locked
Internal next hop error RRS feed

  • Question

  •  

    Hi guys,

     

    i am setting up a Edge server but i am getting an error at Internal next hop. The error is as followed :

     

    DNS resolution succeeded: 10.10.80.22

    TLS connect failed due to incorrect remote subject name: 10.10.80.22:5061 Error Code: 0x80090322 outgoing TLS negotiation failed; HRESULT = -2146893022.

     

     

    The OCS 2007 has the following network addresses:

     

    IP: 10.10.80.22

    Sub: 255.255.0.0

     

    The Edge server has 2 interfaces:

     

    Internal:

     

    IP: 10.10.80.33

    Sub: 255.255.0.0

     

    DMZ:

     

    IP: 192.168.10.101

    Sub: 255.255.255.0

     

    I am thinking that it is the certificate, but i am not sure. Does anyone have a idea ? 

    Wednesday, January 2, 2008 9:48 AM

All replies

  • Judging by the "TLS connect failed" and "subject name" strings in that error, I'd agree that it is certificate related.

     

    Does the certificate's subject name on your front-end server match that of the server's FQDN?  Assuming your Edge server is not a member of your internal domain, have you exported the internal CA's root certificate to your Edge server?

     

    Wednesday, January 2, 2008 11:42 PM
    Moderator
  • Hi Jeff,

     

    Yes it does, and my Edge server is a part of my domain.

    Monday, January 7, 2008 7:28 AM
  • Hi,

    MS recommends that your edge server be a member of a workgroup rather than a domain. This probably isn't the heart of your issue, but it might help clear things up a bit if you deactivated (through the OCS admin console) the Edge server in your domain and rebuilt it in a workgroup.

     

    Are you using standard or enterprise? When you are using enterprise, the next hop needs to be the pool name rather than the server name. If it is standard, then you don't need to worry about this.

     

    The other thing to doublecheck is that you have used the FQDN in all of the OCS setup steps (rather than the IP address). If you've entered the IP address rather than the FQDN when it asks for "internal next hop" you'll see similar errors to what you've posted.

     

    Lastly, on your edge server, have you configured a static route so that it can route to both the 10.X.X.X networks and the 192.168.X.X networks? If not, this could cause some routing trouble.

     

    Regards,

    Matt

     

    Monday, January 7, 2008 5:58 PM
  • Hi Matt,

     

    I checked all this and everything is set up correct except for the certificates i guess..

     

    the weird thing is:

     

    Server a = OCS 2007 Ent edition

    Server b = Edge server

     

    When i create a certificate on server a with the server name as subject, my clients will not be able to log in by auto discovery. If i change the settings to manual and fill in the server the clients DO connect and then the EDGE test gives no failures.

     

    So i am sure that it is something with the certificates but i dont know where i went wrong... 

    Wednesday, January 9, 2008 9:16 AM
  •  

    We had this same problem.  Ran the validation and came up with the error you had.  Ran a packet trace from our firewall between the DMZ and Internal.  The trace showed that the traffice was originating from our outside NIC not the inside NIC like it was supposed to.  In our case it turned out this was a bug with the validation application as we were successfully able to connect to OCS from outside of our network.  Validation still shows the error.  But OCS is working normally.
    Wednesday, January 9, 2008 4:08 PM
  • You aren't, by chance, using one NIC with 2 IPs bound to it, are you? I've also seen this happen where traffic gets generated from the wrong IP when you're using 1 NIC 2/ multiple IPs bound to it.

     

    Matt

     

     

    Wednesday, January 9, 2008 6:06 PM
  • Here's a little background on the issue Matt is talking about.

    Wednesday, January 9, 2008 6:54 PM
    Moderator
  •  

    Hi,

     

    no i am not. I will just run some other tests, and maybe i can try to renew the certificate..

    Will let you know!
    Monday, January 14, 2008 7:05 AM