Outbound TLS negotiation failed between FE Server and Mediation Server

  • Question

  • I have a Standard OCS 2007 R2 deployment on a Server 2008 R2 system.
    Enterprise Voice is enabled with a mediation server installed on a Server 2003 system.
    I am able to place a call from PBX to SIP through the mediation server.
    However, when I place a SIP to PBX call, I get the following error.

    TL_ERROR(TF_CONNECTION) [1]0D1C.02C4::09/21/2009-19:54:00.017.000049ba (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
    LogType: connection
    Severity: error
    Text: Outbound TLS negotiation failed
    Local-IP: 192.168.11.94:49287
    Peer-IP: 192.168.11.115:5061
    Peer-FQDN: paraxip-lab15.domain.paraxip
    Connection-ID: 0x2603
    Transport: TLS
    Result-Code: 0x80004005 E_FAIL
    $$end_record

    TL_ERROR(TF_CONNECTION) [1]0D1C.02C4::09/21/2009-19:54:00.017.000049ca (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
    LogType: connection
    Severity: error
    Text: The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?
    Local-IP: 192.168.11.94:49287
    Peer-IP: 192.168.11.115:5061
    Peer-FQDN: paraxip-lab15.domain.paraxip
    Connection-ID: 0x2603
    Transport: TLS
    $$end_record

    TL_ERROR(TF_DIAG) [1]0D1C.02C4::09/21/2009-19:54:00.017.000049e3 (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(140))$$begin_record
    LogType: diagnostic
    Severity: error
    Text: Message was not sent because the connection was closed
    SIP-Start-Line: INVITE sip:+15145551019@paraxip-lab15.domain.paraxip:5061;user=phone;maddr=paraxip-lab15.domain.paraxip SIP/2.0
    SIP-Call-ID: f56307565ad545bcb65b19a554e93f3a
    SIP-CSeq: 1 INVITE
    Peer: paraxip-lab15.domain.paraxip:5061
    $$end_record


    .94 is the domain controller and FE server
    .115 is the mediation server


    Could this be due to a certificate misconfiguration? The deployment app validated my certificate installation for the mediation server.

    TIA


    Monday, September 21, 2009 8:28 PM
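
The three trace records in the question describe a single failed handshake. The following is an added example, not part of the original post: it parses the `$$begin_record`/`$$end_record` blocks and groups them by peer, so the failed connection and the SIP call it dropped can be read together. The function names are this example's own, and the sample is abridged from the trace above (unused fields dropped).

```python
import re
from collections import defaultdict

# Abridged from the trace in the question; fields not used below are dropped.
SAMPLE = """\
TL_ERROR(TF_CONNECTION) [1]0D1C.02C4::09/21/2009-19:54:00.017.000049ba (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
Text: Outbound TLS negotiation failed
Local-IP: 192.168.11.94:49287
Peer-IP: 192.168.11.115:5061
Peer-FQDN: paraxip-lab15.domain.paraxip
Connection-ID: 0x2603
Result-Code: 0x80004005 E_FAIL
$$end_record
TL_ERROR(TF_CONNECTION) [1]0D1C.02C4::09/21/2009-19:54:00.017.000049ca (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
Text: The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?
Peer-FQDN: paraxip-lab15.domain.paraxip
Connection-ID: 0x2603
$$end_record
TL_ERROR(TF_DIAG) [1]0D1C.02C4::09/21/2009-19:54:00.017.000049e3 (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(140))$$begin_record
Text: Message was not sent because the connection was closed
SIP-Call-ID: f56307565ad545bcb65b19a554e93f3a
Peer: paraxip-lab15.domain.paraxip:5061
$$end_record
"""

RECORD = re.compile(r"^[ \t]*(\S+) .*?\$\$begin_record\n(.*?)^[ \t]*\$\$end_record", re.S | re.M)

def parse_records(text):
    """Yield one dict per $$begin_record/$$end_record block, keyed by field name."""
    for flag, body in RECORD.findall(text):
        fields = dict(l.strip().split(": ", 1) for l in body.splitlines() if ": " in l)
        fields["Trace"] = flag  # e.g. TL_ERROR(TF_CONNECTION)
        yield fields

def tls_failures_by_peer(text):
    """Group error records by peer host so one failed handshake reads as one event."""
    peers = defaultdict(lambda: {"connections": set(), "texts": [], "dropped_calls": []})
    for rec in parse_records(text):
        # Connection records carry Peer-FQDN; diagnostic records carry Peer as host:port.
        host = rec.get("Peer-FQDN") or rec.get("Peer", "").rsplit(":", 1)[0]
        entry = peers[host]
        if "Connection-ID" in rec:
            entry["connections"].add(rec["Connection-ID"])
        if "SIP-Call-ID" in rec:
            entry["dropped_calls"].append(rec["SIP-Call-ID"])
        entry["texts"].append(rec.get("Text", ""))
    return dict(peers)

if __name__ == "__main__":
    print(tls_failures_by_peer(SAMPLE))
```
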

Answers

  • Hi,
    You'd better not install the STD 2007 R2 on Windows 2008 R2.
    As far as I know, at present, it is not fully supported.
    That is, it will cause some odd issues.
    There are many cases caused by that in the forum.
    So I suggest that you install it on another Windows edition, such as Windows 2008 (not R2).
    I also do not know when Windows 2008 R2 will be fully supported.

    Regards!
    • Proposed as answer by kagen15 Friday, October 2, 2009 5:55 AM
    • Marked as answer by Gavin-ZhangModerator Tuesday, October 6, 2009 10:13 AM
    Monday, September 28, 2009 6:07 AM
    Moderator

All replies

  • Have you checked the solution http://blogs.msdn.com/scottos/archive/2009/04/03/resolved-ocs-2007-r2-pic-fails-against-aol.aspx
    Monday, September 21, 2009 8:39 PM
  • I tried the solution provided in the link; after the change I could no longer log in to my Communication clients.
    The TLS handshake failure is not between the Front End Server and the Communicator.
    It is between the Mediator and the Front End Server that it fails.

    Tuesday, September 22, 2009 2:23 PM
  • Have you confirmed that the intermediary and the root certificates for the FE server exist on the mediation server?
    Tuesday, September 22, 2009 4:02 PM
  • Were the certificates for your FE and Mediation server issued from the same certificate authority? It looks like the Mediation server doesn't trust the certificate your FE is presenting. You could have technically valid certificates on your FE and Mediation, but the TLS negotiation will fail if they don't trust each other's certificate issuer.
    Tuesday, September 22, 2009 7:23 PM
  • Yes, both certificates were issued by the same CA on the domain controller.
    How can I verify the mediation server doesn't trust the certificate presented by the FE?
    Tuesday, September 22, 2009 7:40 PM
  • Yes, both the int and the root certs exist on the mediation server.
    Tuesday, September 22, 2009 7:53 PM
  • Have you installed the CA's root certificate in the Trusted Root Certificate Authorities store of the local computer on the Mediation server? Is this a standalone CA or an Enterprise, AD integrated one? If you look at the Mediation server's certificate in the Certificate MMC you'll see if the chain can be validated.

    What are the names of the DC and the Mediation server and what is the subject name for the certificate on each server? They need to match up.
    Tuesday, September 22, 2009 7:57 PM
  • This is a standalone CA that resides in the domain controller.
    I have used the deployment wizard to install the certificates for both machines and they were successfully installed.
    I have validated the root certificates are present on both machines as well.
    The FQDN of the DC (where the FE Server resides) is paraxip-dc.domain.paraxip
    The FQDN of the mediation server is paraxip-lab15.domain.paraxip

    Do I need to have the machine certificates present on both machines as well?


    Tom: I am not following you when you say the subject name needs to match up.

             What are the names of the DC and the Mediation server and what is the subject name for the certificate on each server? They need to match up.


    TIA

    Julien
    Wednesday, September 23, 2009 3:02 PM
  • Julien,

    My note about the certificate names was just that the paraxip-dc.domain.paraxip server should have a certificate with a subject name of paraxip-dc.domain.paraxip and the paraxip-lab15.domain.paraxip should have a certificate with a subject name of paraxip-lab15.domain.paraxip. Does that match your configuration?

    The note about Server 2008 R2 not being supported yet is true, but I don't believe that's the cause of your problem here.
    Monday, September 28, 2009 5:14 PM