Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Could not establish TLS connection on port 7001 - "unable to get local issuer certificate"

tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="" Src-port="29127" Dst-ip="<Public IP>" Dst-port="7001" Detail="unable to get local issuer certificate" Protocol="TLS" Common-name="ewe.<domainname>.com" Level="1" UTCTime="2014-11-12 12:48:20,071" 2014-11-12T15:48:05+03:00

Getting above error on Expressway-C server while establishing TLS connection with Expressway-E in DMZ. I have enabled static NAT on Expressway-E and give the Public IP on peer address of Expressway-C. At that time, i was getting DNS resolution error  on Expressway-C so we added a host record on local DNS for Public IP. Later, I created CSR from both Expressway C & E server and ask local microsoft team to issue Local CA certificates. After uploading, i was getting above error (Failed to establish TLS). Also i have uploaded company (wilcard) Public certificates (issued from Geotrust) and we are getting the samer error and Expressway server could not establish TLS connection on port 7001. Firewall connections are done and i double checked it. 

Expressway ver 8.2


Assuming that the peer

Assuming that the peer address specified on the Exp-C is a FQDN of the Exp-E, does that FQDN exist in the certifcate subject name or SAN of the certificate that was installed on Exp-E? Also, were the root certificates and intermediate certificates (if applicable) or the CA uploaded to the Exp-C/E?

Note: Wildcard certs will not work in this case.

Please rate useful posts.
Community Member

Yes, Exp-C > Peer Address

Yes, Exp-C > Peer Address (FQDN of Exp-E)

Certificate of Exp-E -> When generating CSR from Exp-E, automatically FQDN (Exp-E(hostname) will be shown. Then this CSR will be send to local CA or Public CA to generate a certificate. OR you meant to say in Exp-E CSR we need to add FQDN of Exp-C server also in alternative name and vice versa too.

Yes, root certificates & intermediate certificates are uploaded to trusted CA.

No FQDN of Exp-C is not

No FQDN of Exp-C is not required as SAN on Exp-E. Did you put the FQDN of the Exp-C in the Subject verify name under the traversal zone on the Exp-E? Does the cert have client authentication attributes?
Please rate useful posts.
Community Member

OK. Yes, I put the FQDN. Yes

OK. Yes, I put the FQDN. Yes cert have client authentication attributes.

Ok, it sounds like you have

Ok, it sounds like you have everything configured but its still complaining about not able to see the issue certificates. If you can post screenshots of the traversal zone/client configurations here, that would be great else you might have to open a TAC to troubleshoot this further. You could also take a packet capture and look at the certificates being presented to make sure you are seeing what is expected.

Please rate useful posts.
Community Member

I was seeing a similar error

I was seeing a similar error on my Expressway-E, C deployment.  Turned out that I needed to have the public intermediate CA installed before root CA.  Once I corrected the order in the Trusted CA certificate store, the UC traversal zone was able to establish a connection between E and C.

I was having the same issue,

I was having the same issue, with GeoTrust cert, then I opened the VCS-E with Firefox, exported all the certificate chain to different pem files accordingly and imported them to the VCS-C. Worked just fine. Somehow I was not able to match the GeoTrust root cert from their website...

CreatePlease to create content