Solved: Jabber and Expressway - MRA success for IM but not for VoIP

JOHN DELANEY · ‎07-03-2017

I am working on a deployment of Jabber MRA over Expressway.

Our deployment has a single Expressway E and Expressway C.
Expressway E has a public IP address.
_collab-edge A record is present in External DNS. \
_uds and _cuplogin records are present in internal DNS.
NSLOOKUP verifies the correct return of the DNS records internally and externally.
A Jabber client connecting internally gets all services voice and IM.
A Jabber client connecting externally can get IM services but no VoIP service.

I've looked through the Expressway E Logs and see the below error but I'm not sure where to go for resolution. Any suggestions will be appreciated.

I can provide any additional information or logs needed but I'd really appreciate any help that someone can offer.

Thanks,

John D.

=================================================================================================

2017-07-03T11:24:47-05:00 redbird tvcs: UTCTime="2017-07-03 16:24:47,407" Module="network.sip" Level="INFO": Action="Received" Local-ip="10.0.8.30" Local-port="25001" Src-ip="207.##.###.###" Src-port="7001" Detail="Receive Response Code=401, Method=OPTIONS, CSeq=9530, To=sip:207.##.###.###:7001, Call-ID=6890d9b42ce507e3@10.0.8.30, From-Tag=6776b7a6e7610616, To-Tag=987ca88bca91036a, Msg-Hash=18346028867299558293"
2017-07-03T11:24:47-05:00 redbird tvcs: UTCTime="2017-07-03 16:24:47,407" Module="network.sip" Level="DEBUG": Action="Received" Local-ip="10.0.8.30" Local-port="25001" Src-ip="207.##.###.###" Src-port="7001" Msg-Hash="18346028867299558293"
SIPMSG:
|SIP/2.0 401 Unauthorised
Via: SIP/2.0/TLS 10.0.8.30:5061;branch=z9hG4bK21cb2c0c15b004d428e0dfd8937f2d4760711;received=10.0.8.30;rport=25001
Call-ID: 6890d9b42ce507e3@10.0.8.30
CSeq: 9530 OPTIONS
From: <sip:10.0.8.30>;tag=6776b7a6e7610616
To: <sip:207.##.###.###:7001>;tag=987ca88bca91036a
Server: TANDBERG/4132 (X8.7.1)
WWW-Authenticate: Digest realm="TraversalZone_Woodsmill_Redbird", nonce="2892c70268bd629aec61b50722ecfa0f1a155f7e259ed904c63d2ab74677", opaque="AQAAABNoo8jUrixAWt3j4l8ZeiQBP4SN", stale=FALSE, algorithm=MD5, qop="auth"
Content-Length: 0

Randy Valverde Rojas · ‎07-03-2017

John,

So there seems to be a TCP connectin timeout on 5061 which ould explain why there is no register.

I see the port is opened but I see the following on the logs:

2017-07-03T16:31:32-05:00 woodsmill tvcs: UTCTime="2017-07-03 21:31:32,283" Module="network.tcp" Level="DEBUG": Src-ip="68.188.58.194" Src-port="10190" Dst-ip="207.###.###.###" Dst-port="5061" Detail="TCP Connecting"
2017-07-03T16:31:32-05:00 woodsmill tvcs: UTCTime="2017-07-03 21:31:32,283" Module="network.tcp" Level="DEBUG": Src-ip="68.188.58.194" Src-port="10190" Dst-ip="207.###.###.###" Dst-port="5061" Detail="TCP Connection Established"

2017-07-03T16:31:36-05:00 woodsmill tvcs: UTCTime="2017-07-03 21:31:36,097" Module="network.tcp" Level="DEBUG": Src-ip="68.188.58.194" Src-port="50670" Dst-ip="207.###.###.###" Dst-port="5061" Detail="TCP Connection Closed" Reason="Timeout"

The messages are almost immediate, captures were not taken but my guess is that the TCP connection is not happen properly.

The phone would send a SYN to which the expressway would respond with a SYN ACK at which point it will display the "connection established" though the phone needs to send an ACK still, if that is not received by the server then it could generate a timeout.

Alternatively, the phone might be the one closing the connection if it established properly but never received a response to a register (that he might have send but was not received by the server).

You might want to look at captures to see exactly what happens but you can also check if SIP packet inspection (ALG) is enaled on the firewall and try disabling it, we usually recommend this to be off.

Hope that helps!

View solution in original post

Randy Valverde Rojas · ‎07-03-2017

John,

If only phone services are failing you will want to check a couple things.

First make sure that port 5061 is opened from the internet to the EXP-E, you can use the tool below to check port availability based on the domain (external domain).

https://cway.cisco.com/tools/SrvRecord/

If that shows to be opened, look at the logs of the EXP-E and look for the register message coming from the Jabber, you can look for it based on the line or username.

The EXP-E will convert that into a Service message which will send to the EXP-C before forwarding the register, this service is to verify the credentials provided on the register.

If the EXP-C gets the register (after accepting the service), make sure it is forwarded to CUCM.

From the CUCM side it should be a standard registration.

Also make sure both the device and the line are associated to the user and that you have the correct phone created (ie CSF for jabber desktop, TCT for iPhone, BOT for Android etc)

Logs would be very helpful.

JOHN DELANEY · ‎07-03-2017

Thank you for the quick reply: Here's the output from the tool you sent the link for:

================================================================

The following SRV records were successfully found:

_collab-edge._tls.xxxx.net: 0 5 8443 woodsmill.xxxx.net.
_xmpp-server._tcp.xxxx.net: 1 7 8443 woodsmill.xxxx.net.

The following SRV records were not found:

_h323ls._udp.xxxx.net
_sip._udp.xxxx.net
_h323cs._tcp.xxxx.net
_sip._tcp.xxxx.net
_sips._tcp.xxxx.net
_cisco-uds._tcp.xxxx.net
_cuplogin._tcp.xxxx.net

Successful TCP Connections:

TCP port(s) 8443, 5222, 5061, 8443, 5222 at 207.86.239.246 woodsmill.xxxx.net.

Failed TCP Connections:
Please make sure the following ports are opened on the firewall.

The following well-known ports were found to be open:
For security purposes, it is best practice to have these ports blocked on the firewall.

=================================================================

I've attached logs from the E & C Expressway servers. I searched in those logs for the word register but found no occurrences.

Randy Valverde Rojas · ‎07-03-2017