New Member

Help required for setup Expressway C & E

Hi

I am trying to set up MRA.

But it's unsuccessful, and I am getting an error in Status > Unified Communications.

I am not using any TLS and have not uploaded any certificate, since I am not using a secure deployment.

Any help in troubleshooting is appreciated.

21 REPLIES
Cisco Employee

You do need to get certificates for MRA to work, they're the foundation of this.

That is completely separate from the fact you're not using mixed mode on CUCM, that only means you won't need a few steps and SAN entries in the EXP-C certificate.

You also need to read thoroughly the MRA configuration guide which outlines all the steps and requirements for MRA to work.

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
New Member

Thanks Jamie for the info .

I created a CA and uploaded the signed certificate to the Expressway-C and Expressway-E.

I uploaded the root certificate to both of the servers.

I tried creating a traversal zone using TLS, but it is not coming up.

I am getting this error in the logs:

tvcs: Event="External Server Communications Failure" Reason="Connect failed" Service="NeighbourGatekeeper" Dst-ip="Public IP of Exp-e" Dst-port="7001" Detail="name:FQDN of EXP E" Protocol="TCP" Level="1" UTCTime="2017-03-23 21:21:58,918"

Cisco Employee

Do you have dual NIC on EXP-E??

Or single NIC, and have you actually used the public IP??

Do you have all the proper ports open between both systems?

For MRA, you need to use the UC traversal zone; there is no TLS option there.

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
New Member

Do you have dual NIC on EXP-E?? I tried with both dual and single NIC, but the issue is the same.

Or single NIC, and have you actually used the public IP?? I tried using the public IP as well, but the issue is the same.

Do you have all the proper ports open between both systems? Yes, I have an allow-all policy.

For MRA, you need to use the UC traversal zone, there is no TLS option there: I have used the UC traversal zone, and there is no option for TLS.

Cisco Employee

OK, if you have dual NIC, use it, it will save a lot of headaches.

You need to point to NIC 1, the internal NIC.

Do you have proper DNS resolution?

You can get a packet capture on both servers and confirm whether you're actually receiving something on port 7001.

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
New Member

The only thing is, my Expressway-C has its domain set to the internal DNS domain and the Expressway-E has its domain set to the external domain.

New Member

If you are using a dual-NIC or single-NIC deployment, make sure the LAN1 (internal, for example) FQDN is reachable from Expressway-C, and the same applies for Expressway-E: Expressway-E should be able to reach Expressway-C using its FQDN. Make sure 6001 and 7001 are open between Expressway-C and E.

Once you have proper reachability, generate the CSR and get it signed by the CA.

Upload the signed server certificate.

Upload the root and intermediate certificates to the Expressway-C and E trusted authorities.

You have the option in Expressway to check certificate validation inside the communications traversal zone.

You can check the link below for multidomain MRA deployment:

http://www.cisco.com/c/en/us/support/docs/unified-communications/expressway-series/117811-configure-vcs-00.html

For any other issue in MRA deployment, paste it here and I will help you.

New Member

Thanks for the response.

I have all the ports allowed, so connectivity should be fine.

In my case, my internal domain and external domain are different, and I cannot create the external domain in the internal DNS server since it will create issues with the production server.

How can I do the deployment in this case?

Also, which domain shall I create (internal or external) in the Expressway-E (setting for DNS and Domain in Expressway-E)?

New Member (Accepted Solution)

Use both domains in Expressway-E and Expressway-C; just add them and enable CM and IMP registration.

Advertise LAN 1 inside your internal DNS server, for example:

external domain: abc.com

internal domain: xyz.com

External DNS server:

SRV:

_collab-edge._tls.abc.com pointing to vcse.abc.com

A:

vcse.abc.com pointing to the public IP address

Internal DNS:

vcse.xyz.com pointing to the LAN 1 IP address, which connects to the VCS-C IP address.

While creating a certificate in Expressway-C, keep in mind to add the Expressway-E internal FQDN in the SAN names.

New Member

Hi

I have done the modification; now my Expressway-C to E tunnel is up.

Here is my setup:

internal domain : internal.com

External domain : external.com

external DNS SRV points to CL1-exp-e-01.external.com

Internal DNS SRV points to CL1-exp-e-01.internal.com

I have created the certificate where I included both the Expressway C and E (internal and external names) in the SAN while generating the CSR.

My problem is, now I am trying to log in from internal and it's failing with the error "cannot communicate with server".

I am attaching the Jabber client logs.

I have replaced the public IP with 111.11.11.11

New Member

Good to know your tunnel is up.

You can rate the conversation if you feel it's correct.

Now you are getting the "cannot communicate to server" error.

Can you check external DNS, are you able to resolve SRV records?

At the command prompt, type nslookup.

Check whether the Expressway FQDN is resolved or not.

Then type set type=srv

_collab-edge._tls.externaldomain.com

It should resolve to the Expressway FQDN.

Once all FQDN and SRV are fine, then check firewall ports from external:

5061

5222

8443

New Member

Yes, I am able to resolve the SRV record from public DNS. It's a test environment, so I opened all required ports.

I am attaching the logs from the Jabber client.

internal domain : internal.com

External domain : external.com

external DNS SRV points to CL1-exp-e-01.external.com

Internal DNS SRV points to CL1-exp-e-01.internal.com

I have replaced the public IP with 111.11.11.11

New Member

Please attach the Expressway-E logs:

Click Maintenance > Logs > Advanced logging > enable tcpdump and start debugging.

Now log in from Jabber externally.

Stop logging.

Download the logs.

Share the logs file here; I will look into that and let you know the issue.

(You are using a dual-NIC deployment, right?)

New Member

Hi Sushant

Now I am no longer getting the "cannot find server" error from the internet.

But I am getting "Username and password are invalid" in Jabber while logging in from the internet.

However, the same username and password are working when logging in from within the internal network.

The connectivity between the C & E seems to be good, and the tunnel is also active.

New Member

So that means your _collab-edge._tls.domain.com is working fine.

First, check that port 5222 is open from the external network.

Use this site to check firewall ports: http://www.yougetsignal.com/tools/open-ports/

Make sure your IMP is active in Expressway-C.

Important note: Define your internal as well as external domain in Expressway-C and enable CUCM and IMP registration for the public domain. It seems you are using only the internal domain in Expressway-C; no issues, define the external domain also inside the Domains option.

If the issue is still there, then delete the IMP and CUCM servers and add them again.

Make sure you are using a public CA or OpenSSL, because a certificate is mandatory to log in from outside:

Best practice is to use an external public CA, because OpenSSL will not help you to register your IP phones, DX series, or TelePresence endpoints over MRA.

Note: while signing the CSR, keep in mind Expressway will not support wildcard certificates.

New Member

Hi  Sushant

I tried troubleshooting the issue today, and this time I am getting the "cannot communicate with server" error from the internet.

The error is not consistent; last time when I checked, it was giving the "username and password invalid" error.

I am attaching a fresh log from Expressway C, E and the Jabber PRT.

New Member

If you want to resolve the issue, you need to troubleshoot step by step.

I can see in the logs that _collab-edge._tls.domain.com is not resolving from external.

Try the commands below from your side.

1) SRV records not working externally:

C:\Users\sushants>nslookup
Default Server: Cisco00447
Address: 192.168.1.1

> set type=srv
> _collab-edge._tls.sddclab.com
Server: Cisco00447
Address: 192.168.1.1

*** No Service location (SRV) records available for _collab-edge._tls.sddclab.com

2) No valid public-CA certificate installed in Expressway-E; check the attached images.

Check the SRV records, because traffic is not reaching Expressway-E.

New Member

Hi Sushant

The domain you are looking at is my internal domain.

My external domain is uc.itp-inc.com:

> _collab-edge._tls.uc.itp-inc.com
Server:  aes-static-102.47.22.125.airtel.in
Address:  125.22.47.102
Non-authoritative answer:
_collab-edge._tls.uc.itp-inc.com        SRV service location:
          priority       = 10
          weight         = 10
          port           = 8443
          svr hostname   = CL1-EXP-E-01.itp-inc.com
cl1-exp-e-01.itp-inc.com        internet address = 111.93.141.138

I don't have a public CA service. I have my internal CA that I have used to sign the Expressway C & E CSRs.

The tunnel between C & E is active.

I have created both internal and external domains in the Expressway.
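
The nslookup checks traded in the posts above (the "set type=srv" procedure, the lookup that returned "No Service location (SRV) records available" and the one that returned a record) are easy to eyeball once but tedious to repeat per domain. The Python script below is an added example, not code from this thread or from Cisco: it parses pasted Windows nslookup SRV output, reports whether the _collab-edge._tls record exists and uses port 8443, and flags an SRV target whose A record is an RFC 1918, loopback or link-local address, which is the usual sign that the Expressway-E LAN address was published instead of its NAT address. The domains, hostnames and addresses in the embedded samples are constructed placeholders, and the SAN helper only derives, from the SRV targets, which hostnames external clients connect to.

```python
import ipaddress
import re
from dataclasses import dataclass

# Ranges external Jabber clients can never reach; an SRV target resolving here
# means internal DNS data leaked into the public zone or the A record carries
# the Expressway-E LAN address instead of the NAT (public) address.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_nslookup_srv(text):
    """Parse Windows nslookup output for 'set type=srv' queries.

    Returns (records, addresses, missing): SRV records found, hostname -> IP from
    'internet address' lines, and query names nslookup reported as having no SRV.
    Names are lower-cased and stripped of a trailing dot so they compare equal.
    """
    records, addresses, missing = [], {}, []
    current = None
    for line in text.splitlines():
        m = re.search(r"No Service location \(SRV\) records available for (\S+)", line)
        if m:
            missing.append(m.group(1).rstrip(".").lower())
            continue
        m = re.match(r"^(\S+)\s+SRV service location:", line)
        if m:
            current = {"name": m.group(1).rstrip(".").lower()}
            continue
        m = re.match(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)", line)
        if m and current is not None:
            key, value = m.groups()
            current[key] = value
            if key == "svr hostname":  # last field printed for a record
                records.append(SrvRecord(current["name"], int(current["priority"]),
                                         int(current["weight"]), int(current["port"]),
                                         value.rstrip(".").lower()))
                current = None
            continue
        m = re.match(r"^(\S+)\s+internet address = (\S+)", line)
        if m:
            addresses[m.group(1).rstrip(".").lower()] = m.group(2)
    return records, addresses, missing


def is_internal_address(ip):
    """True for RFC 1918, loopback and link-local addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def check_collab_edge(text, external_domain, expected_port=8443):
    """Check the _collab-edge._tls SRV record Jabber uses to locate Expressway-E.

    Returns a list of findings; empty means the record exists, uses the expected
    port and every target has an A record with a non-internal address.
    """
    records, addresses, missing = parse_nslookup_srv(text)
    name = f"_collab-edge._tls.{external_domain}".lower()
    if name in missing:
        return [f"{name}: no SRV record (nslookup reported none)"]
    matching = [r for r in records if r.name == name]
    if not matching:
        return [f"{name}: not found in the supplied nslookup output"]
    findings = []
    for r in matching:
        if r.port != expected_port:
            findings.append(f"{name}: port {r.port}, expected {expected_port}")
        ip = addresses.get(r.target)
        if ip is None:
            findings.append(f"{r.target}: SRV target has no A record in the output")
        elif is_internal_address(ip):
            findings.append(f"{r.target}: resolves to internal address {ip}; "
                            "external clients need the public (NAT) address")
    return findings


def expressway_e_san_names(text, external_domain):
    """Hostnames external clients connect to (the SRV targets), which therefore
    have to appear as SAN entries in the Expressway-E certificate."""
    records, _, _ = parse_nslookup_srv(text)
    name = f"_collab-edge._tls.{external_domain}".lower()
    return sorted({r.target for r in records if r.name == name})


# Constructed sample outputs (placeholder names and addresses, not from the thread).
GOOD = """> _collab-edge._tls.example.com
Server:  resolver.isp.example
Address:  198.51.100.53
Non-authoritative answer:
_collab-edge._tls.example.com        SRV service location:
          priority       = 10
          weight         = 10
          port           = 8443
          svr hostname   = EXP-E-01.example.com
exp-e-01.example.com        internet address = 203.0.113.10
"""
MISSING = """> _collab-edge._tls.example.com
Server:  router.lan
Address:  192.168.1.1

*** No Service location (SRV) records available for _collab-edge._tls.example.com
"""
# Same record, but the A record carries the Expressway-E LAN address.
LEAKED = GOOD.replace("203.0.113.10", "10.10.10.125")

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("missing", MISSING), ("leaked", LEAKED)):
        print(label, check_collab_edge(sample, "example.com") or "OK")
    print("Expressway-E SAN names:", expressway_e_san_names(GOOD, "example.com"))
```

Paste the real nslookup output (run from a machine outside the network, as the thread advises) into the script in place of the constructed samples; the same parser handles the internal _cisco-uds._tcp and _cuplogin._tcp lookups, since the output format is identical.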
New Member

I can see the SSH tunnel is up between C and E.

With an internal CA, it will not work.

Either have OpenSSL or a public certificate from an external CA. (My recommendation is a public CA, because later you will not be able to register 78XX, 88XX, DX70/80 over MRA if you don't use a public CA.)

Note: while signing the certificate, make sure you purchase a UC SAN certificate, because wildcard is not supported.

New Member

Hi Sushant,

Great help here. I would like to share my scenario and wish for help on setting up MRA.

- I have a dual-interface deployment. My internal and external domains are the same.

Internal DNS records:

A records and PTR:

GGI-UCM-PUB     10.10.10.121    CM Pub
GGI-UCM-SUB     10.10.11.121    CM Sub
GGI-UCN-PUB     10.10.10.122    CUC Pub
GGI-UCN-PUB     10.10.11.122    CUC Sub
GGI-CIMP-PUB    10.10.11.123    IMP Pub
GGI-CIMP-SUB    10.10.10.123    IMP Sub
expc            10.10.10.124    Exp-C
expe            10.10.10.125    Exp-E

SRV records:

Record                       Service       Protocol   Priority   Weight   Port   Host offering the service
_cisco-uds._tcp.ggi.local    _cisco-uds    _tcp       0          0        8443   GGI-UCM-PUB.domain.com
_cuplogin._tcp.ggi.local     _cuplogin     _tcp       0          0        8443   GGI-CIMP-PUB.domain.com

External DNS records:

Hostname           IP           Record type
expe.ggi-sa.com    Public IP    A

Record                          Service         Protocol   Priority   Weight   Port   Host offering the service
_collab-edge._tls.ggi-sa.com    _collab-edge    _tls       0          0        8443   expe.domain.com

- I added licenses for C and E, initial configuration.

- My topology is as follows:

Core -- 10.10.10.124 (internal subnet, same as CUCM)

Edge (NIC 2) -- points to the internal segment -- 10.10.10.125 (internal subnet, same as CUCM)

Edge (NIC 1) -- points to the public world -- 172.XX.0.104 (DMZ)

- NAT is configured on the firewall, where the public IP resolves to the DMZ IP.

- Does this deployment require a static route on the E server? If so, please tell me how to configure it.

- I can't ping the DMZ IP from the C server; should it be pingable?

- I can see the traversal zone is active if I provide the IP as the peer server. But giving the FQDN fails with a DNS lookup error.

- I am also stuck on the certificates part. I don't have an internal CA; can I generate both certificates for C and E from an external CA? Please also mention the SAN requirement for both certificates, with an example if possible.

- Regarding the NAT, it is configured on the firewall, which resolves to the DMZ IP. I am confused about the NAT option which is enabled on the E LAN:1 interface; is it required to enable it on the E server also?

- How do I test from the internet whether the NAT is working properly or not? I don't have access to the firewall, and the network team told me that NAT is configured.

- Some snaps are attached to help understand.

Thanks in advance

Regards,

Hi,

Since your core and Edge DMZ2 NIC are on the same network, you don't need the route. You should be able to ping the DMZ 2 IP (part of the 10.X.X.X network) from core.

 

I would not utilize the ggi.local domain for signing into Jabber and would use ggi-sa.com (doesn't matter whether Jabber is internal or external) and modify the UDS SRV record to that domain (ggi-sa.com). The DNS administrator might come to you saying they can't do this, but I would like to stick to this solution. A workaround would be to use "voiceservice domain" in the jabber-config.xml file, which means all the users must first sign up internally and then they can log in via MRA.

If the TZ is not coming up with FQDN, it might be because certificates were not exchanged properly. Exp-C and Exp-E must both trust each other's certificate, and to do that you have to install the root and any intermediate CA on the servers, depending on how you generated it.

For example, if Exp-C is signed by an internal CA and Exp-E by a public external CA, then the public CA (root and intermediate certs) must be uploaded on Exp-C and the internal root/intermediate CA must be installed on Exp-E. This is done under the "trusted CA" section.

For the NAT, the firewall will have NAT configured, but you also need to configure the NAT IP on the public-facing NIC. Also, the default gateway on VCS-E will be on the public-facing NIC.

 

Regards,

Alok

 

 
