Issue MRA Expressway

Hi all

I had configured Expressway C + E, and the traversal zone is present on C and E.

But the event log shows me an error every minute and Jabber cannot open a session.

Does anyone know what the error means?

-----------------------------------------------------------------------------------------------------------------

2015 08-21 T 15: 36:38 + 08:00 sshdpfwd [12233]: error: mm_request_receive: socket closed
2015 08-21 T 15: 36:38 + 08:00 "" sshdpfwd [12235]: Event = "sshd" Module ="openssh" Level = "INFO" detail = "disconnected from 200.20.30.93" elements UTCTime ='2015-08-21 07:36:38"
2015 08-21 T 15: 36:38 + 08:00 sshdpfwd [12235]: received disconnect from 200.20.30.93: 11: disconnected by the user
2015 08-21 T 15: 36:38 + 08:00 "" sshdpfwd [12233]: Event = "sshd" Module ="openssh" Level = "INFO" detail = "child user is on the NEST 12235" elements UTCTime ='2015-08-21 07:36:38"
2015 08-21 T 15: 36:38 + 08:00 "" sshdpfwd [12233]: Event = "sshd" Module ="openssh" Level = "INFO" detail = "publickey accepted for 200.20.30.93 _pfwd 35380 ssh2 port: RSA + SHA256:XkWEN5bLqWjVRYxTTVeAnHYD5B7pEOtrpkhnQfc + AEo cert" elements UTCTime ='2015-08-21 07:36:38"
2015 08-21 T 15: 36:38 + 08:00 "" sshdpfwd [12233]: Event = "sshd" Module ="openssh" Level = "INFO" detail = "authorized by X 509 (rsa): CN = expc1.hxipcc.com, OR = HX, O is HX, L KM, ST = YN, C = CN =" elements UTCTime ='2015-08-21 07:36:38"
2015 08-21 T 15: 36:38 + 08:00 "" sshdpfwd [12233]: Event = "sshd" Module ="openssh" Level = "INFO" detail = "35380 on connection to 200.20.30.93 port 10.0.51.99 port 2222" elements UTCTime ='2015-08-21 07:36:38"
2015 08-21 T 15: 36:38 + 08:00 "" sshdpfwd [12233]: Event = "sshd" Module ="openssh" Level = "INFO" detail = '/ proc/self/oom_score_adj to 0 value"elements UTCTime ='2015-08-21 07:36:38"

This is a cosmetic bug.

You can see the information in the link below:

CSCuv97323: 8.6 shows "closed socket" error on Exp-E but MRA is successful


Similar Questions

  • Expressway-E dual NIC and MRA Expressway-C

    Hi guys,

    I've seen a few threads and gone through a few guides, but I'm still a little confused about implementing MRA on a dual-NIC Expressway-E.

    We have the following text:

    ExpC - lan - expe - ASA-Internet

    ExpC: LAN1 - 10.1.1.2

    ExpE: LAN1 - 10.1.1.5
    ExpE: LAN2 - 10.1.10.10 (NAT'ed 20.20.20.20)

    As you can see, I would have only one firewall, located between the external port on the ExpE and the Internet.

    Q1:
    Since I am on dual NIC, how should I set up the traversal from ExpC to ExpE? Do I point to the FQDN of the ExpE (expe.company.com - 20.20.20.20)? I know that's what Cisco recommends if you use a single NIC on the ExpE. Does it apply to dual NIC too?

    Q2:
    Which firewall ports must be open between ExpC LAN1 and ExpE LAN2 (10.1.10.10)? I took a look at the guides, but it was not clear whether the ports to be opened were between ExpC LAN1 and ExpE LAN2 (10.1.10.10) or ExpC LAN1 and ExpE LAN1 (10.1.1.5).

    Thanks in advance

    Q1:
    Since I am on dual NIC, how should I set up the traversal from ExpC to ExpE? Do I point to the FQDN of the ExpE (expe.company.com - 20.20.20.20)? I know that's what Cisco recommends if you use a single NIC on the ExpE. Does it apply to dual NIC too?

    Your ExpC must point to 10.1.1.5 because it has no awareness of NAT; if you want to point to an FQDN, then let the ExpC resolve it to the internal IP address, 10.1.1.5. Dual NIC is, in my opinion, the best setup.

    Q2, off the top of my head (and there is a lot of info about it), between ExpC and ExpE: port 7001 for the traversal zone, to the ExpE external IP 10.1.1.5, SIP, SIP TLS, RTP, DNS etc.

  • MRA Expressway-C: media routed false

    Hi all

    I have installed an Expressway (X8.2.2) deployment for Mobile and Remote Access. Both servers are running well, and it is possible to connect with a remote Jabber client through the Expressway-E. Chat works correctly and the telephone services are configured correctly, too.

    Problem: When trying to establish a phone call between an internal Jabber client and a remote Jabber client, signaling works, but no media stream is established. Expressway-E shows under call status a connected session with call routed and media routed set to True, but Expressway-C shows media routed as False.

    The Expressway-E session looks good, showing the route through the TraversalZone, with the call in connected state and both media routed and call routed set to True.

    For the signaling itself, there is a problem, too. When calling from internal to remote, it is possible to end the call from the internal client, but it times out when trying to end it from the external client. (The call is still open from the point of view of the internal client then.)

    Related questions:

    (a)

    What is the reason I can't end calls from the external client, but only from the internal one, and only if the internal client called the remote client?

    (b)

    What is the reason for not being able to establish the media stream? I guess it's related to the Expressway-C or the firewall between C and E, but I am not sure.

    Configuration:

    My setup is an Expressway-C in the same domain as the CUCM and IM & Presence server, with both configured properly and a working TraversalZone to the internal Expressway-E interface through a firewall.

    Expressway-E: two interfaces in different subnets (static routes are configured for internal traffic) with static NAT configured on the external-facing interface to handle the payload. It is connected to the Internet via a firewall with static NAT from internal to external IP address.

    Kind regards

    Christoph

    Hi Christoph,

    That's normal; you won't see the three components of the call on the Expressway-E. Regarding UDP packets, are you sure the routes/IP settings are correct on the Expressway-E? Can you do a ping/traceroute from the Expressway-E to an IP address on the internet, to ensure that it works and that you can see the ICMP traffic leaving the external interface? Do a similar test to the IP address of the Exp-C and ensure that the traffic leaves the inside interface.

    -

    Jason

  • VCS-C VCS-E DNS

    Dear,

    I have two VCS-E and VCS-C and I followed the VCS-C and E deployment guide. Please help me with the following:

    1. In the VCS deployment guide, DNS zone on the VCS-E, pattern string ((?.*@%localdomains%.*$).*): what should I use instead of localdomains? What is the domain DNS record?

    2. I did everything as the guide suggested, but I do not understand the DNS part. Can anyone briefly explain it to me, or give me an example? I want units to be able to call me from outside and I'm not an expert in DNS. Please help.

    Do you have any SIP domains configured on your Expressway?  You can leave %localdomains% as it is, as that will match all SIP domains configured on your Expressway.  If you do not have any SIP domains set up, replace it with whatever your domain is.

    As far as the DNS records go, I guess you're talking about SRV records?  If so, see some of the discussions in the forums below.

    VCS-Expressway-and-Endpoint-DNS-Registration

    VCS-Expressway-cluster-DNS-SRV-Records

    DNS-SRV-record-issue-VCS-Expressway

    Essentially, you have an A record for your Expressway, which will be its FQDN, and on your external domain you create SRV records for each type of service that point to this Expressway FQDN.

  • Issue of Cisco Expressway MRA

    Dear all

    I'm testing the MRA feature of VCS-C and VCS-E.

    I use the 3-port firewall architecture, in which the VCS-C and CUCM are placed inside on the same subnet.

    The VCS-E is placed in the DMZ and uses static 1-1 NAT on the ASA 5510 to translate the private IP address 172.16.0.225 to the public IP address, for example 100.1.1.1.

    On the VCS-C, I use the FQDN of the VCS-E, which maps to the public IP of the VCS-E (100.1.1.1).

    And the VCS-E uses the FQDN of the VCS-C, which maps to the private IP of the VCS-C.

    The traversal zone on the VCS-C is active, but the traversal zone on the VCS-E is inactive; it says the server is unreachable.

    I found that my VCS-E does not have the license for the Advanced Networking option.

    In the VCS-E IP settings page, there is no NAT setting.

    I want to ask: if I need to use NAT, in addition to the firewall's NAT functionality, do I also need the Advanced Networking option license to activate NAT on the VCS-E?

    Or can it work using only the firewall's NAT function, without NAT on the VCS-E?

    Also, I set up NAT reflection on my ASA 5510.

    Hello

    The Advanced Networking option, to activate NAT on the VCS-E or Expressway Edge, is a requirement for the firewall traversal deployment.

    Useful guide:

    Cisco VCS Basic Configuration (Control with Expressway) Deployment Guide (X8.7)

    For your case, regarding the advanced network deployments, you will need to follow "3-port firewall DMZ using single VCS Expressway LAN interface" in the guide on page 60.

    Kind regards

    Acevirgil

  • Jabber client - encryption of VCS Expressway with MRA

    Hi all

    I'm working on the implementation of MRA for an existing video solution. CUCM version is 9.1.2 (no IM & P server), VCS-C and VCS-E are 8.2.2.  Jabber client is 11.5.x.

    I finished most of the setup and I am able to call internally and externally through MRA.

    I still have a few things to tweak.  One is the encryption of video calls once Jabber connects from outside.  From my understanding, the call leg between the Jabber endpoint and the VCS Expressway uses TLS. But when I run Wireshark on the PC with the Jabber client, I don't see the RTP stream as being encrypted.

    In CUCM, my Jabber device does not use a secure profile.  Is that OK or not?

    Please let me know if more details are needed.  Thank you

    You can confirm the call is encrypted from the MRA Jabber client by doing as follows (I used the 11.5 Jabber client; if you are using an older client, I can't guarantee this method):

    1. Make a call from the MRA Jabber client; once the call is set up and media is established, you can end the call.
    2. Create a Jabber client problem report (Help > Report a problem...).
    3. Enter the required details and save the .zip file.
    4. Extract the file "jabber.log" from the .zip file. Since this file (at least as of Jabber client version 11.5) has the SIP messaging included in it, you can use TranslatorX to view the file (you can also use a text editor if you wish).
    5. Generate a ladder diagram of the log file.

    6. In the ladder diagram, you should be able to locate the start of the call. Look for an INVITE, in my case a "RE-INVITE", and select it. A pop-up window will appear with the details of the SIP message.

    7. Read the content of the SIP INVITE message (focusing on the SDP, the media negotiation component). I won't go into detail about how to read SIP messages (there's a good article here; it is not for Jabber specifically, but the same concepts apply).

    8. Close the INVITE message and open the 'OK w/SDP' message to examine the response from the VCS-E. From the SDP response, we can confirm that the encryption settings have been accepted for the media (media will be encrypted).

    To reiterate Jamie's point, unless you run CUCM in mixed mode and use security profiles, signalling/media encryption stops on the CUCM/endpoint leg and the VCS-C respectively. See the diagram below for reference (mixed mode not implemented).

    You do not need security profiles applied to the CSF device to obtain encryption between the MRA Jabber client and the VCS-E. If you can decode signaling and media packets in Wireshark on your Jabber client, you are probably not connecting via MRA (MRA is always encrypted).

    Please let us know if that helps.

    -Jon
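
The SDP check in steps 6 to 8 of the reply above can be scripted once the INVITE and its 200 OK have been copied out of jabber.log. This is an added example, not part of the original reply or of any Cisco tool; it assumes SRTP is negotiated with SDES (RFC 4568), that is an `RTP/SAVP` media profile plus `a=crypto` attributes, and the SIP messages, addresses and key placeholder are constructed.

```python
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}  # secure RTP media profiles


def sdp_body(sip_message):
    """Return the SDP body: everything after the first blank line."""
    _headers, sep, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    return body if sep else ""


def parse_media(sdp):
    """Parse each m= section into kind, port, profile and crypto offers."""
    sections, current = [], None
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            current = None  # a malformed m= line also drops its attributes
            if len(fields) >= 3:
                current = {"kind": fields[0], "profile": fields[2],
                           "port": int(fields[1].split("/")[0]), "crypto": []}
                sections.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            # a=crypto:<tag> <crypto-suite> <key-params>  (SDES, RFC 4568)
            fields = line[len("a=crypto:"):].split()
            if len(fields) >= 3:
                current["crypto"].append((fields[0], fields[1]))
    return sections


def media_encryption(invite, ok):
    """Classify every media stream as encrypted, cleartext or rejected."""
    offer, answer = parse_media(sdp_body(invite)), parse_media(sdp_body(ok))
    if len(offer) != len(answer):
        raise ValueError("answer does not mirror the offer's m= lines")
    report = []
    for off, ans in zip(offer, answer):
        if ans["port"] == 0:
            status = "rejected"       # port 0 declines the stream
        elif (ans["profile"] in SRTP_PROFILES
              and any(c in off["crypto"] for c in ans["crypto"])):
            status = "encrypted"      # answer echoes an offered tag and suite
        else:
            status = "cleartext"
        report.append((ans["kind"], status))
    return report


# Constructed sample messages (not taken from a real jabber.log).
KEY = "inline:CONSTRUCTED-KEY-PLACEHOLDER"
INVITE = "\r\n".join([
    "INVITE sip:2001@example.test SIP/2.0", "Content-Type: application/sdp", "",
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 20000 RTP/SAVP 0 8",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_32 " + KEY,
    "m=video 20002 RTP/SAVP 126",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 " + KEY,
    "m=application 20004 RTP/SAVP 125",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 " + KEY,
])
OK_SDP = "\r\n".join([
    "SIP/2.0 200 OK", "Content-Type: application/sdp", "",
    "v=0", "o=- 2 2 IN IP4 198.51.100.20", "s=-", "c=IN IP4 198.51.100.20",
    "t=0 0", "m=audio 30000 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_32 " + KEY,
    "m=video 30002 RTP/AVP 126",      # answered without SRTP
    "m=application 0 RTP/SAVP 125",   # stream declined
])

if __name__ == "__main__":
    for kind, status in media_encryption(INVITE, OK_SDP):
        print(f"{kind}: {status}")
```

The constructed answer deliberately downgrades the video stream so that the cleartext case is visible next to the encrypted audio stream.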

  • SX10 T7.1 with Expressway MRA

    Hi all

    Does anyone know if it is possible to make an SX10 on the Internet work with Expressway MRA?

    The only options I get for provisioning are "CUCM" and "VCS".

    If I select "VCS" and enter the address of the Expressway-E and look in the log, I see the SX10 doing _sip_ SRV lookups, but crucially not a _collab-edge._tls SRV lookup.

    This makes me think that T7.1 does not work with Expressway - is that correct?

    Thank you very much!

    As Jamie mentioned, you'll want to upgrade your SX10.  You must run TC7.2 or higher to get the "CUCM" Expressway option.  It's in the TC7 Release Notes on pg 25.

  • Expressway MRA several clusters

    Hello

    I am planning a Jabber implementation for a customer, but the requirement is not familiar to me:

    2 clusters:

    (A) Production cluster xyz.com

    (B) Dev cluster abc.com

    The customer would like to know if they can connect the Expressway only to the Dev cluster and have Jabber clients on the Internet connect via the Dev cluster to the Production cluster, using ILS between the clusters.

    [email protected]

    Jabber Client (External) ---> Expy-E ---> Expy-C ---> Dev-Cluster ---> Production-Cluster (registers)

    [email protected]

    Jabber Client (External) ---> Expy-E ---> Expy-C ---> Dev-Cluster (registers)

    If not, is there another way to fix that, with TLS communication between the Prod cluster and the Expressway?

    I think that "Partitioned Unified Communications services deployment" is what you are looking for:

    http://www.Cisco.com/c/dam/en/us/TD/docs/voice_ip_comm/Expressway/config...

  • Cisco softphone Expressway is not on the outside

    Hi all

    Recently, we deployed Expressway C and E and managed to get MRA working completely.

    But after that we had to change the IP address of the Expressway-E, and now IM & P service and Directory work fine but the phone service does not register. The traversal zone is active. Do you have any idea about this problem? I am completely stuck on this problem; I have tried everything I could to resolve it. I have even done a factory reset of Expressway C and E and recreated the traversal zone. But the problem is still the same. Please let me know any solution to this or how to fix it.

    Here is some info

    CUCM and CIMP ver 10

    Expressway ver X8.5 (first I deployed X8.2 but after this issue I upgraded to X8.5)

    The Expressway is in single NIC mode

    Internal Jabber on the network works quite well. External (public internet) IM & P service and Directory work, but the softphone does not register and gives the error below in the Jabber connection status

    Softphone - unhealthy
    Status: Not connected
    Protocol: SIP
    Address: 10.3.146.201 (CCMCIP - Expressway)
    Error reason: connection. Make sure that the server information in the tab on the Options window telephone Services are correct. Contact your system administrator.

    Landline - no
    Status: Not connected
    Protocol: CTI
    Address: 10.3.146.201 (CTI)

    Presence - healthy
    Status: connected
    Address: ExpresswayEdge.mydomain.com
    Protocol: XMPP
    Port: 5222

    Directory - healthy
    Status: Last successful login.
    Address: 10.3.146.201
    Protocol: UDS (HTTPS)

    Thank you

    I don't see the REGISTER message received in the Expressway-E or Expressway-C logs. This suggests the following options:

    (1) the Jabber client did not send it

    (2) the logs do not cover the time that the REGISTER was sent

    (3) the firewall blocks TCP 5061.

    I don't see the Jabber problem report that would tell us what is happening. Can you provide this after you re-create the problem?

  • Expressway series vs VCS Control & Expressway

    Hello

    I am a little bit confused about what the difference is between the Expressway series and legacy VCS-C/E.

    If I deploy the Expressway series (X8.6) running on a virtual machine as traversal server for MRA, can I use it the same as a VCS-C and VCS-E setup?

    While running MRA, can I also use these as local SIP/H.323 registration servers for SX endpoints and Jabber Video (Movi)? Do I need a separate license to achieve this?

    These are the licenses ordered for the two Expressways. Are these already enough for what I want to achieve, or are they just for the MRA deployment?

    LIC-EXP-AN
    LIC-EXP-BASE-K9
    LIC-EXP-E
    LIC-EXP-GW
    LIC-EXP-SERIES

    LIC-EXP-TOUR

    LIC-EXP-RMS

    Thank you

    Sy

    So I need additional, separate VCS instances to support registration of the SIP/H.323 endpoints. And I need additional licenses for the latter, such as non-traversal/traversal call licenses, provisioning, FindMe.

    OK, all of these are specific to the VCS series, while the Expressway series does not have provisioning and FindMe; it also has a different call license system, where there is a single license type, unlike the non-traversal/traversal licenses you have with VCS.  The

    In TMS I have 'LIC-TMS-PE-25' to activate user provisioning for Movi, which I want to use.

    You must use the VCS Control/Expressway if you want to use Jabber Video for TelePresence (aka Movi).

    So the Expressway series (Core/Edge) is only for MRA with a CUCM deployment?

    Yes, the Expressway series was created to provide firewall traversal and external registration to CUCM via the Mobile and Remote Access capability.  It can also provide comments of Jabber, but MRA and Jabber comments cannot be run on the same server.  On another note, the VCS series can do everything the Expressway series can, because the latter is simply a subset of the functionality of VCS.

  • Expressway MRA Cluster DNS

    Hello

    I am designing an Expressway MRA cluster and I'm a little confused about NATting the Expressway from private to public.

    Please correct me if I'm wrong.

    Publish DNS SRV records at the ISP:

    _collab-edge.example.com

    to point to the "A" records of the two Expressway Edge hosts

    Question?

    I only have a single public IP address; is it fine if the "A" records of the two Expressway Edge hosts point to the same public IP address?

    The Expressway-Edge cluster name must be in the same domain as the Expressway-Edge servers

    Question?

    Where do I create the cluster FQDN, internally or externally, and what should it resolve to?

    Hello

    If you have a single public IP and multiple inside hosts to reach from outside, you can use static NAT, differentiating by outside destination port,

    for example:

    ip nat inside source static tcp 10.10.10.1 80 80.123.54.1 80

    ip nat inside source static tcp 10.10.10.2 80 80.123.54.1 8080

    Although you can form a cluster, each Expressway-E has its own IP address.

    Unfortunately, because an MRA session involves different TCP and UDP ports, this cannot be done.

    In this case, the use of a specific load balancer might be a solution, but Cisco could not support it.

    So the way forward is to set up a public IP address for each E node.

    Here's a post with a similar request.

    https://supportforums.Cisco.com/discussion/12070126/VCs-Expressway-clust...

    Regards

    Carlo

  • IP address dialing Expressway-C

    A requirement to route IP dialing from CUCM-registered endpoints to both internal H.323 endpoints and external H.323 endpoints.

    Expressway-C and E deployed, and a SIP 'IP address' route pattern configured towards the Expressway-C.

    Issue.

    If I set "Calls to unknown IP addresses" to Direct on the Expressway-C, I understand that the Expressway-C can then reach out and signal the standalone H.323 endpoint directly. However, how does one also have the ability to route to unknown external IP addresses via the Expressway-E?

    So, if I put the Expressway-C in Direct mode, does it fail over to Indirect mode if it does not receive a response from an endpoint?

    Thank you

    Ben

    The idea is not bad and it can actually be made to work, especially if you can distinguish internal/external IPs (superficially tested in the lab, it worked).

    As the search rules appear not to apply pattern matching to IP addresses, and CUCM does not support IP dialing anyway, I leave the transformation of the IP "alias" used for the CUCM IP dialing workaround into a real IP to the Exp-E/Exp-C (2), and then route depending on whether the alias pattern corresponds to an internal or external IP address.

    For example, let's say you use @ip.net as the SIP URI pattern for IP dialing from CUCM and your internal IP addresses are all in 10.0.0.0/8.

    On Exp-C (1), create two search rules: 10. [0 - 9.] [email protected], pointing to the neighbor zone of Exp-C (2), then a second rule [0 - 9.] [email protected] pointing to the traversal zone of Exp-E.

    Both Exp-C (2) and Exp-E have a regex transform for ([0-9.]*)@ip.net, replacing with \1.

    In addition, both will have the SIP-H.323 interworking gateway license.

    See you soon,
    Zoltán

  • VCS Expressway & movi 4.2 configuration

    Hi all

    I created a Movi account manually in TMS and it works perfectly with VCS Control.

    However, it cannot register to VCS Expressway. Is it mandatory to have a name authority pointer record in DNS?

    For example, if we configure abc.com as the SIP domain name on the VCS Expressway, is it mandatory to have abc.com resolve to the VCS Expressway public IP address by the DNS server?

    Thank you

    Ben

    That is to say you do not originate in the AMZ comes directly to the public IP address of the VCSE

    If that's the case, you should at least see a registration attempt; if nothing can be seen, then you need to look at the firewall.

    Is it an ASA? Try a packet capture and see why you are not hitting the VCSE using SIP,

    as it could be a firewall issue!

    HTH

  • VCS Expressway cannot connect

    Hello

    I just set up a VCS Control and a VCS Expressway. I set up the traversal client on the VCS Control using port 6001 for H.323 and 7001 for SIP.  I set up the traversal server on the VCS Expressway using the same ports.  I get "H.323 could not not connect to x.x.x.x:6001 no response of the system".

    SIP will not connect either: 'connection failed'.

    There is no list from the VCS Control to the VCS Expressway.  Authentication is disabled.  They are both pointed at the same NTP.

    Any ideas?

    Thank you!!

    Rhonda,

    In short, the configuration looks OK. Can you specify what other types of layer 3 devices are between the VCS-C and VCS-E besides the ASA?

    If the firewall is not the issue, the problem may be caused by routing problems. If you allow ICMP from the Control to the Expressway, you can check whether the routing works by logging in as root (with SSH) to the VCS-C and running the command

    traceroute x.x.x.x

    where x.x.x.x is the IP address of your Expressway.

    Thank you

    Andreas

  • Expressway-C & E MRA TLS connection certificates

    Unable to get X8.2.1 Expressway-C & E to form a TLS connection for MRA traversal.  We generated an SSL certificate using a client and server certificate template on a Windows Server CA and uploaded this certificate to the Expressway-C and the authority chain to the Expressway-E, but the TraversalClient zone is unable to establish a TLS connection.  The event log shows "unable to get local issuer certificate".  Yet the client certificate testing tool shows the certificate is good when checked.  Under SIP, certificate revocation checking is set to Off.  Can anyone tell why the TLS connection fails to form?  Thank you.

    I'm pretty sure that one of the deployment guides (perhaps the one on certificates, perhaps the one on VCS deployment) said that wildcard certificates are NOT supported. This seems to be common on other types of UC platform (e.g. Lync).
