
New Member

VCS-E Not forwarding provisioning request from Jabber to VCS-C

Hello, I recently had to move a VCS-C and VCS-E to new segments on the network. VCS-C went to another internal vlan and the VCS-E went to a new DMZ interface of the firewall. Everything worked fine prior to this change but to facilitate the change I had to obviously change the IPs on the appliances and also update the Traversal IP address on the VCS-C for the Traversal Zone. After these changes I'm unable to register Jabber Video clients anymore. They can register fine to the VCS-C but when I do a debug level log for network.sip on the VCS-E I see the provisioning@domain.com SUBSCRIBE request come to the VCS-E but it immediately rejects with a 404 Not Found. I don't see the request sent to the VCS-C via Traversal Zone nor do I see the receipt of this request on the VCS-C. H323/SIP registration is active for the traversal. Also outbound communication to external codecs works. I've deleted and re-created Traversal Zones on both appliances as well as recreated search rules with no luck. Almost as if after the IP address change the VCS-E is holding on to something invalid or not listening to its search rules. I have the generic "any" "any" rule to send all requests to the traversal zone as well as the standard DNS search rule after that. I've disabled all but the traversal zone search rule with no luck there either. Appears to not even try to send to VCS-C.

Any suggestions are appreciated.

27 REPLIES

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Hi,

Is the traversal zone up? VCS does not route calls to a zone if the status is failed. Can you confirm that you don't have the option key "Provisioning" installed on VCSe? Are you using "authentication required" in any of the zones in VCSe?

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

New Member

VCS-E Not forwarding provisioning request from Jabber to VCS-C

Yes traversal zone is up for h323 and sip.  No authentication on DZ, DSZ, TZ on the VCS-E.  Check auth on TZ, DZ, and DSZ on the VCS-C to challenge the provisioning request that "should" come from VCS-E.  No provisioning key installed on VCS-E.

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Hi,

When you raise network.sip to debug, when you go to Network Log page, if you find the SUBSCRIBE message received from the endpoint in the log, right after that message, you should see some logs with the module "network.search", normally some messages saying "network.search Considering search rule XXXXXX" or "Search rule does not match XXXX". Do you have this kind of message in your VCSe for the jabber registration attempt? Can you share?

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

New Member

VCS-E Not forwarding provisioning request from Jabber to VCS-C

Hi Paulo,  When I set diagnostic logging to debug level and try again and look at the log I do not see any entries for the network.search function.  Also if I turn on debug for network.search directly and try again I again see no entries for the test.  Thus why I feel like it's not trying to search at all for some reason.

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Yeah! You should have this network.search log.

Well, as it seems to be a strange behavior, I will suggest you a way to test. The search rules on VCS are not the only way to route SIP messages, in fact, you can create SIP route patterns in VCS that will be considered before any transform or search rules.

For example, if you go to your VCS Control and type the command:

xconfiguration sip routes

the output will be three SIP routes used by VCS to forward provisioning message from Jabber clients to the local provisioning server running on VCS Control. My suggestion is, create the same SIP routes in VCS Expressway, but set the destination address and port as being the IP of VCS Control and the port used by VCS Control to communicate to VCS Expressway via traversal zone (you can see the ports used by VCS Control in the status section of the "traversal zone" page).

The command to add SIP route is xcommand SipRouteAdd

Can you try that?

Of course, that is just for test, that is not the correct way to the communication work between VCSC and VCSE.

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".


Re: VCS-E Not forwarding provisioning request from Jabber to VCS

This is the full command you can apply to VCSe:

xcommand SIPRouteAdd Method: "SUBSCRIBE" RequestLinePattern: ".*@(%localdomains%|%ip%)" HeaderName: "Event" HeaderPattern: "ua-profile.*" Authenticated: Off Address: "127.0.0.1" Port: 22410 Transport: TLS Tag: "VCSProvisioningServer"

Replace the 127.0.0.1 by the IP address of VCS Control. Replace 22410 by the port used by VCS Control to communicate with VCS Expressway. You can take this port from the traversal zone configuration page in VCSe, take a look at the lower part of the page, you will see something like:

Connection 1          H.323: Active: 172.28.42.202:1719

Connection 2          SIP: Active: 172.28.42.202:25661

In this case, route to the SIP port. In the above example is 25661. Or you can try to use the port 5061, the common SIP port used by VCS. In this case, VCSe will forward the provisioning message to VCSc, and the message will ingress through Default Zone of VCS Control, so make sure that this zone is configured as "Check credentials" (I guess it is already configured this way).

Can you try that?

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

New Member

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Thanks I will give that a try tomorrow morning and let you know. Thanks.

Sent from Cisco Technical Support iPad App

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Ok. 

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".


Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Hi,

I just did a test with the above suggestion, the result was ok. By using SIP routes alone (without transforms and search rules), I was able to properly route provisioning messages from VCSe to VCSc. I think this is going to work for you as well.

In my test, I created the SIP routes using the port 5061, because when I tried to send to the same port used in traversal zone, I get a "TCP connection error" message. So I suggest you to use port 5061 as well. So, the full command applied to VCSE is:

xcommand SIPRouteAdd Method: "SUBSCRIBE" RequestLinePattern: ".*@(%localdomains%|%ip%)" HeaderName: "Event" HeaderPattern: "ua-profile.*" Authenticated: Off Address: "172.XX.XX.XXX" Port: 5061 Transport: TLS Tag: "VCSProvisioningServer"

In VCS Control, my default zone is configured to "Check credentials".

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

New Member

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Hi Paulo,

Well I tried the SIP route on the VCSE this morning and it didn't seem to make a difference.  Also tried it with all transforms and search rules disabled.  Still producing the 404 Not Found without searching or trying to send to the VCS Control.  DZ on VCSC is confirmed to have check credentials set.  Also no CPL on the VCSE.  Here is the sip route I placed in the VCSE

xconfiguration sip Routes
*c xConfiguration SIP Routes Route 1 Method: "SUBSCRIBE"
*c xConfiguration SIP Routes Route 1 Request Line Pattern: ".*@(%localdomains%|%ip%)"
*c xConfiguration SIP Routes Route 1 Header Name: "Event"
*c xConfiguration SIP Routes Route 1 Header Pattern: "ua-profile.*"
*c xConfiguration SIP Routes Route 1 Authenticated: Off
*c xConfiguration SIP Routes Route 1 Address: "10.1.14.12"
*c xConfiguration SIP Routes Route 1 Port: 5061
*c xConfiguration SIP Routes Route 1 Transport: TLS
*c xConfiguration SIP Routes Route 1 Tag: "VCSProvisioningServer"

I've attached the debug diagnostic log.  I just changed the customer domain to "domain.com" and the public IP source I'm testing from to 4.4.4.4.  VCSC is 10.1.14.12 and VCSE is 10.1.91.12.

-Adam

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Hi Adam,

The SIP route uses the pattern with variable %localdomains%, which matches all SIP domains configured in your VCS. So make sure that the SIP domain used in the provisioning message is really created in VCSe, otherwise, the SIP message won't match SIP route.

Another point is, is your firewall allowing VCSe to communicate to VCSc in the port 5061 using TLS? As this is not the correct way to send provisioning message, you probably don't have this port opened. Can you check?

I will take a look at the logs to see what I get.   =)

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

New Member

VCS-E Not forwarding provisioning request from Jabber to VCS-C

Paulo, actually right now to try and take any firewall rules out of the mix I have a rule allowing all ports from the VCSe to anything.  Which should cover everything.

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Hi Adam,

I have analysed the logs you sent.

I have never seen such thing, a real strange behavior. And the most strange thing is, the "404 not found" sent by VCSe has warning tag with "Policy Response" message.

As you said that there is no Call Policy enabled on VCSe (it is set to off), the last thing I have to suggest is to take a look at the local firewall rules of VCS, this is a new feature that allows you to create firewall rules directly in VCS, VCS has an embedded firewall in the new versions.

Besides that, the only thing I can suggest you is to factory reset your VCS, backup the licenses and build the configuration from zero. If you keep having the same problem even after the reset, I suggest to go ahead and open a TAC case.

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

New Member

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Hi,

You might also check if there is a CPL on VCSE  that would prevent the SUBSCRIBE to be forwarded. Can you share some output of the debug?

cheers

Karim

Cisco Employee

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

I have read through this thread, and there are a few things I would like to point out. I strongly suggest not using hard coded SIP routes on the Expressway. These are normally used on the VCS that also runs the provisioning services. These routes are there to route the provisioning and phone book request to the local service. The provisioning requests from the Expressway should really go through the traversal zone. SIP routes on the expressway that point to the control defeat the purpose of a firewall traversal zone. Also, the search rule for the DNS zone should not be set to any alias. This could cause SIP messaging that should stay local be sent out the DNS zone and routed back into the Expressway's default zone - basically a call loop. If you can share your complete xconfig and xstatus of both the Control and Expressway, I can assist on identifying and correcting the configuration that is causing the issue.

- Zac Colton

Sent from Cisco Technical Support iPhone App

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Hi Zac,

Thanks for your reply.

Well, as I stated before, I suggested SIP Routes only for testing purposes. That's why I said clearly:

Paulo Souza wrote:

Of course, that is just for test, that is not the correct way to the communication work between VCSC and VCSE.

That was just for testing, as it seems to be a strange behavior, VCS not routing provisioning messages.

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

New Member

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Thanks for the response Zac. As Paulo mentioned the sip route was only to force the hand of the VCSE which did not seem to change anything. I have a TAC case open on the issue currently if you want to look at it. You should see the xstat and xconfig attached to the notes if you have visibility. SR#627236283.

I'm going to be on the customer site tomorrow and as you mentioned Paulo my next step was to do a factory reset.  Won't take much to re-configure everything.

-Adam

Cisco Employee

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Adam,

There are numerous configuration issues, including the overall design of the deployment. Issues that you could (but may not have yet come across) are numerous. The TAC engineer that is the current owner of the service request works at the same location as I. I recommend that we continue working on this issue through TAC. I will contact the TAC engineer tomorrow morning and discuss this case with her. I will ask her to schedule a WebEx meeting with you so that we can discuss all of the config issues that I have found.

- Zac Colton

New Member

VCS-E Not forwarding provisioning request from Jabber to VCS-C

Zac,

When you say numerous configuration issues I'm curious what you are referring to as this is a fairly vanilla setup of VCS-C and VCS-E and configured per the X7.2 deployment guide for Control and expressway.  Feel free to PM me if there are customer sensitive specifics that I can look at this evening.

-Adam

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Hi folks,

When you get a solution for the problem, please, let me know. I am really interested on this case, as it seems to be a strange behavior of VCS.

=)

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

Cisco Employee

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

The exact cause of the issue is that the VCS Expressway is configured with an internal IP address only, and that there is an external firewall that is performing a NAT from the external IP address to the internal IP address. For this design to function, the VCS Expressway requires the Dual NIC Option key installed, and the external LAN interface would contain a NAT configuration. The reason that the SUBSCRIBE message gets a 404 return message is because the route header field contains the SIP route referencing the external IP address. The VCS is seeing this and sending back a warning: 399 "Policy Response" since it does not know that it is supposed to respond to messages destined for the external IP address.

As discussed earlier, there are other issues, and these should be handled within the TAC service request.

- Zac Colton
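
Added example, not part of the thread and not Cisco code: a small offline check for the condition described in the reply above, a 404 carrying Warning 399 "Policy Response" when the SUBSCRIBE's Route header names an address the Expressway does not hold. The SIP messages are constructed, and 203.0.113.10 is an assumed placeholder for the firewall's public NAT address.

```python
import ipaddress
import re

# Constructed SIP messages, not taken from the log attached to the thread.
# 203.0.113.10 stands in for the firewall's public NAT address (assumption);
# 10.1.91.12 (VCS-E) and 4.4.4.4 (test client) are the addresses Adam gave.
SUBSCRIBE = (
    "SUBSCRIBE sip:provisioning@domain.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 4.4.4.4:51000;branch=z9hG4bKconstructed1\r\n"
    "Route: <sip:203.0.113.10:5061;transport=tls;lr>\r\n"
    "Event: ua-profile\r\n"
    "Content-Length: 0\r\n\r\n"
)
REPLY = (
    "SIP/2.0 404 Not Found\r\n"
    "Via: SIP/2.0/TLS 4.4.4.4:51000;branch=z9hG4bKconstructed1\r\n"
    'Warning: 399 10.1.91.12:5061 "Policy Response"\r\n'
    "Content-Length: 0\r\n\r\n"
)

# Host part of each <sip:...> / <sips:...> URI, with optional user@ and [IPv6].
URI_HOST = re.compile(r"<sips?:(?:[^@>]*@)?(\[[^\]]+\]|[^:;>]+)")

def parse_headers(message):
    """Return (start_line, {lowercased header name: [values]})."""
    lines = message.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def diagnose(request, reply, local_addresses):
    """Compare Route hosts with the addresses the Expressway holds itself."""
    _, req = parse_headers(request)
    status_line, rep = parse_headers(reply)
    known = {ipaddress.ip_address(a) for a in local_addresses}
    foreign = []
    for value in req.get("route", []):
        for host in URI_HOST.findall(value):
            host = host.strip("[]")
            try:
                if ipaddress.ip_address(host) not in known:
                    foreign.append(host)
            except ValueError:
                foreign.append(host)  # hostname: resolve and check by hand
    policy = any(w.startswith("399") and "Policy Response" in w
                 for w in rep.get("warning", []))
    status = status_line.split(" ", 1)[1]
    return {
        "status": status,
        "foreign_route_hosts": foreign,
        "policy_response": policy,
        "nat_mismatch_likely": status.startswith("404") and policy and bool(foreign),
    }

if __name__ == "__main__":
    print(diagnose(SUBSCRIBE, REPLY, ["10.1.91.12"]))
```

Pass the LAN address alone to model the Expressway as it was configured in the thread, then add the NAT address to the list to see the mismatch clear.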

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Great Zac!   =)

That is true! Now I am checking the SIP SUBSCRIBE message and it really has an external IP address in the "route" field. Then this address should be configured as NAT address in VCS (and that requires dual nic option key), otherwise VCS won't recognize the external NAT address.

Now it makes sense!

However, the strange point is, I have resolved a case just like that here in the community (I didn't find the case unfortunately), but on that case, the error message wasn't 404 not found. In fact, in that case, after receiving the provisioning message, VCSe tried to connect to the external IP address placed in the "route" field, then it received a "TCP connection error" and the registration failed, but the client didn't receive any response from VCSe.

Here we have different behavior. Now I am confused about how VCS handles this kind of situation... Can you clarify it? What is the expected behavior for that case?

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

Cisco Employee

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Paulo,

To explain the behavior of that other case, I would need to see the xconfig/xstatus of the VCS Control, of the Expressway, the topology, and a diagnostic log with the failure.

- Zac Colton

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Hi Zac,

No problem, don't worry about it.

Now I know that the "404 not found" message received from VCS can also be related to NAT issues. I didn't know that, once I have never seen a case with NAT issues where that 404 error was sent by VCSe.    =)

Thank you very much for sharing the solution with me. I hope to be able to help other people here with similar problems.

Great Zac!!!!  +5

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

Cisco Employee

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Paulo,

The important thing to take out of this is that it is vital to have a complete understanding of the full topology to effectively diagnose call flow issues. Once you can see the full design, the messaging (and behavior) in the diagnostic logs are much easier to understand.

- Zac Colton

New Member

VCS-E Not forwarding provisioning request from Jabber to VCS-C

It still does not explain why this worked before in the DMZ.  Granted I realize maybe not ideally but it did work and the only element that was different was the ip was in the 172.16.x.x private block instead of the 10.x.x.x private block in the DMZ.

Cisco Employee

Re: VCS-E Not forwarding provisioning request from Jabber to VCS

Adam,

I would need a full topology of what it was. It is possible that the firewall in the previous deployment was also running ALG, and the external SIP communication was only tcp and not tls. The ALG would over-write the external IP with the internal IP address. This is only a theory, as, like I said, I would have needed to see it in action.

Keep in mind that ALG is not supported, and even though it appears to function, there could be issues down the road.

- Zac Colton
