Lync Errors - Schannel 36888 - Front End Service stops randomly

    Question

  • Hi,

    I have been running Lync 2010 in a standard setup for a good six months now.

    About a month ago, issues started occurring with the front end service.

    The service will stop, without any errors in the event log suggesting as to why. The only clues I am getting are a lot of Schannel errors in the system log, but after doing some research I cannot find a solution.

    I have seen other people fix these issues by changing records in DNS, but I have got this working before, and nothing has been changed.
    When the service is running, I have internal and external connectivity, as well as video, desktop sharing etc, so I cannot see anything wrong with the setup.

    My gut feeling is that this is ANOTHER bug......

    Can someone please give me some advice, before I ring msft complaining about their awful UC system.

    • Changed type gaz-mon Tuesday, June 07, 2011 3:42 PM
    Tuesday, June 07, 2011 2:20 PM

All replies

  • Schannel errors are SSL errors.  Has your certificate expired?  Has your CA certificate expired? 

    You can check this by opening the certificate MMC for the local computer and opening the actual certificate to confirm validity.

     


    Mark King | MVP: Lync Server | MCTS:UC Voice | MCITP x3 :Lync, Enterprise Messaging 2010, EA | MCSE: Messaging | blog.unplugthepbx.com
    Tuesday, June 07, 2011 2:26 PM
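Added example (not part of the thread, and not code from any poster): a scripted form of the check described in the reply above, which walks every certificate in the local computer's personal store up its chain and reports the expiry of each element, so an expired CA certificate shows up as well as an expired server certificate. The function name `Get-CertChainExpiry` is hypothetical; revocation lookups are turned off so it runs without network access.

```powershell
function Get-CertChainExpiry {
    param([string] $StorePath = 'Cert:\LocalMachine\My')

    $now = Get-Date
    foreach ($cert in Get-ChildItem $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Validity dates and chain building only; no CRL/OCSP lookups.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built = $chain.Build($cert)

        $depth = 0   # 0 = the server certificate, last element = the root CA
        foreach ($el in $chain.ChainElements) {
            $c = $el.Certificate
            New-Object PSObject -Property @{
                Leaf     = $cert.Thumbprint
                Depth    = $depth
                Subject  = $c.Subject
                NotAfter = $c.NotAfter
                DaysLeft = [int]($c.NotAfter - $now).TotalDays
                Expired  = ($c.NotAfter -lt $now)
                ChainOK  = $built
                # Per-element problems reported by Windows (e.g. NotTimeValid, UntrustedRoot)
                Status   = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
            }
            $depth++
        }
    }
}

Get-CertChainExpiry |
    Sort-Object Leaf, Depth |
    Format-Table Depth, Subject, NotAfter, DaysLeft, Expired, ChainOK, Status -AutoSize
```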
  • These are the errors:

     

    The following fatal alert was generated: 10. The internal error state is 1203.     

    Source: Schannel    ID: 36888    Log: System

     

    The Audio/Video Conferencing Server cannot add Conferencing Announcement Service to a conference.

    Audio/Video Conferencing Server Pool: poolname.********.com; Conferencing Announcement Service: sip:poolname.********.com@**********.com;gruu;opaque=srvr:Microsoft.Rtc.Applications.Cas:KqU8LM-T9l2rShqnqQbMgAAA

    Cause: The Audio/Video Conferencing Server is not able to reach the Conferencing Announcement Service. This may be due to network connectivity issues or unavailability of the Conferencing Announcement Service. Conference Announcements in audio/audio-video conferences will be unavailable due to this issue. PSTN dial in users will be impacted, as they will be unable to exercise DTMF controls and other PSTN dial in conferencing functionality while in the conference.

    Source: LS Audio-Video Conferencing Service    ID: 32083    Log: Lync Server

    

    The weird thing is, if you reboot the server, it takes about 3-4 hours before the Schannel errors start appearing in the event log.

    The conferencing errors seem to have cleaned themselves up, but I wanted to put them in here to see if there was an issue.

    I cannot find anything related to the front end service, and why it is stopping.

    I set up recovery on the front end service to restart, but this doesn't work (does that ever work on msft servers, nope)

     

    Before the first Schannel error, I got this:



    The Application Experience service entered the stopped state.

    Source: Service Control Manager    ID: 7036    Log: System



    I don't think this is related, but I am putting all I can regarding my investigation :)

    • Edited by gaz-mon Tuesday, June 07, 2011 2:36 PM additional details
    Tuesday, June 07, 2011 2:27 PM
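Added example (not part of the thread, and not code from any poster): one way to turn the Schannel 36888 entries quoted above into structured records, naming the TLS alert code and measuring how long after boot the first alert appears. The function name `ConvertFrom-SchannelAlert`, the sample records and the boot time are constructed for illustration; the message text follows the wording quoted in the post.

```powershell
# TLS alert descriptions (RFC 5246, section 7.2); subset. 10 is the code quoted in this thread.
$TlsAlert = @{
    10 = 'unexpected_message'; 20 = 'bad_record_mac';      40 = 'handshake_failure'
    42 = 'bad_certificate';    45 = 'certificate_expired'; 46 = 'certificate_unknown'
    48 = 'unknown_ca';         70 = 'protocol_version';    80 = 'internal_error'
}

function ConvertFrom-SchannelAlert {
    # Accepts objects with TimeCreated and Message properties, as Get-WinEvent returns them.
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        if ($Record.Message -match 'fatal alert was generated: (\d+)\. The internal error state is (\d+)') {
            $code = [int]$Matches[1]
            $name = $TlsAlert[$code]
            if (-not $name) { $name = 'unlisted' }
            New-Object PSObject -Property @{
                Time       = $Record.TimeCreated
                AlertCode  = $code
                AlertName  = $name
                ErrorState = [int]$Matches[2]
            }
        }
    }
}

# Constructed sample data: a boot time and three events in the format quoted in the post.
$boot = [datetime]'2011-06-07T08:00:00'
$msg  = 'The following fatal alert was generated: {0}. The internal error state is {1}.'
$sample = @(
    New-Object PSObject -Property @{ TimeCreated = $boot.AddHours(3.4); Message = ($msg -f 10, 1203) }
    New-Object PSObject -Property @{ TimeCreated = $boot.AddHours(3.5); Message = ($msg -f 10, 1203) }
    New-Object PSObject -Property @{ TimeCreated = $boot.AddHours(5.1); Message = ($msg -f 10, 1203) }
)

$alerts = @($sample | ConvertFrom-SchannelAlert | Sort-Object Time)
$alerts | Group-Object AlertCode, AlertName, ErrorState | Select-Object Count, Name
'First alert {0:N1} h after boot; {1} alerts total' -f ($alerts[0].Time - $boot).TotalHours, $alerts.Count

# On a live server, replace $sample with the real events:
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36888 } |
#     ConvertFrom-SchannelAlert
```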
  • Hi Mark,

    Thanks for replying.

    The certificate is valid until 2014, and I have checked that the certification path is OK.

    I cannot see any problems with the certificate at all.


    What doesn't make sense is why it takes about 3-4 hours before these annoying Schannel errors appear.
    I don't even know if this is related to the front end service stopping.......

    Tuesday, June 07, 2011 2:31 PM
  • Can you provide some more information about your topology?

    Standard Edition, Enterprise Edition?

    How Many Front End Servers?

    Edge Server Deployed?

    Do you have the following names on the internal cert:

    - poolfqdn, serverfqdn, simple URLs, admin simple url

    Have you applied the latest updates available here: http://support.microsoft.com/?kbid=2493736

     


    Mark King | MVP: Lync Server | MCTS:UC Voice | MCITP x3 :Lync, Enterprise Messaging 2010, EA | MCSE: Messaging | blog.unplugthepbx.com
    Tuesday, June 07, 2011 3:00 PM
  • Standard Edition

    Front End, Mediation and Edge all on the same box.

    I am using a wildcard certificate *.company.com and it's been working fine.
    This is a GoDaddy level 2 certificate that expires in 2014.

    internal:  10.0.0.32
    external: **.***.***.25      (NAT)

    The pool and edge pool are both set up in DNS to use the internal address 10.0.0.32

    External settings:

    SIP port: 5061 TLS
    Web port: 444 TLS
    A/V port: 443 TCP

    All use the same external FQDN, which is set up in external DNS.

    All services work fine. It's just when the front end service crashes, there are problems with connectivity.

    Occasionally clients' presence gets stuck as well.... :(

    Tuesday, June 07, 2011 3:16 PM
  • You can't have front end, mediation and edge on the same box. You can have front end and mediation together, definitely not edge!

     


    Mark King | MVP: Lync Server | MCTS:UC Voice | MCITP x3 :Lync, Enterprise Messaging 2010, EA | MCSE: Messaging | blog.unplugthepbx.com
    Tuesday, June 07, 2011 3:19 PM
  • You can say that, but it has been working happily.

    When the front end service is running, the system works fine.

    I would appreciate some assistance rather than just telling me the usual ridiculous Microsoft implementation requirements.
    I installed OCS 2007 R2 before, and I had four servers. Simply ridiculous for what's meant to be a phone / IM system for an SME, don't you think.

    If this is the way it is, then I will just remove the edge role and keep it internal.

     

    • Marked as answer by gaz-mon Tuesday, June 07, 2011 3:41 PM
    • Marked as answer by gaz-mon Tuesday, June 07, 2011 4:21 PM
    Tuesday, June 07, 2011 3:29 PM
  • OK I understand but you start the thread by saying that you are going to call Microsoft about a bad UC system but you haven't followed any of the supported topologies. 

    My recommendation is to deploy 2 servers (not 4) and make them virtual if you want which is completely supported for all workloads.  One server can be your front end server with mediation server and av conferencing server while the other is your edge.  It is not only completely insecure what you are doing (direct NAT to a domain joined server) but causes issues like what you are experiencing.  If you are interested in more help I am available to assist but you need to follow at least the fact that this is not a workable solution.

    Mark


    Mark King | MVP: Lync Server | MCTS:UC Voice | MCITP x3 :Lync, Enterprise Messaging 2010, EA | MCSE: Messaging | blog.unplugthepbx.com
    • Proposed as answer by YasinUzman Monday, May 28, 2012 7:11 AM
    Tuesday, June 07, 2011 3:35 PM