New Member

Failed to login with Jabber from outside through MRA

Dear All,
I deployed an MRA solution but I can't log in from outside, and these are the network logs on EXP-E. Please help.

phone - Network Log

2017-04-12T14:52:42.703+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:52:42,703" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="87" Dst-ip="45.107.224.135" Dst-port="47238" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:52:42.702+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:52:42,702" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="87" Src-ip="45.107.224.135" Src-port="47238" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:52:42.235+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:52:42,235" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="86" Dst-ip="45.107.224.135" Dst-port="47237" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:52:42.235+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:52:42,235" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="86" Src-ip="45.107.224.135" Src-port="47237" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:46:56.338+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:46:56,338" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="85" Dst-ip="45.107.224.135" Dst-port="47235" Msg="HTTP/1.1 503 Service Unavailable"
2017-04-12T14:46:56.338+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:46:56,338" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="85" Src-ip="45.107.224.135" Src-port="47235" Msg="GET https:///oauthcb HTTP/1.1"
2017-04-12T14:46:14.094+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:46:14,094" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="84" Dst-ip="45.107.224.135" Dst-port="47234" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:46:14.094+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:46:14,094" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="84" Src-ip="45.107.224.135" Src-port="47234" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:46:13.313+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:46:13,314" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="83" Dst-ip="45.107.224.135" Dst-port="47233" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:46:13.313+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:46:13,313" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="83" Src-ip="45.107.224.135" Src-port="47233" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:45:45.636+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:45:45,636" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="82" Dst-ip="45.107.224.135" Dst-port="47232" Msg="HTTP/1.1 503 Service Unavailable"
2017-04-12T14:45:45.636+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:45:45,636" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="82" Src-ip="45.107.224.135" Src-port="47232" Msg="GET https:///oauthcb HTTP/1.1"
2017-04-12T14:45:35.178+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:45:35,178" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="81" Dst-ip="45.107.224.135" Dst-port="47231" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:45:35.178+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:45:35,178" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="81" Src-ip="45.107.224.135" Src-port="47231" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:45:34.685+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:45:34,685" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="80" Dst-ip="45.107.224.135" Dst-port="47230" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:45:34.685+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:45:34,685" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="80" Src-ip="45.107.224.135" Src-port="47230" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:25:43.294+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:25:43,294" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="79" Dst-ip="45.107.224.135" Dst-port="47226" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:25:43.294+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:25:43,294" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="79" Src-ip="45.107.224.135" Src-port="47226" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:25:42.862+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:25:42,862" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="78" Dst-ip="45.107.224.135" Dst-port="47225" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:25:42.862+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:25:42,862" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="78" Src-ip="45.107.224.135" Src-port="47225" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:25:06.190+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:25:06,191" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="77" Dst-ip="45.107.224.135" Dst-port="47223" Msg="HTTP/1.1 503 Service Unavailable"
2017-04-12T14:25:06.190+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:25:06,190" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="77" Src-ip="45.107.224.135" Src-port="47223" Msg="GET https:///oauthcb HTTP/1.1"
2017-04-12T14:24:30.042+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:24:30,041" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="76" Dst-ip="45.107.224.135" Dst-port="47222" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:24:30.041+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:24:30,041" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="76" Src-ip="45.107.224.135" Src-port="47222" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:24:29.600+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:24:29,601" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="75" Dst-ip="45.107.224.135" Dst-port="47221" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:24:29.600+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:24:29,600" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="75" Src-ip="45.107.224.135" Src-port="47221" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:22:46.518+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:22:46,518" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="74" Dst-ip="45.107.224.135" Dst-port="47220" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:22:46.518+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:22:46,517" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="74" Src-ip="45.107.224.135" Src-port="47220" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:22:45.749+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:22:45,749" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="73" Dst-ip="45.107.224.135" Dst-port="47219" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:22:45.749+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:22:45,748" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="73" Src-ip="45.107.224.135" Src-port="47219" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:22:37.784+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:22:37,784" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="72" Dst-ip="45.107.224.135" Dst-port="47217" Msg="HTTP/1.1 503 Service Unavailable"
2017-04-12T14:22:37.784+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:22:37,784" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="72" Src-ip="45.107.224.135" Src-port="47217" Msg="GET https:///oauthcb HTTP/1.1"
2017-04-12T13:56:20.454+02:00 traffic_server[1084]: UTCTime="2017-04-12 11:56:20,454" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="71" Dst-ip="45.107.224.135" Dst-port="47193" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T13:56:20.454+02:00 traffic_server[1084]: UTCTime="2017-04-12 11:56:20,454" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="71" Src-ip="45.107.224.135" Src-port="47193" Msg="GET https:///aXRjZWd5cHQuZWc/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
1 ACCEPTED SOLUTION

Hi,

The logs are in info mode. Maybe you copied the event logs and pasted them here.

Anyway, from the screenshot it looks like you are missing Expressway series. However, you have the traversal server license, so that makes your VM a VCS-E instead of Exp-E, which is fine.

But you need to make sure that you have a Cisco supported deployment.

The traversal is only supported with an Exp-C (Core) and Exp-E (Edge) pair or a VCS-C (Control) and VCS-E (Expressway) pair.

You can have Exp-C paired with VCS-E and vice versa, but it won't be supported by Cisco; however, I believe that it must still work. But it is better to have a similar pair.

What setup do you have from the above? Control with Expressway or Core with Edge?

Can you attach the diagnostic logs from when you try to log in?

Regards,

Alok

19 REPLIES
Cisco Employee

Is login working internally?

Do you have any alerts in either expressway?

Have you deployed MRA before?

Versions?

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
New Member

Hi Jaime

Yes, we can log in internally successfully.

There's an alarm on EXP-C
exp-c - Alarms

Unified Communications SSH tunnel notification failure This system cannot communicate with one or more remote hosts: phone.XXXXXXX.eg Raised Warning Ensure that your firewall allows traffic from the Expressway-C ephemeral ports to 2222 TCP on the Expressway-E
New Member

And the Traversal zone is OK and active,
and the FW allows all traffic.

Cisco Employee

You never mentioned the versions you're using.

I had a similar issue, make sure to go to your UC servers and refresh them, make sure no errors come from that.

Then if you have not rebooted the boxes, reboot exp-e, wait until it fully comes up, and give it 5-10 minutes before rebooting exp-c.

This fixed the same alarm in my lab, I already had MRA working fine, but got that alarm after upgrading to x8.9.2 and was not able to use phone services.

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
New Member

Hi Jaime
Thanks for your help.
Kindly be informed that the SSH tunnel issue has been solved after applying your recommendation.

But we still have the error 403 Forbidden issue.
Kindly find attached the EXP-E and EXP-C logs.
Also we noted that we have a missing license, as shown in the attached file. Could it cause this issue?

Cisco Employee

Yes, you need the right licensing, what does it say on top of the web page??

Do you see expressway-C and expressway-E?? If not, then you certainly have a problem with licensing

I'll assume that's the EXP-E due to the name of the file, you need the expressway series license and the traversal server license.

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
New Member

Hello Jaime,

I have a similar issue. In my own case, I had performed the above steps before I read your post. I upgraded five days ago and there was no issue. I encountered the issue yesterday and I rebooted the Exp-E and Exp-C. The alarm disappeared but re-occurred today.

I am thinking of re-issuing new certificates. What do you think?

If you have upgraded from prior to x8.8 then it could be possible you don't have a reverse lookup entry for the Expressway edge server on internal DNS, causing the SSH tunnel to break. Even though your UC traversal zone is up, the SSH tunnel will be broken.

Second, the error 403 forbidden could be related to the domain. Make sure the MRA login domain is configured correctly on core. I recently worked to fix an issue for my friend where he wrongly spelled the domain :).

If this is not the case, please attach the expressway logs, and I can help you look at this.

2017-04-12T13:56:20.454+02:00 traffic_server[1084]: UTCTime="2017-04-12 11:56:20,454" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="71" Dst-ip="45.107.224.135" Dst-port="47193" Msg="HTTP/1.1 403 Forbidden"

Rgds,

Alok
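
An added example, not part of the original thread and not Cisco code: it pairs the `traffic_server` request and response lines by `Txn-id` and, for each `get_edge_config` request refused with 403, decodes the first path segment and compares it with the domains configured for MRA. It assumes that segment is the unpadded base64 form of the login domain; the log lines, IP address and domain names are constructed.

```python
import base64
import re

# Constructed sample in the traffic_server format shown in this thread
# (newest first; documentation IP; "example.com" as the encoded domain).
SAMPLE_LOG = '''\
2017-04-12T14:52:42.703+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:52:42,703" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="87" Dst-ip="203.0.113.10" Dst-port="47238" Msg="HTTP/1.1 403 Forbidden"
2017-04-12T14:52:42.702+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:52:42,702" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="87" Src-ip="203.0.113.10" Src-port="47238" Msg="GET https:///ZXhhbXBsZS5jb20/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1"
2017-04-12T14:46:56.338+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:46:56,338" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="85" Dst-ip="203.0.113.10" Dst-port="47235" Msg="HTTP/1.1 503 Service Unavailable"
2017-04-12T14:46:56.338+02:00 traffic_server[1084]: UTCTime="2017-04-12 12:46:56,338" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="85" Src-ip="203.0.113.10" Src-port="47235" Msg="GET https:///oauthcb HTTP/1.1"
'''

FIELD = re.compile(r'([\w-]+)="([^"]*)"')  # Key="value" pairs on each line


def decode_domain(segment):
    """Return the hostname if segment is unpadded base64 of one, else None."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        text = base64.urlsafe_b64decode(padded).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text.lower() if re.fullmatch(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", text) else None


def pair_transactions(log_text):
    """Group Receive Request / Sending Response lines by Txn-id, in any order."""
    txns = {}
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "Txn-id" not in fields or "Msg" not in fields:
            continue
        txn = txns.setdefault(fields["Txn-id"], {})
        if fields.get("Detail") == "Receive Request":
            txn["src"] = fields.get("Src-ip")
            txn["request"] = fields["Msg"]
        elif fields.get("Detail") == "Sending Response":
            txn["status"] = int(fields["Msg"].split()[1])
    return txns


def triage(log_text, configured_domains):
    """List (txn, src, domain, reason) for get_edge_config requests answered 403."""
    allowed = {d.lower() for d in configured_domains}
    findings = []
    paired = pair_transactions(log_text)
    for txn_id in sorted(paired, key=int):
        txn = paired[txn_id]
        m = re.search(r"https?://[^/]*/([^/]+)/get_edge_config", txn.get("request", ""))
        if not m or txn.get("status") != 403:
            continue
        domain = decode_domain(m.group(1))
        if domain is None:
            reason = "path segment is not a base64 domain"
        elif domain not in allowed:
            reason = "domain not configured for MRA"
        else:
            reason = "domain configured; check UC services are enabled for it"
        findings.append((txn_id, txn.get("src"), domain, reason))
    return findings


if __name__ == "__main__":
    # "exmaple.com" stands in for a misspelled domain entry on the Expressway-C.
    for finding in triage(SAMPLE_LOG, ["exmaple.com"]):
        print(finding)
```
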

New Member

Hi Alok
Thanks for your help.
Kindly be informed that the SSH tunnel issue has been solved after applying Jaime's recommendation in the previous comment.

But we still have the error 403 Forbidden issue.
Kindly find attached the EXP-E and EXP-C logs.
Also we noted that we have a missing license, as shown in the attached file. Could it cause this issue?

New Member

Hi Alok
Thanks for your attention and help.

Our setup is EXP-C and VCS-E. We configured a UC traversal zone and it's active between them.

Kindly find attached the diagnostic logs from when we try to log in.

New Member

Hi Alok
The main issue has now been solved after we configured the external domain on EXP-C and activated UC services for this domain.
Now I can log in through MRA and make calls, but there is no audio.
I searched about this issue and found that I must set EXP-C to point to the public IP of EXP-E. Is that right?
But I configured this UC traversal zone and it's active with this setup (EXP-C pointing to the EXP-E internal IP).

Thanks

If you are using a single NIC static NAT deployment then yes, it needs to point to the public IP. The media stream goes to the public IP and hairpins back in.

However, if the deployment type is dual NIC, with the internal NIC for communication and the external NIC with a direct public IP, or the second NIC has a private IP and is NATed, then you just need to point to the internal NIC IP address.

With dual NIC, keep in mind that the default gateway should be that of the second NIC on Expressway-E, and any internal communication from Exp-E to Exp-C must be routed via static routes on Expressway-E, if core and edge are in different subnets.

Another point is that you must open the media ports 36000-59999 (UDP) from external to DMZ so that the Jabber client can stream media to Expressway. Expressway never initiates media to external clients if the client is behind a NAT, because Expressway sees 2 different addresses.

Regards,

Alok

New Member

Hi Alok

After configuring EXP-C to point to the public IP of EXP-E,
the UC traversal zone is active and reachable, but on EXP-E the state is failed and the SIP port is active.

These are the network logs.
When we try to log in from outside, this error appears:
you can't login out of corporation network .

Thanks
Remon

Hi Remon,

The error 503 service unavailable is not giving much info.

Happy to have a WebEx if you don't want to expose the IPs and domains.

Thanks

New Member

Hi Alok
Thanks for your attention and kind help.
In this setup (VCS-E with one NIC),

I want to install a VCS Expressway without a dual network interface. Note that we don't have the Advanced Networking license.

Currently we have two options through which we could get this done; please correct me if I am wrong.

1) Give the VCS-E an IP address on the LAN and NAT it to a public IP, but we don't have the NAT mode feature on VCS-E without the AN license.

So when we applied these commands on VCS-E, a "feature not enabled" message appeared:
xConfiguration Ethernet 1 IP V4 Address: "LAN IP"
xConfiguration Ethernet 1 IP V4 StaticNAT Address: Public IP
xConfiguration Ethernet 1 IP V4 StaticNAT Mode: on

2) Make the VCS-E face the internet directly and assign a public IP to it.

With the first choice, will we need to configure NAT reflection on the firewall, and how?

Please advise if I'm wrong.

Great Thanks 

That's correct. The AN key allows you to enable the second NIC and at the same time allows you to configure a NAT address on the interface.

Without this key your MRA will work, but you won't get any media because Expressway doesn't know about the NAT IP.

For a normal B2B call I have sometimes seen that the firewall is able to modify the addresses in the SIP SDP, but it's only for a few scenarios and specific to certain firewalls. Not all firewalls are capable of doing that, especially when it comes to encrypted calls, and since MRA is heavily dependent on SIP TLS I don't think it will work.

The only option you are left with is to have a public IP assigned directly to the Expressway. Not a good design, but you will achieve what you want with it.

Regards,

Alok

New Member

Hi Alok
Thanks for your response.
We have now applied our setup without the AN license, but MRA doesn't work. Our setup is as below.

EXP-C is in the internal subnet 192.168.20.0 with IP 192.168.20.10.

We have two firewalls, B and A. The connection is:

FW B (internal) has DMZ1 with subnet 192.168.20.0
FW A (edge) has DMZ 2 with subnet 192.168.160.0
FW B & FW A have DMZ3 with subnet 192.168.30.0

First Expressway connection scenario

EXP-C ---192.168.20.0------FW B ----192.168.90.0 ----VCS-E ----FW A

On EXP-C we created a UC traversal zone that points to the FQDN of the VCS-E public IP.
On EXP-C the UC traversal zone is reachable and active; at the same time, on VCS-E the UC traversal zone to EXP-C is failed.

Second Expressway connection scenario

EXP-C ---192.168.20.0------FW B ----192.168.30.0 ----VCS-E --192.168.30.0-- FW A
On EXP-C we created a UC traversal zone that points to the FQDN of the VCS-E public IP.
On EXP-C the UC traversal zone is reachable and active; at the same time, on VCS-E the UC traversal zone to EXP-C is failed also.

We configured FW A with NAT reflection but have the same issue.

Is the missing AN license the cause of the issue in the two scenarios, or are there some missing configs?

Thanks Alok


Remon,

Since you don't have the Dual NIC option key you can't use any NAT reflection.

But for the two scenarios you mentioned, if you have assigned a direct IP on Expressway-E (VCS-E) it should work.

Since on Exp-C it shows active but on VCS-E it shows failed, I assume you have packet inspection enabled on the FW-B internal interface to communicate with VCS-E, or it could be an inside NAT scenario.

Can you check whether the SIP OPTIONS reaching VCS-E from Exp-C show the source IP address of Exp-C or of the FW-B inside interface? If they arrive with the FW-B internal interface IP, VCS-E can throw 503 service unavailable since it doesn't know about that IP address.

I can setup a webex to verify your setup and can help you to fix it.

Regards,

Alok
