Mobile Remote Access via Expressway -> Jabber can't connect from the Outside
We're deploying the Mobile Remote Access via Cisco Expressway solution using the Expressway-E and Expressway-C in a VM environment on version X8.1.1, and I feel we're almost good to go. The traversal zones (using IP addresses) are active in both the ExpC and ExpE.
The problem is that I can't log in from the outside; it says that it could not find network services. On the inside, everything works well.
This is the deal:
- internal domain: acme.corp (private)
- external domain: acme.com.br (public)
When I sign in internally, I use firstname.lastname@example.org in Jabber's login screen and everything works fine! Without any other configuration I am able to log in and call other directory numbers.
When I try to sign in externally, the email@example.com gives me a timeout, so I change it to firstname.lastname@example.org, the certificate is prompted, and a few moments after accepting it I get the "could not find services" error message.
Do I have to try both logins when on the inside/outside of the corporate network?
I haven't made any changes in the jabber-config.xml file. Is it necessary on version X8.1.1?
I'm thinking about certificate problems. Reading the guide, I got a little confused on the certificate exchange:
1) Generate CSR -> OK
2) Add UC Domain (domain.com) and XMPP server information -> ??? Meaning the "Additional alternative names (comma separated)" and "Unified Communications domains" and "IM and Presence chat node aliases", right?
In our deployment we don't use FQDNs for the CUCM, CUC and CUP services; we're starting to use FQDNs with the deployment of the Expressway solution. Anyway, the CUCM PUB is 192.168.40.100, CUCM SUB 192.168.40.101, CUC 192.168.40.102 and CUP 192.168.40.104. EXPC is 192.168.40.106 and EXPE (single NIC, on a stick, without NAT) is 184.108.40.206 (example).
On the outside:
- _collab-edge._tls.acme.com.br is SRV resolved to exp.acme.com.br 8443 -> OK!
- exp.acme.com.br is A resolved to 220.127.116.11 -> OK!
On the inside:
- _cisco-uds._tcp.acme.corp is SRV resolved to 192.168.40.100 -> OK!
- _cuplogin._tcp.acme.corp is SRV resolved to 192.168.40.104 -> OK!
- exp.acme.corp is A resolved to 192.168.40.106 -> OK!
Generating the CSR on ExpC I get 'conference-2-StandAloneClusterb7095.acme.corp' auto-filled in the 'IM and Presence Chat Node Aliases'.
Generating the CSR on ExpE I get 'exp.acme.corp' auto-filled in the 'Unified Communications domain'.
How do I properly fill in these fields when generating the CSR? We're using OpenSSL to act as CA and sign the CSRs.
About the CUCM, CUC and CUP certificates, do they have to be imported into ExpE and/or ExpC? Which certificate? tomcat.pem or tomcat-trust.pem?
Thanks for sharing this link. The sample configuration that you shared with the link has been the most straightforward so far compared to looking through all the MRA documents for 8.2. Much appreciated!
Did you get your issue resolved? I am having the same issue. I cannot seem to connect from the outside. If I put in the wrong password for a user, I get the wrong-password notification, but I cannot seem to connect and I get "cannot communicate with the server".
Make sure if you have the Advanced Networking Option key on the Expressway-E, and you are not making use of the second interface that the "Use dual network interfaces" is set to no. I found that having this set to yes but with no active connection on the second interface, did not impact normal operation or VC calls but it caused the MRA to fail with similar "cannot communicate with the server" errors.
I had the same issue and this discussion was very helpful for me - https://supportforums.cisco.com/discussion/12416861/cannot-connect-server-jabber-issue-when-login-expressway-e
Especially this configuration example - http://www.cisco.com/c/en/us/support/docs/unified-communications/expressway-series/117811-configure-vcs-00.html?mdfid=286255326
You can read my comment and find my mistakes; it may be helpful:
"I had the same issue and Paul gave me the right direction.
I followed his link with that configuration example, and in my case I hadn't configured 2 different domains at the VCS Expressway - one for the external domain, another for the internal domain where IM&P resides. That was the first mistake; the second was the DNS misconfiguration described in the previously mentioned configuration example."
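The DNS layout discussed in this thread (the SRV and A records listed in the question, and the DNS misconfiguration mentioned in the reply above) can be sanity-checked offline. The following is an added example, not code from any poster or from Cisco: the record sets are constructed from the names in the question, the internal SRV port is assumed, and the rules (no `_cisco-uds` record resolvable outside, SRV targets are host names per RFC 2782) are assumptions about the usual MRA DNS expectations rather than statements from the thread.

```python
import ipaddress

# Constructed sample data using the names from the question. "srv" maps an
# SRV name to (target, port); "a" maps a host name to its address.
EXTERNAL = {
    "srv": {"_collab-edge._tls.acme.com.br": ("exp.acme.com.br", 8443)},
    "a": {"exp.acme.com.br": "220.127.116.11"},
}
INTERNAL = {
    "srv": {  # port 8443 is assumed; the question does not state it
        "_cisco-uds._tcp.acme.corp": ("192.168.40.100", 8443),
        "_cuplogin._tcp.acme.corp": ("192.168.40.104", 8443),
    },
    "a": {"exp.acme.corp": "192.168.40.106"},
}

def is_ip(value):
    """True when value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_view(view, zone, domain):
    """Return a list of findings for one DNS view ('external' or 'internal')."""
    findings = []
    srv, a = zone["srv"], zone["a"]
    edge = f"_collab-edge._tls.{domain}"
    uds = f"_cisco-uds._tcp.{domain}"
    if view == "external":
        if edge not in srv:
            findings.append(f"missing {edge}")
        elif srv[edge][1] != 8443:
            findings.append(f"{edge} uses port {srv[edge][1]}, expected 8443")
        if uds in srv:
            # Assumed rule: a client that can resolve _cisco-uds treats
            # itself as on-premises and does not try the Expressway-E.
            findings.append(f"{uds} must not resolve externally")
    elif uds not in srv:
        findings.append(f"missing {uds}")
    for name, (target, _port) in srv.items():
        if is_ip(target):
            findings.append(f"{name} targets an IP address, not a host name")
        elif target not in a:
            findings.append(f"{name} target {target} has no A record")
    return findings
```

Run against the constructed data, the external view passes and the internal view reports both SRV records as pointing at IP addresses instead of host names.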