EDGE server routing - edge trying to route traffic from external interface to internal edge interface and to front end pool

Question

  • Hi,

    So this is one of those kinda detailed problems that will come down to a slight oversight on my config, so just so it's clear I'm going to spell out our network configuration first:

    • Lync Enterprise Front End Pool - Lync-EFE.ewx.local - Pool IP 192.168.70.26
      • Single Lync Enterprise Front End Machine (so far) - Lync-EFE1.ewx.local

    • Lync Edge Pool - lyncedge.ewx.dmz
      • Single Lync Edge Machine - edge1.ewx.dmz
        • Internal NIC
          • 192.168.70.16
          • No gateway configured
          • No DNS configured - hosts file entries for front end pool.
        • External NIC
          • 10.20.1.11 - Access Edge Service
          • 10.20.1.12 - Web Conf Edge Service
          • 10.20.1.13 - A/V Edge Service - NAT enabled on 41.160.87.46
          • Default gateway configured
          • DNS lookups from DMZ server (with no knowledge of internal machines)
        • Public IPs
          • 41.160.87.44 - webconf.ewx.co.za - firewall routes to 10.20.1.12
          • 41.160.87.43 - av.ewx.co.za - firewall routes to 10.20.1.13
          • 41.160.87.46 - access.awx.co.za - firewall routes to 10.20.1.11

    So I think that's everything.  Yes, unfortunately we do not have a second firewall for our DMZ.  However, we do have the traffic physically separated on a different interface, and there is no rule that allows traffic from the DMZ onto the local network.  I know this isn't absolutely correct, but I'm working with what we've got for now.

    Everything appears to work fine - we have internal and external clients, desktop lync, polycom phones, and mobile apps, and everything signs in, makes calls and appears to operate correctly.

    The only problem we have is with federation.  If I add a federated contact we get the dead-end "presence unknown" message.  However, if I look at the trace logs for the edge server, first I saw this message:

    TL_WARN(TF_DIAG) [lyncedge\edge1]130C.28E4::11/23/2013-10:23:42.768.00000007 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(805)) [3549713091] $$begin_record

    Severity: warning

    Text: Host name resolution failure

    Result-Code: 0xc3e93c82 SIPPROXY_E_DNS_HOST_NAME_QUERY_FAIL

    SIP-Start-Line: SUBSCRIBE sip:x@y.com SIP/2.0

    SIP-Call-ID: 0e50809a6020906e4b3313f074820817

    SIP-CSeq: 1 SUBSCRIBE

    Source: lync-efe.domain.local:50478

    Data: fqdn="lyncedge.ewx.dmz"

    $$end_record

    So it appears that the edge server is trying to resolve its own host name for some reason.  When I added a hosts entry to point to itself on 192.168.70.16, I started to get this message:

    TL_INFO(TF_PROTOCOL) [lyncedge\edge1]22C4.0FA4::11/23/2013-22:34:03.105.000003F9 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265)) [3437591884]

    Trace-Correlation-Id: 3437591884

    Instance-Id: 126

    Direction: outgoing;source="local";destination="internal edge"

    Peer: lync-efe.domain.local:60367

    Message-Type: response

    Start-Line: SIP/2.0 504 Server time-out

    From: "Adam Pawsey" <sip:adam.pawsey@ewx.co.za>;tag=49050841-E5074EEA;epid=0004f2820817

    To: <x@y.com>;tag=AA0F8B96EA03894CB0F713FC64412B6A

    Call-ID: d4849628de6469f2d10c176809820817

    CSeq: 1 SUBSCRIBE

    Via: SIP/2.0/TLS 192.168.70.26:60367;branch=z9hG4bK04BF2F5B.04CC0888594F780E;branched=FALSE;ms-received-port=60367;ms-received-cid=600

    Via: SIP/2.0/TLS 192.168.70.202:53765;branch=z9hG4bK1083881357A5F3BC;ms-received-port=53765;ms-received-cid=1700

    Content-Length: 0

    ms-diagnostics: 1046;reason="Failed to connect to a federated peer server";fqdn="lyncedge.ewx.dmz:5061";ip-address="192.168.70.16";peer-type="FederatedPartner";winsock-code="10061";winsock-info="The peer actively refused the connection attempt";source="access.ewx.co.za"

    ms-edge-proxy-message-trust: ms-source-type=EdgeProxyGenerated;ms-ep-fqdn=lyncedge.ewx.dmz;ms-source-verified-user=verified

    $$end_record


    So basically I don't understand why it is trying to route traffic from the external interface to the internal interface.  Anyone got any ideas what obvious mistake I've made?

    Thanks,

    Adam.


    Monday, November 25, 2013 8:14 PM

Answers

  • You need to create a DNS A record for Lyncedge.ewx.dmz pointing to the IP address of the Lync Server internal interface on the internal DNS server.


    Lisa Zheng
    TechNet Community Support

    • Marked as answer by Lisa.zheng Tuesday, December 3, 2013 8:29 AM
    Wednesday, November 27, 2013 8:10 AM
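
A quick check to run on the Front End after adding the record, as an added example that is not part of the thread: it resolves the Edge pool FQDN through the normal Windows resolver, confirms it maps to the Edge internal interface, and confirms TCP 5061 on that address accepts a connection (Winsock 10061 in the trace above is the "refused" branch). The FQDN, IP and port are taken from the question; the function names are my own.

```powershell
# Added example (not from the thread): verify Edge pool resolution and SIP port
# reachability from the Front End. Values below come from the question.
$EdgePoolFqdn   = 'lyncedge.ewx.dmz'
$EdgeInternalIp = '192.168.70.16'
$SipPort        = 5061

function Test-EdgePoolResolution {
    param([string]$Fqdn, [string]$ExpectedIp)
    try {
        # Uses the system resolver (DNS, then hosts file), i.e. the same path the
        # Lync services take when they look up the Edge pool.
        $addresses = @([System.Net.Dns]::GetHostAddresses($Fqdn) |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        # Matches the "Host name resolution failure" warning in the trace.
        return [pscustomobject]@{ Fqdn = $Fqdn; Resolved = @(); Ok = $false
            Detail = "Resolution failed: $($_.Exception.Message)" }
    }
    $ok = $addresses -contains $ExpectedIp
    $detail = if ($ok) { 'Resolves to the Edge internal interface' }
              else { "Resolves to $($addresses -join ', '), expected $ExpectedIp" }
    [pscustomobject]@{ Fqdn = $Fqdn; Resolved = $addresses; Ok = $ok; Detail = $detail }
}

function Test-EdgeSipPort {
    param([string]$Ip, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Ip, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            # No SYN/ACK at all: usually a firewall or the wrong interface.
            return [pscustomobject]@{ Target = "${Ip}:$Port"; Ok = $false; Detail = 'Timed out' }
        }
        $client.EndConnect($async)
        [pscustomobject]@{ Target = "${Ip}:$Port"; Ok = $true; Detail = 'TCP connect succeeded' }
    } catch {
        # Winsock 10061 from the trace lands here: nothing listening on that IP/port.
        [pscustomobject]@{ Target = "${Ip}:$Port"; Ok = $false; Detail = "Refused: $($_.Exception.Message)" }
    } finally {
        $client.Close()
    }
}

Test-EdgePoolResolution -Fqdn $EdgePoolFqdn -ExpectedIp $EdgeInternalIp | Format-List
Test-EdgeSipPort -Ip $EdgeInternalIp -Port $SipPort | Format-List
```

Both objects should report Ok = True; a resolution result pointing at a public or external-NIC address explains why the Edge treats the pool as a federated partner in the second trace.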