Sep 15

CUCM and CUC LDAP Sync Error, null

Recently I tried to connect to a customer’s Active Directory server to sync users and groups as per normal. However, on this occasion I received an “Error While connecting to LDAP… , null”. I tried entering a different password to see if I was actually getting into the LDAP server, and I received a username/password error. I also tried changing the port to 3268, as the Domain Controller I was trying to access was also a Global Catalog server. However, I received the same null error.


I started digging around and found two things. The Domain Controller had been moved to another general OU and was not sitting in the default Domain Controllers OU, where the Domain Controllers GPO could be applied; surely this can’t be right. The GPO being applied to the Domain Controller had a few Security Options manually configured; the one I was interested in was “Domain Controller: LDAP server signing requirements”, which had been configured to “Require Signing”. Why this had been manually configured, I have no idea.

I had the Domain Controller object moved back into the Domain Controllers OU. The Default Domain Controllers GPO had the above setting defined as NONE. This was the default setting.


After forcing the update with GPUPDATE /FORCE, then logging off and back on... Voilà! I could now sync my CUCM and CUC servers to the Active Directory OU structure.

Also check the local security policy (gpedit.msc) on the Domain Controller to confirm the above setting is being applied; as it was greyed out, this meant the governing GPO had been pushed down.


Jul 20

Cisco’s Conference Now

Conference Now is new to Cisco Collaboration starting from release 11. The old Meet Me conference in CUCM (still exists by the way in version 11) didn’t meet the audio conferencing needs for many organisations, especially around security and having that conference menu and feel. Hacks had to be put in place, which typically involved UCCX scripting.

The Conference Now feature strongly competes with many of the audio conferencing bridges in the marketplace and, best of all, this feature is standard with CUCM, so no additional licensing is required. The Conference Now feature includes a standard single Meeting Phone Number while allowing multiple Meetings to be hosted simultaneously without the risk of barging into an uninvited meeting room. The Host can choose their own Attendee Access Code as well, giving control to the user and not relying on IT Administrators to make these simple changes. The Conference Now feature also includes a lobby room, where attendees can listen to selected music while they wait for the Host to join the meeting. This is a great enhancement for the Cisco UC platform.

Configuring Conference Now

Conference Now uses the IVR media resources in CUCM. As we know Media Resources are enabled by activating the Cisco IP Voice Media Streaming App. Usually, you will enable this service as one of the first tasks you undertake when configuring a new CUCM build.

Additional info: you can disable/enable the IVR media resource by navigating to the Service Parameters -> Cisco IP Voice Media Streaming App configuration window. Simply change the “Run Flag” setting.


So now, we should be seeing the IVR media resources successfully registered.

Next is to configure the Conference Now Meeting Number. This is found under Call Routing -> Conference Now. Assign a DN and Partition. This page also allows two parameters to be modified: Music on Hold and Maximum Wait Time (default 15 mins).

Allowing access to host conferences is configured via the End User page. The Meeting Number is populated by the Self-Service User ID. Then check the “Enable End User to Host Conference Now” checkbox and allocate an Attendees Access Code. (The user can change this later.)

I’ve also captured the PIN field for the end user; the PIN field is used by the Host to unlock the Meeting Room. I strongly recommend the PIN and Access Code be at least 8 digits in length.

The end user can now call into the Meeting Room phone number and follow the prompts to start a Conference. Attendees will be able to dial in anytime and join a meeting room, providing they know the Meeting Room ID and Access Code. If the Host has not joined the meeting within 15 minutes (default) the attendees will be disconnected from the lobby area.

Self Administering the Conference Settings.

Users can change the Meeting Room Access Code at any time, using the Self Care Portal. The URL is https://cucm_ip_address_or_hostname/ucmuser

Navigate to General Settings, then scroll to the bottom of the page where you will find the Conference Now Settings.

Modifying Announcements

For those Administrators who feel the need to tinker with the default Conference Now announcements, all the announcements are located under the Media Resources -> Announcements menu. Click on the required announcement and either upload a new wav file or select an existing audio file to use.


Jul 10

Mobile Voice Access (MVA) – Setup Start to Finish

Mobile Voice Access (MVA) essentially allows authorised users to relay or bounce calls off a CUCM Cluster toward the PSTN. The benefit is that the user’s calling number is masked by his/her office extension/DID phone number. MVA coupled with Single Number Reach (SNR) also allows the called party to return the call to the masked office extension/DID phone number; the CUCM Cluster will then route the call to the mobile (SNR Destination).

User Requirements

1. Ensure the source PSTN phone is configured as a Remote Destination in CUCM.
2. The User PIN is known.
3. Mobile Voice Access is enabled for the User.

The workings of MVA

1. A call is placed from a mobile phone to the configured MVA Phone Number (0255551234).
2. This will match a pots dialpeer. This pots dialpeer will be associated to the MVA Service on the Cisco ISR.
3. The MVA service initiates the MVA IVR on CUCM. If the mobile phone number matches a remote destination, the IVR will prompt you for a PIN.
4. Once authenticated, the user will have the option to dial a number. (Generally this is option 1, followed by the PSTN number.)
5. CUCM now requests that the Cisco ISR forward the call to the MVA phone number (extension 1234). If the Cisco ISR doesn’t have a dialpeer matching this MVA extension, the call will simply disconnect.
6. If the dialpeer matches the MVA extension, the call is forwarded. In debugs, you will see the called number being the MVA extension, with a diversion header containing the PSTN number the user called via the MVA IVR menu.
7. The Remote Destination Profile must have access to the called PSTN number. This is the DEVICE CSS field. The REROUTING CSS field is used for SNR.
8. When using SIP and the Cisco ISR is a CUBE, ensure the source interface is known to the CUCM Cluster.

Configuring MVA

CUCM side Configuration

Let’s go through and set some of the Service Parameters.

Service Parameters -> Cisco CallManager -> Clusterwide Parameters (System – Mobility)

Enable Mobile Voice Access = “True”
Mobile Voice Access Number = “1234”
Matching Caller ID with Remote Destination = “Partial Match”
Number of Digits for Caller ID Partial Match = “7”
System Remote Access Blocked Numbers = “0000, 000” (OPTIONAL)

Media Resources -> Mobile Voice Access

Mobile Voice Access Directory Number = “1234”
Mobile Voice Access Partition = “AU_PHONE_PT”
Selected Locales = “English United States”

User Management -> End User

Enable Mobility = “Checked”
Enable Mobile Voice Access = “Checked”

Device -> Device Settings -> Remote Destination Profile

Create a new Remote Destination Profile and complete the required fields. Important to note are the Calling Search Space and the User ID field. The Line number should reflect the same extension as the User’s office extension. (Essentially this is a shared line setup.)

Device -> Remote Destination

Create a new Remote Destination and associate it to the Line configured on the Remote Destination Profile. Ensure the Destination Number is in the correct format, as you would dial the number from an internal extension. As you can see, I have prefixed a ‘0’ to cater for my PSTN Access Code.

Cisco IOS Side

Steps are to configure the Application/Service. Then create two dialpeers, one for inbound and the second for outbound.

application
  service mva http://10.10.10.1:8080/ccmivr/pages/IVRMainpage.vxml

dial-peer voice 10 pots
  description ** MVA IVR **
  service mva
  direct-inward-dial
  incoming called-number 0255551234$

dial-peer voice 100 voip
  description ** CUCM MVA **
  destination-pattern 1234
  session protocol sipv2
  session target ipv4:10.10.10.1
  voice-class sip bind control source-interface FastEthernet0/0
  voice-class sip bind media source-interface FastEthernet0/0
  dtmf-relay rtp-nte
  voice-class codec 6
  no vad

NOTE: Don’t forget to check if the Mobile Voice Access service has been activated under Unified Serviceability. This service is not included in the “Set Default” services button, so you will have to manually click on the service radio button and activate.

Jun 30

Jabber – Cannot Communicate with Server

Deploying Cisco Jabber (MRA) to a CUCM Cluster can sometimes have its pitfalls, especially when the firewall is managed by a third-party vendor. Although the all too common error message “Cannot Communicate with Server” can be frustrating to troubleshoot, the devil lies in the details. These details can also be very useful when you need to provide debug reports to third-party firewall vendors to investigate further on your behalf.

1st step is to view the Jabber log file. This can be a long file from which to extract the key bits of information you’re after. One idea is just to find the “cannot communicate” error message, then work backwards through the log file from there.

2nd step is to open a Wireshark session and attempt a Jabber connection. This provides key details about the connection process and is very useful to pass on to the third-party firewall vendor. Analysing the packets will give you insights into the login process, from the DNS SRV query to attempting connections to CUCM and Presence servers.

In the below example, I had to troubleshoot the “Cannot Communicate with Server” error message. This turned out to be an inbound Firewall Port issue. The vendor did not open TCP 5222 from Public to the Expressway-E device. I had to send the vendor this packet capture as evidence to investigate further into the issue. I’ve also included the error messages in the Jabber log file to complete the picture. TCP Port 5222 is used for the XMPP connection to the Presence Server.

Putting the packet capture and the Jabber log together gives you a full picture of exactly where Jabber is failing in the connection process.
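As an added example (not part of the original post): a small Python check that attempts the TCP handshake toward the Expressway-E on 5222 and reports whether the port is open, refused, or silently dropped, which is handy evidence to send with the packet capture. The hostname is a placeholder and the function names are made up for this illustration.

```python
import socket

# Placeholder name (assumption): replace with the public name of your Expressway-E.
EXPRESSWAY_E = "expressway-e.example.com"
XMPP_PORT = 5222  # XMPP port named in the post


def probe_tcp(host, port, timeout=3.0):
    """Attempt a TCP handshake and classify the outcome.

    open     - handshake completed, something is listening
    refused  - a reset came back: the path works but nothing listens
    filtered - no reply before the timeout, typical of a firewall drop
    dns      - the name did not resolve
    error    - any other OS-level failure (for example, no route)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "dns"
    except OSError:
        return "error"


def report(host, ports, timeout=3.0):
    """Return {port: state} for each port, ready to paste into a ticket."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Run from a network outside the firewall, as an external Jabber client would.
    for port, state in report(EXPRESSWAY_E, [XMPP_PORT]).items():
        print(f"{EXPRESSWAY_E} tcp/{port}: {state}")
```

A result of "filtered" lines up with repeated SYN retransmissions and no reply in the Wireshark capture.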


Jun 20

Wireshark – Cannot See Outbound Packets.

I installed Wireshark 2.02 on my Windows 10 laptop, all good. However, I was actively troubleshooting a customer issue when I realised I couldn’t see my outbound packets. I could only see inbound packets. Same behaviour for both my Ethernet and wireless connections. I found I had to disable the “DNE Light Weight Filter” on the network adapter, for both my Ethernet and wireless adapters.


May 25

Calabrio QM / AQM Certificates

Certificates are a part of every UC install these days, even more so now with the introduction of Finesse and third-party gadgets. I recently had to install a certificate for the Calabrio AQM Server. Rather than have you dig through their guides, I’ve listed the commands you’ll need below. Have fun.

1. Create the certificate signing request.

"C:\Program Files\Cisco\WFO_QM\Java\bin\keytool.exe" -keystore "C:\Program Files\Common Files\QM\config\.keystore" -storepass C@labr1o -certreq -alias jetty -file jetty.csr -ext san=dns:tg2aqm10.topgun2.uplinx

2. Install the CA Root or Chain Certificates.

"C:\Program Files\Cisco\WFO_QM\Java\bin\keytool.exe" -keystore "C:\Program Files\Common Files\QM\config\.keystore" -storepass C@labr1o -importcert -trustcacerts -alias TG2PDC -file root-cer.cer

3. Install the signed certificate for the AQM Server.

"C:\Program Files\Cisco\WFO_QM\Java\bin\keytool.exe" -keystore "C:\Program Files\Common Files\QM\config\.keystore" -storepass C@labr1o -importcert -alias jetty -file jetty.cer

May 15

Fax Not Answering on ATA190

I came across a fax issue with an ATA190 device. The issue was the fax machine wouldn’t answer any calls. I could see the ATA190 would be in a ‘ringing’ state, however the fax machine wouldn’t budge. The calling endpoint would just ring out.

Checking the settings on the ATA190 as per below, the Ring Voltage was set to 85 V and the Ring Frequency was set to 20 Hz.

All that needed to be done in this case was to adjust both the Ring Voltage and Ring Frequency for the fax machine to be compatible and pick up the incoming call. Thank you TAC.

On ATA190 web GUI, navigate to Voice -> Regional -> Ring and Call Waiting Tone Spec

Modify the below values, save the configuration, then reboot the ATA190 device.

Ring Voltage : 70V
Ring Frequency : 25 Hz

May 06

Cisco IPSEC VPN Client for Windows 10 – Painful Experience

As most of you know, the Cisco IPSEC VPN Client is not officially supported on Windows 8+. I have Windows 10, which puts me in the not so friendly basket. After googling this, there is a raft of blogs and websites advising you to install additional components and modify registry settings, not all of which are proven. I finally found a sequence that worked for me... AND successfully connected to customer sites.

First thing is to get around this virtual adapter filter thing that doesn’t get installed with Windows 10.. The SonicWall VPN Client however does install the ‘DNE Lightweight filter network client’. Beautiful.. Job done.

Link to Sonicwall website for vpn client. http://help.mysonicwall.com/applications/vpnclient/

If the above link is not available and you cannot find it anyway.. Ping me and I’ll email it to you.

Right. Let’s install the Cisco IPSEC VPN Client now... No wait, another error: ‘This software doesn’t support Windows 10’, great. To get around this one, extract the install files and manually run the .msi file. Job done.

Now the client is installed and we are away and running. Try to connect to a customer site and, lo and behold, another error: ‘Secure VPN Connection terminated locally by the client. Reason 442: Failed to enable Virtual Adapter.’ We are getting closer though, right?

Here comes the infamous registry change. Now I’ll add the general blurb that everyone would say: ‘Backup your registry settings in case you absolutely blunder this change’. Now let’s get started.

Open the registry and go to HKLM\SYSTEM\CurrentControlSet\Services\CVirtA, then look for the value ‘DisplayName’. We want to modify this value from something like ‘@oem47.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows’ to ‘Cisco Systems VPN Adapter for 64-bit Windows’ (screen shot below of change).


Now open the VPN Client again and try connecting to a customer site. Voilà! Job is now done. Thanks Internet.