Can't talk to external federation user

Hi,

I've got a working Lync deployment that's been running for a while with no issues.

I have just tried to set up federation access and I have enabled all the options in External Access Policy and Access Edge configuration.

My certificates are publicly certified and the online OCS test tool gives me a green result.

My DNS srv records are also ok (you can check - domain is iwsbeta.beta.co.uk)

However if I try to add an external user in Lync (that has a working federation configuration) I get presence unknown.

When I try to chat to the user I don't see anything hitting the edge server logs but on the front end server I am seeing the following error in the snooping tool

$$begin_record
LogType: diagnostic
Severity: warning
Text: Non-trusted source sent an FQDN/IP that doesn't match a routing table rule
Result-Code: 0xc3e93c5e SIPPROXY_E_ROUTING
SIP-Start-Line: ACK sip:user@externaldomain.com SIP/2.0
SIP-Call-ID: d8e90558fb5940c08a4bb0999c2d97bd
SIP-CSeq: 1 ACK
Data: user="user@externaldomain.com"
$$end_record

And then

TL_INFO(TF_PROTOCOL) [1]0C70.1370::03/13/2012-23:09:48.953.00003664 (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(125))$$begin_record
Trace-Correlation-Id: 2566416163
Instance-Id: 00000491
Direction: outgoing;source="local"
Peer: 192.168.9.27:56512
Message-Type: response
Start-Line: SIP/2.0 404 Not Found
From: "Daniel Niasoff"<sip:daniel.niasoff@iwsbeta.co.uk>;tag=570954e9b0;epid=e64c8308f5
To: <sip:user@externaldomain.com>;tag=463944CA0A7A35EC34FC687DA6157810
CSeq: 1 INVITE
Call-ID: d8e90558fb5940c08a4bb0999c2d97bd
Authentication-Info: TLS-DSK qop="auth", opaque="55B167BF", srand="3DC835EC", snum="22", rspauth="f3686ecb7e31bc17793da93a82af21163001fefb", targetname="Dc01BetaLync.iwsbeta.co.uk", realm="SIP Communications Service", version=4
Via: SIP/2.0/TLS 192.168.9.27:56512;ms-received-port=56512;ms-received-cid=2700
ms-diagnostics: 1003;reason="User does not exist";TargetUri="user@externaldomain.com";source="Dc01BetaLync.iwsbeta.co.uk"
Server: RTC/4.0
Content-Length: 0
Message-Body:
$$end_record

I have nothing in my static routing table as you can see

PS C:\Users\lyncadministrator> Get-CsStaticRoutingConfiguration

Identity : Global
Route    : {}

The only routes I have are for enterprise voice and they just match all numbers (^(\d*)$) and route to an external sip trunk.

It doesn't appear to even be looking up the federated partner's address?

Any ideas?

Thanks 

Daniel

March 14th, 2012 3:44am

Hi Daniel,

Is your Edge Server correctly associated with your Front End pool? Are there any errors in the Lync Server log on the Front End server?

March 14th, 2012 2:43pm

Hi Justin

The edge server receives the SIP request from the external Lync client and routes it to the director. The director then routes it to the front-end server. The front-end server then generates the warning "Non-trusted source sent an FQDN/IP that doesn't match a routing table rule" and then forwards out a

Message-Type: response
Start-Line: SIP/2.0 404 Not Found

So the error seems to be generated by the front end server.

And yes, the edge server is functioning ok and is properly connected to the front end pool

I just set up mobility and tested push-sync, and that tests end-to-end connectivity through edge.

PS C:\Users\lynadministrator> Test-CsFederatedPartner -TargetFqdn lyncedge.iwsbeta.co.uk -Domain push.lync.com -ProxyFqdn sipfed.online.lync.com


TargetFqdn : lyncedge.iwsbeta.co.uk
Result     : Success
Latency    : 00:00:00
Error      :
Diagnosis  :

And that seems to work out ok.

Thanks

Daniel

March 14th, 2012 6:24pm

Are you sure the SIP URI you're attempting to federate with is correct? The SIP 404 Not Found error suggests that the URI doesn't exist on the other end.

Also re: your static routing configuration, this doesn't apply to Edge Server connectivity/federation.

Are you seeing the same SIP errors on the Director or only on the Front End?

March 14th, 2012 6:43pm

Hi,

If the problem occurs when you add your federated partner contacts, you need to run the Test-CsFederatedPartner like this:

PS C:\Users\lynadministrator> Test-CsFederatedPartner -TargetFqdn lyncedge.iwsbeta.co.uk -Domain <federated partner's domain>

Please make sure all the necessary ports are opened on the Lync FE server and Edge server. Please refer to the following article about the ports:

http://technet.microsoft.com/en-us/library/gg399001.aspx

You also need to get in touch with your federated partner and let their Lync admin check that the configuration is OK on their Lync servers.

March 16th, 2012 9:11am

Hi

Thanks for your answers.

I had an issue with my edge certificate which has been resolved now

If I try Test-CsFederatedPartner it works OK, but I cannot federate with any user outside my organisation; all I get is "Non-trusted source sent an FQDN/IP that doesn't match a routing table rule" with no attempts to talk to the other party's edge server. So if I debug SIPSTACK on edge I won't see any SIP requests.

Incidentally, I am trying to set up Lync to support mobility, but when I try Test-CsMcxP2PIM I get the following error

-------------------------------------------------------------------------------

Error      : Unknown error (0x80131500)
             Inner Exception:Peer disconnected while outbound capabilities negotiation was in progress
             Inner Exception:An existing connection was forcibly closed by the remote host

Diagnosis  :

VERBOSE: 'STActivity' activity started.
Starting STS Uri Discovery...
ERROR getting STS Uri.
'STActivity' activity started.
Starting STS Uri Discovery...
ERROR getting STS Uri.
-------------------------------------------------------------------------------

And on the edge server I can see

-------------------------------------------------------------------------------
TL_ERROR(TF_CONNECTION) [0]0730.12E4::03/19/2012-12:50:09.941.0000974d (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(160))$$begin_record
LogType: connection
Severity: error
Text: The client connection is not allowed on the internal edge of the Access Edge Server
Peer-IP: 192.168.9.19:53615
Transport: TLS
Result-Code: 0xc3e93d6b SIPPROXY_E_CONNECTION_INTERNAL_FROM_CLIENT
$$end_record
-------------------------------------------------------------------------------

Not sure if it's related.

My topology is fine and was designed by the Lync Server Planning Tool. Also, web meetings and external Enterprise Voice for external users currently work without any issues.

Thanks

Daniel

March 19th, 2012 4:09pm

Hi,

If you did not allow the federated domain in the Lync Server Control Panel, you will get this error: "Non-trusted source sent an FQDN/IP that doesn't match a routing table rule". So please make sure you have allowed this domain in the Lync Server Control Panel and that replication works correctly between the Lync FE server and the Lync Edge server.

March 20th, 2012 1:11pm

Hi,

We have open federation

Get-CsExternalAccessPolicy
Identity                          : Global
Description                       :
EnableFederationAccess            : True
EnablePublicCloudAccess           : True
EnablePublicCloudAudioVideoAccess : False
EnableOutsideAccess               : True

And also 

Get-CsAccessEdgeConfiguration

Identity                               : Global
AllowAnonymousUsers                    : True
AllowFederatedUsers                    : True
AllowOutsideUsers                      : True
BeClearingHouse                        : False
EnablePartnerDiscovery                 : True
EnableArchivingDisclaimer              : True
KeepCrlsUpToDateForPeers               : True
MarkSourceVerifiableOnOutgoingMessages : True
OutgoingTlsCountForFederatedPartners   : 4
RoutingMethod                          : UseDnsSrvRouting

So the domain shouldn't be required. I have added it anyway and it doesn't help.

I can see from edge event logs that replication is fine.

Thanks

Daniel

March 20th, 2012 5:58pm

The error you are getting on the Edge Server:

Severity: error
Text: The client connection is not allowed on the internal edge of the Access Edge Server
Peer-IP: 192.168.9.19:53615
Transport: TLS

is definitely related somehow. What IP address is the one listed above under Peer-IP? There is some kind of authorisation error here between either your servers, clients or both connecting to the internal interface of your Edge Server.

March 20th, 2012 6:57pm

192.168.9.19 is the IP address of the front end server, so it should be talking to the internal edge of the Access Edge Server?
March 20th, 2012 6:59pm

And this works ok

Test-CsMcxPushNotification -AccessEdgeFqdn lyncedge.iwsbeta.co.uk

TargetFqdn :
Result     : Success
Latency    : 00:00:00
Error      :
Diagnosis  :

March 20th, 2012 7:02pm

Yes it should be. It looks like your Front End server can't connect to the internal interface of your Edge Server on port 5061. The traffic is hitting it though because the Edge Server is generating this error.

Double check your FQDNs in Topology Builder and make sure they match up to names on certificates and also the computer name of your FE server.

March 20th, 2012 7:03pm

Hi,

Need to check something:

Do your remote users and your federated partner's remote users sign in successfully from the external network?

Can your federated partner see the presence of your users?

Does your federated partner allow your domain name in their federation domain policy (Lync Server Control Panel -- External User Access -- Federation Domains)?

Run the Lync Server Logging Tool on the Edge Server, trace the logs while you send an IM message to the federated user, and analyze the logs with Snooper. Snooper can analyze the message routing process. I think you can get more information about this issue.

March 21st, 2012 6:05am

Found the problem!

In the topology builder I needed to right click on the site and select my director under federation route assignment. As soon as I did that all started working.

Now to solve my "Test-CsMcxP2PIM" problem

  • Marked as answer by Daniel Niasoff Wednesday, March 21, 2012 3:18 PM
March 21st, 2012 6:18pm
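As an added example that is not part of the thread or of any Microsoft tooling: a pre-flight check run from the Lync Server Management Shell on a Front End server. It gathers the settings the thread walks through (external access policy, Access Edge configuration, the allowed-domain list, and the per-site federation route whose absence turned out to be the cause) and then runs Test-CsFederatedPartner the way the earlier reply suggests. The Edge FQDN and partner domain are placeholders, and the FederationRoute property on Get-CsSite is assumed to expose the route set in Topology Builder.

```powershell
# Added example, not from the thread. Run in the Lync Server Management Shell.
# Placeholders: $EdgeFqdn and $PartnerDomain. Assumption: Get-CsSite exposes the
# Topology Builder federation route as a FederationRoute property.
param(
    [string]$EdgeFqdn      = "lyncedge.example.com",   # placeholder Access Edge FQDN
    [string]$PartnerDomain = "partner.example.com"     # placeholder federated domain
)

$findings = @()

# 1. The global external access policy must allow federation.
$policy = Get-CsExternalAccessPolicy -Identity Global
if (-not $policy.EnableFederationAccess) {
    $findings += "External access policy: EnableFederationAccess is False"
}

# 2. The Access Edge configuration must admit federated users; with closed
#    federation (EnablePartnerDiscovery False) the partner must be explicitly allowed.
$edge = Get-CsAccessEdgeConfiguration
if (-not $edge.AllowFederatedUsers) {
    $findings += "Access Edge: AllowFederatedUsers is False"
}
$allowed = Get-CsAllowedDomain | Where-Object { $_.Identity -eq $PartnerDomain }
if (-not $edge.EnablePartnerDiscovery -and -not $allowed) {
    $findings += "Closed federation and $PartnerDomain is not an allowed domain"
}

# 3. Every site needs a federation route. Without one the Front End answers
#    'Non-trusted source sent an FQDN/IP that doesn't match a routing table rule'
#    and a 404 before any SIP traffic reaches the Edge, as seen in the thread.
foreach ($site in Get-CsSite) {
    if (-not $site.FederationRoute) {
        $findings += "Site $($site.Identity): no federation route assigned in Topology Builder"
    }
}

# 4. Synthetic transaction through our Edge to the partner's Edge.
$test = Test-CsFederatedPartner -TargetFqdn $EdgeFqdn -Domain $PartnerDomain
if ($test.Result -ne "Success") {
    $findings += "Test-CsFederatedPartner: $($test.Result) $($test.Error)"
}

if ($findings.Count -eq 0) { "Federation pre-flight: all checks passed" } else { $findings }
```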


Thanks.
February 14th, 2014 6:52am
