TLS error on SIP call to Cisco RRS feed

  • Question

  • Hello,

    I can't connect Lync on a Cisco Gateway.

    Lync side, everything is OK. On Cisco all parameters are also ok.
    When I try a call with the rules set, I get an error SIP/2.0 504 Server time-out in the logs collected with snooper.
    I also have this message [ms-diagnostics: 1039; reason = "Failed to complete TLS negotiation with a peer server"; WinsockFailureCode = "10054 (WSAECONNRESET)"; WinsockFailureDescription = "The peer Forced closure of the connection"; Peer = "Frontendpool.domain.local", Port = "5070", source = "FE1.domain.local"]
    while in my topology, it is specified that my connection to the gateway is done by TCP.

    Do you have any idea on what's going wrong?

    Regards,


    Monday, July 11, 2011 3:57 PM

Answers

  • Hello All,

    The following error indicates that the MTLS handshake failed between the Front End Service and the Mediation Service:

    [ms-diagnostics:1039;reason = "Failed to complete TLS negotiation with a peer server";WinsockFailureCode= "10054 (WSAECONNRESET)";WinsockFailureDescription= "The peer Forced closure of the connection";Peer = "Frontendpool.domain.local",Port = "5070",source = "FE1.domain.local"]

    5070 is the SipServerPort for the Mediation Server
    (you can verify that with Get-CsService -Identity MediationServer:Frontendpool.domain.local).

    Run Test-CsCertificateConfiguration -Verbose
    It will create an HTML report in the %temp% folder; check it for any errors.

    Check the certificate assigned on the server:
    Get-CsCertificate | Where {$_.Use -eq "Default"}

    and verify that the Subject name is the Pool FQDN Frontendpool.domain.local and the AlternativeNames include the Server FQDN FE1.domain.local,
    etc.

    If all this looks correct and you are on Windows 2008 R2, ensure that the following hotfix is installed:
    http://support.microsoft.com/kb/975858

    If this doesn't help, please share the Topology document, the SipStack and S4 logs and a Network Monitor trace.

    -Santosh


    Santosh More Unified Communications Support Engineer
    • Proposed as answer by Sean_Xiao Monday, July 25, 2011 2:18 AM
    • Marked as answer by Sean_Xiao Monday, July 25, 2011 4:53 AM
    Wednesday, July 20, 2011 3:47 AM
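The checks in the answer above can be scripted in the Lync Server Management Shell; this is an added example, not Santosh's own code, and it assumes the Get-CsCertificate output exposes Subject, AlternativeNames, Thumbprint and NotAfter, and uses the thread's placeholder FQDNs. It only reports what it finds on the Front End to Mediation MTLS leg (the 5070 peer in the diagnostics line), which is independent of the TCP leg towards the gateway.

```powershell
# Added example (not from the thread): scripts the certificate checks from the answer.
# Run in the Lync Server Management Shell on the Front End server.
# Assumptions: Get-CsCertificate objects expose Subject, AlternativeNames, Thumbprint
# and NotAfter; the FQDNs below are the thread's placeholder names.
$poolFqdn   = "Frontendpool.domain.local"
$serverFqdn = "FE1.domain.local"

# Port the Front End uses to reach the collocated Mediation Service over MTLS
# (the Peer/Port pair shown in the ms-diagnostics line).
$med = Get-CsService -Identity "MediationServer:$poolFqdn"
"Mediation SipServerPort: $($med.SipServerPort)"

# The MTLS leg uses the certificate assigned with Use = Default.
$cert = Get-CsCertificate | Where-Object { $_.Use -eq "Default" } | Select-Object -First 1
if (-not $cert) { throw "No certificate with Use=Default is assigned on this server." }

# Subject is a DN string ("CN=frontendpool.domain.local, OU=..."); extract the CN.
$cn = (($cert.Subject -split ",") | ForEach-Object { $_.Trim() } |
       Where-Object { $_ -like "CN=*" } | Select-Object -First 1) -replace "^CN=", ""

# AlternativeNames is displayed as a comma-separated list of DNS names;
# splitting on commas/whitespace also copes with it being returned as an array.
$sans = ("$($cert.AlternativeNames)" -split "[,\s]+") | Where-Object { $_ }

# PowerShell string comparisons are case-insensitive, which suits DNS names.
$problems = @()
if ($cn -ne $poolFqdn)              { $problems += "Subject CN '$cn' is not the pool FQDN '$poolFqdn'" }
if ($sans -notcontains $poolFqdn)   { $problems += "SAN list lacks the pool FQDN '$poolFqdn'" }
if ($sans -notcontains $serverFqdn) { $problems += "SAN list lacks the server FQDN '$serverFqdn'" }
if ($cert.NotAfter -lt (Get-Date))  { $problems += "Certificate expired on $($cert.NotAfter)" }

if ($problems) {
    "Certificate $($cert.Thumbprint) has problems:"
    $problems | ForEach-Object { " - $_" }
} else {
    "Certificate $($cert.Thumbprint) matches pool and server FQDNs and is valid until $($cert.NotAfter)."
}

# Full Lync certificate test; writes the HTML report to %temp% as the answer describes.
Test-CsCertificateConfiguration -Verbose
```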

All replies

  • You should try a setup without TLS. Use plain TCP all the way (unencrypted).

    It's the easiest way, and it works (Your error message clearly states an error in TLS negotiation, so somewhere in your configuration someone believes it's supposed to use TLS)


    Lasse Wedø,
    Blog:Tech@work, Twitter: @lawedo

    Please take a second to hit the green arrow on the left if the post was helpful, or mark it as an answer if it resolved your issue.
    Monday, July 11, 2011 7:15 PM
  • Hello and thanks for your reply. But like I said, in the Topology Builder I chose TCP on port 5060, so the message about TLS is not coherent for me.

    Regards

    Tuesday, July 12, 2011 9:58 AM
  • Ok,

    How is the configuration on the CUCM part? Did you select a "non secure SIP profile"? Or is it a Cisco IOS GW?

    If this is a Cisco IOS GW, you should really change the topology to use 5060, and force the setting on your dial-peer configuration.

    Much easier.

    Try debugging the Cisco GW with debug ccsip events, debug ccsip events (or if all fails debug ccsip all). The debug output is usually right on the money. But I suspect a misconfiguration of ports and protocols on the GW/topology.


    Lasse Wedø,
    Blog:Tech@work, Twitter: @lawedo

    Please take a second to hit the green arrow on the left if the post was helpful, or mark it as an answer if it resolved your issue.
    Tuesday, July 12, 2011 5:47 PM
  • Port 5070 is typically used by the collocated Mediation Server to get messages from the Front End Server. Could be a certificate problem on the server itself.
    Johann Deutinger | MCITP Lync 2010 | MCTS Exchange 2010, OCS | ucblog.deutinger.de | http://twitter.com/jwdberlin
    Wednesday, July 13, 2011 10:11 AM
  • Hello All, I still have the problem. I use F5 between my collocated Mediation and my Cisco Gateway. The port in use is 5060 (TCP) in the Topology Builder.

    I have this log on my Front End:

    [

    A call to a PSTN number failed due to non availability of gateways.

    Called Number: +33xxxxxxxxx
    Phone Usage: Local
    Route: LocalRoute
    CallId: 1e5b04826e9746d9a561af05183be729

    Cause: All gateways available for this call are marked as down.
    Resolution:
    Verify that these gateways are up and can respond to calls.

    ]

    Thanks for your help.

    Tuesday, July 19, 2011 3:46 PM