a/v External to Internal Audio calling Issue

    Question

  • hi,

    There is an issue with a customer where his External to Internal and External to External PC Audio calling is not working.

    ISSUE

    A/V Conferencing is not working and user gets the message "User left the conference" on enabling Audio.

    Single Edge server | Single Enterprise Edition Server

    Fixes Tried:

    All the necessary ports have been opened on the External firewall and the Internal Firewall.

    On the Topology, the Edge server NAT IP has been set to Public IP of the A/V Edge server.

    MSTurnPing for A/V Auth and A/V Edge service results in success.

    Ports opened on External Firewall
    SIP/MTLS : 5061 (Inbound/Outbound)
    SIP/TLS : 443 (Inbound)
    TCP/UDP : 50000-59999 (Inbound/Outbound)
    STUN/UDP : 3478 (Inbound/Outbound)
    DNS : 53 (Outbound)
    HTTP : 80 (Outbound)

    On Internal Firewall

    SIP/MTLS : 5061 (Inbound/Outbound)
    PSOM/MTLS : 8057 (Outbound to Edge)
    STUN/TCP : 443 (Outbound to Edge)
    SIP/MTLS : 5062 (Outbound to Edge)
    STUN/UDP : 3478 (Outbound to Edge)
    HTTPS : 4443 (Outbound to Edge)

    Some Error Logs from Trace on the Lync Client log (Externally) when trying a peer (external) to peer (internal) Lync audio call.

    SIP/2.0 487 Request terminated -ms-diagnostics: 5002;reason="Request was cancelledc

    SIP/2.0 488 Not Acceptable Here -   reason="Audio mode disabled by policy

    SIP/2.0 480 Temporarily Unavailable - The routing rules did not result in a final response and callee is not enabled for Unified Messaging";

    Any ideas?


    Abhay Kamath (MSFT)- Global Partner Services

    Thursday, 16 February 2012 23:01


All replies

  • SIP/2.0 488 Not Acceptable Here -   reason="Audio mode disabled by policy

    Looks like a policy issue on the user or pool. Go to your Conferencing Policy and make sure Audio/video is set to Enable IP audio/video for that user's policy.

    SIP/2.0 480 Temporarily Unavailable - The routing rules did not result in a final response and callee is not enabled for Unified Messaging";

    If that doesn't work, have the recipient's admins verify they are enabled for audio, as this error points to the recipient's settings being the issue.

    Send me a message if you want to test. indubious at me dot com


    BBB

    Friday, 17 February 2012 00:50
  • Thanks for the Reply Indubious

    Customer says that he has just 1 global policy and has audio/video enabled for it. Has checked for both the users for whom audio - audio calling was tested.

    Any other thing that I need to look at from the edge perspective?


    Abhay Kamath (MSFT)- Global Partner Services

    Friday, 17 February 2012 01:05
  • SOME MORE INFO

    Had also noticed in the External Client netmon logs that the Internal IP address of the Edge internal interface was being returned to the external Client.


    Abhay Kamath (MSFT)- Global Partner Services

    Friday, 17 February 2012 16:54
  • Do you have a dual NIC configuration on the edge box? (Internal/external)

    Can you check the external NIC gateway and static route on the edge box? How is external traffic being routed to the pool?

    Friday, 17 February 2012 16:59
  • Hi,

    Your external to internal or internal to external calls depend on ICE/STUN/TURN.

    1) Check the client-side trace; look for the SDP information.

    Verify the candidate list; there must be an external IP listed in the candidates.

    2) Check the Route, Record-Route and Via headers in the trace to find the routing path of the SIP messages.

    For more information,

    http://blogs.technet.com/b/rickva/archive/2009/04/03/configuring-a_2f00_v-edge-service-for-nat.aspx

    Friday, 17 February 2012 17:36
  • YES, customer has a dual NIC configuration with the 3 different IPs for sip, webcon, a/v. The IPs are NAT'ed to 3 public IPs, and another NIC with the internal Edge IP.

    External NIC gateway is set up, as IM/Presence is working externally without any issues.

    BTW, I'm not sure about the static route on the Edge box, as I assumed that you set the next hop pool on the Edge in Topology Builder to the Front End server, which is enough.

    Do I still have to add a manual static route on the Edge server to the Front End server? If yes, then what would the command be like?


    Abhay Kamath (MSFT)- Global Partner Services

    Friday, 17 February 2012 17:39
  • @UCGuy,

    Here's what I find in the Client UCC logs.

    For INVITE (From external client to internal client)

    a=candidate:1 1 UDP 2130706431 10.0.0.1 16336 typ host
    a=candidate:1 2 UDP 2130705918 10.0.0.1 16337 typ host
    a=candidate:2 1 TCP-ACT 1684798975 10.0.0.1 16336 typ srflx raddr 10.0.0.1 rport 16336
    a=candidate:2 2 TCP-ACT 1684798462 10.0.0.1 16336 typ srflx raddr 10.0.0.1rport 16336

    For SIP/2.0 200 OK (from external client to external client in From and To field)

    a=candidate:1 1 UDP 2130706431 10.10.11.107 52238 typ host
    a=candidate:1 2 UDP 2130705918 10.10.11.107 52239 typ host
    a=candidate:2 1 tcp-act 1684798975 10.10.11.107 52238 typ srflx raddr 10.10.11.107 rport 52238
    a=candidate:2 2 tcp-act 1684798462 10.10.11.107 52238 typ srflx raddr 10.10.11.107 rport 52238

    Record-Route: <sip:connect.domain.com:5061;transport=tls;ms-fe=Lync01-OPS.domain.net;opaque=state:T:F;lr;received=10.10.11.107;ms-received-cid=F100

    Via:  SIP/2.0/TLS 10.0.0.1:50378;received=12.176.99.78;ms-received-port=54318;ms-received-cid=F000

    Route : sip:sip.domain.com:443;transport=tls;opaque=state:Ci.Rf000;lr;ms-route-sig=bdXvjsh1Oio4jw8ic6l3gZ7SH_cVNJ33AnQ7QSNb46uL4bxKC9RWIgeAAA>

    I understand the article says that DNAT has to be working in the firewall for the public IP of AV to be routed back to the client. Is that correct? I have been told DNAT and SNAT have been configured on the firewall, though I'm not sure how confident the customer is on that. Is that fact something to be stressed upon?

    FYI: in Topology Builder the NAT field has been populated with the public IP of the A/V Edge service, and the internal IP address field is populated with the internal IP address of the Edge server.


    Abhay Kamath (MSFT)- Global Partner Services

    Friday, 17 February 2012 21:11
  • Hi Abhay,

    I believe you have an issue with

    1) Candidates not showing the public IP in the srflx raddr.

    2) Though the Via shows the correct IP address, which includes the "12.176.99.78".

    Don't know what that IP is, but it looks like a public routable IP address. Was that captured from the SIP response?

    3) Yes, the public IP of the AV Edge should be communicated to the clients, and that becomes part of the "sip candidate list".

    4) Route seems to be correct, but check the NAT and firewall configuration again as per the following.

    I know you must have done that, but verify it again:

    http://technet.microsoft.com/en-us/library/gg425882.aspx

    Saturday, 18 February 2012 13:54
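
An added example (not part of any post in this thread) that automates the candidate-list check the replies above describe: it parses `a=candidate` lines from a client trace and reports when no candidate carries a publicly routable address. Both SDP samples are constructed, the healthy one uses documentation addresses, and treating a missing `relay` candidate as a finding is an assumption about how the A/V Edge allocation shows up in the trace.

```python
import ipaddress
import re

# Ranges not reachable from the Internet (RFC 1918, link-local, loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

# a=candidate:<foundation> <component> <transport> <priority> <addr> <port> typ <type> [raddr .. rport ..]
# \s* before "rport" tolerates pasted traces where raddr and rport have run together.
CANDIDATE_RE = re.compile(
    r"a=candidate:(?P<foundation>\S+)\s+(?P<component>\d+)\s+(?P<transport>\S+)\s+"
    r"(?P<priority>\d+)\s+(?P<addr>[0-9A-Fa-f.:]+)\s+(?P<port>\d+)\s+typ\s+(?P<type>\w+)"
    r"(?:\s+raddr\s+(?P<raddr>[0-9A-Fa-f.:]+)\s*rport\s+(?P<rport>\d+))?")

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_candidates(sdp):
    """Return one dict per a=candidate line found in an SDP body or trace excerpt."""
    matches = (CANDIDATE_RE.match(line.strip()) for line in sdp.splitlines())
    return [m.groupdict() for m in matches if m]

def audit_candidates(sdp):
    """List findings that point at an Edge/NAT problem in this candidate list."""
    cands = parse_candidates(sdp)
    findings = []
    if all(is_internal(c["addr"]) for c in cands):
        findings.append("no publicly routable address in candidate list")
    # Assumption: the allocation on the A/V Edge (TURN) appears as a "relay" candidate.
    if not any(c["type"] == "relay" for c in cands):
        findings.append("no relay candidate")
    for c in cands:
        if c["type"] == "srflx" and is_internal(c["addr"]):
            findings.append("srflx %s/%s advertises internal address %s"
                            % (c["foundation"], c["component"], c["addr"]))
    return findings

# Constructed sample shaped like the INVITE candidates quoted in the thread.
BROKEN_SDP = """a=candidate:1 1 UDP 2130706431 10.0.0.1 16336 typ host
a=candidate:1 2 UDP 2130705918 10.0.0.1 16337 typ host
a=candidate:2 1 TCP-ACT 1684798975 10.0.0.1 16336 typ srflx raddr 10.0.0.1 rport 16336
a=candidate:2 2 TCP-ACT 1684798462 10.0.0.1 16336 typ srflx raddr 10.0.0.1rport 16336"""

# Constructed healthy list; 198.51.100.7 and 203.0.113.10 are documentation addresses.
HEALTHY_SDP = """a=candidate:1 1 UDP 2130706431 10.0.0.1 16336 typ host
a=candidate:3 1 UDP 1694234111 198.51.100.7 16336 typ srflx raddr 10.0.0.1 rport 16336
a=candidate:4 1 UDP 16648703 203.0.113.10 52001 typ relay raddr 198.51.100.7 rport 16336"""

if __name__ == "__main__":
    for name, sdp in (("broken", BROKEN_SDP), ("healthy", HEALTHY_SDP)):
        print(name, audit_candidates(sdp) or "ok")
```
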
  • @UCGuy,

    Thanks for the reply. Yes, I'll double check their firewall configs again; however, you mentioned that the srflx raddr field is showing the internal IP (as per my SIP logs posted), so does it have to show the public IP of the A/V Edge server? Just trying to get my understanding correct.


    Abhay Kamath (MSFT)- Global Partner Services

    Sunday, 19 February 2012 07:02
  • Also, in your Topology Builder under the edge settings, make sure, if you are using NAT, to select "NAT enabled public IP Address used" and enter the public IP address you use for av.domain.com. How many IPs are you using for your external settings? In our topologies we use 3 internal and 3 external IPs, and bound the 3 internal to the 3 external via the firewall. But on the internet, if you ping av.domain.com, use that resolving IP address as mentioned above. Had some AV issues during RTM and that resolved it for us.


    Sunday, 19 February 2012 15:32
  • hi abhay,

    that's correct !! check NAT and Firewall and Edge Configuration in Topology Builder too.

    Monday, 20 February 2012 02:54
  • Hi, Abhay,

    You need to open the STUN/TCP 443 and UDP 3478 inbound and outbound traffic on your internal firewall; you also need to check the corresponding ports on the Front End server. For the port requirements you can check the Lync workload poster for more details.

    Also, please double check the client policy with the cmdlet Get-CsClientPolicy to get the policy assigned to users, and make sure you have the correct public IP address of the A/V Edge external interface defined in the topology and published.

    For more details, please check the great article posted by Elan Shudnow; it has detailed descriptions of different audio/video connection scenarios. Hope it can help you figure out the issue.

    Regards,

    Sharon


    Sharon Shen

    TechNet Community Support



    Monday, 20 February 2012 08:31
    Moderator