VCS-E Not forwarding provisioning request from Jabber to VCS-C

abertram
Level 5

Hello, I recently had to move a VCS-C and VCS-E to new segments on the network.  VCS-C went to another internal vlan and the VCS-E went to a new DMZ interface of the firewall.  Everything worked fine prior to this change but to facilitate the change I had to obviously change the IPs on the appliances and also update the Traversal IP address on the VCS-C for the Traversal Zone.  After these changes I'm unable to register Jabber Video clients anymore.  They can register fine to the VCS-C but when I do a debug level log for network.sip on the VCS-E I see the provisioning@domain.com SUBSCRIBE request come to the VCS-E but it immediately rejects with a 404 Not Found.  I don't see the request sent to the VCS-C via Traversal Zone nor do I see the receipt of this request on the VCS-C.  H323/SIP registration is active for the traversal.  Also outbound communication to external codecs works.  I've deleted and re-created Traversal Zones on both appliances as well as recreated search rules with no luck.  Almost as if after the IP address change the VCS-E is holding on to something invalid or not listening to its search rules.  I have the generic "any" "any" rule to send all requests to the traversal zone as well as the standard DNS search rule after that.  I've disabled all but the traversal zone search rule with no luck there either.  Appears to not even try to send to VCS-C.

Any suggestions are appreciated.


Paulo Souza
VIP Alumni

Hi,

Is the traversal zone up? VCS does not route calls to a zone if the status is failed. Can you confirm that you don't have the option key "Provisioning" installed on VCSe? Are you using "authentication required" in any of the zones in VCSe?

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".


Yes traversal zone is up for h323 and sip.  No authentication on DZ, DSZ, TZ on the VCS-E.  Check auth on TZ, DZ, and DSZ on the VCS-C to challenge the provisioning request that "should" come from VCS-E.  No provisioning key installed on VCS-E.

Hi,

When you raise network.sip to debug, when you go to Network Log page, if you find the SUBSCRIBE message received from the endpoint in the log, right after that message, you should see some logs with the module "network.search", normally some messages saying "network.search Considering search rule XXXXXX" or "Search rule does not match XXXX". Do you have this kind of message in your VCSe for the jabber registration attempt? Can you share?

Regards

Paulo Souza


Hi Paulo,  When I set diagnostic logging to debug level and try again and look at the log I do not see any entries for the network.search function.  Also if I turn on debug for network.search directly and try again I again see no entries for the test.  Thus why I feel like it's not trying to search at all for some reason.

Yeah! You should have this network.search log.

Well, as it seems to be a strange behavior, I will suggest you a way to test. The search rules on VCS are not the only way to route SIP messages, in fact, you can create SIP route patterns in VCS that will be considered before any transform or search rules.

For example, if you go to your VCS Control and type the command:

xconfiguration sip routes

the output will be three SIP routes used by VCS to forward provisioning message from Jabber clients to the local provisioning server running on VCS Control. My suggestion is, create the same SIP routes in VCS Expressway, but set the destination address and port as being the IP of VCS Control and the port used by VCS Control to communicate to VCS Expressway via traversal zone (you can see the ports used by VCS Control in the status section of the "traversal zone" page).

The command to add SIP route is xcommand SipRouteAdd

Can you try that?

Of course, that is just for test, that is not the correct way for the communication to work between VCSC and VCSE.

Regards

Paulo Souza


This is the full command you can apply to VCSe:

xcommand SIPRouteAdd Method: "SUBSCRIBE" RequestLinePattern: ".*@(%localdomains%|%ip%)" HeaderName: "Event" HeaderPattern: "ua-profile.*" Authenticated: Off Address: "127.0.0.1" Port: 22410 Transport: TLS Tag: "VCSProvisioningServer"

Replace the 127.0.0.1 by the IP address of VCS Control. Replace 22410 by the port used by VCS Control to communicate with VCS Expressway. You can take this port from the traversal zone configuration page in VCSe, take a look at the lower part of the page, you will see something like:

Connection 1          H.323: Active: 172.28.42.202:1719

Connection 2          SIP: Active: 172.28.42.202:25661

In this case, route to the SIP port. In the above example it is 25661. Or you can try to use the port 5061, the common SIP port used by VCS. In this case, VCSe will forward the provisioning message to VCSc, and the message will ingress through Default Zone of VCS Control, so make sure that this zone is configured as "Check credentials" (I guess it is already configured this way).

Can you try that?

Regards

Paulo Souza


Thanks I will give that a try tomorrow morning and let you know. Thanks.


Ok. 

Paulo Souza


Hi,

I just did a test with the above suggestion, the result was ok. By using SIP routes alone (without transforms and search rules), I was able to properly route provisioning messages from VCSe to VCSc. I think this is going to work for you as well.

In my test, I created the SIP routes using the port 5061, because when I tried to send to the same port used in traversal zone, I got a "TCP connection error" message. So I suggest you use port 5061 as well. So, the full command applied to VCSE is:

xcommand SIPRouteAdd Method: "SUBSCRIBE" RequestLinePattern: ".*@(%localdomains%|%ip%)" HeaderName: "Event" HeaderPattern: "ua-profile.*" Authenticated: Off Address: "172.XX.XX.XXX" Port: 5061 Transport: TLS Tag: "VCSProvisioningServer"

In VCS Control, my default zone is configured to "Check credentials".

Regards

Paulo Souza


Hi Paulo,

Well I tried the SIP route on the VCSE this morning and it didn't seem to make a difference.  Also tried it with all transforms and search rules disabled.  Still producing the 404 Not Found without searching or trying to send to the VCS Control.  DZ on VCSC is confirmed to have check credentials set.  Also no CPL on the VCSE.  Here is the sip route I placed in the VCSE

xconfiguration sip Routes

*c xConfiguration SIP Routes Route 1 Method: "SUBSCRIBE"

*c xConfiguration SIP Routes Route 1 Request Line Pattern: ".*@(%localdomains%|%ip%)"

*c xConfiguration SIP Routes Route 1 Header Name: "Event"

*c xConfiguration SIP Routes Route 1 Header Pattern: "ua-profile.*"

*c xConfiguration SIP Routes Route 1 Authenticated: Off

*c xConfiguration SIP Routes Route 1 Address: "10.1.14.12"

*c xConfiguration SIP Routes Route 1 Port: 5061

*c xConfiguration SIP Routes Route 1 Transport: TLS

*c xConfiguration SIP Routes Route 1 Tag: "VCSProvisioningServer"

I've attached the debug diagnostic log.  I just changed the customer domain to "domain.com" and the public IP source I'm testing from to 4.4.4.4.  VCSC is 10.1.14.12 and VCSE is 10.1.91.12.

-Adam

Hi Adam,

The SIP route uses the pattern with variable %localdomains%, which matches all SIP domains configured in your VCS. So make sure that the SIP domain used in the provisioning message is really created in VCSe, otherwise, the SIP message won't match SIP route.

Another point is, is your firewall allowing VCSe to communicate to VCSc in the port 5061 using TLS? As this is not the correct way to send provisioning message, you probably don't have this port opened. Can you check?

I will take a look at the logs to see what I get.   =)

Regards

Paulo Souza
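
Added example, not part of the original replies and not Cisco's code: a small Python check of whether a captured SUBSCRIBE would satisfy the SIP route fields quoted in this thread, listing each field that fails. It assumes the Request Line Pattern is matched in full against the Request-URI and that %localdomains% and %ip% expand to the SIP domains and IP addresses configured on the VCS; the sample message is constructed.

```python
import re

# Route fields as given in the xcommand SIPRouteAdd line in the thread.
ROUTE = {"method": "SUBSCRIBE", "request_line_pattern": r".*@(%localdomains%|%ip%)",
         "header_name": "Event", "header_pattern": r"ua-profile.*"}

# Constructed SUBSCRIBE using the thread's anonymised domain and source IP.
SAMPLE = (
    "SUBSCRIBE sip:provisioning@domain.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 4.4.4.4:5061;branch=z9hG4bK-constructed\r\n"
    "From: <sip:user@domain.com>;tag=constructed\r\n"
    "To: <sip:provisioning@domain.com>\r\n"
    "Call-ID: constructed-1@4.4.4.4\r\n"
    "CSeq: 1 SUBSCRIBE\r\n"
    "Event: ua-profile;model=constructed\r\n"
    "Content-Length: 0\r\n\r\n"
)

def expand(pattern, local_domains, ips):
    """Replace %localdomains% and %ip% with escaped alternations (assumed semantics)."""
    def alt(values):
        # An empty list must match nothing rather than everything.
        return "(?:" + "|".join(re.escape(v) for v in values) + ")" if values else "(?!)"
    return pattern.replace("%localdomains%", alt(local_domains)).replace("%ip%", alt(ips))

def parse_request(raw):
    """Return (method, request_uri, headers) from the head of a raw SIP request."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def route_mismatches(raw, route, local_domains, ips):
    """Return the reasons the request misses the route; an empty list means it matches."""
    method, uri, headers = parse_request(raw)
    reasons = []
    if method != route["method"]:
        reasons.append(f"method {method} is not {route['method']}")
    uri_re = expand(route["request_line_pattern"], local_domains, ips)
    if not re.fullmatch(uri_re, uri, re.IGNORECASE):
        reasons.append(f"request URI {uri} does not match {uri_re}")
    value = headers.get(route["header_name"].lower())
    if value is None or not re.fullmatch(route["header_pattern"], value):
        reasons.append(f"{route['header_name']} header {value!r} does not match")
    return reasons

if __name__ == "__main__":
    for domains in (["domain.com"], []):
        print(domains, route_mismatches(SAMPLE, ROUTE, domains, ["10.1.91.12"]))
```

With the SIP domain present the list is empty; with no SIP domains configured the only failure reported is the Request-URI, which is the case the reply above describes.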


Paulo, actually right now to try and take any firewall rules out of the mix I have a rule allowing all ports from the VCSe to anything.  Which should cover everything.

Hi Adam,

I have analysed the logs you sent.

I have never seen such a thing, a really strange behavior. And the strangest thing is, the "404 not found" sent by VCSe has a warning tag with a "Policy Response" message.

As you said that there is no Call Policy enabled on VCSe (it is set to off), the last thing I have to suggest is to take a look at the local firewall rules of VCS, this is a new feature that allows you to create firewall rules directly in VCS, VCS has an embedded firewall in the new versions.

Besides that, the only thing I can suggest you is to factory reset your VCS, backup the licenses and build the configuration from zero. If you keep having the same problem even after the reset, I suggest to go ahead and open a TAC case.

Regards

Paulo Souza


kntieche
Level 1

Hi,

You might also check if there is a CPL on VCSE that would prevent the SUBSCRIBE from being forwarded. Can you share some output of the debug?

cheers

Karim
