
#CLMEL

Troubleshooting Collaboration Edge Mobile and Remote Access
Parteek Brar and Craig Cooper, Engineer Customer Support
BRKUCC-3732


© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Mobile and Remote Access Deployment
• Jabber for iOS with the Apple Push Notification service
• Jabber Registration and Call Flow
• Mobile and Remote Access Troubleshooting and Monitoring
• Collaboration Solution Analyzer Tool

Mobile and Remote Access Deployment

Topology
[Diagram labels: CUCM / Unified CM, IM&P, Expressway-C, Expressway-E, Internet]

Mobile and Remote Access Deployment
• System configuration
• Firewall configuration
• Certificate configuration and deployment
• Traversal zone configuration
• UC server discovery
• DNS and domain configuration/deployment
• MRA Access Control

Mobile and Remote Access System Configuration

Expressway Service Setup

System Configuration – NTP, DNS and Clustering
• When NTP is not configured and synchronised on Expressway-C and Expressway-E, Jabber Telephony registration to CUCM may not succeed.
• Expressway-E must have forward and reverse DNS entries.
• Certificate CN validation through DNS reverse lookup
• Clustering peer addresses must appear in the same order on all servers

Mobile and Remote Access Firewall Configuration

Firewall Configuration
• What traffic does the firewall need to pass?
• HTTPS proxy for secure provisioning of endpoints
• SIP/TLS, RTP/SRTP for audio/video media
• XCP/XMPP for IM&P
• HTTPS Services
• Traversal Connection between ExpressWay-C and E
• SSH Tunnel : ClusterDB change notifications and HTTPS reverse proxy traffic
• ICE – TURN Media and Control
[Diagram labels: Unified CUC, Unified CUP, Unified CM, Expressway-C, Inside firewall (Intranet), DMZ, Expressway-E, Outside firewall (Public Internet), Internet]

Firewall Configuration

Cisco Expressway IP Port Usage

Firewall Setup
Port Status and Configuration
• Local Inbound ports
• Local Outbound ports
• Remote listening ports

Expressway E – Demultiplexing media ports

Small/medium deployment
-> Configured Media Demultiplexing ports
   Default : 2776 (RTP) – 2777 (RTCP)
or
-> First 2 ports from Traversal Media port range
   Default : 36000 (RTP) – 36001 (RTCP)
[Diagram: ExpressWay C 36000-59999; ExpressWay E 36000-36001 or 2776-2777]

For large systems new install
-> First 12 ports from Traversal Media port range
   Default : 36000 (RTP) – 36011 (RTCP)
[Diagram: ExpressWay C 36000-59999; ExpressWay E 36000-36011]

Mobile and Remote Access Certificates

Expressway Certificates
• Maintenance > Security Certificate > Server Certificate
• Maintenance > Security Certificate > Trusted CA Certificate
• Certificate Creation

Expressway-C Certificate
Where is it used?
[Diagram labels: CUCM, IM&P, Expressway-C, Expressway-E, Internet; connections marked SIP MTLS (twice) and Clustering]

Expressway-C Certificate
Requirements

Extended Key Usage
1. TLS Web Server Authentication
2. TLS Web Client Authentication

SAN elements configured with :
3. FQDN Expressway C
4. IM and Presence chat node alias
5. Unified CM Security Profile names
6. Cluster Name

Enterprise or Public CA
CA + Intermediate Upload (incl. remote trust stores)

[Diagram labels: CUCM / Unified CM, IM&P, Expressway-C, Expressway-E; connections marked SIP MTLS (twice) and Clustering MTLS]

Device Security Profile

[Diagram labels: Expressway-E, Expressway-C, CUCM; SIP REGISTER; TLS Client Hello, TLS Server Certificate, TLS Client Certificate, Finished; SIP REGISTER]

Client Identity Validation
1. Does Certificate CN match configured device? NO
2. Does Certificate SAN match associated Security Profile? YES

SIPStationD(9) - validTLSConnection:TLS InvalidX509NameInCertificate, Rcvd=xwayc.coluc.com, Expected=CSFEWAYJ. Will check SAN the next
SIPStationD(9) - validTLSConnection: Found matching SAN, SAN Rcvd=xwayc.coluc.com;conference-2-ecup9.coluc.com;csf-secure, Expected=csf-secure
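
The CN-then-SAN check described above, as an added example (not Cisco's code and not part of the original slides): it pairs the two trace messages quoted on the slide and reports which security profile names are still missing from the Expressway-C certificate SAN. The device name CSFPHONE2, the profile name tct-secure, the exact string comparison and the third trace line are assumptions constructed for illustration.

```python
import re

# Patterns for the two CUCM trace messages quoted on the slide.
CN_MISMATCH = re.compile(
    r"validTLSConnection:\s*TLS InvalidX509NameInCertificate, "
    r"Rcvd=(?P<cn>[^,]+), Expected=(?P<device>[^.\s]+)")
SAN_MATCH = re.compile(
    r"validTLSConnection:\s*Found matching SAN, "
    r"SAN Rcvd=(?P<sans>[^,]+), Expected=(?P<profile>\S+)")

# Constructed sample: the first two lines are the ones on the slide, the
# third is a hypothetical second device whose SAN check never succeeds.
SAMPLE_TRACE = """\
SIPStationD(9) - validTLSConnection:TLS InvalidX509NameInCertificate, Rcvd=xwayc.coluc.com, Expected=CSFEWAYJ. Will check SAN the next
SIPStationD(9) - validTLSConnection: Found matching SAN, SAN Rcvd=xwayc.coluc.com;conference-2-ecup9.coluc.com;csf-secure, Expected=csf-secure
SIPStationD(9) - validTLSConnection:TLS InvalidX509NameInCertificate, Rcvd=xwayc.coluc.com, Expected=CSFPHONE2. Will check SAN the next
"""


def check_identity(cn, sans, device_name, security_profile):
    """Mirror the two questions on the slide: does the certificate CN match
    the device, and if not, does a SAN entry match its security profile?
    Exact string comparison is an assumption made for this example."""
    if cn == device_name:
        return "cn-match"
    if security_profile in sans:
        return "san-match"
    return "rejected"


def review_trace(trace):
    """Pair each CN mismatch with the 'Found matching SAN' line that follows.

    Returns (accepted, unresolved). An unresolved entry is a CN mismatch
    with no SAN match after it, i.e. a registration worth investigating.
    """
    accepted, unresolved, pending = [], [], None
    for line in trace.splitlines():
        m = CN_MISMATCH.search(line)
        if m:
            if pending:
                unresolved.append(pending)
            pending = {"cn": m["cn"], "device": m["device"]}
            continue
        m = SAN_MATCH.search(line)
        if m and pending:
            pending.update(sans=m["sans"].split(";"), profile=m["profile"])
            accepted.append(pending)
            pending = None
    if pending:
        unresolved.append(pending)
    return accepted, unresolved


def missing_profiles(sans, required_profiles):
    """Security profile names that are not yet present in the SAN list."""
    return sorted(set(required_profiles) - set(sans))


if __name__ == "__main__":
    ok, open_checks = review_trace(SAMPLE_TRACE)
    for entry in ok:
        print("accepted via SAN:", entry["device"], "->", entry["profile"])
    for entry in open_checks:
        print("no SAN match seen for device:", entry["device"])
    # tct-secure is a hypothetical second secure profile in use on CUCM.
    print("add to CSR:", missing_profiles(ok[0]["sans"], ["csf-secure", "tct-secure"]))
```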

Expressway-E Certificate
Where is it used?
[Diagram labels: Domain XMPP, CUCM / Unified CM, IM&P, Expressway-C, Expressway-E, Internet; connections marked XMPP TLS, HTTPS, SIP TLS, SIP MTLS and Clustering MTLS]

Expressway-E Certificate
Requirements

Extended Key Usage
1. TLS Web Server Authentication
2. TLS Web Client Authentication

SAN elements configured with :
3. FQDN Expressway E
4. Public UC Domain
5. IM and Presence chat node alias
6. XMPP Federation Domains

Public CA
CA + Intermediate Upload

[Diagram labels: Domain XMPP, Expressway-C, Expressway-E, Internet; connections marked XMPP TLS, SIP TLS, SIP MTLS, Clustering and HTTPS]

Mobile and Remote Access Unified Communications Traversal Zone

Unified Communications Traversal Zone
• Expressway-E is traversal server in DMZ
• Expressway-C is traversal client inside the network
• Establish traversal link between both using traversal zone configuration

[Diagram: Enterprise Network, DMZ and Outside Network; CUCM, Expressway-C (Traversal Client), Expressway-E (Traversal Server), Internet, Endpoint A, Endpoint B; legend: Traversal Link Management, Signal, Media Payload]

UC Traversal Zone
ExpressWay E – Traversal Server
Select Type : Unified Communications traversal
Configure username to be used by Traversal Client to authenticate with server
Port is default 7001, listening port for traversal client connection
Must match CN or SAN from Certificate presented by Traversal Client (ExpressWay C), here clustername
Advanced Encryption Cipher for encrypting/decrypting SRTP media
- Jabber 11.9 with EnableNGEPolicy
- 7800 and 8800 Series do not support over MRA

UC Traversal Zone
ExpressWay E – Traversal Server
• Traversal Zone Status
• Connection status with Traversal Client

UC Traversal Zone
ExpressWay C – Traversal Client
Select ‘Unified Communications Traversal’ as Type
Configure same username and password as added on the Traversal Server (Expressway E)
Destination port Traversal Server is listening on
Advanced Encryption Cipher for encrypting/decrypting SRTP media
- Jabber 11.9 with EnableNGEPolicy
- 7800 and 8800 Series do not support over MRA

UC Traversal Zone
ExpressWay C – Traversal Client
Must resolve to Public IP address Expressway E when single NIC deployment
• Must be FQDN
• Must match CN or SAN from Certificate presented by Expressway E

UC Traversal Zone
ExpressWay C – Traversal Client
• Peer Connectivity Status
• Zone Status

Mobile and Remote Access UC Server Discovery

CUCM Server Discovery
• Discovers CUCM Nodes
• Discovers Version
• Discovers Cluster Security mode (Transport Protocols)
• Support for : AES GCM, SIP UPDATE (*) and ICE Passthrough (*)

(*) Requires CUCM 12.5

CUCM Server Discovery – TLS verify mode
• Validates the CA from the Trust store and the SAN in the certificate with the given address
• Tomcat for the configuration over HTTPS
• Call Manager for the SIP to check if it supports both TLS and TCP
[Diagram labels: Expressway C, UC Servers]

CUCM Server Discovery – TLS verify mode

TLS verify mode = Off

No requirements for
TOMCAT Certificate Publisher

CUCM Server Discovery
• Zone Configuration
  Auto-Zone Configuration per node and per transport protocol
  Syntax : ‘CEtcp-<UCMName>’ and ‘CEtls-<UCMName>’
• Search Rule Configuration
  One Search Rule per node per transport protocol
  Pattern matching for header

Troubleshooting - Search Rule matching for Edge/MRA calls

Set by client based on :
• Device Pool
• Device Security mode

|INVITE sip:2000@cucm10p.coluc.com;user=phone SIP/2.0
Via: SIP/2.0/TLS 10.48.55.93:7001;egress-zone=TraversalUC;branch=…
Via: SIP/2.0/TLS 10.48.55.106:52008;branch=z9hG4bK000073dc;received=10.48.55.106;ingress-zone=CollaborationEdgeZone
Call-ID: 0050568a-003a0004-0000592c-00003095@10.48.55.106
CSeq: 101 INVITE
Remote-Party-ID: "5445" <sip:5445@cucm10p.coluc.com>;party=calling;id-type=subscriber;privacy=off;screen=yes
Contact: <sip:1622b86e-bc3b-fa8c-66d3-2d7a96c892bf@10.48.55.106:52008;transport=tls>;video;bfcp
From: "5445" <sip:5445@cucm10p.coluc.com>;tag=0050568a003a000800006fdd-00006fe8
To: <sip:2000@cucm10p.coluc.com>
Max-Forwards: 10
Route: <sip:cucm10p.coluc.com;transport=tls;lr>
Record-Route: <sip:proxy-call-id=a8c00915-9391-463a-a99d-fd511ca1ed85@10.48.55.93:7001;transport=tls;lr;zone-id=1>
Record-Route: <sip:proxy-call-id=a8c00915-9391-463a-a99d-fd511ca1ed85@10.48.55.93:5061;transport=tls;lr>
Allow: ACK,BYE,CANCEL,INVITE,NOTIFY,OPTIONS,REFER,REGISTER,UPDATE,SUBSCRIBE,INFO
User-Agent: Cisco-CSF
….

Troubleshooting - Self Signed Certificates
• TLS verify + Self Signed CCM/Tomcat certificate

When Tomcat cert is uploaded first -> discovery will succeed

When CCM cert is uploaded first -> discovery will fail

• TLS verify + Self Signed CCM/Tomcat certificate + Encryption

Either discovery will fail or TLS connections with CUCM will fail
With self-signed certificates use ‘TLS verify mode’ = ‘Off’

Mobile and Remote Access DNS and Domain

Domain Configuration
DNS Configuration
• System > DNS

Domain Configuration
ExpressWay C – Domain Configuration
• Configurations > Domains

ExpressWay – Mobile and Remote Access
Domain and DNS configuration
• Scenario 1
- Flat domain structure
- ExpressWay Servers : domain.com
- UC servers : domain.com
- IM&P domain : domain.com

[Diagram: Jabber Client, External DNS, Expressway E (xwayE.domain.com), Expressway C (xwayC.domain.com), Internal DNS, CUCM Home UDS (cucm.domain.com), IM&P Server (cup.domain.com); IM&P Domain = domain.com]

ExpressWay – Scenario 1
Domain and DNS configuration

[Diagram: Jabber Client with <userid>@domain.com, External DNS, Expressway E (xwayE.domain.com), Expressway C (xwayC.domain.com), Internal DNS, CUCM Home UDS (cucm.domain.com), IM&P Server (cup.domain.com); IM and Presence Domain = domain.com]

External DNS
Entry                                          Resolves to
SRV record ‘_collab-edge._tls.domain.com’      expwyE.domain.com port 8443
A record ‘expwyE.domain.com’                   External IP address ExpressWay E

Internal DNS
Entry                                          Resolves to
SRV record ‘_cisco-uds._tcp.domain.com’        cucm.domain.com port 8443
A record ‘cucm.domain.com’                     IP address CUCM

ExpressWay – Mobile and Remote Access
Domain and DNS configuration
• Scenario 2
- Mixed domain structure
- Expressway servers : domain2.com
- UC and CUP servers : domain1.com
- IM&P domain : domain1.com (internal)

[Diagram: Jabber Client, External DNS, Expressway E (xwayE.domain2.com), Expressway C (xwayC.domain2.com), Internal DNS, CUCM Home UDS (cucm.domain1.com), IM&P Server (cup.domain1.com); IM&P Domain = domain1.com]

ExpressWay – Scenario 2
Domain and DNS configuration

[Diagram: Jabber Client with <userid>@domain1.com (*), External DNS, Expressway E (xwayE.domain2.com), Expressway C (xwayC.domain2.com), Internal DNS, CUCM Home UDS (cucm.domain1.com), IM&P Server (cup.domain1.com); IM&P Domain = domain1.com]
* ‘voiceservicesdomain’ set to domain2.com

External DNS
Entry                                          Resolves to
SRV record ‘_collab-edge._tls.domain2.com’     xwayE.domain2.com port 8443
A record ‘xwayE.domain2.com’                   External IP address ExpressWay E

ExpressWay – Scenario 2
Domain and DNS configuration

[Diagram: Jabber Client, External DNS, Expressway E (xwayE.domain2.com), Expressway C, Internal DNS, CUCM Home UDS (cucm.domain1.com), IM&P Server (cup.domain1.com); IM&P Domain = domain1.com]

Internal DNS
Entry                                          Resolves to
SRV record ‘_cisco-uds._tcp.domain2.com’       cucm.domain1.com port 8443
A record ‘cucm.domain1.com’                    IP address CUCM

• Domain ‘domain1.com’ enabled for ‘UCM registrations’ and ‘IM and Presence’
• Domain ‘domain2.com’ enabled for ‘UCM registrations’ and ‘IM and Presence’

Mobile and Remote Access - Access Control

Access Control
• “Authorise by user credentials” – Default
• “Authorise by OAuth token” – SSO/Idp
• “Authorise by OAuth token with refresh” – Recommended Deployment

Login Scenario
“Authorise by OAuth token with refresh”

[Diagram labels: Jabber Client, Expressway E, Expressway C, CUCM Home UDS, IM&P Server]

Device           Minimum Software Version
Expressway       X8.10.1
UCM              11.5(1)SU3 or 12.0(1)
IMP              11.5(1)SU3 or 12.0(1)
Unity            11.5(1)SU3 or 12.0(1)
Jabber client    11.9(0)

Login Scenario
“Authorise by OAuth token with refresh”

Expressway-C > Configuration > Unified Communications > Configuration

Login Scenario
“Authorise by OAuth token with refresh”

CUCM/IM&P Administration > System > Enterprise Parameters

Login Scenario
“Authorise by OAuth token with refresh”

GET https:///ZGNsb3VkLmNpc2NvLmNvbQ/get_edge_sso
200 OK
<?xml version='1.0' encoding='UTF-8'?>
<SSOResult version="1.0">
<Response>
<SingleSignOn>
<Status enabled="false"/>
<Token reuse="True"/>
</SingleSignOn>
</Response>
</SSOResult>

GET //ucm-pub.dcloud.cisco.com:8443/ssosp/ws/public/singleSignOn
200 OK
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SSOResult>
<ErrorCode>0</ErrorCode>
<Response>
<SingleSignOn version="11.5.1.13902-2">
<Status enabled="false"/>
<Token reuse="true"/>
<Uri>https://ucm-pub.dcloud.cisco.com:8443/ssosp/oauth/authorize</Uri>
<allowEmbeddedSafari>false</allowEmbeddedSafari>
</SingleSignOn>
</Response> </SSOResult>

Login Scenario
“Authorise by OAuth token with refresh”

POST https:///ZGNsb3VkLmNpc2NvLmNvbQ/localauthentication
POST //ucm-pub.dcloud.cisco.com:8443/ssosp/token/authorize_proxy

200 OK
302 FOUND
{"redirect_uri":"https://ucm-pub:8443/ssosp/public/oauthcb#code=<CONCEALED>&expires_in=300&realm=local&state=1807704808"}
GET https:///oauthcb

200 OK

Authorisation Code

Login Scenario
“Authorise by OAuth token with refresh”

POST https:///ZGNsb3VkLmNpc2NvLmNvbQ/access_token
POST //ucm-pub.dcloud.cisco.com:8443/ssosp/token/access_token

200 OK

{ "expires_in":300,
"token_type":"Bearer",
"refresh_token":"eyJhbGci...9qkn8hHhQUA",
"refresh_token_expires_in":86400,
"access_token":"eyJhbGciOiJSUzI1NiIsInR5c...ajRyLaxWSEQ" }
200 OK

Login Scenario
“Authorise by OAuth token with refresh”

GET https:///ZGNsb3VkLmNpc2NvLmNvbQ/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin
Host: exp-e-1.dcloud.cisco.com:8443
Authorisation:<CONCEALED>
Accept: */*
User-Agent: Jabber-Win-30

Access Token Validated by Expressway-C
Detail="Process request" Method="POST" URI="/oauthvalidator"
Detail="Inspecting Access Token"
Detail="Matched AuthZ key" Issuer="ucm-pub.domain.com"
Detail="Validating Access Token payload"
Detail="Access Token OK" Subject="chris" Expiry="1516799325" Scope="[u'im & presence', u'voice', u'video']" Issuer="ucm-pub.domain.com" Issuertype="cucm" Deployment="1"
Detail="Token validation successful"

“Authorise by OAuth token with refresh”
Refresh CUCM and IM&P Registration
…Action="Received" Request-url="https://ucm-pub.dcloud.cisco.com:8443/ssosp/token/access_token"
HTTPMSG:
|HTTP/1.1 200 OK
{ "expires_in":3600,
"token_type":"Bearer",
"refresh_token":"eyJhbGciOiJSUzI1N...YmT4myINOOBqA2EQ",
"refresh_token_expires_in":5184000,
"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImt...gJcUyNlYCb5YZAEkkzIWHKg" }
|

...Detail="Token Validation failed" Type="Access Token" Response="401"

...Detail="Validation failed" Error="No key available to validate." Status="401" Type="Access Token" …

“Authorise by OAuth token with refresh”
Refresh CUCM and IM&P Registration

…Action="Send" Method="GET" URL="https://ucm-pub.dcloud.cisco.com:8443/ssosp/token/keys" Function="token/keys"

…Action="Received" URL="https://ucm-pub.dcloud.cisco.com:8443/ssosp/token/keys" Function="token/keys" Status="200"
Content=" { "keys":[
{ "purpose":"Verify",
"id":"f827...bc1",
"value":"MIIBIjANBg...pqwIDAQAB" },
{ "purpose":"Decrypt",
"id":"f827...6a4",
"value":"nqJm...6dU="}]}"

“Authorise by OAuth token with refresh”
Recommended Deployment
• Token Refresh
• Fast Login
• Off-Line Login
• Access Policy Support
• Roaming Support

“Authorise by OAuth token with refresh”
Refresh CUCM and IM&P Registration
• Regenerate Tokens
• Encryption Key - CLI
  set key regen authz encryption
• Signing Key – CLI and OS Administration
  set key regen authz signing
• Revoke Tokens
  curl -k -u "admin:password" "https://<UCMaddress>:8443/ssosp/token/revoke?user_id=<end_user>"
• You MUST refresh on Expressway-C the CUCM/IM&P servers!!
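
Log triage for the token-validation messages shown on the preceding slides, as an added example (not Cisco's code and not part of the original slides): it parses the key="value" fields, checks each accepted token's Expiry against a reference time, and flags the "No key available to validate." failure that follows a key regeneration. The sample lines are constructed from the fields quoted on the slides, and the suggested action restates the slide's own instruction.

```python
import re
from datetime import datetime, timezone

FIELD = re.compile(r'(\w+)="([^"]*)"')
NO_KEY = "No key available to validate."
# Wording taken from the slide's last bullet.
REFRESH_ACTION = "refresh the CUCM/IM&P servers on Expressway-C"

# Constructed sample built from the log fields quoted on the slides.
SAMPLE_LOG = '''\
Detail="Process request" Method="POST" URI="/oauthvalidator"
Detail="Matched AuthZ key" Issuer="ucm-pub.domain.com"
Detail="Access Token OK" Subject="chris" Expiry="1516799325" Scope="[u'im & presence', u'voice', u'video']" Issuer="ucm-pub.domain.com" Issuertype="cucm" Deployment="1"
Detail="Token validation successful"
Detail="Validation failed" Error="No key available to validate." Status="401" Type="Access Token"
Detail="Token Validation failed" Type="Access Token" Response="401"
'''


def utc(epoch_seconds):
    """Epoch seconds (as in the Expiry field) to an aware UTC datetime."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)


def parse_fields(line):
    """Return the key="value" pairs of one log line as a dict."""
    return dict(FIELD.findall(line))


def triage(log_text, now):
    """Summarise token validation events relative to the reference time."""
    report = {"tokens": [], "matched_issuers": [],
              "no_key_failures": 0, "action": None}
    for line in log_text.splitlines():
        fields = parse_fields(line)
        detail = fields.get("Detail", "")
        if detail == "Matched AuthZ key":
            # Expressway-C holds a verification key for this issuer.
            report["matched_issuers"].append(fields.get("Issuer"))
        elif detail == "Access Token OK":
            expiry = utc(int(fields["Expiry"]))
            report["tokens"].append({
                "subject": fields.get("Subject"),
                "issuer": fields.get("Issuer"),
                "expires": expiry.isoformat(),
                "state": "expired" if expiry <= now else "valid",
            })
        elif detail == "Validation failed" and fields.get("Error") == NO_KEY:
            # No cached key validates the token, e.g. after
            # 'set key regen authz signing' without a refresh.
            report["no_key_failures"] += 1
    if report["no_key_failures"]:
        report["action"] = REFRESH_ACTION
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, now=utc(1516799325 - 60))
    for token in result["tokens"]:
        print(token["subject"], token["issuer"], token["state"], token["expires"])
    if result["action"]:
        print(result["no_key_failures"], "key failure(s):", result["action"])
```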

Jabber for iOS with the Apple Push Notification service

Optimised for Mobile
Apple iOS Push Notifications
• Chat and Call notifications routed via Apple iCloud
• Apple preferred architecture
• Optimised for battery performance
• iOS automatically starts Jabber when Chat or Call notification received
• Requires UC Manager 11.5.1(SU3)+
• Requires Expressway X8.10.1 or later
Jabber iOS customers should have migrated to push model before June 2018

Push Notifications
iOS Push Notification Flows
[Diagram: two panels, "Jabber Process JABBER in FOREGROUND" and "Jabber Process JABBER in BACKGROUND & SUSPENDED or KILLED"; labels: UC Manager Node, IM&P / Messenger Platform, Cisco Collaboration, Apple APNs, SIP, XMPP, HTTPS, Keep Alive, Incoming Chat Notification / call]
Communication with the cloud
UC Manager Connection to Cloud

• Direct (via firewall)
• Via Proxy server (with auth)
• Via Expressway

Registration creates a token which is distributed to all nodes in cluster.
This token allows all nodes to send APNs request to Cisco cloud.

CUCM must be able to connect Cisco cloud.
These hosts:
fos-a.wbx2.com
push.webexconnect.com
idbroker.webex.com
On this port: TCP/443

How to configure
UC Manager Registration
Advanced Features > Cisco Cloud Onboarding
New configuration screen in UC manager from 11.5SU2
Process creates machine account based on UC manager license.
Customer doesn’t require Spark org.
Process can also install required Certificates for connection to cloud.

How to configure
UC Manager Registration
• UC manager is used to generate “Machine” account
in Cisco cloud
• Smart Licensing requires Voucher be generated by PLM

Firewall Considerations
Getting Notifications to iOS Devices
• iPhone / iPad will need to be able to connect to Apple Cloud / APN service
• iOS devices connect to 17.0.0.0/8 using port 5223/TCP
  On Wi-Fi they can fallback to 17.0.0.0/8 using port 443/TCP
Devices on corporate network may require ACL
iOS devices on Internet/Expressway connect directly

How to Test
Call to see the Call Arrive
1. sign into the Jabber for iPhone app
2. wait for it to register with CUCM
3. either:
- double click the home button
- swipe up from bottom of screen
and pause halfway up screen
4. confirm it is not registered in CUCM
5. ...and flick it off the screen (to kill it)
6. then make a call to it or send IM
Troubleshooting
Trace from CUCM, IM&P & Jabber Problem Report
• CUCM’s “Cisco Push Notification Service” to a Debug Trace Level of “Debug”
• IM&P’s “Cisco XCP Config Manager” to a Debug Trace Level of “Debug”
• Jabber for iOS enable “Debug Logging” (settings -> Problem Reporting)

Troubleshooting
Push Notification Service (PNS) Trace
Request arrives from CallManager to the PNS and is sent on to
push.webexconnect.com:
[com.cisco.ccm.ccmpns.CCMPNSClientConnectionHandler@37f729 ReceiveThread] ccmpns.ReceiveThread (ReceiveThread.java:95) - run() ReceiveThread waiting for message, socket closed:false
[pool-3-thread-1] ccmpns.WorkerThread (WorkerThread.java:83) - run() REQUEST_PUSH_NOTIFICATION
[pool-3-thread-1] ccmpns.WorkerThread (WorkerThread.java:110) - run() PushRequest received :{"MESSAGETYPE":"REQUEST_PUSH_NOTIFICATION","TYPE":"incomingcall","REF":47807118,"DEVICETOKEN":"c1fee44b8cabcdefghijklmnopqrstuvqxyza6c974127858702d99b757519f7d","KEY":"1d49TpVtFUHpodDdpduC5xQaLqJge3Bf2qE79o7RowU","ALGO":"A256GCM","CHANNEL":"APNS","TRACKINGID":"CUCMCallP_3e176d0f-1530-4897-9cb5-adbf69d19b5a_deploy:onprem_clusterinfo:StandAloneCluster-1"}
[pool-3-thread-1] ccmpns.WorkerThread (WorkerThread.java:463) - generatePushRestUri() GeneratePushRestURI : PushRestURI generated :https://push.webexconnect.com/jabber/apns/prod
[pool-3-thread-1] ccmpns.PushVoiceClientPool$Singleton (PushVoiceClientPool.java:63) - get() Stats: {}[leased: 0; pending: 0; available: 0; max: 10]
[pool-3-thread-1] ccmpns.WorkerThread (WorkerThread.java:257) - handlePushNotificatonRequest() Obtained HttpClient org.apache.http.impl.client.InternalHttpClient@16b6dab
[pool-3-thread-1] ccmpns.WorkerThread (WorkerThread.java:272) - WorkerThread Host : push.webexconnect.com

200 Response received back from cloud and confirmation sent to CallManager service:
[pool-3-thread-1] ccmpns.WorkerThread (WorkerThread.java:294) - handlePushNotificatonRequest() Response received : 200 Text:
[pool-3-thread-1] ccmpns.WorkerThread (WorkerThread.java:304) - handlePushNotificatonRequest() Response to client {"MESSAGETYPE":"RESPONSE_PUSH_NOTIFICATION","TRACKINGID":"CUCMCallP_3e176d0f-1530-4897-9cb5-adbf69d19b5a_deploy:onprem_clusterinfo:StandAloneCluster-1","STATUS":"200","TEXT":""}
[pool-3-thread-1] ccmpns.CCMPNSClientConnectionHandler (CCMPNSClientConnectionHandler.java:190) - addHeaderAndSendMessage() {"MESSAGETYPE":"RESPONSE_PUSH_NOTIFICATION","TRACKINGID":"CUCMCallP_3e176d0f-1530-4897-9cb5-adbf69d19b5a_deploy:onprem_clusterinfo:StandAloneCluster-1","STATUS":"200","TEXT":""}
[pool-3-thread-1] ccmpns.WorkerThread (WorkerThread.java:121) - run() WorkerThread: Done processing, exiting

Troubleshooting
Jabber Log Example
Before Jabber is killed:
[MessageConversationServiceImpl.cpp(2507)] [IMPServices-InstantMessageConversationServiceImpl] [IsPushEnabled] - <PUSH> IS_PUSH_ENABLED: 1

When APNs launches Jabber:
[ts/csf-logger/src/LogController.cpp(125)] [LogController] [init] - ***** Jabber launched, start logging *****
[tahiti/ui/APNS/YLCVoipPushManager.m(169)] [UI.Action.System] [-[YLCVoipPushManager pushRegistry:didReceiveIncomingPushWithPayload:forType:]] - jabber receive push message. payload.type:PKPushTypeVoIP, for type: PKPushTypeVoIP, Cisco-Tracking-ID: CUCMCallP_3e176d0f-1530-4897-9cb5-adbf69d19b5a_deploy:onprem_clusterinfo:StandAloneCluster-1

The TCT device will then go through the normal registration process, including:
[p/sipcc/core/sipstack/ccsip_debug.c(337)] [csf.sip-call-control] [platform_print_sip_msg] - sipio-sent---> REGISTER sip:10.67.81.72 SIP/2.0
[p/sipcc/core/sipstack/ccsip_debug.c(337)] [csf.sip-call-control] [platform_print_sip_msg] - sipio-recv<--- SIP/2.0 100 Trying
[p/sipcc/core/sipstack/ccsip_debug.c(337)] [csf.sip-call-control] [platform_print_sip_msg] - sipio-recv<--- SIP/2.0 200 OK

…and only then receive a SIP INVITE for the call:
[p/sipcc/core/sipstack/ccsip_debug.c(337)] [csf.sip-call-control] [platform_print_sip_msg] - sipio-recv<--- INVITE sip:b476c5b1-5058-2bc3-6296-23ddee2eabbf@10.67.248.247:63884;transport=tcp SIP/2.0

Troubleshooting
XCP Config Manager trace
Message received from the XCP Router service for sending to APNS and is sent to push.webexconnect.com:
[Thread-50] xcpconfig.ConfigAPI$ConfigAPIListener - xcpconfig: Packet from Router<message xmlns="jabber:client" from="ccooper@cooper.lab/jabber_860532993" to="xcpconfigmgr.cc-imp1-cooper-com" id="72f3dbbc-d141-4600-aa84-4b67227806ed"><publish xmlns="http://protocols.cisco.com/push:2"><XXXXX/><session>5bae01ee-13c8-4fca-921e-7c35ed6e7a13</session><notify type="chat" from="mtaylor@cooper.lab/jabber_2601" to="ccooper@cooper.lab" id="9bfcb078:4336:4a98:8226:f757367175a3" mid="0708d56e-1cb4-4574-8bba-e263b2e7187e" body="XXXXXX" /><XXXXX/></publish></message>
[Thread-50] xcpconfig.ConfigAPI$ConfigAPIListener - xcpconfig: onPacket called
[Thread-50] xmlframework.XCPConfigMgr - PNS: Packet :<message xmlns="jabber:client" from="ccooper@cooper.lab/jabber_860532993" to="xcpconfigmgr.cc-imp1-cooper-com" id="72f3dbbc-d141-4600-aa84-4b67227806ed"><publish xmlns="http://protocols.cisco.com/push:2"><XXXXX/><session>5bae01ee-13c8-4fca-921e-7c35ed6e7a13</session><notify type="chat" from="mtaylor@cooper.lab/jabber_2601" to="ccooper@cooper.lab" id="9bfcb078:4336:4a98:8226:f757367175a3" mid="0708d56e-1cb4-4574-8bba-e263b2e7187e" body="XXXXXX" /><XXXXX/></publish></message>
….
[Thread-50] xmlframework.PushXMPP - PNS: onPacket: Sending packet to: https://push.webexconnect.com/jabber/apns/prod
[pool-4-thread-2] xmlframework.PushPacketHandler - PNS: Encrypt Successful
….
[pool-4-thread-2] xmlframework.PushXmppClientPool$Singleton - Stats: {}[leased: 0; pending: 0; available: 1; max: 10]
[pool-4-thread-2] xmlframework.PushPacketHandler - PNS: Cisco-Tracking-ID is IMPXCPConfigMgr_72f3dbbc-d141-4600-aa84-4b67227806ed_mid:0708d56e-1cb4-4574-8bba-e263b2e7187e_oid:9bfcb078:4336:4a98:8226:f757367175a3_deploy:onprem
[pool-4-thread-2] xmlframework.PushPacketHandler - PNS: pushCall: Sending Push Notification for packet with Cisco Tracking ID: IMPXCPConfigMgr_72f3dbbc-d141-4600-aa84-4b67227806ed_mid:0708d56e-1cb4-4574-8bba-e263b2e7187e_oid:9bfcb078:4336:4a98:8226:f757367175a3_deploy:onprem

Confirmation Received back from cloud:
[pool-4-thread-2] xmlframework.PushPacketHandler - PNS: Push Successful, recieved successful response code from REST. Cisco Tracking ID: IMPXCPConfigMgr_72f3dbbc-d141-4600-aa84-4b67227806ed_mid:0708d56e-1cb4-4574-8bba-e263b2e7187e_oid:9bfcb078:4336:4a98:8226:f757367175a3_deploy:onprem

Jabber Registration and Call Flow

Diagnostics
Problem Report Tool
• Problem Reporting Tool used to gather logs and config details and add to a zip file
• Invoked by user via help menu
• Automatically invoked if Jabber crashes
• Logging stored in memory and written to disk when Jabber closes
• PRT (actual zip file) can be encrypted using private CA certificates
• PRT decrypted with certificate and CiscoJabberPRTDecrypter.exe
Configuration parameters shown: <EnablePRT>, <EnableForensicsContactData>, <PrtLogServerURL>, <EnablePrtEncryption>, <PRTCertificateName>, <PRTCertificateUrl>

Diagnostics
Diagnostics Tool
• Diagnostics tool built into Jabber for Windows and Mac
• Details Jabber login flow and environment details
• Service Discovery
• Config retrieval including MRA
• Certificate Validation
• Directory discovery
• IM&P details
• To open, while Jabber is in focus, hit Ctrl + Shift + D

Diagnostics
Contact Resolution Tool
• Contact Resolution Tool built into Jabber for Windows
• Tool can be used to test/troubleshoot directory config
• Predictive search
• Number resolution
• To open, while Jabber is in focus, hit Ctrl + Shift + C
Diagnostics
Call Statistics
• Realtime call statistics from an active softphone mode call
• Voice tx/rx
• Video tx/rx
• Share tx/rx
• Statistics also written to logs and sent to UC Manager (Call Manager Records) at end of call if enabled
• To open, while the Jabber conversation window is in focus, hit Ctrl + Shift + S or access via the Help menu
Configuration key shown on the slide: <EnableMediaStatistics>
Jabber Diagnostics
Jabber Diagnostics - CTRL-SHIFT-D

Jabber Diagnostics – Edge Configuration

SIP REGISTER
Jabber (198.18.2.37) → exp-e-1.dcloud.cisco.com (198.18.2.152, external)

REGISTER sip:ucm-sub1.dcloud.cisco.com SIP/2.0
Via: SIP/2.0/TLS 198.18.2.37:51172;branch=z9hG4bK00001055
Call-ID: 005056b8-21130003-000062b1-000035fd@198.18.2.37
CSeq: 102 REGISTER
Contact: <sip:509764ed-5917-eb59-0bca-413a773223c9@198.18.2.37:51172;transport=tls>;+sip.instance="<urn:uuid:00000000-0000-0000-0000-005056b82113>";+u.sip!devicename.ccm.cisco.com="cholland";+u.sip!model.ccm.cisco.com="503";video
From: <sip:+19725555018@ucm-sub1.dcloud.cisco.com>;tag=005056b82113000200001174-0000712a
To: <sip:+19725555018@ucm-sub1.dcloud.cisco.com>
Max-Forwards: 70
Route: <sip:exp-e-1.dcloud.cisco.com;transport=tls;lr>,<sip:198.18.133.152:5061;transport=tls;zone-id=1;directed;lr>,<sip:ucm-sub1.dcloud.cisco.com;transport=tcp;lr>
User-Agent: Cisco-CSF
Expires: 3600
Date: Wed, 20 Apr 2016 10:00:24 GMT
Proxy-Authorization: Digest username="cholland", realm="exp-e-1.dcloud.cisco.com", uri="sip:ucm-sub1.dcloud.cisco.com", response="d8ad62d5f7555cd944f464b5d8f2a869", nonce="bc9fde6c224d6617f6dc4a6f8ae59a369c5f9ebcecb20220091dbf27ea75", opaque="AQAAAEXd5mTRpkTDUddWM/ttJLnZZuOd", cnonce="0000654b", qop=auth, nc=00000001, algorithm=MD5
Supported: replaces,join,sdp-anat,norefersub,resource-priority,extended-refer,…
Reason: SIP ;cause=200;text="cisco-alarm:25 Name=cholland ActiveLoad=Jabber_for_Windows-10.6.2 InactiveLoad=Jabber_for_Windows-10.6.2 Last=initialized"
Mime-Version: 1.0
Content-Type: multipart/mixed;boundary=uniqueBoundary
Content-Length: 1271

Slide callouts:
• Via: path for SIP responses to the REGISTER request
• Contact = Jabber IP
• Route: route for the SIP REGISTER
• After ‘SIP 407 Proxy Authentication Required’

SIP REGISTER
exp-e-1.dcloud.cisco.com (198.18.1.152, internal) → exp-c-1.dcloud.cisco.com (198.18.133.152)

REGISTER sip:ucm-sub1.dcloud.cisco.com SIP/2.0
Via: SIP/2.0/TLS 198.18.1.152:7001;egress-zone=TraversalServerMRA;branch=z9hG4bK272c22f12e37e8551419ddf2b74557c6111.62f36d33d1c49546b9ec07f652ee345b;proxy-call-id=abb45b93-a6b5-4c2a-…
Via: SIP/2.0/TLS 198.18.2.37:51172;branch=z9hG4bK00001055;received=198.18.2.37;ingress-zone=CollaborationEdgeZone
Call-ID: 005056b8-21130003-000062b1-000035fd@198.18.2.37
CSeq: 102 REGISTER
Contact: <sip:509764ed-5917-eb59-0bca-413a773223c9@198.18.2.37:51172;transport=tls>;+sip.instance="<urn:uuid:00000000-0000-0000-0000-005056b82113>";+u.sip!devicename.ccm.cisco.com="cholland";+u.sip!model.ccm.cisco.com="503";video
From: <sip:+19725555018@ucm-sub1.dcloud.cisco.com>;tag=005056b82113000200001174-0000712a
To: <sip:+19725555018@ucm-sub1.dcloud.cisco.com>
Max-Forwards: 15
Route: <sip:ucm-sub1.dcloud.cisco.com;transport=tcp;lr>
Path: <sip:198.18.1.152:7001;transport=tls;lr>
Path: <sip:198.18.2.37:51172;transport=tls;apparent;ds;lr>
User-Agent: Cisco-CSF
Expires: 3600
Date: Wed, 20 Apr 2016 10:00:24 GMT
Supported: replaces,join,sdp-anat,norefersub,…
P-Asserted-Identity: <sip:+19725555018@ucm-sub1.dcloud.cisco.com>
X-TAATag: bd6ccf07-67f3-4003-9f89-7d8d0c73777c
Reason: SIP ;cause=200;text="cisco-alarm:25 Name=cholland ActiveLoad=Jabber_for_Windows-10.6.2 …

Slide callouts:
• Via: path for SIP responses to the REGISTER request
• Contact = Jabber IP
• Route: route for the SIP REGISTER request; match search rule on Expressway C

SIP REGISTER
exp-c-1.dcloud.cisco.com (198.18.133.152) → ucm-sub1.dcloud.cisco.com (198.18.133.219)

REGISTER sip:ucm-sub1.dcloud.cisco.com SIP/2.0
Via: SIP/2.0/TCP 198.18.133.152:5060;egress-zone=CEtcpucmsub1dcloudciscocom;branch=z9hG4bK4c0a69b71818676b4f9b1843da21359561537.1f271e07df1c8857e73858d689a16fb9;proxy-call-id=d1b5a0d4-a227-4636-a9f9-2c1db44f750a;rport
Via: SIP/2.0/TLS 198.18.1.152:7001;egress-zone=TraversalServerMRA;branch=z9hG4bK272c22f12e37e8551419ddf2b74557c6111.62f36d33d1c49546b9ec07f652ee345b;proxy-call-id=abb45b93-a6b5-4c2a-a06e-bc829293b12e;received=198.18.1.152;rport=7001;ingress-zone=TraversalClientMRA
Via: SIP/2.0/TLS 198.18.2.37:51172;branch=z9hG4bK00001055;received=198.18.2.37;ingress-zone=CollaborationEdgeZone
Call-ID: 005056b8-21130003-000062b1-000035fd@198.18.2.37
CSeq: 102 REGISTER
Contact: <sip:509764ed-5917-eb59-0bca-413a773223c9@198.18.133.152:5060;transport=tcp;orig-hostport=198.18.2.37:51172>;+sip.instance="<urn:uuid:00000000-0000-0000-0000-005056b82113>";+u.sip!devicename.ccm.cisco.com="cholland";+u.sip!model.ccm.cisco.com="503";video
From: <sip:+19725555018@ucm-sub1.dcloud.cisco.com>;tag=005056b82113000200001174-0000712a
To: <sip:+19725555018@ucm-sub1.dcloud.cisco.com>
Max-Forwards: 14
Route: <sip:ucm-sub1.dcloud.cisco.com;transport=tcp;lr>
User-Agent: Cisco-CSF
Expires: 3600
Date: Wed, 20 Apr 2016 10:00:24 GMT
Supported: replaces,join,sdp-anat,norefersub,resource-priority,…
P-Asserted-Identity: <sip:+19725555018@ucm-sub1.dcloud.cisco.com>
X-TAATag: bd6ccf07-67f3-4003-9f89-7d8d0c73777c
Reason: SIP ;cause=200;text="cisco-alarm:25 Name=cholland ActiveLoad=Jabber_for_Windows-10.6.2 InactiveLoad=Jabber_for_Windows-10.6.2 Last=initialized"

Slide callouts:
• Via: path for SIP responses to the REGISTER request
• Contact = Expressway C
• Route: route for the SIP REGISTER request; match search rule on Expressway C

How to validate the registration?
Expressway
CUCM Registration

Jabber username & IP address


Session will timeout

How to validate the registration?
Expressway

Show Expressway C as source IP address

SIP Registration – SIP Path Headers Support
• Expressway X8.9
• CUCM 11.5(1)SU2
• Provides feature support for: Shared line features 78XX and 88XX

• Check release notes for more details

SIP REGISTER
exp-c-1.dcloud.cisco.com (198.18.133.152) → ucm-sub1.dcloud.cisco.com (198.18.133.219)

REGISTER sip:ucm-sub1.dcloud.cisco.com SIP/2.0
Via: SIP/2.0/TCP 198.18.133.152:5060;egress-zone=CEtcpucmsub1dcloudciscocom;branch=z9hG4bK4c0a69b71818676b4f9b1843da21359561537.1f271e07df1c8857e73858d689a16fb9;proxy-call-id=d1b5a0d4-a227-4636-a9f9-2c1db44f750a;rport
Via: SIP/2.0/TLS 198.18.1.152:7001;egress-zone=TraversalServerMRA;branch=z9hG4bK272c22f12e37e8551419ddf2b74557c6111.62f36d33d1c49546b9ec07f652ee345b;proxy-call-id=abb45b93-a6b5-4c2a-a06e-bc829293b12e;received=198.18.1.152;rport=7001;ingress-zone=TraversalClientMRA
Via: SIP/2.0/TLS 198.18.2.37:51172;branch=z9hG4bK00001055;received=198.18.2.37;ingress-zone=CollaborationEdgeZone
Call-ID: 005056b8-21130003-000062b1-000035fd@198.18.2.37
CSeq: 102 REGISTER
Contact: <sip:509764ed-5917-eb59-0bca-413a773223c9@198.18.2.37:51172;transport=tcp;orig-hostport=198.18.2.37:51172>;+sip.instance="<urn:uuid:00000000-0000-0000-0000-005056b82113>";+u.sip!devicename.ccm.cisco.com="cholland";+u.sip!model.ccm.cisco.com="503";video
From: <sip:+19725555018@ucm-sub1.dcloud.cisco.com>;tag=005056b82113000200001174-0000712a
To: <sip:+19725555018@ucm-sub1.dcloud.cisco.com>
Max-Forwards: 14
Route: <sip:ucm-sub1.dcloud.cisco.com;transport=tcp;lr>
Path: <sip:198.18.133.152:5060;transport=tls;lr>
Path: <sip:198.18.1.152:7001;transport=tls;lr>
Path: <sip:198.18.2.37:51172;transport=tls;apparent;ds;lr>
User-Agent: Cisco-CSF
…

Slide callouts:
• Contact = Jabber
• Path Headers included
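
An added example (not from the original slides) that reads the Via, Contact and Path headers of the REGISTER as Unified CM receives it, to tell the two captures above apart: Contact rewritten to Expressway-C versus Contact left as Jabber with Path headers included. The messages are abridged from this page; the function names are this example's own.

```python
import re

# Via stack common to both REGISTERs that Unified CM receives on the slides
# (abridged: branch/proxy-call-id values and unrelated headers trimmed).
VIAS = (
    "REGISTER sip:ucm-sub1.dcloud.cisco.com SIP/2.0\n"
    "Via: SIP/2.0/TCP 198.18.133.152:5060;egress-zone=CEtcpucmsub1dcloudciscocom;rport\n"
    "Via: SIP/2.0/TLS 198.18.1.152:7001;egress-zone=TraversalServerMRA;"
    "received=198.18.1.152;rport=7001;ingress-zone=TraversalClientMRA\n"
    "Via: SIP/2.0/TLS 198.18.2.37:51172;branch=z9hG4bK00001055;"
    "received=198.18.2.37;ingress-zone=CollaborationEdgeZone\n"
)
USER = "509764ed-5917-eb59-0bca-413a773223c9"
# Capture without Path headers: the slide callout reads "Contact = Expressway C".
REWRITTEN = VIAS + (
    f"Contact: <sip:{USER}@198.18.133.152:5060;transport=tcp;orig-hostport=198.18.2.37:51172>\n")
# Capture with Path headers: the slide callout reads "Contact = Jabber".
WITH_PATH = VIAS + (
    f"Contact: <sip:{USER}@198.18.2.37:51172;transport=tcp;orig-hostport=198.18.2.37:51172>\n"
    "Path: <sip:198.18.133.152:5060;transport=tls;lr>\n"
    "Path: <sip:198.18.1.152:7001;transport=tls;lr>\n"
    "Path: <sip:198.18.2.37:51172;transport=tls;apparent;ds;lr>\n")

def headers(msg, name):
    """Return every value of header `name`, in message order."""
    prefix = name.lower() + ":"
    return [line.split(":", 1)[1].strip() for line in msg.splitlines()
            if line.lower().startswith(prefix)]

def via_hops(msg):
    """Parse the Via stack top-down; responses travel back through it in this order."""
    hops = []
    for value in headers(msg, "Via"):
        proto, rest = value.split(None, 1)
        sent_by, *params = [p.strip() for p in rest.split(";")]
        kv = dict(p.split("=", 1) for p in params if "=" in p)
        hops.append({"transport": proto.rsplit("/", 1)[1], "sent_by": sent_by,
                     "ingress": kv.get("ingress-zone"), "egress": kv.get("egress-zone")})
    return hops

def summarize(msg):
    """Compare the Contact host with the originating client (the bottom Via)."""
    client = via_hops(msg)[-1]["sent_by"].rsplit(":", 1)[0]
    contact_host = re.search(r"@([^:;>]+)", headers(msg, "Contact")[0]).group(1)
    return {"client": client, "contact_host": contact_host,
            "contact_is_client": contact_host == client,
            "path_headers": len(headers(msg, "Path"))}

if __name__ == "__main__":
    for label, msg in (("no Path", REWRITTEN), ("with Path", WITH_PATH)):
        print(label, summarize(msg), [h["ingress"] or h["egress"] for h in via_hops(msg)])
```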

How to validate Calls? Expressway
[Screenshots of Expressway call details. Labelled areas: Generic Call Info (Call Type, Bandwidth Allocated, Zones route); Calling Party – Leg 1; Called Party – Leg 2; SIP Session State; Media Stats]
Mobile and Remote Access Troubleshooting and Monitoring

“Authorise by OAuth token with refresh” - Monitoring

Unified Communications Status – Expressway E

Unified Communications Status – Expressway C

Unified Communications Status

Unified Communications Status (example1)

Alarms

DNS Lookup

Troubleshooting
CA Root not uploaded on Expressway E
Traversal Zone State Failed

• Expressway-C Diagnostics logs (traversal client)

.. Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25016" Dst-ip="10.48.55.113" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Common-name="eft-xwye-a.coluc.com" ..

• Expressway-C Event logs

Troubleshooting
Peer Address not matching CN
• Peer Address/FQDN not matching CN

Troubleshooting
Password incorrect
• Traversal Client will show for this zone

• Expressway C diagnostic logs

Module="network.dns" Level="DEBUG": Detail="Sending DNS query" Name="xwaye.coluc.com" Type="A and AAAA"
Module="network.dns" Level="DEBUG": Detail="Resolved hostname to: ['IPv4''TCP''10.48.55.99'] (A/AAAA) Number of relevant records retrieved: 1"
Module="network.tcp" Level="DEBUG": Src-ip="10.48.55.98" Src-port="25723" Dst-ip="10.48.55.99" Dst-port="7001" Detail="TCP Connecting"
Module="network.tcp" Level="DEBUG": Src-ip="10.48.55.98" Src-port="25723" Dst-ip="10.48.55.99" Dst-port="7001" Detail="TCP Connection Established"

Password incorrect (contd…)
• Expressway C diagnostics logs

Module="network.sip" Level="DEBUG": Action="Sent" Local-ip="10.48.55.98" Local-port="25723" Dst-ip="10.48.55.99" Dst-port="7001"
SIPMSG:
|OPTIONS sip:10.48.55.99:7001;transport=tls SIP/2.0
….
Module="network.sip" Level="DEBUG": Action="Received" Local-ip="10.48.55.98" Local-port="25723" Src-ip="10.48.55.99" Src-port="7001"
SIPMSG:
|SIP/2.0 401 Unauthorised
WWW-Authenticate: Digest realm="TraversalZone", nonce="527e7f2a24ff1c54e3e4cd5025f674967e81d2aa9b214fda98cef27f3f82", opaque="AQAAAPet….
….
Module="network.sip" Level="DEBUG": Action="Sent" Local-ip="10.48.55.98" Local-port="25723" Dst-ip="10.48.55.99" Dst-port="7001"
SIPMSG:
|OPTIONS sip:10.48.55.99:7001;transport=tls SIP/2.0
….
Authorisation: Digest nonce="527e7f2a24ff1c54e3e4cd5025f674967e81d2aa9b214fda98cef27f3f82", realm="TraversalZone", opaque="AQAAAPet+0JJTq4cyuB34opHePwV7bkk", algorithm=MD5, uri="sip:10.48.55.99:7001;transport=tls", username="xway", response="
...
Module="network.sip" Level="DEBUG": Action="Received"...
SIPMSG:
|SIP/2.0 401 Unauthorised
….
Event="External Server Communications Failure" Reason="gatekeeper timed out" Service="NeighbourGatekeeper" Dst-ip="10.48.55.99" Dst-port="7001" Detail="name:xwaye.coluc.com" Protocol="TCP" Level="1"

Password incorrect (contd…)

• Expressway E diagnostic logs

Module="network.ldap" Level="INFO": Detail="Authentication credential found in directory for identity: xway"

Module="developer.nomodule" Level="WARN"
CodeLocation="ppcmains/sip/sipproxy/SipProxyAuthentication.cpp(686)"
Method="SipProxyAuthentication::checkDigestSAResponse" Thread="0x7f2485cb0700":
calculated response does not match supplied response,
calculatedResponse=769c8f488f71eebdf28b61ab1dc9f5e9,
response=319a0bb365decf98c1bb7b3ce350f6ec

Event="Authentication Failed" Service="SIP" Src-ip="10.48.55.98" Src-port="25723"
Detail="Incorrect authentication credential for user" Protocol="TLS" Method="OPTIONS" Level="1"
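
The two traversal zone failures above (unknown CA and incorrect password), as an added triage example that is not from the original slides: it parses Expressway key="value" log lines and maps them to the diagnoses named in the slide titles. The sample lines are copied from this page; the rule table and function names are this example's assumptions.

```python
import re

FIELD = re.compile(r'([A-Za-z][\w-]*)="([^"]*)"')

# (Event value, substring of Detail, diagnosis). The diagnoses are the slide titles on
# this page; pairing them with these fields is an assumption of this example.
RULES = [
    ("Outbound TLS Negotiation Error", "unknown ca",
     "CA root not uploaded on Expressway E (traversal zone state failed)"),
    ("Authentication Failed", "incorrect authentication credential",
     "Traversal zone password incorrect"),
]

# Log lines from the slides, each joined onto one line.
SAMPLE = [
    'Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" '
    'Src-port="25016" Dst-ip="10.48.55.113" Dst-port="7001" '
    'Detail="tlsv1 alert unknown ca" Protocol="TLS" Common-name=”eft-xwye-a.coluc.com”',
    'Module="network.tcp" Level="DEBUG": Src-ip="10.48.55.98" Src-port="25723" '
    'Dst-ip="10.48.55.99" Dst-port="7001" Detail="TCP Connection Established"',
    'Event="External Server Communications Failure" Reason="gatekeeper timed out" '
    'Service="NeighbourGatekeeper" Dst-ip="10.48.55.99" Dst-port="7001" '
    'Detail="name:xwaye.coluc.com" Protocol="TCP" Level="1"',
    'Event="Authentication Failed" Service="SIP" Src-ip="10.48.55.98" Src-port="25723" '
    'Detail="Incorrect authentication credential for user" Protocol="TLS" '
    'Method="OPTIONS" Level="1"',
]

def parse(line):
    """Turn one key="value" log line into a dict, tolerating typographic quotes
    as found in logs pasted from slides or documents."""
    return dict(FIELD.findall(line.replace("\u201c", '"').replace("\u201d", '"')))

def triage(lines):
    """Return one finding per line that matches a rule, in input order."""
    findings = []
    for line in lines:
        f = parse(line)
        for event, needle, diagnosis in RULES:
            if f.get("Event") == event and needle in f.get("Detail", "").lower():
                # Remote end of the connection: Dst-ip when logged by the sender,
                # otherwise Src-ip (the Expressway E entry only carries Src-ip).
                findings.append({"diagnosis": diagnosis,
                                 "peer": f.get("Dst-ip") or f.get("Src-ip"),
                                 "protocol": f.get("Protocol")})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```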

Expressway Diagnostic Logs
• Diagnostics logs

Collaboration Solution Analyzer
cs.co/csa

Conclusion & Key Takeaways

• Make sure to update the trust store of both Expressway E and C servers with both the root and intermediate certificates, if any
• Refresh UCM servers if any changes are made
• Enable OAuth Token with Refresh to improve the user experience and security end-to-end
• Collaboration Solutions Analyzer helps you to troubleshoot and analyze the most common issues, validate your deployment and understand how the solution works

Q&A
