Troubleshooting
Philip Smeuninx
Technical Leader Services
psmeunin@cisco.com
BRKCOL-2602
Agenda
Introduction
XMPP Federation
B2B
Takeaways
Before we start
For your reference
Tool bookmark
Questions
Topology
CUCM
CUP
Internet
Expressway-C
Expressway x8.5
CUCM/CUP 10.5(2)
Expressway-E
System configuration
Firewall configuration
UC server discovery
System Configuration
Check the Administrator guide for more help on system configuration topics
Firewall Configuration
To which ports does this translate?
Internet
IM&P
CUCM-UDS
ExpressWay E
ExpressWay C
ExpressWay C
Source Port
ExpressWay E
Listening Port
Open Firewall
Private to DMZ
IP address of
- ExpressWay C
IP Address
IP address of
- ExpressWay E
IP Ports
TCP Ue
30000 to 35999 *
TCP 7400
SSH
(HTTP/S tunnels)
TCP Ue
30000 to 35999 *
TCP 2222
UDP YC
36000 to 59999 **
UDP YE
36000 to 36011 **
SIP signaling
SIP media
Firewall Configuration
Where to configure these ports?
ExpressWay C
ExpressWay C
Source Port
Management Control
Open Firewall
Private to DMZ
IP address of
- ExpressWay C
IP Address
ExpressWay E
Listening Port
IP address of
- ExpressWay E
TCP Ue
30000 to 35999 *
TCP 7400
SSH
(HTTP/S tunnels)
TCP Ue
30000 to 35999 *
TCP 2222
UDP YC
36000 to 59999 **
UDP YE
36000 to 36011 **
SIP signaling
SIP media
Firewall Configuration
Where to configure these ports?
ExpressWay C
Management Control
Open Firewall
Private to DMZ
IP address of
- ExpressWay C
IP Address
ExpressWay E
Listening Port
IP address of
- ExpressWay E
TCP 7400
TCP Ue
30000 to 35999 *
TCP Ue
30000 to 35999 *
TCP 2222
UDP YC
36000 to 59999 **
UDP YE
36000 to 36011 **
Firewall Configuration
Where to configure these ports?
ExpressWay E
Management Control
Open Firewall
IP Address
ExpressWay E
Listening Port
Private to DMZ
IP address of
- ExpressWay C
IP address of
- ExpressWay E
TCP Ue
30000 to 35999 *
TCP 7400
SSH
(HTTP/S tunnels)
TCP Ue
30000 to 35999 *
TCP 2222
UDP YC
36000 to 59999 **
UDP YE
36000 to 36011 **
SIP signaling
SIP media
Small/medium deployment
->Configured Media Demultiplexing ports
Default : 2776 (RTP) 2777 (RTCP)
or
->First 2 ports from Traversal Media port range
Default : 36000 (RTP) 36001 (RTCP)
36000-59999
ExpressWay C
36000-36001
or
2776-2777
ExpressWay E
36000-59999
ExpressWay C
36000-36011
ExpressWay E
Firewall configuration
Demultiplex port range after upgrades
Upgrade from x8.1 (upgraded from x7) to x8.2 -> 50000 50001
Demultiplex port range = retained from previous version and
Use configured demultiplexing ports is set to Yes
Firewall Configuration
To which ports does this translate?
Internet
IM&P
CUCM-UDS
Expressway E
ExpressWay C
Expressway E
Source Port
Management Control
Open Firewall
DMZ to Internet
Public IP address of
- ExpressWay E
IP Address
Internet SIP UA
Listening Port
IP address of
- Any (or specific IP)
IP Ports
N/A
N/A/5269
UDS
(Provisioning and Phonebook)
N/A
N/A
N/A
N/A
TLS
25000 to 29999
TLS S
>= 1024
UDP YE
36000 to 59999 **
UDP N
>= 1024
SIP signaling
Media
Firewall Configuration
To which ports does this translate?
Internet
IM&P
CUCM-UDS
ExpressWay E
ExpressWay C
Expressway C
Listening Port
Management Control
Open Firewall
Internet to DMZ
IP address of
- VCS Expressway
IP Address
Internet SIP UA
Source Port
IP address of
- Any (or specific IP)
TCP 5222/5269
TCP S
>= 1024
UDS
(Provisioning)
TCP 8443
TCP S
>= 1024
UDP 3478
UDP S
>= 1024
SIP signaling
TLS 5061
TLS S
>= 1024
UDP YE
36000 to 59999 **
UDP N
>= 1024
IP Ports
Media
Firewall Configuration
To which ports does this translate?
Internet
IM&P
CUCM-UDS
ExpressWay E
ExpressWay C
CUCM&CUP System
Listening Port
Management Control
ExpressWay C
Source Port
Open Firewall
N/A
IP address of
- Unified CM
- IM & Presence Server
IP Address
Private Network
IP address of
- ExpressWay C
TCP 7400
(IM&P Server)
TCP Ue
30000 to 35999 *
TCP 8443
(CUCM Server, IM&P Server)
TCP Ue
30000 to 35999 *
TFTP
TCP 6970
(TFTP Server)
TCP Ue
30000 to 35999 *
CUC (Voicemail)
TCP 443
(CUC server)
TCP Ue
30000 to 35999 *
IP Ports
UDS CUCM
SOAP IM&P
Dual-NIC enabled but not used/connected (only for static NAT): ExpressWay C
will not be able to connect to port 7400 for XMPP
Firewall Setup
Port Status and Configuration
Certificates
> Maintenance
> Security Certificate
> Server Certificate
Certificates
> Maintenance > Security Certificate > Trusted CA Certificate
Troubleshooting
CA Root not uploaded on ExpressWay E
xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Srcport="25016" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS"
Common-name="xwaye.coluc.com" Level="1" UTCTime="2014-03-24 17:33:30,872
Troubleshooting
CA Root not uploaded on CUCM
Softphone registration fails (others will work) when the endpoint security settings are
authenticated or encrypted
Troubleshooting
CA Root not uploaded on CUCM
CUP
CUCM
Troubleshooting
Security Profile added as SAN (CUCM trace)
SIPTcp - Connection Indication - Listen Port = 5061, Peer Port = 25002
SIPTcp - wait_SdlReadRsp: Incoming SIP TCP message from 10.48.55.98 on port 25002 index 10 with 2994
bytes:[53,NET]
REGISTER sip:COLCM9PUB SIP/2.0
SIPStationInit: connId=10, CSFEWAYJ, 10.48.55.98:5061, Incoming register request received over TLS.
Subject=[/C=BE/ST=BRABANT/L=DIEGEM/O=CISCO/OU=TAC/CN=xwayc.coluc.com]
Troubleshooting
Security Profile not added as SAN (CUCM trace)
SIPTcp - Connection Indication - Listen Port = 5061, Peer Port = 25004
SIPTcp - wait_SdlReadRsp: Incoming SIP TCP message from 10.48.55.98 on port 25004 index 10 with 2994
bytes:[53,NET]
REGISTER sip:COLCM9PUB SIP/2.0
SIPStationInit: connId=10, CSFEWAYJ, 10.48.55.98:5061, Incoming register request received over TLS.
Subject=[/C=BE/ST=BRABANT/L=DIEGEM/O=CISCO/OU=TAC/CN=xwayc.coluc.com]
SIPStationD(3) - validTLSConnection:TLS InvalidX509NameInCertificate Error , did not find matching SAN either,
Rcvd=xwayc.coluc.com;conference-2-ecup9.coluc.com, Expected=csf-secure
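The two certificate failures shown so far (the "unknown ca" alert on the Expressway and the SAN mismatch in the CUCM trace) can be picked out of a log bundle automatically. The following is an added example, not part of the original slides or of any Cisco tool; the sample lines are the slide's own log lines re-joined where the text wrapped, and the function names and finding fields are assumptions made for illustration.

```python
import re

# key="value" pairs as used in the Expressway event line quoted above
KV = re.compile(r'([\w-]+)="([^"]*)"')
# CUCM SIPStationD line that reports which names were presented and expected
SAN_MISMATCH = re.compile(
    r'InvalidX509NameInCertificate.*?Rcvd=([^,\s]+),\s*Expected=(\S+)')

# The page's log lines, re-joined where the slide text wrapped them.
SAMPLE_LINES = [
    'xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" '
    'Src-ip="10.48.55.98" Srcport="25016" Dst-ip="10.48.55.99" '
    'Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" '
    'Common-name="xwaye.coluc.com" Level="1" '
    'UTCTime="2014-03-24 17:33:30,872',
    'SIPStationInit: connId=10, CSFEWAYJ, 10.48.55.98:5061, '
    'Incoming register request received over TLS.',
    'SIPStationD(3) - validTLSConnection:TLS InvalidX509NameInCertificate '
    'Error , did not find matching SAN either, '
    'Rcvd=xwayc.coluc.com;conference-2-ecup9.coluc.com, Expected=csf-secure',
]


def triage(line):
    """Return a finding dict for a TLS failure line, or None for other lines."""
    match = SAN_MISMATCH.search(line)
    if match:
        return {
            "kind": "san-mismatch",
            "presented": match.group(1).split(";"),
            "expected": match.group(2),
            "check": "security profile name missing from the SANs of the "
                     "certificate presented to CUCM",
        }
    fields = dict(KV.findall(line))
    if fields.get("Event", "").endswith("TLS Negotiation Error"):
        if "unknown ca" in fields.get("Detail", "").lower():
            return {
                "kind": "unknown-ca",
                "service": fields.get("Service"),
                "peer": fields.get("Common-name") or fields.get("Dst-ip"),
                "peer_port": fields.get("Dst-port"),
                "check": "CA root missing from a trusted CA list on this "
                         "connection",
            }
        return {"kind": "tls-other", "detail": fields.get("Detail")}
    return None


def triage_all(lines):
    """Triage every line and keep only the findings."""
    return [f for f in (triage(l) for l in lines) if f]


if __name__ == "__main__":
    for finding in triage_all(SAMPLE_LINES):
        print(finding)
```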
Troubleshooting
Security Profile not added as SAN (CUCM trace)
Must be CA Signed
Public CA
Expressway C
Troubleshooting
CA root not uploaded to ExpressWay C
Enterprise Network
DMZ
CUCM
Outside Network
Internet
Expressway-C
Traversal Client
Endpoint A
Expressway-E
Traversal Server
Endpoint B
Traversal Link Management
Signal
Media Payload
UC Traversal Zone
ExpressWay E Traversal Server
UC Traversal Zone
ExpressWay C Traversal Client
Must resolve to the public IP address of
Expressway E in a
single-NIC deployment
Troubleshooting
Peer Address not matching CN
Troubleshooting
Password incorrect
UC Server Discovery
TOMCAT UDS/8443
expwayC.domain1.com
colcm10pub.coluc.com
OR (*)
Publisher address = FQDN MUST match SAN TOMCAT Certificate Publisher
(*) Only valid statement RFC 6125
No requirements for
TOMCAT Certificate Publisher
CEtls-<UCMName> Zone:
- TLS Verify mode = On
- Peer Address must match CN or SAN
from Callmanager certificate
Expressway C
expwayC.edge1.com
Internal DNS
CUCM
colcm9pub.coluc.com
Troubleshooting
Different server Domain
Status is Active when DNS resolves
<hostname>@<domain xway>
or
<hostname>
What happens when Expressway and CUCM
servers are in different domains?
Expressway C
expwayC.edge1.com
Internal DNS
CUCM
colcm9pub.coluc.com
How to solve?
1) Use FQDN for server configuration on CCMADMIN
Either discovery will fail or TLS connections with CUCM will fail
With self-signed certificates use TLS verify mode = Off
and only upload the CUCM cert
With TLS Verify mode for HTTPS (discovery) and SIP TLS (edge calls),
CCM and TOMCAT certificates MUST have FQDN SAN = DNS-ID
Domain Configuration
ExpressWay C & E DNS Configuration
Domain Configuration
ExpressWay C Domain Configuration
> Configurations > Domains
The client/endpoint queries DNS servers to retrieve service (SRV) records
that provide the location of servers.
Scenario 1
- Flat domain structure
- ExpressWay Servers : domain1.com
- UC servers : domain1.com
- IM&P domain : domain1.com
cup.domain1.com
IM&P Domain =
domain1.com
Jabber Client
External DNS
Expressway E
Expressway C
Internal DNS
cucm.domain1.com
IMP Server
ExpressWay Scenario 1
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
xwayE.domain1.com
Expressway C
xwayC.domain1.com
Internal DNS
cucm.domain1.com
IMP Server
cup.domain1.com
with
IM and Presence Domain =
domain1.com
ExpressWay Scenario 1
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
expwyE.domain1.com
ExpressWay C
Internal DNS
expwyC.domain1.com
cucm.domain1.com
Resolves to
A record xwayE.domain1.com
IMP Server
cup.domain1.com
with
IM and Presence Domain =
domain1.com
ExpressWay Scenario 1
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
ExpressWay C
Internal DNS
xwayC.domain1.com
cucm.domain1.com
IMP Server
cup.domain1.com
with
IM and Presence Domain =
domain1.com
ExpressWay Scenario 1
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
ExpressWay C
Internal DNS
xwayE.domain1.com
cucm.domain1.com
IMP Server
cup.domain1.com
with
IM and Presence Domain =
domain1.com
ExpressWay Scenario 1
Domain and DNS configuration
Jabber Client
External DNS
ExpressWay C
Expressway E
xwayE.domain1.com
xwayC.domain1.com
Internal DNS
cucm.domain1.com
Resolves to
A record cucm.domain1.com
IP address CUCM
IMP Server
cup.domain1.com
with
IM and Presence Domain =
domain1.com
ExpressWay Scenario 1
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
xwayE.domain1.com
ExpressWay C
Internal DNS
xwayC.domain1.com
IMP Server
cup.domain1.com
with
IM and Presence Domain =
domain1.com
ExpressWay Scenario 1
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
xwayE.domain1.com
ExpressWay C
xwayC.domain1.com
Internal DNS
IMP Server
cucm.domain1.com
Scenario 2
- Mixed domain structure
- Expressway servers : domain2.com
- UC and CUP servers : domain1.com
- IM&P domain : domain1.com
Jabber Client
External DNS
Expressway E
cup.domain1.com
IM&P Domain =
domain1.com
Expressway C
Internal DNS
cucm.domain1.com
IMP Server
ExpressWay Scenario 2
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
xwayE.domain2.com
Expressway C
xwayC.domain2.com
Internal DNS
cucm.domain1.com
IMP Server
cup.domain1.com
with
IM and Presence Domain =
domain1.com
ExpressWay Scenario 2
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
xwayE.domain2.com
ExpressWay C
Internal DNS
xwayC.domain2.com
cucm.domain1.com
Resolves to
A record xwayE.domain2.com
IMP Server
cup.domain1.com
with
IM and Presence Domain =
domain1.com
ExpressWay Scenario 2
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
ExpressWay C
Internal DNS
xwayC.domain1.com
cucm.domain1.com
IMP Server
cup.domain1.com
with
IM and Presence Domain =
domain1.com
ExpressWay Scenario 2
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
xwayE.domain2.com
ExpressWay C
Internal DNS
cucm.domain1.com
IMP Server
cup.domain1.com
with
IM and Presence Domain =
domain1.com
ExpressWay Scenario 2
Domain and DNS configuration
Jabber Client
External DNS
ExpressWay C
Expressway E
xwayE.domain2.com
xwayC.domain2.com
Internal DNS
cucm.domain1.com
Resolves to
A record cucm.domain1.com
IP address CUCM
IMP Server
cup.domain1.com
with
IM and Presence Domain =
domain1.com
ExpressWay Scenario 2
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
xwayE.domain1.com
ExpressWay C
Internal DNS
xwayC.domain1.com
IMP Server
cup.domain1.com
with
IM and Presence Domain =
domain1.com
ExpressWay Scenario 2
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
xwayE.domain1.com
ExpressWay C
xwayC.domain1.com
Internal DNS
IMP Server
cucm.domain1.com
Scenario 3
- Mixed domain structure
- Expressway servers : domain3.com
- UC and CUP servers : domain2.com
- IM&P domain : domain1.com
Jabber Client
External DNS
Expressway E
cup.domain2.com
IM&P Domain =
domain1.com
Expressway C
Internal DNS
cucm.domain2.com
IMP Server
ExpressWay Scenario 3
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
xwayE.domain3.com
Expressway C
xwayC.domain3.com
Internal DNS
cucm.domain2.com
IMP Server
cup.domain2.com
with
IM and Presence Domain =
domain1.com
ExpressWay Scenario 3
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
xwayE.domain3.com
ExpressWay C
Internal DNS
xwayC.domain3.com
cucm.domain2.com
Resolves to
A record xwayE.domain3.com
IMP Server
cup.domain2.com
with
IM and Presence Domain =
domain1.com
ExpressWay Scenario 3
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
ExpressWay C
Internal DNS
xwayC.domain3.com
cucm.domain2.com
IMP Server
cup.domain2.com
with
IM and Presence Domain =
domain1.com
ExpressWay Scenario 3
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
ExpressWay C
xwayE.domain3.com
Internal DNS
cucm.domain2.com
IMP Server
cup.domain2.com
with
IM and Presence Domain =
domain1.com
Answer:
> System > DNS >
- System host name xwayC
- Domain name domain3.com
> Configuration > Domains >
- Domain domain1.com enabled for UCM registrations and IM and Presence
- Domain domain2.com enabled for UCM registrations and IM and Presence
- Domain domain3.com enabled for UCM registrations and IM and Presence
ExpressWay Scenario 3
Domain and DNS configuration
Jabber Client
External DNS
ExpressWay C
Expressway E
xwayE.domain3.com
xwayC.domain3.com
Internal DNS
cucm.domain2.com
Resolves to
A record cucm.domain2.com
IP address CUCM
IMP Server
cup.domain2.com
with
IM and Presence Domain =
domain1.com
ExpressWay Scenario 3
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
xwayE.domain3.com
ExpressWay C
Internal DNS
xwayC.domain3.com
IMP Server
cup.domain2.com
with
IM and Presence Domain =
domain1.com
ExpressWay Scenario 3
Domain and DNS configuration
Jabber Client
External DNS
Expressway E
xwayE.domain1.com
ExpressWay C
xwayC.domain1.com
Internal DNS
IMP Server
cucm.domain2.com
For each HTTP request, Jabber will search for cached cookies.
If one is found and the domain/target matches, it will be used in subsequent requests.
Troubleshooting
ExpressWay or UC Server Domain not configured
Decodes to coluc.com
Troubleshooting
IM&P Domain not configured (UC Domain)
Tool bookmark
https://mxtoolbox.com/NetworkTools.aspx
Tool bookmark
Base64 decoding/encoding
https://www.base64decode.org
Transformed Url:
https://xwaye.coluc.com:8443/Y29sdWMuY29tL2h0dHAvY29sY205cHViLzY5NzA=/CSFxwayj.cnf.xml
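When reading Expressway or proxy logs it helps to decode the first path segment of a transformed URL and see which internal host and port the request is aimed at. The following is an added example, not part of the original slides; the field layout (domain/protocol/host/port) is inferred from the slide's single sample URL, and the expected-target set, the function names and the third URL are assumptions constructed for illustration.

```python
import base64
from urllib.parse import urlsplit

# Transformed URL exactly as shown on the slide.
PAGE_URL = ("https://xwaye.coluc.com:8443/"
            "Y29sdWMuY29tL2h0dHAvY29sY205cHViLzY5NzA=/CSFxwayj.cnf.xml")
# get_edge_config request as shown in the appendix of the slides.
EDGE_CONFIG_URL = ("http://vcs_control.coluc.com:8443/"
                   "Y2lzY290cC5jb20/get_edge_config")
# Constructed sample: a target that is not in the expected set below.
CONSTRUCTED_URL = ("https://xwaye.coluc.com:8443/"
                   + base64.urlsafe_b64encode(
                       b"coluc.com/http/unlisted-host/8080").decode()
                   + "/index.html")

# Assumption: internal (host, port) pairs edge clients are expected to reach.
# colcm9pub:6970 comes from the slide's URL; the second entry is constructed.
EXPECTED_TARGETS = {("colcm9pub", 6970), ("colcm9pub", 8443)}


def decode_segment(segment):
    """Base64-decode a path segment, restoring any stripped '=' padding."""
    segment = segment.rstrip("=")
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def parse_transformed_url(url):
    """Split a transformed URL into edge host, decoded target and resource."""
    parts = urlsplit(url)
    segment, _, resource = parts.path.lstrip("/").partition("/")
    fields = decode_segment(segment).split("/")
    info = {"edge": parts.netloc, "domain": fields[0],
            "protocol": None, "host": None, "port": None,
            "resource": "/" + resource}
    # A segment that carries only the domain (get_edge_config) has one field.
    if len(fields) == 4 and fields[3].isdigit():
        info["protocol"], info["host"] = fields[1], fields[2]
        info["port"] = int(fields[3])
    return info


def unexpected_target(info, expected=EXPECTED_TARGETS):
    """True when the URL names an internal host/port outside the expected set."""
    if info["host"] is None:
        return False
    return (info["host"], info["port"]) not in expected


if __name__ == "__main__":
    for url in (PAGE_URL, EDGE_CONFIG_URL, CONSTRUCTED_URL):
        info = parse_transformed_url(url)
        print(info, "UNEXPECTED" if unexpected_target(info) else "ok")
```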
A good way to verify that the basic MRA components are in place is to run the first
HTTP request Jabber would make.
To do this, open a browser and enter the following URL to verify that the
HTTP reverse proxy is working and that the ExpressWay-C can discover the DNS.
https://xwaye.coluc.com:8443/Y29sdWMuY29/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin
COLUC.COM
Use CUCM user credentials when prompted by the browser
Service Config
Diagnostics logs
XMPP Federation
Expressway C
Enable Domain for XMPP Federation
Expressway E
Enable XMPP Federation feature
Expressway C shows
CUP shows
XMPP Federation
DOMAIN
VNGTP.LAB
DMZ
5269
5269
user1@coluc.com
5222
UC IM&P
IBM Sametime
Cisco Webex
GoogleTalk
Other XMPP
S2S
CM
7400
IM/P
XCP
UC IM&P Serv
IM/P
7400
SRV
lookup
IM/P
5222
DNS
Static
Route
XCP
XCP
Expressway-C
Expressway-E
employee1@vngtp.lab
Static routes = On
XCP_CM2[1382]:..Level="INFO " Detail="_lookupSRV: static routes not found, proceed to SRV lookup'
XCP_CM2[1382]:..Level="INFO " Detail="(54fe6aa8-687d-40d6-8954-8d9bac710652, coluc.com:vngtp.lab, OUT)
resolved outbound address for host=vngtp.lab method=SRV _xmpp-server._tcp addrs=10.48.36.171:5269 ...
DNS vs Static
When no static routes are defined for a federated domain or chat node alias,
the system will use DNS instead.
If static routes are defined for the federated domain or chat node alias,
but the remote system cannot be contacted over those routes,
the system will not fall back to DNS.
If Privacy mode is set to Allow list and Use static routes is On,
any domains (or chat node aliases) that are configured as static routes
are included automatically in the allow list.
XMPP Federation
Receiving Server
Authoritative Server
DOMAIN1
DOMAIN2
DOMAIN1
Initiating Server
XCP_CM2[12122]:.. Level="INFO " CodeLocation="stanza.component.out" Detail="xcoder=34A9B60C8 sending::
<db:result from='coluc.com' to='vngtp.lab'>d780f198ac34a6dbd795fcdaf8762eaf52ea9b03</db:result>"
XCP_CM2[12122]:.. Level="DEBUG" CodeLocation="stream.out" Detail="(00000000-0000-0000-0000-000000000000, coluc.com:vngtp.lab, OUT)
xcoder=34A9B60C8 Scheduling dialback timeout in 30 secs."
XCP_CM2[12122]:.. Level="INFO " CodeLocation="ConnInfoHistory" Detail="Connection state change: PENDING->CONNECTED:
Receiving Server
Receiving Server
Authoritative Server
After the timeout, XMPP traffic will fail: the domain pair is blocked for 30 min
XCP_CM2[21104]: CodeLocation="stanza.router.in" Detail="cm-2_s2scp-1.eft-xwye-a-coluc-com onPacket:: <message
from='user1@coluc.com/jabber_5111' to='employee1@vngtp.lab' type='chat' xml:lang='en'><gone
xmlns='http://jabber.org/protocol/chatstates'/></message>
XCP_CM2[21104]: CodeLocation="debug" Detail="Bouncing packet because domain pair (453d2518-9894-4bb2-ae77-d1a6c88b06aa,
coluc.com:vngtp.lab, OUT) is marked as failed: <message from='user1@coluc.com/jabber_5111' to='employee1@vngtp.lab' type='chat'
xml:lang='en'><gone xmlns='http://jabber.org/protocol/chatstates'/></message>
XCP_CM2[21104]: CodeLocation="stanza.router.out" Detail="cm-2_s2scp-1.eft-xwye-a-coluc-com <message from='employee1@vngtp.lab'
to='user1@coluc.com/jabber_5111' type='error' xml:lang='en'><gone xmlns='http://jabber.org/protocol/chatstates'/><error code='504'
type='wait'><remote-server-timeout xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/></error></message>
XMPP Federation
Certificate requirements:
Troubleshooting
Receiver required TLS, initiator Req or optional
Troubleshooting
Receiver required TLS, initiator no TLS
Troubleshooting
Receiver optional TLS, initiator TLS optional or required
Initiator TLS
Troubleshooting
Receiver no TLS, initiator required
Troubleshooting
Domain not contained in server certificate
TLS negotiation will fail when the CA root is not uploaded to the Expressway's trusted
CA root list
Troubleshooting
CA not uploaded to initiator trust store
XMPP Federation
Scenario Initiating Server Allow list does not contain foreign domain
Troubleshooting Privacy
Receiving Server Allow list does not contain source
XCP_CM2[8002]:..Level="INFO " CodeLocation="debug" Detail="xcoder=21107F2AE onStreamOpen:: <stream:stream from='vngtp.lab'
id='11107F2AE' to='coluc.com' version='1.0' xml:lang='en-US.UTF-8' xmlns='jabber:server' xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'/>
XCP_CM2[8002]:..Level="INFO " CodeLocation="DBVerify.cpp:52" Detail="(ba1999ed-7b82-4ca9-a170-e85bf88af35f, coluc.com:vngtp.lab, IN)
Attempting to do dialback, Xcoder ID: 343BDFCC4"
..
XCP_CM2[8002]:..Level="INFO " CodeLocation="Resolver.cpp:143" Detail="Finished resolver lookup for 'vngtp.lab:puny=vngtp.lab:service=_xmppserver._tcp:defport=0'. Took 0.001415s"
....
XCP_CM2[8002]:..Level="INFO " CodeLocation="DBVerify.cpp:282" Detail="(ba1999ed-7b82-4ca9-a170-e85bf88af35f, coluc.com:vngtp.lab, IN)
DBVerify Packet Received <db:verify from='vngtp.lab' id='21107F2AE' to='coluc.com'
type='valid'>c33b79581b391a1a0c59a65b060c4dd5954e8c10</db:verify>"
..
XCP_CM2[8002]:..Level="INFO " CodeLocation="DBVerify.cpp:301" Detail="(ba1999ed-7b82-4ca9-a170-e85bf88af35f, coluc.com:vngtp.lab, IN)
Passed dialback first stage. packet-from: vngtp.lab, stored-from: vngtp.lab, packet-to: coluc.com, stored-to: coluc.com, packet-id: 21107F2AE,
stored-id: 21107F2AE
XMPP Federation
10 Retries
Business to Business calls
Enterprise Network
DomainA
DMZ
CUCM
Internet
Expressway-C
Collab Gateway
Expressway-E
Collab Gateway
DomainB
Dialplan
(Search Rules,
Transforms ..)
DomainA
CUCM
Internet
Expressway-C
Neighbor
Zone
Traversal
Zone Client
Expressway-E
Traversal
Zone Server
DNS Zone
DomainB
B2B Traversal
Troubleshooting
INVITE sent to wrong IP address
Key TakeAways
SRV records for the different services must exist in DNS with Split DNS
Trunk vs Line
Appendix
https://<expressway>/getxml?location=/Status/XMPP
ExpressWay E
ExpressWay C
Jabber Client
External DNS
Expressway E
ExpressWay C
Internal DNS
CUCM Home
UDS
TFTP
Server
IMP
Server
Jabber Client
External DNS
DNS Query
SRV _cisco-uds._tcp.coluc.com
Query Response
Not Found
DNS Query
SRV _cuplogin._tcp.coluc.com
Query Response
Not Found
Expressway E
ExpressWay C
Internal DNS
CUCM Home
UDS
TFTP
Server
IMP
Server
Jabber Client
External DNS
Expressway E
DNS Query
SRV _collab-edge._tls.coluc.com
Query Response
(Contains answers including SRV and A/AAAA records)
Service: collab-edge
Protocol: tls
Name: coluc.com
Type: SRV
Port: 8443
Target: xwaye.coluc.com
SRV coluc.com
DNS Query
A xwaye.coluc.com
Query Response
(Contains answers including A/AAAA record)
Name: xwaye.coluc.com
Type: A
Addr: 122.208.118.4
ExpressWay C
Internal DNS
CUCM Home
UDS
TFTP
Server
IMP
Server
Jabber Client
External DNS
Expressway E
Expressway C
Internal DNS
CUCM Home
UDS
HTTPS
HTTPS: GET /get_edge_config
HTTPMSG:
GET https:///Y2lzY290cC5jb20/get_edge_config HTTP/1.1
Authorization: xxxxx <= Basic username and password
Host: xwaye.coluc.com:8443
User-Agent: Jabber-Win-746
HTTPS
HTTPS: GET /get_edge_config
HTTPMSG:
GET http://vcs_control.coluc.com:8443/Y2lzY290cC5jb20/get_edge_config HTTP/1.1
Authorization: xxxxx <= Basic username and password
Host: vcs_control.coluc.com:8443
User-Agent: Jabber-Win-746
X-Forwarded-For: 64.104.46.217 <= Address of Jabber client that VCS-E received from
Via: https/1.1 vcs[7AD07604] (ATS)
TFTP
Server
IMP
Server
Jabber Client
External DNS
Expressway E
ExpressWay C
Internal DNS
When the DNS record is not cached, ExpressWay C will send out the following DNS queries
DNS Query
SRV _cisco-uds._tcp.coluc.com
Query Response
(Target: colcm9pub.coluc.com)
SRV _cisco-phone-tftp._tcp.coluc.com
Query Response
(Target: colcm9pub.coluc.com)
DNS Query
A colcm9pub.coluc.com
Query Response
(Addr: 172.16.1.36)
CUCM Home
UDS
TFTP
Server
IMP
Server
Jabber Client
External DNS
Expressway E
ExpressWay C
Internal DNS
DNS Query
SRV _cuplogin._tcp.coluc.com
Query Response
(Target: colcup.coluc.com)
DNS Query
A colcup.coluc.com
Query Response
(Addr: 172.16.1.33)
CUCM Home
UDS
TFTP
Server
IMP
Server
Jabber Client
External DNS
Expressway E
Expressway C
Internal DNS
CUCM Home
UDS
TFTP
Server
HTTP(S)
At this point the diagnostic log should show the internal status messages "Found user cluster" and "Found UDS server"
===========================================================
Module="developer.edgeconfigprovisioning.server" Level="DEBUG"
CodeLocation="edgeconfigprovisioningserver(655)" Detail="Found user cluster" Username=xwayj"
Cluster="172.16.1.36
Module="developer.edgeconfigprovisioning.server" Level="DEBUG"
CodeLocation="edgeconfigprovisioningserver(682)" Detail="Found UDS server" Cluster="172.16.1.36"
UdsServer="colcm9pub
===========================================================
HTTPMSG:
HTTP/1.1 200 OK
Content-Type: application/xml
Server:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><clusterUser uri="https://colcm9pub:8443/cucmuds/clusterUser?username=xwayj" version="9.1.2"><result version="9.1.2" uri="https://172.16.1.36:8443/cucmuds/user/xwayj" found="true"/><homeCluster>172.16.1.36</homeCluster></clusterUser>
IMP
Server
Jabber Client
External DNS
Expressway E
ExpressWay C
Internal DNS
CUCM Home
UDS
TFTP
Server
HTTP(S)
Get Devices
IMP
Server
Jabber Client
External DNS
Expressway E
ExpressWay C
Internal DNS
CUCM Home
UDS
HTTPS 200 OK
Returned configuration:
1) IMP, CUCM, TFTP SRV
2) SIP edge
3) Randomized list of UDS
4) XMPP edge
5) HTTP edge
etc.
HTTPMSG:
HTTP/1.1 200 OK
Server: CE_C ECS
Set-Cookie: X-Auth=<edge token>; Expires=xxxxx; Domain=.coluc.com; Path=/; Secure
<?xml version='1.0' encoding='UTF-8'?> <getEdgeConfigResponse version="1.0"><serviceConfig><service><name>_ciscophonetftp</name><server><priority>0</priority><weight>0</weight><port>69</port><address>colcm9pub.coluc.com</address></
server></service><service><name>_cuplogin</name><server><priority>0</priority><weight>0</weight><port>8443</port>
<address>imp33.coluc.com</address></server> .. </edgeConfig></getEdgeConfigResponse>|
TFTP
Server
IMP
Server
Jabber Client
External DNS
Expressway E
HTTPS
HTTPS: GET /jabber-config.xml
HTTPMSG:
GET https:///...../jabber-config.xml HTTP/1.1
Host: xwaye.coluc.com:8443
Cookie: X-Auth=<edge token>
User-Agent: Jabber-Win-746
HTTPS: POST /EPASSoap/service/ login
HTTPMSG:
POST https:///...../EPASSoap/service/v80 HTTP/1.1
Host: xwaye.coluc.com:8443
User-Agent: gSOAP/2.8
User-Agent: Jabber-Win-746
Cookie: $Version=1;X-Auth=<edge token>;$Path="/";$Domain=".coluc.com
SOAPAction: "urn:cisco:epas:soap/EpasSoapServiceInterface/login"
.
ExpressWay C
Internal DNS
CUCM Home
UDS
TFTP
Server
IMP
Server
Jabber Client
External DNS
Expressway E
HTTPS
HTTPS: GET /EPASSoap/service / CTLSEP<CSFUSERNAME>.tlv
HTTPMSG:
GET https:///...../CTLSEPCSFxwayj.tlv HTTP/1.1
Authorization: xxxxx
Host: xwaye.coluc.com:8443
Cookie: X-Auth=<edge token>
User-Agent: Jabber-Win-746
HTTPS: GET /EPASSoap/service / CTLSEP<CSFUSERNAME>.cnf.xml
HTTPMSG:
GET https:///....../CSFxwayj.cnf.xml HTTP/1.1
Authorization: xxxxx
Host: xwaye.coluc.com:8443
Cookie: X-Auth=<edge token>
User-Agent: Jabber-Win-746
ExpressWay C
Internal DNS
CUCM Home
UDS
TFTP
Server
IMP
Server
Jabber Client
External DNS
Expressway E
ExpressWay C
Internal DNS
CUCM Home
UDS
SIP - REFER
REFER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: 08119654-5e650005-00005970-00003801@10.71.50.153
CSeq: 1000 REFER
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.30:5061;transport=tls;zoneid=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>
SIP
407 Proxy
Authentication Required
TFTP
Server
IMP
Server
Jabber Client
External DNS
Expressway E
ExpressWay C
SIP - REFER
REFER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: 08119654-5e650005-00005970-00003801@10.71.50.153
CSeq: 1001 REFER
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.31:5061;transport=tls;zoneid=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>
Proxy-Authorization: Digest username="xwayj", realm="xwaye.coluc.com", uri="sip:colcm9pub",
response="4900cdfe65c4a4551f1129903c9ed98d", nonce=xxxxx", opaque=xxxxx", cnonce="000030a0", qop=auth,
nc=00000001, algorithm=MD5
Internal DNS
CUCM Home
UDS
TFTP
Server
IMP
Server
Jabber Client
External DNS
Expressway E
ExpressWay C
Internal DNS
CUCM Home
UDS
SIP - REFER
REFER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: 08119654-5e650005-00005970-00003801@10.71.50.153
CSeq: 1001 REFER
Refer-To: <cid:0000360d@10.71.50.153>
Referred-By: <sip:081196545e65@10.71.50.153>
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:colcm9pub>
Route: <sip:colcm9pub;transport=tcp;lr>
P-Asserted-Identity: <sip:081196545e65@10.71.50.153>
SIP - REFER
TFTP
Server
IMP
Server
Jabber Client
External DNS
Expressway E
ExpressWay C
Internal DNS
CUCM Home
UDS
TFTP
Server
SIP
SIP
202 Accepted
202 Accepted
SIP
202 Accepted
SIP - REGISTER
REGISTER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: 08119654-5e650005-00005970-00003801@10.71.50.153
CSeq: 101 REGISTER
Contact: <sip:..... @10.71.50.153:50036;transport=tls>;+sip.instance="<urn:uuid:00000000-0000-0000-0000081196545e65>";+sip.instance="<urn:uuid:00000000-0000-0000-0000081196545e65>";+u.sip!devicename.ccm.cisco.com="CSFxwayj";+u.sip!model.ccm.cisco.com="503";video
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.30:5061;transport=tls;zoneid=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>
SIP
407 Proxy
Authentication Required
IMP
Server
Jabber Client
External DNS
Expressway E
ExpressWay C
SIP - REGISTER
REGISTER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=..
CSeq: 102 REGISTER
Contact: <sip:xxxxx@10.71.50.153:50036;transport=tls>..
+u.sip!devicename.ccm.cisco.com="CSFxwayj";+u.sip!model.ccm.cisco.com="503"
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Proxy-Authorization: Digest username="xwayj", realm="xwaye.coluc.com", uri="sip:colcm9pub",
response="4900cdfe65c4a4551f1129903c9ed98d", nonce=xxxxx", opaque=xxxxx", cnonce="000030a0", qop=auth,
nc=00000001, algorithm=MD5
Internal DNS
CUCM Home
UDS
TFTP
Server
IMP
Server
Jabber Client
External DNS
Expressway E
ExpressWay C
Internal DNS
CUCM Home
UDS
SIP - REGISTER
SIP
100 Trying
TFTP
Server
IMP
Server