No audio or video in Live Meeting

  • Question

  • We have a problem in getting audio and video to work with Live Meeting with an internal and an external participant. Edge Services are deployed across two servers (one access & web conf, one AV). Both are behind hardware load balancers for future expansion.

     

    The AV edge server does have publicly routable IPs (in fact, all IPs in use are public - we have a few /16s..). Our external firewalls are all set up correctly for the relevant ports and hosts (both the VIP on the load balancer and the real servers). There is no NAT on our side.

     

    We have public CA certs on the access, web conf and reverse proxy external VIPs. There are internal enterprise CA certs on the access internal VIP and also on the AV internal VIP. The AV authentication cert is also configured on the AV internal side (using the same subject name as the AV internal VIP and indeed, the same cert).

     

    Our reverse proxy is working fine for address book expansion and LM content.

     

    Validations all pass correctly for the edges and the pool front ends.

     

    Using Office Communicator from outside signs in fine and audio / video works. Packet capture shows that STUN traffic flows between the external IP and the AV edge.

     

    An external can sign into Live Meeting ok (and can see all the content, download handouts etc). As soon as audio and video is introduced into the mix, it fails with the error below:

     

     

    ---------------------------
    Voice and Video Error Information
    ---------------------------
    Your audio and/or video session was unexpectedly disconnected.

    Action required: Please rejoin audio and/or video.

    ---------------------------------------------------------------------------
    More details for technical support:
    ---------------------------------------------------------------------------
    Message Category: 2 (kNetworkError)
    Message Code: 8 (kMediaConnectivityFailure)
    Root Cause Error: 0x00000000
    Root Cause Component: kNetwork
    Audio Input Device: Microphone (High Definition Audio Device)
    Audio Output Device: Speakers (High Definition Audio Device)
    Video Input Device:
    Audio Muted: Yes
    Media State: (43,10,10,10,0,0,Connected)
    AvMcu Uri: sip:<internal OCS pool VIP>:5063;transport=tls;ms-fe=<one of the OCS servers in the pool>
    Avmcu Reachable: Yes
    Acp Reachable: No
    Diagnostics Information:
    ---------------------------------------------------------------------------
    To copy this message, press CTRL+C or press ALT+PRINT SCREEN.
    ---------------------------
    OK
    ---------------------------

     

     

    Logging on the firewalls shows that the external client is trying to connect directly to the enterprise pool (which, of course, it's not supposed to be able to). Packet captures on the AV edge show no traffic flowing between it and the external.

     

    The only thing I was a bit confused about was the AV authentication cert: I was pretty sure it could be internally signed and attached to the internal interface, but I have read other things that imply it should be public CA and on the external?

    So, I'm a bit stuck really! Any thoughts as to where to troubleshoot from here?

     

    Many thanks in advance,

     

    Alex

    Friday, July 25, 2008 5:18 PM

Answers

  • Well, finally an answer!

     

    The AV edge server must have dual NICs. Each NIC must be on a completely different subnet - this is not immediately obvious in the documentation.

     

    Some added complexity when using two subnets which are both publicly routable is with setting default gateways. If both NICs have it set, then they will see two complete route maps and things won't work. Our workaround is to set the default gateway on the "external" NIC and have the "internal" NIC on the same subnet as all the other OCS servers (both FEs and Edge) so they can communicate with each other directly.

     

    I hope this helps someone else with similar difficulties.

    Thursday, August 28, 2008 12:21 PM
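
    The layout rules from the answer above, written as a check over a NIC description. This is an added example, not part of the original thread: the addresses (documentation ranges), the /24 prefix lengths and the `check_av_edge` function are constructed assumptions.

```python
import ipaddress

# Constructed sample layouts using documentation address ranges (not from the thread).
SINGLE_SUBNET = {
    "internal": {"cidr": "198.51.100.45/24", "gateway": "198.51.100.1"},
    "external": {"cidr": "198.51.100.44/24", "gateway": "198.51.100.1"},
}
SPLIT_SUBNETS = {
    "internal": {"cidr": "203.0.113.45/24", "gateway": None},
    "external": {"cidr": "198.51.100.44/24", "gateway": "198.51.100.1"},
}
OCS_PEERS = ["203.0.113.10", "203.0.113.11", "203.0.113.20"]  # front ends, other edge


def check_av_edge(nics, peers):
    """Return a list of findings for an A/V edge NIC layout (empty list = OK)."""
    findings = []
    ifaces = {name: ipaddress.ip_interface(n["cidr"]) for name, n in nics.items()}
    internal, external = ifaces["internal"], ifaces["external"]
    # Each NIC must sit on a completely different subnet.
    if internal.network.overlaps(external.network):
        findings.append("internal and external NICs share a subnet")
    # Only the external NIC carries a default gateway.
    with_gw = sorted(name for name, n in nics.items() if n.get("gateway"))
    if with_gw != ["external"]:
        findings.append(f"default gateway set on {with_gw or 'no NIC'}, expected external only")
    gw = nics["external"].get("gateway")
    if gw and ipaddress.ip_address(gw) not in external.network:
        findings.append("external default gateway is not on the external subnet")
    # With no gateway on the internal NIC, the other OCS servers must be on-link there.
    for peer in peers:
        if ipaddress.ip_address(peer) not in internal.network:
            findings.append(f"{peer} is not on the internal NIC's subnet")
    return findings


if __name__ == "__main__":
    for label, layout in (("single subnet", SINGLE_SUBNET), ("split subnets", SPLIT_SUBNETS)):
        print(label, check_av_edge(layout, OCS_PEERS) or "OK")
```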

All replies

  • A/V authentication cert does not need to be a Public one

    A Private cert on the private interface (none required on the public Interface)

     

    Maybe your EDGE Server is not configured correctly

    Internal and External servernames and ports

     

    Can you do 3 way audio conference with someone externally?

     

    Monday, July 28, 2008 1:47 PM
  • Thanks for the reply.

     

    So, my A/V certs are configured ok then.

     

    The A/V server has the following assigned:

     

    Internal interface:

     

    xxx.xxx.28.45

    ocs-edge-av-int.example.com (this FQDN is actually on the load balancer, but the SLB is configured to pass all protocols and ports to the server).

    A/V auth certificate subject name ocs-edge-av-int.example.com

    TCP ports 443 & 5062, UDP 3478

     

    External interface:

    xxx.xxx.28.44

    ocs-edge-av-ext.example.com (FQDN is on the load balancer, but the SLB is configured to pass all protocols and ports to the server).

    No certs on the ext interface.

    TCP ports 443, 50000-59999, UDP 3478 (all are open on our external firewall, but as I said, logging shows no attempt to connect).

     

    3 way conference calling in MOC does not work (2 participants internal, 1 connecting externally via edge servers).

     

    Monday, July 28, 2008 2:05 PM
  • As I suspected this would not work either (3 way audio conference)

    So there seems to be a problem with A/V conferencing when not peer to peer

     

    Can you rerun Configure Pool wizard and configure the External Access (maybe there is something wrong there)

     

    Do you have an Enterprise pool with dedicated A/V Servers?

     

    Not all required ports are open

    You also need UDP 50000-59999

    Check all ports in this configuration guide for Perimeter network

    http://www.microsoft.com/downloads/details.aspx?FamilyID=e4a8d703-e41a-47d9-b9dd-2799f894af92&DisplayLang=en

     

    Monday, July 28, 2008 3:54 PM
  • My mistake, I'd missed off the UDP AV ports in my reply (they are open and in use with MOC 1:1 audio video when we log firewall access). We have an enterprise pool set up as consolidated with all servers behind a load balancer - this all works fine.

     

    I have re-run the OCS pool wizard several times - capturing the SIP traffic and analyzing it with snooper from the res kit implies that the external FQDN of the AV server is being sent to Live Meeting ok...

    Monday, July 28, 2008 8:31 PM