Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1)
Troubleshooting a SIP federation integration
Download this chapter
Troubleshooting a SIP federation integrationTroubleshooting a SIP federation integration
Download the complete book
Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1)Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1) (PDF - 3 MB)
 Feedback

Contents

Troubleshooting a SIP federation integration

Common Cisco Adaptive Security Appliance problems and recommended actions

Certificate configuration problems

Certificate failure between IM and Presence and Cisco Adaptive Security Appliance

The certificate configuration between IM and Presence and Cisco Adaptive Security Appliance is failing.

The time and time zones on Cisco Adaptive Security Appliance may not be configured correctly.

  • Set the time and time zones on Cisco Adaptive Security Appliance.
  • Check that the time and time zones are configured correctly on IM and Presence and Cisco Unified Communications Manager.

Prerequisite configuration tasks for this integration

Certificate failure between Cisco Adaptive Security Appliance and Microsoft Access Edge

The certificate configuration between Cisco Adaptive Security Appliance and Microsoft Access Edge is failing at certificate enrollment on Cisco Adaptive Security Appliance.

If you are using SCEP enrollment on Cisco Adaptive Security Appliance, the SCEP add-on may not be installed and configured correctly. Install and configure the SCEP add-on.

Related References

Certificate error in SSL handshake

A certificate error displays in the SSL handshake.

There is no FQDN in the certificate. You need to configure the domain on the IM and Presence CLI, and regenerate the certificate on IM and Presence to have FQDN. You need to restart the SIP proxy on IM and Presence when you regenerate a certificate.

Related Tasks

Error when submitting certificate signing request to VeriSign

I am using VeriSign for certificate enrollment. When I paste the Certificate Signing Request into the VeriSign website, I get an error (usually a 9406 or 9442 error).

The subject-name in the Certificate Signing Request is missing information. If you are submitting a renewal certificate signing request (CSR) file to VeriSign, the subject-name in the Certificate Signing Request must contain the following information:

  • Country (two letter country code only)
  • State (no abbreviations)
  • Locality (no abbreviations)
  • Organization Name
  • Organizational Unit
  • Common Name (FQDN)

The format of the subject-name line entry should be:

(config-ca-trustpoint)# subject-name cn=<fqdn>, OU=<organisational_unit>,O=<organisation_name>,C=<country>,St=<state>,L=<locality>
Related Tasks

SSL errors when IM and Presence domain or hostname is changed

I changed the IM and Presence domain from the CLI, and I am getting SSL certificate errors between IM and Presence and Cisco Adaptive Security Appliance.

If you change the IM and Presence domain name from the CLI, the IM and Presence self-signed cert, sipproxy.pem, regenerates. As a result you must reimport the sipproxy.pem certificate into Cisco Adaptive Security Appliance. Specifically you must delete the current sipproxy.pem certificate on Cisco Adaptive Security Appliance, and reimport the (regenerated) sipproxy.pem certificate.

Related Information

Errors when creating TLS proxy class maps

The following errors are displayed when configuring the TLS Proxy class maps:

ciscoasa(config)# class-map ent_cup_to_foreignciscoasa(config-cmap)# match access-list ent_cup_to_foreign
ERROR: Specified ACL (ent_cup_to_foreign) either does not exist or its type is not supported by the match command.
ciscoasa(config-cmap)# exit

ciscoasa(config)# class-map ent_foreign_to_cup
ciscoasa(config-cmap)# match access-list ent_foreign_to_cup
ERROR: Specified ACL (ent_foreign_to_cup) either does not exist or its type is not supported by the match command.
ciscoasa(config-cmap)#

The access list for the foreign domain does not exist. In the example above the access list called ent_foreign_to_cup does not exist. Create an extended access list for the foreign domain using the access list command.

Related References

Subscriptions dont reach Access Edge

Subscriptions from Microsoft Office Communicator do not reach the Access Edge. OCS reports network function error with Access Edge as the peer. The Access Edge service will not start.

On Access Edge, the IM and Presence domain may be configured in both the Allow tab and the IM provider tab. The IM and Presence domain should only be configured in the IM Provider tab. On Access Edge, remove the IM and Presence domain entry from the Allow tab. Make sure there is an entry for the IM and Presence domain on the IM Provider tab.

Problems with Cisco Adaptive Security Appliance after upgrade

The Cisco Adaptive Security Appliance does not boot after a software upgrade.

You can download a new software image to the Cisco Adaptive Security Appliance using a TFTP server and using the ROM Monitor (ROMMON) on the Cisco Adaptive Security Appliance. ROMMON is command line interface used for image loading and retrieval over TFTP and related diagnostic utilities.

Procedure
    Step 1   Attach a console cable (the blue cable that is distributed with the Cisco Adaptive Security Appliance) from the console port to a port on a nearby TFTP server.
    Step 2   Open hyperterminal or equivalent.
    Step 3   Accept all default values as you are prompted.
    Step 4   Reboot the Cisco Adaptive Security Appliance.
    Step 5   Hit ESC during bootup to access ROMMON.
    Step 6   Enter this sequence of commands to enable Cisco Adaptive Security Appliance to download the image from your TFTP server 
    ip <Cisco Adaptive Security Appliance inside interface>server <TFTP server>
interface Ethernet 0/1
file <name of new image>
    Note   

    The Ethernet interface you specify must equate to the Cisco Adaptive Security Appliance inside interface.

    Step 7   Place the software image on the TFTP server in a recommended location (depending on your TFTP software).
    Step 8   Enter this command to start the download: 
    tftpdnld
    Note   

    You need to define a gateway if the TFTP server is in a different subnet.

    Common integration problems and recommended actions

    Unable to get availability exchange

    Unable to exchange availability information between Cisco Jabber and Microsoft Office Communicator.

    OCS/Access Edge:

    1. The certificate may have been configured incorrectly on the public interface of Access Edge. If you are using a Microsoft CA, ensure that you are using an OID value of 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2. The incorrect value displays on the general tab of the certificate (if it is correct it will not be visible). You can also see the incorrect value on an ethereal trace of the TLS handshake between IM and Presence and Access Edge. Regenerate the certificate for the public interface of the Access Edge with a certificate type of "Other" and OID value of 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
    2. The front end server may not be running on OCS. Ensure that the "Office Communications Server Front-End" service is running. You can check this service by selecting Start > Programs > Administrative Tools > Computer Management. In Services and Applications, select Services and locate the "Office Communications Server Front-End" service. If running, this service should have a status of "Started". IM and Presence:
    3. The certificate may have been configured incorrectly on IM and Presence. Generate the correct sipproxy-trust certificate for IM and Presence.
    4. If you are using static routes, a static route may have been configured incorrectly. Also, the SIP Proxy domain may not have been properly set to the domain that the IM and Presence server resides in. Please note that the SIP Proxy will default to domain that was setup during fresh install. If you are using static routes, configure a static route that points to the public interface of the Access Edge. The static route should have a route type set to "domain" and have a reversed destination pattern set e.g. if the federated domain is abc.com then the destination address pattern should be set to ".com.abc.*". Static routes are configured in IM and Presence Administration by selecting Presence > Routing > Static Routes.

    Cisco Jabber client:

    The DNS settings on the Cisco Jabber client may be configured incorrectly. Ensure that the client machine is pointing to the correct DNS. Logout and login of the Cisco Jabber client.

    Related Tasks
    Related References

    Problems sending and receiving IMs

    Problems sending and receiving IM's between a Microsoft Office Communicator user and a Cisco Jabber 8.0 user.

    DNS Settings:

    DNS SRV records may not have been created, or configured incorrectly. To check if the DNS SRV records have been configured correctly, perform an nslookup for type=srv from both IM and Presence and Access Edge.

    On Access Edge:

    1. From a command prompt on Access Edge, enter nslookup.
    2. Enter set type=srv.
    3. Enter the SRV record for the IM and Presence domain e.g. _sipfederationtls._tcp.abc.com where abc.com is the domain name. If the SRV record exists, the FQDN for IM and Presence/Cisco Adaptive Security Appliance is returned. On IM and Presence:
    4. Using a remote access account, ssh into the IM and Presence server.
    5. Perform the same steps as per the Access Edge above, except in this case use the OCS domain name.

    Microsoft Office Communicator client:

    The Microsoft Office Communicator 2007 user may have their presence set to "Do Not Disturb" (DND). If Microsoft Office Communicator 2007 is set to DND then it will not receive IM's from other users. Set the presence of the Microsoft Office Communicator user to another state.

    IM and Presence:

    1. If you are using static routes instead of DNS SRV, a static route may have been configured incorrectly. Configure a static route that points to the public interface of the Access Edge. The static route should have a route type set to "domain" and have a reversed destination pattern set e.g. if the federated domain is "abc.com" then the destination address pattern should be set to ".com.abc.*". Static routes are configured in IM and Presence Administration by selecting Presence > Routing > Static Routes.
    2. The Federation IM Controller Module Status may be disabled. In IM and Presence Administration, select System > Service Parameters, and select the SIP Proxy service. At the end of the screen, check that the Federation IM Control Module Status parameter is set to On.
    3. The Federated Domain may have not have been added, or configured incorrectly. In IM and Presence Administration, select Presence > Inter-Domain Federation and check that the correct federated domain has been added.
    Related Tasks
    Related References

    Losing availability and IM exchange after a short period

    Can share availability and IMs between Cisco Jabber and Microsoft Office Communicator but after a short period, they start to lose each others availability, and then can no longer exchange IM's.

    OCS/Access Edge:

    1. On Access Edge, both the internal and external edges may have the same FQDN. Also in DNS there may be two "A" record entries for that FQDN, one resolving to the IP address of the external edge and the other to the IP address of the internal edge. On Access Edge, change the FQDN of the internal edge, and add an updated record entry in DNS. Remove the DNS entry that was originally resolving to the internal IP of the Access Edge. Also reconfigure the certificate for the internal edge on Access Edge.
    2. On OCS, under global settings and front end properties, the FQDN for the access edge may have been entered incorrectly. On OCS, reconfigure the server to reflect the new FQDN of the internal edge.

    DNS Settings:

    DNS SRV records may not have created, or configured incorrectly. Add the necessary "A" records and SRV records.

    Related Information

    Delay in availability state changes and IM delivery time

    There is a delay in the delivery time of IM and Presence state changes between Cisco Jabber and Microsoft Office Communicator.

    On the IM and Presence server, the Disable Empty TLS Fragments option may not be selected for the Default_Cisco_UPS_SIP_Proxy_Peer_Auth_TLS_Context.

    Procedure
      Step 1   Select Cisco Unified CM IM and Presence Administration > System > Security > TLS Context Configuration.
      Step 2   Click Default_Cisco_UPS_SIP_Proxy_Peer_Auth_TLS_Context.
      Step 3   Check Disable Empty TLS Fragments.
      Step 4   Click Save.

      403 FORBIDDEN returned following a Presence subscription attempt

      IM and Presence attempts to subscribe to the presence of a Microsoft Office Communicator user and receives a 403 FORBIDDEN message from the OCS server.

      On the Access Edge server, the IM and Presence server may not have been added to the IM service provider list. On the Access Edge server, add an entry for the IM and Presence server to the IM service provider list. On the DNS server for Access Edge, ensure that there is a _sipfederationtls record for the IM and Presence domain that points to the public address of the IM and Presence server

      or

      On the Access Edge server, the IM and Presence server may have been added to the Allow list. On the Access Edge server, remove any entry from the Allow list that points to the IM and Presence server.

      Related Information

      Time out on NOTIFY message

      IM and Presence times out when sending a NOTIFY message (when federating directly between IM and Presence and Microsoft OCS using TCP).

      On the IM and Presence server, the Use Transport in Record-Route Header may need to be enabled.

      Procedure
        Step 1   Select Cisco Unified CM IM and Presence Administration > System > Service Parameters.
        Step 2   Select the Cisco SIP Proxy service.
        Step 3   In the SIP Parameters (Clusterwide) section, select On for the Use Transport in Record-Route Header parameter.
        Step 4   Click Save.

        IM and Presence certificate not accepted

        Access Edge is not accepting the certificate from IM and Presence.

        The TLS handshake between IM and Presence/Cisco Adaptive Security Appliance and the Access Edge may be failing.

        OCS/Access Edge:

        1. Ensure that the IM Provider list on the Access Edge contains the public FQDN of the IM and Presence server, and it matches the subject CN of the IM and Presence certificate. If you have opted not to populate the Allow List with the FQDN of IM and Presence, then you must ensure that the subject CN of the IM and Presence certificate resolves to the FQDN of the SRV record for the IM and Presence domain.
        2. Ensure that FIPS is enabled on Access Edge (use TLSv1).
        3. Ensure that Federation is enabled globally on OCS, and enabled on the front end server.
        4. If failing to resolve DNS SRV, ensure that DNS is set up correctly and perform an nslookup for type=srv from Access Edge:
        5. From a command prompt on Access Edge, enter nslookup.
        6. Enter set type=srv.
        7. Enter the SRV record for the IM and Presence domain, for example. _sipfederationtls._tcp.abc.com where abc.com is the domain name. If the SRV record exists, the FQDN for IM and Presence/Cisco Adaptive Security Appliance is returned.

        IM and Presence/Cisco Adaptive Security Appliance:

        Check the ciphers on IM and Presence and Cisco Adaptive Security Appliance. In IM and Presence Administration, select System > Security > TLS Context Configuration > Default Cisco SIP Proxy Peer Auth TLS Context, and ensure that the "TLS_RSA_WITH 3DES_EDE_CBC_SHA" cipher is selected.

        Related Tasks
        Related Information

        Problems starting front-end server on OCS

        The front-end server on OCS will not start.

        On OCS, the FQDN of the private interface of the Access Edge may have been defined in the list of Authorized Hosts. Remove the private interface of the Access Edge from the list of Authorized Hosts on OCS.

        During OCS install, two Active Directory user accounts are created called RTCService and RTCComponentService. These accounts are given an administrator-defined password, however, on both of these accounts the "Password never expires" option is not selected by default so the password will expire periodically. To reset the password of the RTCService or RTCComponentService on the OCS server, follow the procedure below.

        Procedure
          Step 1   Right-click on the user account.
          Step 2   Select Reset Password.
          Step 3   Right-click on the user account.
          Step 4   Select Properties.
          Step 5   Select the Account tab.
          Step 6   Check Password never expires.
          Step 7   Click OK.

          Cisco Jabber not online after login

          Cisco Jabber client does not have available online status after login.

          The client computer may be pointing to the incorrect DNS server. Update the correct DNS server on the client PC and then login to Cisco Jabber again.

          Unable to remote desktop to Access Edge

          Unable to successfully remote desktop to the Access Edge Server with FIPS enabled on Windows XP.

          This is a known Microsoft issue. The workaround to resolve the issue involves installing a Remote Desktop Connection application on the Windows XP computer. To install Remote Desktop Connection 6.0, follow the instructions at the following Microsoft URL:

          http://support.microsoft.com/kb/811770