Not getting AV on consolidated edge R2 with NAT

  • Question

  • Hi!

    We have deployed OCS 2007 R2, and for the edge server we are using a single external IP address behind a NAT. The NAT option is selected in the A/V edge interface properties.

    IM is working fine with external users, but we are getting problems with AV. No errors are dumped in event viewer.

    Communicator throws an error saying: "Some calls to and from outside of your corporate network may not connect to server connectivity problems".

    When trying to make the AV call, Communicator says "Answering Call", then suddenly it stops with this error: "The call was disconnected because Víctor Fernández stopped receiving audio. Please try the call again."

    Tests I've made:
    - All ports are open, and tested connection with telnet, from outside and between ocs servers.
    - Internal-to-internal AV works.
    - External-to-external AV works (on the same network).

    I've made a debug session with SIP and S4 with all flags. Analyzing with Snooper, everything seems OK: SIP responses with OK to petitions and a BYE petition when the call is disconnected.

    All the posts I've seen talk about checking open ports and having the AV on a public IP, but the ports are OK and R2 supports AV behind NAT.

    Any clue out there? If you require more information just ask for it! Thank you!!

    Marc Rabell Systems Engineer Raona Enginyers
    Wednesday, February 11, 2009 12:13 PM

Answers

  • Finally today we have found the problem.

    OCS 2007 R2 Edge must be installed with regional settings set to English (United States), otherwise the pool server can't correctly authenticate the edge server.

    Joachim Farla explains it well in this post: http://unified-communications.blogspot.com/2009/01/ocs-2007-r2-and-localization.html

    Hope this helps someone!

    Marc Rabell Systems Engineer Raona Enginyers
    • Marked as answer by Marc Rabell Thursday, March 19, 2009 5:26 PM
    • Marked as answer by Marc Rabell Friday, March 20, 2009 8:39 AM
    Tuesday, March 10, 2009 2:59 PM

All replies

  • I've seen the error on the client pc in event viewer:

    A SIP request made by Communicator failed in an unexpected manner (status code 0). More information is contained in the following technical data:

    RequestUri:   sip:xx.xx@xxx.com;opaque=user:epid:jf7tBXhjRFuGhvgknx6NJAAA;gruu
    From:         sip:marc.rabell@xxx.com;tag=da9cb066a6
    To:           sip:xx.xx@xxx.com;tag=641d5e339a
    Call-ID:      273ce9ce8ca3467b9b41970e6ee1372d
    Content-type: application/sdp;call-type=audiovideo

    (null)

    Response Data:

    180  Ringing

    0  (null)
    Ms-client-diagnostics:  52031; reason="Call terminated on media connectivity failure"

    Resolution:
    If this error continues to occur, please contact your network administrator. The network administrator can use a tool like winerror.exe from the Windows Resource Kit or lcserror.exe from the Office Communications Server Resource Kit in order to interpret any error codes listed above.

    I can't find where the connectivity failure is.

    Marc Rabell Systems Engineer Raona Enginyers
    • Edited by Marc Rabell Wednesday, February 11, 2009 4:21 PM
    Wednesday, February 11, 2009 12:35 PM
  • Marc,

    You said that you tested everything via telnet but it's not possible to test UDP ports this way, especially since the port is negotiated via SDP at the time the call is made.  Can you run a netmon and ensure that you are receiving the UDP RTP stream from the external user?  My suspicion is that you are not.
    Mike Stacy | Evangelyze Communications | http://www.evangelyze.net/cs/blogs/mike
    Wednesday, February 11, 2009 1:38 PM
    Moderator
  • Marc,

    What are you using for an external perimeter firewall, and does it support configuring DNAT and SNAT separately on incoming/outgoing traffic?  The R2 support for NAT on A/V Edge is specific to a consolidated Edge server only, and it's also recommended to have a dedicated IP address for A/V Edge. Are you using the same NAT'd IP for all three Edge roles by chance?

    Here's an excerpt from the help documentation describing the configuration requirement:

    If you do so, configure the NAT as a destination network address translation (DNAT) for inbound traffic—in other words, configure any firewall filter used for traffic from the Internet to the Edge Server with DNAT, and configure any firewall filter for traffic going from the Edge Server to the Internet (outbound traffic) as a source network address translation (SNAT). The inbound and outbound filters must map to the same public IP address and the same private IP address, as shown in Figure 1.

    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, February 11, 2009 2:18 PM
    Moderator
  • Mike,

    I'm waiting for an external peer to look for udp traffic on the server.

    Jeff,

    I'm using a Linksys router for the external connection. I can't separate DNAT and SNAT; I can only enable NAT for the WAN connection. It seems it's doing SNAT for traffic going to the Internet, and DNAT is configured with port mapping on the needed ports on the server. I understand that would make the trick.

    And yes, I'm using the same IP on the server; the edge is configured to listen on different ports for each service that was using 443.

    Marc Rabell Systems Engineer Raona Enginyers
    Wednesday, February 11, 2009 3:26 PM
  • I'm not getting any UDP traffic on the external IP. The firewall has the UDP ports mapped to the edge server... I don't know what this means; if Communicator answers the call, some UDP traffic should arrive from one side or another... do you know any way to test UDP ports?

    Marc Rabell Systems Engineer Raona Enginyers
    Wednesday, February 11, 2009 4:18 PM
  • I've just tested whether UDP traffic was coming through, and it was. So it seems that for some reason there's no UDP traffic generated from Communicator clients... any idea?

    If both sides are talking SIP normally, I don't understand why they can't talk UDP on STUN or on the media range...

    Marc Rabell Systems Engineer Raona Enginyers
    Wednesday, February 11, 2009 4:35 PM
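    Mike's remark that telnet cannot exercise UDP, and Marc's question about how to test UDP ports and STUN, invite an added example (this is not code from the thread or from OCS): a small RFC 5389 STUN Binding Request client plus a matching responder, so a forwarded UDP port can be checked end to end and the reply shows which source address the far side observed (the NAT's public address, or a private LAN address). Assumptions: plain RFC 5389 rather than the older STUN dialect OCS 2007 R2 itself uses, and a loopback self-test in which one socket plays both roles so the round trip runs offline.

```python
import os
import socket
import struct
MAGIC, BINDING_REQUEST, BINDING_SUCCESS, XOR_MAPPED = 0x2112A442, 0x0001, 0x0101, 0x0020

def binding_request(txn_id):
    # 20-byte STUN header: type, attribute length 0, RFC 5389 magic cookie, 96-bit id
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC) + txn_id

def binding_success(txn_id, ip, port):
    # Success response carrying XOR-MAPPED-ADDRESS for the source the responder saw
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC
    attr = struct.pack("!HHBBHI", XOR_MAPPED, 8, 0, 1, port ^ (MAGIC >> 16), xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC) + txn_id + attr

def parse_success(data, txn_id):
    # Return (ip, port) the responder observed, or None for a foreign/malformed reply
    head_ok = len(data) >= 20 and struct.unpack("!HHI", data[:8])[::2] == (BINDING_SUCCESS, MAGIC)
    if not head_ok or data[8:20] != txn_id:  # must be a success echoing our transaction id
        return None
    pos, end = 20, min(len(data), 20 + struct.unpack("!H", data[2:4])[0])
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        if atype == XOR_MAPPED and alen == 8 and data[pos + 5] == 1:  # IPv4 family
            xport, xaddr = struct.unpack("!HI", data[pos + 6:pos + 12])
            return socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC)), xport ^ (MAGIC >> 16)
        pos += 4 + (alen + 3) // 4 * 4  # attribute values are padded to 32-bit boundaries
    return None

def stun_probe(host, port, timeout=2.0):
    # Send one Binding Request over UDP; None means nothing usable came back in time
    txn_id = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(binding_request(txn_id), (host, port))
        try:
            return parse_success(s.recvfrom(1024)[0], txn_id)
        except OSError:  # timeout, or ICMP port unreachable surfaced as an error
            return None

def loopback_selftest():
    # One UDP socket on 127.0.0.1 plays both prober and responder by talking to itself
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        s.settimeout(2.0)
        txn_id = os.urandom(12)
        s.sendto(binding_request(txn_id), s.getsockname())  # prober sends request
        data, addr = s.recvfrom(1024)                       # responder reads it
        s.sendto(binding_success(data[8:20], *addr), addr)  # responder answers
        return parse_success(s.recvfrom(1024)[0], txn_id)   # prober decodes reply
```

    Run the responder half on the inside of the NAT and `stun_probe` from outside: a None result means the UDP forward itself is broken, while a private address in the reply means the mapping is not rewriting the way the DNAT/SNAT excerpt above requires.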
  • Marc,

    What I would personally do is give each Edge role its own dedicated IP address and reset all external roles to using default TCP/UDP ports.  Using a single external IP address for a consolidated Edge server has always been a huge pain and almost never ends in success.  I have seen a few people get it working, but if you are able to use a private IP range then I see no reason to complicate the configuration by jamming everything on 1 IP address.  While it was common for users to try and colocate on a single IP when using limited public IPs, unless you have some very small subnetwork mask on the external segment, adding 3 private IPs instead of 1 to the external Edge roles should be a non-issue.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, February 11, 2009 4:42 PM
    Moderator
  • I can use as many private IP addresses as I need; the problem is that my gateway has to forward from 1 public IP address, so ports have to be different from the defaults.

    Now, I've configured my gateway to forward all traffic to a DMZ server, in my case a single ip address in edge server and different ports. AV server listens on 443 as per default.

    Well, no traffic is sent apart from IM traffic to the server... no udp traffic when trying voice... nothing...

    I don't understand how Communicator is telling me that it has "limited external calling"; how does it know?? I'm thinking that it is something between the OCS edge and my internal OCS server... what do you think?

    Marc Rabell Systems Engineer Raona Enginyers
    Wednesday, February 11, 2009 5:59 PM
  • Ok I think I've got something... After sniffing all the traffic from point to point....

    When I call someone, my computer starts to send UDP packets with a STUN binding request. The problem is that the source address is my private IP address and the destination is an IP from my company's private range where my peer resides... At this point, I don't know where the error is. The configuration seems fine, but clients try to communicate with each other over private IPs...

    Any idea of what can I check now?

    Thanks

    Marc Rabell Systems Engineer Raona Enginyers
    Thursday, February 12, 2009 3:15 PM
  • Hi Marc,

    I found this to be the case as well and called Microsoft PSS about it a few weeks back. Our issue had to do with the fact that we had a private IP listed in DNS and the Edge server was resolving its own external A/V interface to the private IP.

    I'm assuming you have split-horizon DNS here? If this is the case, check your internal DNS zone for any records matching the FQDN of your public IP (NAT'd to your A/V edge). In my case ours was 'ocsav.contoso.com' and we had an A record sitting in local DNS which resolved to the wrong IP.

    Hope this helps. Your symptoms are exactly what we've found as well and this was our fix.

    Cheers!

    Jason
    Infrastructure Architect
    Tuesday, February 24, 2009 2:23 PM
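    Jason's fix above (an internal A record handing the A/V edge's external FQDN a private address) can be turned into a repeatable check; the Python below is an added example, not from the thread, meant to run on the Edge server and on an internal client. The FQDN and public IP in EXPECTED are constructed placeholders (203.0.113.0/24 is a documentation range), and only RFC 1918 ranges are treated as private so that those placeholders are not misclassified.

```python
import ipaddress
import socket

# RFC 1918 ranges: a public-facing A/V edge FQDN must never resolve into one of these
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed placeholders, not the thread's real name or address: the external A/V
# edge FQDN and the public IP the NAT presents for it (203.0.113.0/24 is a doc range)
EXPECTED = {"ocsav.contoso.com": "203.0.113.10"}

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def resolve_all(fqdn):
    # Every A record the host's configured resolver returns ([] on NXDOMAIN or failure)
    try:
        return socket.gethostbyname_ex(fqdn)[2]
    except socket.gaierror:
        return []

def audit_edge_dns(expected, resolve=resolve_all):
    # Each (fqdn, addr, reason) finding is a record that would steer media setup to the
    # wrong address; a resolver can be injected so the check runs against fixed data
    findings = []
    for fqdn, public_ip in expected.items():
        answers = resolve(fqdn)
        if not answers:
            findings.append((fqdn, None, "no A record: nothing resolves the A/V edge name"))
        for addr in answers:
            if is_rfc1918(addr):
                findings.append((fqdn, addr, "private address: stale split-horizon record"))
            elif addr != public_ip:
                findings.append((fqdn, addr, "unexpected address: does not match NAT public IP"))
    return findings

if __name__ == "__main__":
    for fqdn, addr, reason in audit_edge_dns(EXPECTED):
        print(f"{fqdn} -> {addr}: {reason}")
```

    An empty result on both the Edge server and an internal client means the name resolves only to the public NAT address from every vantage point, which is the state Jason describes as the fix.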
  • Thanks Joachim, the change of localization solved my problem. Still there is another problem left:
    Communicator could not retrieve calendar or Out of Office information from Exchange web services.
    Communicator will automatically continue to retry.... contact your system administrator

    Any idea of what I may check now?

    Cheers!

    Henrik Börjesson, System Engineer
    Wednesday, May 13, 2009 12:33 AM