Solved: Hi,I'm assuming you have the

Andrew M12 · ‎05-09-2014

Have deployed an Expressway-C on the internal and Expressway-E on the DMZ, followed the config guide here, have checked it through 4-5 times now and satisfied everything is configured correctly

www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Mobile-Remote-Access-via-Expressway-Deployment-Guide-X8-1-1.pdf

CUCM version is 9.1(2)

IM + P version is 9.1(1)

Jabber for Windows is 9.7

Jabber for Iphone/Android is 9.6

All Jabbers connect fine inside the network, when on the outside they reach the Expressway-E ok but then get an error “Cannot locate server. Check your server address. If the problem persists, contact your system administrator. Send problem report”

When checking the problem report I see this output on all failed connections (Iphones and Androids)

05-08 16:22:08.863 32374 32374 I         : INFO [0x40028ffc] [ts/adapters/imp/components/Login.cpp(90)] [imp.service] [OnLoginError] - ****************************************************************
05-08 16:22:08.863 32374 32374 I         : INFO [0x40028ffc] [ts/adapters/imp/components/Login.cpp(91)] [imp.service] [OnLoginError] - OnLoginError: (data=0) LERR_JABBER_UNREACHABLE <14>:
05-08 16:22:08.863 32374 32374 I         : INFO [0x40028ffc] [ts/adapters/imp/components/Login.cpp(92)] [imp.service] [OnLoginError] - ****************************************************************

I looked up LERR_JABBER_UNREACHABLE and found this blog about it being a bug for Jabber over VPN which is the opposite of Mobile Remote Access, however I still tried the workaround for the bug but it didn't help

http://blog.prorouting.com/2013/12/cisco-jabber-on-iphone-through-asa-vpn.html

Checking on the Expressway-C under Status>Unified Communications I do see an error about Inactive Jabber on the Expressway-E so unsure if this is the cause. Could find no info on this error message in the setup guide or on google

(note – the 2 alarms bubble is just about how I haven’t changed the default passwords, no alarms relating to this Inactive Jabber)

Has anyone else seen this problem yet and knows how to resolve it?

heathrw · ‎05-12-2014

How is your expressway E configured? is it dual interface? Does your MRA Traversal zone point to the DNS name of the expressway E?

View solution in original post

heathrw · ‎05-11-2014

Hi,

I'm assuming you have the DNS records set for the external server and have all the ports allowed, forwarded, NAT, etc you should be running Jabber 9.6.1.

Check that any protocol fixup on the ASA is disabled for SIP, XMPP, etc.. you can do a TCP dump on the ExpresswayE and set level logging to 2 to see what is happening on that side.

How does your MRA Traversal zone look like?

I cannot see any attachments, could be my browser is there any?

Andrew M12 · ‎05-12-2014

Hello Heathrw,

Yes the internal DNS has 2 SRV records of _cisco-uds._tcp. and _cuplogin._tcp. as well as the 2 A records for both the C and the E's private IP

The external DNS has _collab-edge._tls. as well as A record for the E's public IP

I've had 3 different security engineers (ranging from CCNP to CCIE) confirm the ASA's configuration but I'll check on protocol fixup and try that logging you mentioned.

The MRA traversal zone looks just like the guide asks me to set it up

The picture of the error was in the body of my text but doesn't seem to have applied, I have uploaded it as an attachment now

thanks for the reply

Andrew M12 · ‎05-12-2014

Have removed the domain and username output in logs below, replacing with X or Y

Am seeing a failure to authenticate SASL as well as a features query error, possibly linked together.

Unsure what the SASL is trying to authenticate, whether it is the traversal zone or the user trying to log in or something else...

Soon after it I see some authentication messages between the C and E about the traversal zone however which result in being ok

2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E XCP_CM[8931]: UTCTime="2014-05-12 08:46:56,164" ThreadID="139744777799424" Module="cm-1.XXX-vp-expressway-e-XXX-co-uk" Level="INFO " CodeLocation="SASLManager.cpp:198" Detail="Failed to query auth component for SASL mechanisms"

2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E XCP_CM[8931]: UTCTime="2014-05-12 08:46:56,164" ThreadID="139744660883200" Module="cm-1.XXX-vp-expressway-e-XXX-co-uk" Level="ERROR" CodeLocation="DomainFeaturesManager.cpp:152" Detail="DomainFeaturesManager::features query error for : XXX.co.uk"

2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,753" Module="network.sip" Level="INFO": Action="Received" Local-ip="172.X.X.X" Local-port="7001" Src-ip="10.Y.Y.Y" Src-port="25004" Detail="Receive Request Method=OPTIONS, CSeq=28081, Request-URI=sip:172.X.X.X:7001;transport=tls, Call-ID=f7e3af645ee998e9@10.Y.Y.Y, From-Tag=2f10dd3518cad68f, To-Tag=, Msg-Hash=14098966125509972495"

2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,753" Module="network.sip" Level="DEBUG": Action="Received" Local-ip="172.X.X.X" Local-port="7001" Src-ip="10.Y.Y.Y" Src-port="25004" Msg-Hash="14098966125509972495"

2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,754" Module="network.sip" Level="INFO": Action="Sent" Local-ip="172.X.X.X" Local-port="7001" Dst-ip="10.Y.Y.Y" Dst-port="25004" Detail="Sending Response Code=401, Method=OPTIONS, CSeq=28081, To=sip:172.X.X.X:7001, Call-ID=f7e3af645ee998e9@10.Y.Y.Y, From-Tag=2f10dd3518cad68f, To-Tag=819b36e2f3c222b7, Msg-Hash=17817441136054781472"

2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,754" Module="network.sip" Level="DEBUG": Action="Sent" Local-ip="172.X.X.X" Local-port="7001" Dst-ip="10.Y.Y.Y" Dst-port="25004" Msg-Hash="17817441136054781472"

SIPMSG:

|SIP/2.0 401 Unauthorised

Via: SIP/2.0/TLS 10.Y.Y.Y:5061;branch=z9hG4bK7d87f780748bb749e65bef3e4c60d31d34379;received=10.Y.Y.Y;rport=25004

Call-ID: f7e3af645ee998e9@10.Y.Y.Y

CSeq: 28081 OPTIONS

From: <sip:10.Y.Y.Y>;tag=2f10dd3518cad68f

To: <sip:172.X.X.X:7001>;tag=819b36e2f3c222b7

Server: TANDBERG/4129 (X8.1.1)

WWW-Authenticate: Digest realm="Traversal Zone", nonce="48a20b8be6eed34f905363cef53ccaf63d596abe463f58ba6c54a08760e9", opaque="AQAAAG3g/LmPkasxRpJLo5MJWrE10cB4", stale=FALSE, algorithm=MD5, qop="auth"

Content-Length: 0

SIPMSG:

|OPTIONS sip:172.X.X.X:7001;transport=tls SIP/2.0

Via: SIP/2.0/TLS 10.Y.Y.Y:5061;branch=z9hG4bKedc5a9fb4c1bd6743e4a14dfdcece49a34380;rport

Call-ID: f7e3af645ee998e9@10.Y.Y.Y

CSeq: 28082 OPTIONS

From: <sip:10.Y.Y.Y>;tag=2f10dd3518cad68f

To: <sip:172.X.X.X:7001>

Max-Forwards: 0

User-Agent: TANDBERG/4129 (X8.1.1)

Authorization: Digest nonce="48a20b8be6eed34f905363cef53ccaf63d596abe463f58ba6c54a08760e9", realm="Traversal Zone", opaque="AQAAAG3g/LmPkasxRpJLo5MJWrE10cB4", algorithm=MD5, uri="sip:172.X.X.X:7001;transport=tls", username="expressway", response="780a1b48c345125fa7e6e8b0cb262991", qop=auth, cnonce="042b40a92c13d613cb9569cc2e69a6222e98f2c95b2c5a5fdebaa4926748", nc=00000001

Supported: com.tandberg.vcs.resourceusage

Content-Type: text/xml

Content-Length: 463

<?xml version="1.0" encoding="utf-8"?> <info><resourceusageinfo><traversalcallsavailable>300</traversalcallsavailable><nontraversalcallsavailable>1500</nontraversalcallsavailable><registrationsavailable>0</registrationsavailable><turnrelaysavailable>0</turnrelaysavailable></resourceusageinfo><timestamp>1399884416</timestamp><media><encryption><mode>on</mode></encryption></media><domains><domain>XXX.co.uk</domain></domains><edge><state>on</state></edge></info>|

2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,756" Module="network.http" Level="DEBUG": Message="Request" Method="POST" URL="http://127.0.0.1:9998/credential/name/expressway" Ref="0x7fcdf60b70a0"

2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,760" Module="network.http" Level="DEBUG": Message="Response" Src-ip="127.0.0.1" Src-port="9998" Dst-ip="127.0.0.1" Dst-port="32930" Response="200 OK" ResponseTime="0.003693" Ref="0x7fcdf60b70a0"

2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,760" Module="network.ldap" Level="INFO": Detail="Authentication credential found in directory for identity: expressway"

2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,761" Module="network.sip" Level="INFO": Action="Sent" Local-ip="172.X.X.X" Local-port="7001" Dst-ip="10.Y.Y.Y" Dst-port="25004" Detail="Sending Response Code=200, Method=OPTIONS, CSeq=28082, To=sip:172.X.X.X:7001, Call-ID=f7e3af645ee998e9@10.Y.Y.Y, From-Tag=2f10dd3518cad68f, To-Tag=82153555b5b47f6b, Msg-Hash=8520717247879337074"

2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,761" Module="network.sip" Level="DEBUG": Action="Sent" Local-ip="172.X.X.X" Local-port="7001" Dst-ip="10.Y.Y.Y" Dst-port="25004" Msg-Hash="8520717247879337074"

SIPMSG:

|SIP/2.0 200 OK

Via: SIP/2.0/TLS 10.Y.Y.Y:5061;branch=z9hG4bKedc5a9fb4c1bd6743e4a14dfdcece49a34380;received=10.Y.Y.Y;rport=25004

Call-ID: f7e3af645ee998e9@10.Y.Y.Y

CSeq: 28082 OPTIONS

From: <sip:10.Y.Y.Y>;tag=2f10dd3518cad68f

To: <sip:172.X.X.X:7001>;tag=82153555b5b47f6b

Server: TANDBERG/4129 (X8.1.1)

Supported: com.tandberg.vcs.resourceusage,path,outbound,gruu

Content-Type: text/xml

Content-Length: 540

heathrw · ‎05-12-2014

How is your expressway E configured? is it dual interface? Does your MRA Traversal zone point to the DNS name of the expressway E?

Andrew M12 · ‎05-12-2014

Hi Heathrw

It is single interface, see my last post. Thanks for your input, appreciate it

heathrw · ‎05-12-2014

Good work. Glad is all working.

ilana_ilana · ‎02-17-2016

Hello,

We have vcs-e connected with dmz interface of firewall & vcs-c in internal network.

1- From documentation "Expressway-E sits in the DMZ network and is NATed to a publically routable IP". We have only one public IP on outside interface of Cisco firewall & its NATed (actullay its PATed) to multiple private IP. In this scenario, what ip address should we use in public DNS A Record and in VCS-E under IPv4 static NAT address ?

Public ip (of firewall outside interface) or the private IP (NATed in firewall)?

We have redundant CUCM, single Unity Connection and single IM&P and from vcs, single vsc-c and single vcs-e.

Regards

Vinh Phan Le Tien · ‎02-17-2016

Dear ilana_ilana.

You must use public ip for public DNS A record.

Private IP can't be use in Internet enviroment.

Thanks!

ilana_ilana · ‎02-18-2016

Thank vinh

Got it.

What about IPv4 static nat address option in vcs-e ? Public or private NATed ip ?

Vinh Phan Le Tien · ‎02-18-2016

Public IP too.

You configure it on External Interface

ilana_ilana · ‎02-20-2016

Thank you so much for help.

Regards

ilana_ilana · ‎02-23-2016

Hello,

I am bit confuse in configuring SRV Record as our internal DNS and external DNS are different. I have configured following can someone verify please.

Internal DNS = abc.local

SIP Domain = abc.local

External Domin = abc.com

DNS Records for INTERNAL DNS
_cisco-uds._tcp.abc.local. SRV 10 10 8443 CUCMPUB.abc.local
_cuplogin._tcp.abc.local. SRV 10 10 8443 CUCMIMP.abc.local
CUCMPUB.abc.local. IN A 192.168.10.6
CUCMIMP.abc.local. IN A 192.168.10.9

DNS Records for PUBLIC DNS
_collab-edge._tls.abc.local. SRV 10 10 8443 EXPe1.abc.local
EXPe1.abc.local. IN A 87.23.50.47

Regards,

Andrew M12 · ‎02-23-2016

1 - According to your config, you're not advertising your abc.com anywhere internally or externally

2 - you should open your own support forum entry, it does not relate to the issue on this thread and makes the whole thing hard to read and follow

3 - or search the support forums for people with your exact requirement/issue. Here are two links for you

Someone with your issue

https://supportforums.cisco.com/discussion/12348931/expressway-configuration

Official Cisco doc with your issue

( "This document describes how to configure the Cisco TelePresence Video Communication Server (VCS) for Mobile Remote Access (MRA) when multiple domains are used.")

http://www.cisco.com/c/en/us/support/docs/unified-communications/expressway-series/117811-configure-vcs-00.html#anc10

kind rgds

Andrew (TigrePojke)

ilana_ilana · ‎02-25-2016

Thanks Andrew for advise and links.

Apologize to ask wrong question on this thread.

Will open another thread for additional question.

Mobile Remote Access Expressway - Inactive Jabber