locked
Calls to Exchange 2007 SP2 UM form OCS 2007 R2 always ringing busy. RRS feed

  • Question

  • Hello,

    I have setup Exchange 2007 SP2 UM and OCS 2007 R2. I have a SIP gateway (Audio Codes) configured with OCS 2007. I can make a call from my PSTN line that is connected to my OCS 2007 R2 mediation server, and the call goes through just fine.

    I have configured my test account for Unified Messanging but when I attempt to forward my calls to Exchange UM I immediatly get a busy signal and the line apparently disconnects.

    If I attempt to access voicemail from my office communicator client I get also get an immediate busy signal.

    Office Comunicator logs the following message:

     There was a problem with the calling service. Wait and then try again. If the problem continues, contact your system administrator with this information. (ID: 504)

    In addition Exchange UM logs the following event:

    The Unified Messaging server has ended a call with ID "77b9b8b1-0e21-478f-846f-ef6881dd6492" because the user at the far end disconnected. Event ID:1007


    I then configured my Exchange UM server with an additional gatway and routing rules that let me place a all directly to exchange UM. This works and I get the autoattendant. This appears to indicate that Exchange UM is working correctly at least with a direct connection.

    Interestingly If I place a call to my OCS account from my PSTN and then hang up I get a missed call notification in my Exchange Mailbox.

    I setup a network trace with Netmon on my Exchange UM server and the attempted a call again and had the following packets:

    16 0.150391 umservice.exe {SSL:6, TCP:5, IPv4:4} 10.1.18.51 10.1.18.70 SSL SSL:  Application Data.
    21 0.153320 umservice.exe {SSL:6, TCP:5, IPv4:4} 10.1.18.70 10.1.18.51 SSL SSL:  Application Data.
    28 0.342773 umservice.exe {TCP:5, IPv4:4} 10.1.18.51 10.1.18.70 TCP TCP:Flags=...A...., SrcPort=1085, DstPort=5061, PayloadLen=0, Seq=1233255266, Ack=2534028423, Win=511
    231 7.998047  {TCP:39, IPv4:4} 10.1.18.70 10.1.18.51 TCP TCP:Flags=......S., SrcPort=50171, DstPort=5061, PayloadLen=0, Seq=969751010, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
    232 7.998047  {TCP:39, IPv4:4} 10.1.18.51 10.1.18.70 TCP TCP:Flags=...A..S., SrcPort=5061, DstPort=50171, PayloadLen=0, Seq=1675961224, Ack=969751011, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
    233 7.998047  {TCP:39, IPv4:4} 10.1.18.70 10.1.18.51 TCP TCP:Flags=...A...., SrcPort=50171, DstPort=5061, PayloadLen=0, Seq=969751011, Ack=1675961225, Win=513 (scale factor 0x8) = 131328
    234 7.998047  {SSL:40, TCP:39, IPv4:4} 10.1.18.70 10.1.18.51 SSL SSL:  Client Hello.
    235 8.000000  {SSL:40, TCP:39, IPv4:4} 10.1.18.51 10.1.18.70 SSL SSL:  Server Hello. Certificate. Certificate Request. Server Hello Done.
    236 8.000000  {TCP:39, IPv4:4} 10.1.18.70 10.1.18.51 TCP TCP:Flags=...A...., SrcPort=50171, DstPort=5061, PayloadLen=0, Seq=969751138, Ack=1675964052, Win=513 (scale factor 0x8) = 131328
    237 8.014648  {SSL:40, TCP:39, IPv4:4} 10.1.18.70 10.1.18.51 SSL SSL:  Certificate.
    238 8.014648  {TCP:39, IPv4:4} 10.1.18.70 10.1.18.51 TCP TCP:[Continuation to #237]Flags=...AP..., SrcPort=50171, DstPort=5061, PayloadLen=1033, Seq=969752598 - 969753631, Ack=1675964052, Win=513 (scale factor 0x8) = 131328
    239 8.014648  {TCP:39, IPv4:4} 10.1.18.51 10.1.18.70 TCP TCP:Flags=...A...., SrcPort=5061, DstPort=50171, PayloadLen=0, Seq=1675964052, Ack=969753631, Win=513 (scale factor 0x8) = 131328
    240 8.018555  {SSL:40, TCP:39, IPv4:4} 10.1.18.51 10.1.18.70 SSL SSL:  Change Cipher Spec. Encrypted Handshake Message.
    241 8.020508  {TCP:39, IPv4:4} 10.1.18.70 10.1.18.51 TCP TCP:Flags=...A.R.., SrcPort=50171, DstPort=5061, PayloadLen=0, Seq=969753631, Ack=1675964111, Win=0 (scale factor 0x8) = 0

    I would appreciate any help in determining what is wrong with my setup and suggestions fixing the configuraiton.

    I followed all the steps in:


    Microsoft® Office
    Communications Server 2007
    Enterprise Voice
    Planning and Deployment Guide


    Thanks

    Bill
    Monday, September 28, 2009 11:16 PM

All replies

  • Check Your Dial-Plan in Exchange Management Console
    Verify that Voip Security is set to secured
    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Monday, September 28, 2009 11:32 PM
  • Hello,

    Thanks for you response. I have the Dial-Plan set to sip secured. If I use secured or unsecured the results are both busy signals, and if fact the Exchange UM server does not even log the connection.

    Bill
    Tuesday, September 29, 2009 1:27 AM
  • Looks like you have set up 2 dial-plans - one is SIP (secured) and one is telephony (unsecured most likely)

    Make sure you have (2) dial-plans for this:

    URI type for the telephony dial-plan should be  "Telephone extesion"
    URI type for the OCS UM dial-plan should be SIP_URI

    ---

    Then each one of the your dial-plans should have a UM IP-gateway defined.   One points to the FQDN of your pool and the other to the IP address of your gateway hardware.

    I usually remove the default hunt group for the UM IP-gateway and make sure the name, Dial-plan, Pilot identifier match the dial-plan in UM.


    How are your dial-plans and UM IP Gateways set up?


    Steve Hahn
    Tuesday, September 29, 2009 1:55 PM
  • Hello,

    For the dial plans I have them configured as you have described.  The results for the get-umdial plan included the following:

    UMIPGateway                       : {OCSERVER}
    URIType                           : SipName

    UMIPGateway                       : {SIPGateway}
    URIType                           : TelExtn

    Does the UMIPGateway for the OCS Dialplan have to be to the fully qualifed domain name of the Pool?  The certificate on the OCS server has both the Fully qualified domain name and the Simple name of the server in the Subject Alternative Name.

    Bill
    Tuesday, September 29, 2009 10:17 PM
  • I want to clarify somthing: The settings I was showing in the previous post were my dial plan settings. The Gatways both are configured with the full qualified domain names of my OCS Server and the Sip Gateway respectively.

    Bill
    Tuesday, September 29, 2009 10:27 PM
  • Hello,

    I did an OCS trace and I have the following error. The error sates and Outbound TLS negotaton failed.  So this is outbound from the the OCS server to exchange correct? This would appear to indicate there is a certificate error on my exchagne server or my OCS server?

    LogType: connection
    Severity: error
    Text: Outbound TLS negotiation failed
    Local-IP: 10.16.100.70:55226
    Peer-IP: 10.16.100.51:5061
    Peer-FQDN: EXCHUM1.mydomain.com
    Connection-ID: 0x26701
    Transport: TLS
    Result-Code: 0x80004005 E_FAIL
    $$end_record

    Tuesday, September 29, 2009 10:42 PM
  • Your certificate on the Exchange UM service uses this common name : EXCHUM1.mydomain.com?
    Use the Get-ExchangeCertificate to check wether you have a certificate that is enabled for UM that is not self signed and has the FQDN of the exchange server in the common name

    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Tuesday, September 29, 2009 10:53 PM
  • Hi,

    All of the certificates I am using are issued from my Windows CA. The common name on the exchange UM server is correct (I substitued a fake name for the purpose of this post).

    I have enabled the certificate for UM use on the exchange UM server.

    Bill
    Tuesday, September 29, 2009 11:35 PM
  • Hello,

    I have also imported the Certificate Chain and the CA certificate itself. Given that all of these machines are members of the same Active Directory Domain and the CA I am issuing from is a Windows Enterprise CA that should not have been necessary but I was following the OCS 2007 R2 Deploying Enterprise Voice Guide and this step was part of the setup. Domain members should implicitly trust Enterprise Root CAs correct?

    I do not have a Self signed certificate on the exchagne server.

    Bill
    Tuesday, September 29, 2009 11:40 PM
  • Couple of things. Make sure your Exchange dial plan is set to secured for talk to OCS R2, even though you say this isnt working OCS R2 requires secured to work with Exchange by defualt. Second ensure your location profile in OCS is the FQDN of the exchange UM dial plan. Example

    Exchange UM dial plan : mydialplan 
    OCS location profile : mydialplan.company.com

    Lastly, once you have completed all the steps reboot the front ends in your OCS pool. I have seen this help the first time you configure UM in an OCS pool.

    Cheers
    Chris
    http://voipnorm.blogspot.com/
    Wednesday, September 30, 2009 2:43 PM
  • Hello,

    I have verified the naming on my UM dial plan and OCS location profiles. I am still getting the following errors. Obviously there is somthing failing with the TLS negotiation. I am not sure why. I have replaced all of the certificates. I have verified all of the names (the servers the dial plans the location profiles). Exchange UM will answer using the my sipgateway directly (using its own dial plan) so the underlying UM is working. I can also make calls to the OCS server from my SIP line.

    Any suggestions.

    TL_ERROR(TF_CONNECTION) [0]0B8C.134C::09/30/2009-21:35:43.734.0000584d (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
    LogType: connection
    Severity: error
    Text: Outbound TLS negotiation failed
    Local-IP: 10.16.11.70:50167
    Peer-IP: 10.16.11.51:5061
    Peer-FQDN: EXCHANGE.mydomain.com
    Connection-ID: 0x1101
    Transport: TLS
    Result-Code: 0x80004005 E_FAIL
    $$end_record

    TL_ERROR(TF_CONNECTION) [0]0B8C.134C::09/30/2009-21:35:43.734.0000585d (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
    LogType: connection
    Severity: error
    Text: The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?
    Local-IP: 10.16.11.70:50167
    Peer-IP: 10.16.11.51:5061
    Peer-FQDN: EXCHANGE.mydomain.com
    Connection-ID: 0x1101
    Transport: TLS
    $$end_record

    TL_INFO(TF_PROTOCOL) [0]0B8C.0CC0::09/30/2009-21:35:43.742.00006d05 (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(122))$$begin_record
    Instance-Id: 00000101
    Direction: outgoing;source="local"
    Peer: 10.16.11.101:55750
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out
    From: "William T. Holmes"<sip:william@mydomain.com>;tag=4b8bd73467;epid=9eae7efce0
    To: <sip:william@mydomain.com;opaque=app:voicemail>;tag=D3F94C3893D284F53D092B347CE30EB6
    CSeq: 1 INVITE
    Call-ID: a390b9656d564caf861ae0153a542a69
    Proxy-Authentication-Info: Kerberos rspauth="602306092A864886F71201020201011100FFFFFFFF47DCE4DD6BAF26DC5E5205DF430A86AF", srand="B678DA57", snum="58", opaque="EA3AC4A4", qop="auth", targetname="sip/OCSERVER.mydomain.com", realm="SIP Communications Service"
    Via: SIP/2.0/TLS 10.16.11.101:55750;ms-received-port=55750;ms-received-cid=200
    ms-diagnostics: 2;reason="See response code and reason phrase";source="OCSERVER.mydomain.com";HRESULT="0xC3E93C69(SIPPROXY_E_CONNECTION_FAILED)"
    Content-Length: 0
    Message-Body: –
    $$end_record

    Wednesday, September 30, 2009 9:48 PM
  • Hi William,

    Take a look at this article it may help you with resolving your issues. Exchange may not be automatically using the correct certificate

    http://theucguy.wordpress.com/2009/05/19/how-to-fix-exchange-um-certificate-errors-when-integrating-with-ocs-2007/



    Cheers
    Chris
    http://voipnorm.blogspot.com/
    Thursday, October 1, 2009 5:05 AM
  • Hello,

    I read this article. I have a certificate issued by my Windows CA on both the Exchange UM server and the OCS server. But to be sure I went through the procedure of generating issuing and assigning new certicates. After doing so I restarted the both the Exchange UM and the OCS Server. I verifed in the event log on the Exchange UM server that the newly issued certificate was being loaded and not the previous certificates.

    A call from OCS to my UM still goes immediatly to a busy signal as before.


    On the OCS server I am running a trace and I still see the following:

    TL_INFO(TF_CONNECTION) [1]0B94.02CC::10/02/2009-04:04:47.409.0001ad8d (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(161))$$begin_record
    LogType: connection
    Severity: information
    Text: TLS negotiation started
    Local-IP: 10.1.84.70:50542
    Peer-IP: 10.1.84.51:5061
    Peer-FQDN: EXCHANGE.mydomain.com
    Connection-ID: 0x3B01
    Transport: TLS
    $$end_record

    TL_ERROR(TF_CONNECTION) [1]0B94.02CC::10/02/2009-04:04:47.426.0001ae43 (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
    LogType: connection
    Severity: error
    Text: Outbound TLS negotiation failed
    Local-IP: 10.1.84.70:50542
    Peer-IP: 10.1.84.51:5061
    Peer-FQDN: EXCHANGE.mydomain.com
    Connection-ID: 0x3B01
    Transport: TLS
    Result-Code: 0x80004005 E_FAIL
    $$end_record

    TL_ERROR(TF_CONNECTION) [1]0B94.02CC::10/02/2009-04:04:47.426.0001ae53 (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
    LogType: connection
    Severity: error
    Text: The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?
    Local-IP: 10.1.84.70:50542
    Peer-IP: 10.1.84.51:5061
    Peer-FQDN: EXCHANGE.mydomain.com
    Connection-ID: 0x3B01
    Transport: TLS
    $$end_record

    TL_ERROR(TF_DIAG) [1]0B94.02CC::10/02/2009-04:04:47.426.0001ae6c (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(140))$$begin_record
    LogType: diagnostic
    Severity: error
    Text: Message was not sent because the connection was closed
    SIP-Start-Line: INVITE sip:EMAIL REMOVED:5061;transport=tls;maddr=EXCHANGE.mydomain.com SIP/2.0
    SIP-Call-ID: 132a92c677a546ffb67e427e0fdd7da2
    SIP-CSeq: 1 INVITE
    Peer: EXCHANGE.mydomain.com:5061
    $$end_record

    Friday, October 2, 2009 4:09 AM
  • Does anyone else have any ideas on this? Is there a way to configure OCS without TLS?

    Thanks

    Bill
    Friday, October 2, 2009 8:56 PM
  • Hello,

    Does anyone have an Idea on this. I have installed a new UM server and reconfigured everything again with the same result. I would really appreciate any help you can offer. I am still receving the

    Text: Outbound TLS negotiation failed error

    followed by

    Text: The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?

    These messages are coming from my OCS trace logs. Is there somthing I have configure on my UC server to make it accept the OCS servers certificate?

    Bill

    Wednesday, October 7, 2009 4:28 AM
  • This still sounds like cert issues on the Exchange server.

    What do you get at an Exchange Management Console for the command:

        Get-ExchangeCertificate   

    I'm still thinking I agree with the above suggestion of checking:

    http://theucguy.wordpress.com/2009/05/19/how-to-fix-exchange-um-certificate-errors-when-integrating-with-ocs-2007/

    Cheers.


    Steve Hahn
    Wednesday, October 7, 2009 1:50 PM
  • Hi,

    I went throught this again but still not luck. I have verified everything that is docuemented. Is there a particular way other than what is documented in this and other articles about creating the certificates.

    Thanks


    Bill
    Thursday, October 8, 2009 2:32 AM