certificate common name from day one, and the proof is that the zone is up with no problem.

BTW, if I try to add a direct public IP address, it gives me zone status Failed. I believe this is because 82.X.X.X is not part of the certificate when it was generated, although I am able to ping it from Exp-C as attached.

Thus, how can I add expe.domain.com and have it show 82.X.X.X instead of 172.16.2.88, noting that I am adding a hostname, not the public IP address directly?

Please advise; what do you think?


VIP Super Bronze

Asherif,

Change the internal DNS A record for expwe.domain.com to the public IP address of expwe, not the DMZ address. Ensure port 7001 is allowed on the firewall to expwe.

Test again.


Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"
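The three conditions raised in the last few posts (peer address must be a hostname rather than an IP literal, the hostname must appear in the Expressway-E certificate CN/SAN, and the internal A record must resolve to the public NAT address rather than the DMZ address) can be checked together before touching the zone. The following Python is an added example, not code from the thread or from Cisco; it works on resolver answers you supply as dictionaries, so it runs offline. expe.example.com stands in for the thread's expe.domain.com and 203.0.113.10 for the public 82.X.X.X address; 172.16.2.88 is the DMZ address quoted in the thread.

```python
import ipaddress

# Constructed sample values (see lead-in); not taken from a live deployment.
PEER_FQDN = "expe.example.com"
DMZ_IP = "172.16.2.88"
PUBLIC_NAT_IP = "203.0.113.10"
CERT_NAMES = ["expe.example.com"]                # CN / SAN DNS names in the Exp-E certificate
INTERNAL_DNS_BEFORE = {PEER_FQDN: DMZ_IP}        # internal A record as the thread starts
INTERNAL_DNS_AFTER = {PEER_FQDN: PUBLIC_NAT_IP}  # internal A record after the suggested change
EXTERNAL_DNS = {PEER_FQDN: PUBLIC_NAT_IP}        # what Internet clients resolve


def is_ip_literal(value):
    """True if the configured peer address is an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def name_matches(fqdn, cert_names):
    """Exact or single-label wildcard match of an FQDN against CN/SAN DNS names."""
    fqdn = fqdn.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == fqdn:
            return True
        if name.startswith("*.") and "." in fqdn and fqdn.split(".", 1)[1] == name[2:]:
            return True
    return False


def check_traversal_peer(peer, internal_dns, external_dns, static_nat_ip, cert_names):
    """Return a list of findings; an empty list means the settings are consistent.

    peer          - peer address configured in the Expressway-C traversal client zone
    internal_dns  - {fqdn: ip} as answered by the DNS server Expressway-C uses
    external_dns  - {fqdn: ip} as answered from the Internet
    static_nat_ip - address entered in Expressway-E static NAT mode (the public IP)
    cert_names    - CN and SAN DNS names in the Expressway-E server certificate
    """
    findings = []
    if is_ip_literal(peer):
        # The certificate carries DNS names, so a bare IP cannot match it and the
        # TLS traversal zone stays Failed (the behaviour described in the thread).
        findings.append(f"peer {peer} is an IP literal and cannot match the certificate names {cert_names}")
        return findings
    if not name_matches(peer, cert_names):
        findings.append(f"{peer} is not in the Expressway-E certificate CN/SAN {cert_names}")
    internal_ip = internal_dns.get(peer)
    if internal_ip is None:
        findings.append(f"{peer} does not resolve on the DNS server Expressway-C uses")
    elif internal_ip != static_nat_ip:
        # Expressway-C would connect to the DMZ address, while Expressway-E in static
        # NAT mode expects all signaling and media to arrive on the public address.
        findings.append(f"internal A record {peer} -> {internal_ip} differs from the static NAT address {static_nat_ip}")
    external_ip = external_dns.get(peer)
    if external_ip != static_nat_ip:
        findings.append(f"external A record {peer} -> {external_ip} differs from the static NAT address {static_nat_ip}")
    return findings


if __name__ == "__main__":
    print("before:", check_traversal_peer(PEER_FQDN, INTERNAL_DNS_BEFORE, EXTERNAL_DNS, PUBLIC_NAT_IP, CERT_NAMES))
    print("after: ", check_traversal_peer(PEER_FQDN, INTERNAL_DNS_AFTER, EXTERNAL_DNS, PUBLIC_NAT_IP, CERT_NAMES))
```

With the "before" data the only finding is the internal A record pointing at 172.16.2.88, which is exactly the change Ayodeji asks for; with the "after" data the list is empty. Feeding the public IP as the peer reproduces the Failed-zone case the original poster saw.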
New Member

Yup, finally this was the catch!!!!! After doing some firewall configuration and changing the DNS it worked like magic, although I'm not convinced, as I'm supposed to add the internal DNS, not the public one.

If you can elaborate on it for my reference I would appreciate it.

But really nice work, and thanks a lot for your support guys, Ayodeji & George :)

VIP Super Bronze

Asherif,

The reason for this is that, for this solution to work properly, you need to enable static NAT mode on Expressway. This is because traditional firewalls can only modify the IP headers in SIP/H.323 packets, leaving the payload/SDP portion unchanged. This implies that when an INVITE is sent to the firewall facing the internet, the source IP, i.e. the From header, will be modified to use the NATed IP address of your Expressway-E; however, the media IP address, which is usually in the SDP, will remain unchanged, hence the endpoints on the internet can't connect to this address, leaving you with one-way audio issues. This issue is resolved by enabling static NAT mode on Expressway. The Expressway will send its INVITE or H.323 setup to the firewall with the media address in the payload as the NATed IP address of expwe.

Now this introduces a new challenge. Once static NAT is enabled with the NATed IP address of expwe, it will request all signaling and media traffic to be sent to this static NAT IP address. This also means that the traversal client (expwc) must send traffic to this IP address. Hence the need to configure the traversal client with the public IP address of the expwe.

Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"
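The header-versus-SDP behaviour described in the post above, as an added example (not from the thread, from Cisco or from the Expressway product): a constructed SIP INVITE is passed through a model of a firewall that rewrites only the header block, and a check compares the Via address with the SDP c= address. The DMZ address 172.16.2.88 is from the thread; 203.0.113.10 and 198.51.100.7 are constructed stand-ins for the public NAT address and an Internet endpoint. The mismatch is the condition behind "rings but no RTP"; static NAT mode is modelled as Expressway-E writing the public address into the SDP itself.

```python
import ipaddress
import re

DMZ_IP = "172.16.2.88"          # Expressway-E DMZ address quoted in the thread
PUBLIC_NAT_IP = "203.0.113.10"  # constructed stand-in for the public 82.X.X.X address
REMOTE_IP = "198.51.100.7"      # constructed Internet endpoint
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_invite(signaling_ip, media_ip):
    """Construct a minimal SIP INVITE with an SDP body (constructed sample, not a capture)."""
    sdp = "\r\n".join([
        "v=0",
        f"o=- 1 1 IN IP4 {media_ip}",
        "s=-",
        f"c=IN IP4 {media_ip}",      # connection address the far end will send RTP to
        "t=0 0",
        "m=audio 48140 RTP/AVP 0",
        "a=rtpmap:0 PCMU/8000",
    ]) + "\r\n"
    headers = "\r\n".join([
        f"INVITE sip:7004@{REMOTE_IP}:5061;transport=tls SIP/2.0",
        f"Via: SIP/2.0/TLS {signaling_ip}:5061;branch=z9hG4bKexample",
        "From: <sip:7002@example.com>;tag=abc",
        "To: <sip:7004@example.com>",
        f"Contact: <sip:7002@{signaling_ip}:5061;transport=tls>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(sdp)}",
    ])
    return headers + "\r\n\r\n" + sdp


def header_only_nat(message, inside_ip, outside_ip):
    """Model a firewall without SIP inspection: addresses in the header block are
    rewritten to the public address, the SDP body passes through unchanged."""
    head, _, body = message.partition("\r\n\r\n")
    return head.replace(inside_ip, outside_ip) + "\r\n\r\n" + body


def media_addresses(message):
    """Return (signaling address from the top Via, set of SDP c= addresses)."""
    head, _, body = message.partition("\r\n\r\n")
    via = re.search(r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+)", head, re.M | re.I)
    conns = set(re.findall(r"^c=IN IP4 ([\d.]+)", body, re.M))
    return (via.group(1) if via else None), conns


def media_mismatch(message):
    """True when the SDP advertises an address other than the signaling address:
    the far end answers, but sends its RTP to an address it cannot reach."""
    sig_ip, conns = media_addresses(message)
    return sig_ip not in conns


def private_media(message):
    """True when any SDP connection address is RFC 1918 space, which should never
    be advertised on the Internet-facing leg."""
    _, conns = media_addresses(message)
    return any(ipaddress.ip_address(c) in net for c in conns for net in RFC1918)


def without_static_nat():
    """Expressway-E writes its DMZ address everywhere; only the headers get NATed."""
    return header_only_nat(build_invite(DMZ_IP, DMZ_IP), DMZ_IP, PUBLIC_NAT_IP)


def with_static_nat():
    """Static NAT mode: Expressway-E puts the public address into the SDP itself,
    so header-only NAT on the firewall leaves both legs in agreement."""
    return header_only_nat(build_invite(DMZ_IP, PUBLIC_NAT_IP), DMZ_IP, PUBLIC_NAT_IP)


if __name__ == "__main__":
    for label, msg in (("without static NAT", without_static_nat()), ("with static NAT", with_static_nat())):
        print(label, media_addresses(msg), "mismatch:", media_mismatch(msg))
```

The same two functions, media_addresses and media_mismatch, can be pointed at INVITEs pulled from a Wireshark export of the Internet-facing leg: a private c= address on that leg is the signature of the one-way-audio problem described above, independent of whether the firewall logs show any drops.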
New Member

Well good Explanation .

New Member

Hi Ayodeji,

Could you please guide me on how I can change the internal DNS A record for Expressway-E to a public IP address? I tried to change it to the public IP, but DNS is not resolving.

Jabber can log in from outside the enterprise network and make calls, but there is no audio and video. At present the Expressway-E is pointed at the private DMZ IP address, and this private IP is NATed to the public IP.


VIP Super Bronze

This should be done on your internal DNS server. Just create a new A record on your DNS for the FQDN of the Expressway-E. That's all.

Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"

503 Service Unavailable is usually a routing problem.

On the Expressway-C, what do you have as the peer address in the traversal client?

It should be an FQDN and should resolve to the external NAT IP (not the internal IP).

Also, make sure that the Expressway-C can ping the external NAT IP directly. Chances are that isn't working, which will cause this issue. You will need to configure NAT U-turn on the firewall to get this to work.

Please rate useful posts.
New Member

Currently, Expressway-C has the IP address 172.168.2.88 (DMZ IP address of Expressway-E) and the traversal zone is active. When trying to just add the NAT public IP address it gives me Failed. Thus, I'll try to do the NAT U-turn feature and let you know the update.

VIP Super Bronze

Do you have any update on this? Have you configured NAT U-turn?

Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"
New Member

Hello,

I have configured the NAT U-turn but am still unable to ping from Expressway-C to the public IP address.

Information
---------------

PUBLIC IP:        82.205.255.94   interface outside
PDMZ1 Server IP:  172.16.2.88     interface pdmz1
Inside Server IP: 10.0.17.233     interface inside
                  10.0.17.234
                  10.0.17.235
                  10.0.17.236

Please help.

VIP Super Bronze

As George said, please send us Jabber logs. Have you also verified that your external SRV records are working, i.e. your _collab-edge._tls record?

Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"