VCS Control And VCS Expressway Calling with CallManager

OK, I think I found every stupid configuration mistake a person could make, mainly because of my lack of experience with this product as well as documentation which I feel isn’t as detailed as it needs to be, at least not for me.

  1. You will have a “Neighbor” zone pointing to CallManager configured on the Control node. This is the counterpart to the SIP trunk on CallManager. Make sure you change the TCP port on the CallManager SIP Security Profile to something different than 5060 and match that with the SIP Port in the Zone configuration on the Control node.
  2. Search rules are evidently analogous to route patterns. Create one with the “INTERNAL” domain of your SIP clients. This will route Internet Calls to the CallManager. I ran into a nasty issue that cost me a lot of time. In CallManager there is an Enterprise parameter on how Directory URI matching is conducted; the default is case sensitive. I changed that as the first letter of my first and last name were capitalized in the Directory, hence I wasn’t able to dial all lowercase until I figured this out. Also set the “Target” field to the CUCM Neighbor zone.
  3. Now my big mistake was, I created a DNS matching zone, but again, not understanding the product I created it on the Control node assuming it would push the config to the E-Node, which is NOT the case. And the result was truly confusing.
    1. First strange thing was that inbound calls would work fine.
    2. Second strange thing was that outbound calls would connect, but with no audio/video. After looking at traces and Wireshark captures I discovered the Jabber client on the inside was using the public address of the remote end instead of the VCS C-Node, and there were no incoming audio packets. Once I deleted the “DNS” zone on the C-Node and created it on the E-Node, it worked as expected.
  4. On the C-Node, I created a search rule for any alias, set the source name to the CUCM Neighbor zone, and set the Target as my TraversalZone I’m using for MRA.
  5. As mentioned previously, I created a zone on the E-Node named Internet, set the transport to UDP, Type to DNS and the Zone Profile to Default.
  6. I then created a Search rule with Source of “TraversalZone”, Mode of Any Alias and Target of my “Internet” zone.

All of my call flows for MRA and URI dialing to the Internet appear to be working with the one nagging issue that on outbound calls, CallManager uses its IP address in the source URI, which prevents people from being able to call directly back. I have created Transforms to try and correct this but they don’t seem to be matching at this point, so still an issue that’s on my plate.


Cisco Expressway C/E Config Errors

OK, after finally getting it licensed correctly, I have been running into errors where the Unified Communications Service on the C node would never show up right. And the IM&P kept showing XMPP Router: Inactive. I rebuilt the Traversal Zones a number of times. The C side would show active with no issues, but the E Side would show “Status: Fail” with zero connections. Several reboots did nothing, and the CA signed certs were correct.

Background:
On the E-Node, I have the Advanced Networking license since I have the VM in a DMZ with a private address, and I am statically NATing this on a firewall.

My Resolution:
On the E-Node, go into System->Network Interfaces->IP
Change IPv4 Static NAT Mode to ON
When the new IPv4 Static NAT Address appears, input the EXTERNAL IP address for the E-Node.

OK, now when I try to log in via an outside client, I get error messages like this on the E-Node:

traffic_server[7756]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="x.x.x.x" Dst-port="49489" UTCTime="2015-08-05 15:01:52,724"
traffic_server[7756]: Event="get_edge_sso" Detail="SSO access denied" Reason="Domain not allowed" Domain="external.domain" Src-ip="x.x.x.x" Src-port="49489" UTCTime="2015-08-05 15:01:52,724"

It appears I need to add a domain on the C-Node that matches my external domain name, which seems to have fixed the 403 error.
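The E-Node events above use a key="value" layout, so the "Domain not allowed" denials can be tallied per requested domain to see which one is missing from the C-Node. This is an added example, not part of the original post or Cisco tooling; the log lines are constructed (documentation IP ranges), and the function names and the `configured_domains` input are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the key="value" format of the E-Node log above.
# Line 2 has curly quotes and line 3 lacks its closing quote, as pasted logs often do.
SAMPLE_LOG = '''\
traffic_server[7756]: Event="get_edge_sso" Detail="SSO access denied" Reason="Domain not allowed" Domain="external.example" Src-ip="198.51.100.7" Src-port="49489" UTCTime="2015-08-05 15:01:52,724"
traffic_server[7756]: Event=”get_edge_sso” Detail=”SSO access denied” Reason=”Domain not allowed” Domain=”External.Example” Src-ip=”198.51.100.9″ Src-port=”50112″ UTCTime=”2015-08-05 15:02:10,101″
traffic_server[7756]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="198.51.100.7" Dst-port="49489" UTCTime="2015-08-05 15:01:52,724
traffic_server[7756]: Event="get_edge_sso" Detail="SSO access denied" Reason="Domain not allowed" Domain="other.example" Src-ip="203.0.113.20" Src-port="40000" UTCTime="2015-08-05 15:03:00,000"
'''

# Map typographic quotes (left/right double quote, double prime) back to ASCII.
QUOTES = str.maketrans({"“": '"', "”": '"', "″": '"'})
# key="value"; the closing quote may be absent only at end of line (truncated paste).
PAIR = re.compile(r'([A-Za-z][\w-]*)="([^"]*)(?:"|$)')

def parse_line(line):
    """Return (process, fields) for one log line, or None if it has no key="value" pairs."""
    line = line.strip().translate(QUOTES)
    proc, sep, rest = line.partition(": ")
    fields = dict(PAIR.findall(rest if sep else line))
    return (proc if sep else "", fields) if fields else None

def denied_domains(log_text):
    """Count 'Domain not allowed' SSO denials per lower-cased domain, with source IPs."""
    counts, sources = Counter(), {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        fields = parsed[1]
        if fields.get("Event") == "get_edge_sso" and fields.get("Reason") == "Domain not allowed":
            dom = fields.get("Domain", "").lower()
            counts[dom] += 1
            sources.setdefault(dom, set()).add(fields.get("Src-ip", "?"))
    return counts, sources

def unconfigured(log_text, configured_domains):
    """Domains that clients requested but that are not in the admin-supplied list."""
    known = {d.lower() for d in configured_domains}
    return sorted(d for d in denied_domains(log_text)[0] if d not in known)

if __name__ == "__main__":
    counts, sources = denied_domains(SAMPLE_LOG)
    for dom, n in counts.most_common():
        print(f"{dom}: {n} denial(s) from {sorted(sources[dom])}")
    print("not configured:", unconfigured(SAMPLE_LOG, ["other.example"]))
```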

Now, my Jabber client can’t locate services, and I’m not seeing any errors on the Expressway systems. What I am seeing is on my DNS, I am getting SRV DNS requests for my external domain. After messing around with a jabber-config.xml file I could never get it to work right.

It appears that, contrary to many of the documents I have read, your INTERNAL DNS needs to be able to resolve the _cisco-uds._tcp SRV record for your EXTERNAL domain. Once I added this, my Jabber client was able to successfully log in.

OK, progress. I downloaded the jabber-config.xml file, added the <VoiceServicesDomain> TAG to the XML file with the EXTERNAL domain in it. Uploaded that file back up to the UCM TFTP server, restarted the TFTP services, and connected via VPN and connected Jabber up so it could download the new config file. After this, I disconnected the VPN, shut down Jabber and restarted it and most everything seems to be working.

Still having an issue with the CWMS connection via a Jabber Client that isn’t on the domain. Still need to research this.


Cisco VCS Expressway C/E Licensing

Well, after fudging up once already, I think I have some insight into the licensing for Expressway. Basically my mistake was I took the PAK for the LIC-EXP-E-PAK and assigned all quantities to the C node (The claim document says you can register the PAK multiple times, which I must be interpreting wrong as the licensing portal tells me it’s been fully fulfilled).

What I SHOULD have done evidently is register as below:

C-Node:

LIC-EXP-RMS-PMP      QTY 10
LIC-EXP-SERIES       QTY 1
LIC-EXP-GW           QTY 1

E-Node:

LIC-EXP-RMS-PMP      QTY 10
LIC-EXP-AN           QTY 1 (Optional, if using Advanced Networking)
LIC-EXP-SERIES       QTY 1
LIC-EXP-GW           QTY 1
LIC-EXP-E            QTY 1

Anyways, currently have a case open with TAC Licensing to verify my current assumptions.

UPDATE:
OK, wow, the config guide makes much more sense after the nodes are licensed. The licensing gives the nodes their identity as either a C-Node or E-Node. The config guide had what I thought were errors, for instance, on the zone configuration page for the E side that didn’t match the actual GUI. Once the license was added, and I deleted what I had put in there before and created a new one, it matches and now the C-Node to E-Node SIP session shows active.
