Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Highlighted
Community Member

Help required for setup Expressway C & E

Hi

I am trying to setup MRA .

But its unsuccessful. and getting the error in the status > unified communication

I am not using any TLS and have not uploaded any certificate since i am not using a secure deployment.

any help in troubleshooting appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions
Community Member

use both domains in

use both domains in expressway-E and expressway-c, just add it and enable cm and IMP registration 

Advertise  LAN 1 inside your Internal DNS Server for example:

external domain: abc.com

internal domain: xyz.com

External DNS Server:

SRV :

_collab-edge.-tls.abc.com--- pointing to vcse.abc.com

A:

vcse.abc.com--- pointing to public IP address

Internal DNS:

vcse.xyz.com--- pointing to LAN 1 IP address, who is connecting to a vcs-c IP address.

While creating a certificate in expressway-C keep in mind add expressway-e internal fQDn in San names.

21 REPLIES
Cisco Employee

You do need to get

You do need to get certificates for MRA to work, they're the foundation of this.

That is completely separate from the fact you're not using mixed mode on CUCM, that only means you won't need a few steps and SAN entries in the EXP-C certificate.

You also need to read thoroughly the MRA configuration guide which outlines all the steps and requirements for MRA to work.

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
Community Member

Thanks Jamie for the info .

Thanks Jamie for the info .

I created a CA and uploaded the signed certificate to the expressway C and Expressway E.

I uploaded the root certificate to both of the server

tried creating a traversal zone using TLS but it is not coming up.

Getting the error in the logs field

tvcs: Event="External Server Communications Failure" Reason="Connect failed" Service="NeighbourGatekeeper" Dst-ip="Public IP of Exp-e" Dst-port="7001" Detail="name:FQDN of EXP E" Protocol="TCP" Level="1" UTCTime="2017-03-23 21:21:58,918"

Cisco Employee

Do you have dual NIC on EXP-E

Do you have dual NIC on EXP-E??

Or single NIC, and have you actually used the public IP??

Do you have all the proper ports open between both systems?

for MRA, you need to use the UC traversal zone, there is no TLS option there

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
Community Member

Do you have dual NIC on EXP-E

Do you have dual NIC on EXP-E?? I tried with Dual and single Nic both but the issue is same

Or single NIC, and have you actually used the public IP?? I tried using the public ip as well but the issue is same

Do you have all the proper ports open between both systems? Yes I all all allow policy

for MRA, you need to use the UC traversal zone, there is no TLS option there: I have used the UC traversal zone and there is no option for TLS

Cisco Employee

OK, if you have dual NIC, use

OK, if you have dual NIC, use it, it will save a lot of headaches.

You need to point to NIC 1, the internal NIC.

Do you have proper DNS resolution?

You can get a packet capture on both servers, and confirm if you're actually receiving something on port 7001

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
Community Member

only thing is i have my

only thing is i have my expressway c has domain set to internal domain DNS and the expressway e has domain set to external domain

Community Member

if you are using dual nic or

if you are using dual nic or single nic deployment make sure LAN1 ( internal for example ) FQDN is reachable from expressway-C and the same thing applies for expressway-E. Expressway-E should able to reach expressway-c using his FQDN. Make sure 6001 and 7001 is open between expressway-c and e 

Once you have proper reachability then you have to generate the CSR and signed from the CA.

Upload signed server certificate 

Upload ROOT and intermediate certificate on expressway-C and E trusted authority.

you have the option in expressway to check the Certificate validation inside the communication traversal zone.

You can check below link for multidomain MRA deployment 

http://www.cisco.com/c/en/us/support/docs/unified-communications/expressway-series/117811-configure-vcs-00.html

for any another  issue in MRA deployment paste here i will help you 

Community Member

Thanks for the response.

Thanks for the response.

I have all the port allowed so connectivity should be fine.

In my case my internal domain and external domain are different and I cannot create the external domain in the internal DNS sever since it will create issue with production server.

How can i do the deployment in this case.

Also which domain shall i create( Internal or external) in the expressway E ( Setting for DNS and Domain in exresswya E )

Community Member

use both domains in

use both domains in expressway-E and expressway-c, just add it and enable cm and IMP registration 

Advertise  LAN 1 inside your Internal DNS Server for example:

external domain: abc.com

internal domain: xyz.com

External DNS Server:

SRV :

_collab-edge.-tls.abc.com--- pointing to vcse.abc.com

A:

vcse.abc.com--- pointing to public IP address

Internal DNS:

vcse.xyz.com--- pointing to LAN 1 IP address, who is connecting to a vcs-c IP address.

While creating a certificate in expressway-C keep in mind add expressway-e internal fQDn in San names.

Community Member

Hi

Hi

I have done the modification now my expressway c to e tunnel is up.

here is my setup

internal domain : internal.com

External domain : external.com

external DNS SRV point to CL1-exp-e-01.external.com

Internal DNS SRV point  to CL1-exp-e-01.internal.com

I have created the certificate where i include both the experssway C and E (intebal and external both name ) in the SAN while generating CSR.

My problem is now i am trying to login from internal and its failing with error " cannot communicate with server"

I am attaching the jabber client logs .

I have replace the public ip with 111.11.11.11

Community Member

Good to know your tunnel is

Good to know your tunnel is up 

you can rate the conversation if you feel it,s correct 

now you are geeting cannot communicate to server error .

can you check external DNs are you able to resolve srv records 

command prompt>type nslookup

check expressway fqdn is resolved or not 

then type set type=srv

_collab-edge._tls.externaldomain.com

it should resolve with expressway fqdn 

once all fqdn and srv is fine then check firewall ports from external 

5061

5222

8443

Community Member

Yes i am able to resolve the

Yes i am able to resolve the SRV record from public dns.Its a test environment so i opened all required port.

I am attaching the logs from jabber client

internal domain : internal.com

External domain : external.com

external DNS SRV point to CL1-exp-e-01.external.com

Internal DNS SRV point  to CL1-exp-e-01.internal.com

I have replace the public ip with 111.11.11.11

Community Member

please attached expressway-e

please attached expressway-e-logs

click maintaince> logs> advanced logging > enable TCP dumb and start debugging

now login from jabber externally 

stop logging 

download the logs

share logs file here i will look into that and let you know the issue .

( are you using Dual nic deployement right ?)

.

Community Member

Hi Sushant

Hi Sushant

Now i am no more getting the cannot found server error  from the internet .

But getting the Username and password are invalid in jabber while login from internet.

However same username and password is working when login from the within internal network.

The connectivity between the C & E seems to be good  and the tunnel is also active

1401
Views
9
Helpful
21
Replies
CreatePlease to create content