Lync 2010 - External Voice calls do not complete - "Call failed to establish due to a media connectivity failure when one endpoint is internal and the other is remote"
We have Lync 2010 set up at work and external users can IM, Video, and Share files, desktop, etc... The only piece that is not working is voice.
I have done packet traces, sip traces, and logging on the client and cannot find the cause, please let me know which log files you might need to see.
This is the only error message that I have really been able to pin down:
ms-client-diagnostics: 23; reason="Call failed to establish due to a media connectivity failure when one endpoint is internal and the other is remote";CallerMediaDebug="audio:ICEWarn=0x80012b,LocalSite=x.x.x.x:16840,LocalMR=y.y.y.y:3478,RemoteSite=z.z.z.z:55521,RemoteMR=w.w.w.w:59305,PortRange=1025:65000,RemoteMRTCPPort=59305,LocalLocation=1,RemoteLocation=2,FederationType=0"
Thanks!
Bob
October 15th, 2010 6:17am
Hi, please confirm that certificates, ports and network connectivity are working fine on the Edge server, or would you please enable logging on both MOC and the Edge server during an audio test failure and then paste the errors here to narrow down the issue.
And make sure the ports and software are not being interfered with by a firewall or antivirus.
October 15th, 2010 1:13pm
When it breaks:
10/15/2010|09:43:59.017 1070:1074 INFO :: Sending Packet - 72.50.230.243:443 (From Local Address: 10.0.0.214:51956) 1414 bytes:
10/15/2010|09:43:59.017 1070:1074 INFO ::
BYE
sip:invmaocsvm01.involtadc.local@involta.com;gruu;opaque=srvr:MediationServer:j95tfsQns1SJPmQCLBmKJQAA;grid=6be3895740704756becd4835abf3a6f3 SIP/2.0
Via: SIP/2.0/TLS 10.0.0.214:51956
Max-Forwards: 70
From: <sip:jward@involta.com>;tag=81082ce6b2;epid=8371fd6545
To: <sip:93192132014;phone-context=defaultprofile@involta.com;user=phone>;tag=6261e5e284;epid=8BF6B67ACE
Call-ID: 576b29afdcdb453dae40fe02c64f82b0
CSeq: 3 BYE
Route: <sip:sip.involta.com:443;transport=tls;opaque=state:Ci.R50a00;lr;ms-route-sig=cboYWBFnyyKCivHBU9wrNiqDO8wOwZE86vDqGIZ9WXauj3rMwc1hwU_gAA>
Route: <sip:invmaocsvm01.involtadc.local:5061;transport=tls;opaque=state:F;lr;received=10.128.10.57;ms-received-cid=2BA02>
User-Agent: UCCAPI/4.0.7457.0
OC/4.0.7457.0 (Microsoft Lync 2010 (RC))
ms-client-diagnostics:
23; reason="Call failed to establish due to a media connectivity failure when one endpoint is internal and the other is remote";CallerMediaDebug="audio:ICEWarn=0x80012b,LocalSite=10.0.0.214:19766,LocalMR=72.50.230.245:3478,RemoteSite=10.128.10.57:53045,RemoteMR=10.128.11.36:59699,PortRange=1025:65000,RemoteMRTCPPort=59699,LocalLocation=1,RemoteLocation=2,FederationType=0"
Proxy-Authorization:
TLS-DSK qop="auth", realm="SIP Communications Service", opaque="0ADD0480", targetname="invmaocsvm01.involtadc.local", crand="4f54e6d7", cnum="29", response="3097f05673e4e6ad0a790408c6feb521da55bdf8"
Content-Length: 0
10/15/2010|09:43:59.018 1070:1074 INFO :: End of Sending Packet - 72.50.230.243:443 (From Local Address: 10.0.0.214:51956) 1414 bytes
October 15th, 2010 6:29pm
Also, I did a packet trace on the client machine and it appears that it is talking to my public av edge ip up until the receiver of the call answers and then the external client tries to start talking to the FE directly (via private IP's) which are not routable.
Bob
October 15th, 2010 6:38pm
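The CallerMediaDebug string in the BYE above can be checked mechanically for the symptom described in this post. The following is an added example, not code from any poster or from Lync; the function names are hypothetical, and treating a public LocalMR as "the reporting client is outside" is an assumption of the example.

```python
import ipaddress
import re

# Constructed sample: the ms-client-diagnostics value from the BYE quoted in this thread.
SAMPLE = (
    '23; reason="Call failed to establish due to a media connectivity failure '
    'when one endpoint is internal and the other is remote";'
    'CallerMediaDebug="audio:ICEWarn=0x80012b,LocalSite=10.0.0.214:19766,'
    'LocalMR=72.50.230.245:3478,RemoteSite=10.128.10.57:53045,'
    'RemoteMR=10.128.11.36:59699,PortRange=1025:65000,RemoteMRTCPPort=59699,'
    'LocalLocation=1,RemoteLocation=2,FederationType=0"'
)

def parse_media_debug(header):
    """Return {media_type: {field: value}} for each CallerMediaDebug blob."""
    parsed = {}
    for blob in re.findall(r'CallerMediaDebug="([^"]*)"', header):
        media, _, fields = blob.partition(":")
        parsed[media] = dict(f.split("=", 1) for f in fields.split(",") if "=" in f)
    return parsed

def endpoint(value):
    """Split 'ip:port' into (ip, port, scope); None for redacted or malformed values."""
    host, _, port = value.rpartition(":")
    try:
        ip = ipaddress.ip_address(host)
        return str(ip), int(port), "private" if ip.is_private else "public"
    except ValueError:
        return None

def unroutable_remote_candidates(header):
    """List (media, field, ip) for remote addresses an Internet-side client cannot reach.

    Heuristic (an assumption of this example): a public LocalMR means the reporting
    client allocated its relay on the public A/V Edge address, i.e. it is outside.
    """
    hits = []
    for media, fields in parse_media_debug(header).items():
        local_mr = endpoint(fields.get("LocalMR", ""))
        if not local_mr or local_mr[2] != "public":
            continue
        for name in ("RemoteSite", "RemoteMR"):
            remote = endpoint(fields.get(name, ""))
            if remote and remote[2] == "private":
                hits.append((media, name, remote[0]))
    return hits

if __name__ == "__main__":
    for media, field, ip in unroutable_remote_candidates(SAMPLE):
        print(f"{media}: {field}={ip} is a private address offered to an external client")
```

Redacted values such as the x.x.x.x addresses in the first post are skipped rather than reported.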
Hi, from searching on this problem, it may be that an IPSec mismatch is causing call disconnects for off-corp users only on external calls. Either IPSec is enabled on both sides or there are exemptions on both sides for IPSec to work fine. Would you please
October 18th, 2010 5:56am
I have double checked and we do not have IPSec enabled on the server. If I VPN into the office everything works again (assuming because I am now able to get to the local IP's).
Thanks,
Bob
October 18th, 2010 5:06pm
I just did some further looking (at firewall and packet sniffers) and found that when I make a voice call from outside the network everything starts off by going to the AV service, but once the call gets answered it switches to the Front End server trying to talk directly to the external client, which breaks as no firewall rules allow for this traffic to come back from the client to the server.
Client IP (udp/32683) -> Firewall IP (udp/23819)
Firewall IP (udp/13894) -> Client IP (udp/32682)
We use the IP of the firewall as the global NAT (any server that does not have a static NAT appears as this IP).
Thanks,
Bob
October 18th, 2010 8:55pm
I have done some further digging and on the admin site, if I go to:
Topology -> Double Click on Edge Server -> Double Click on EdgeServer service
I see that "Audio/Video Edge service external FQDN:" and "Internal interface FQDN:" are both "Not set" and I wonder if this could be causing my issue? If so where would these get set at?
Thanks,
Bob
October 18th, 2010 11:53pm
Hi, "Internal interface FQDN:" should be the FQDN of Edge server, and "external FQDN of A/V Edge service:" should be set for A/V external FQDN which you are going to publish, would you please try?
October 19th, 2010 7:28am
I have been looking through the configuration, where would I publish these?
Thanks,
Bob
October 19th, 2010 2:13pm
What I mean is the external FQDN that you want to publish to external network (or internet).
October 20th, 2010 6:26am
What he's referencing is in the admin panel, Topography > Select the Edge Server to view the properties...this is what we're seeing:
http://imgur.com/ujVGX.png
October 20th, 2010 6:39am
Hi, Bob, is the problem resolved?
October 21st, 2010 12:43pm
No, the issue still exists, if you look at this screen shot:
http://imgur.com/ujVGX.png
You can see that both of those settings still show up as "Not Set"
Bob
October 21st, 2010 3:36pm
You may configure them and then "publish" in Topology Builder; the settings in the Lync Control Panel will be changed after replication has finished.
October 22nd, 2010 6:15am
I have the A/V server setup in the Topology Builder, but when I apply it the two settings in the above screen shot do not change from "Not Set".
Bob
October 23rd, 2010 1:01am
Would you please check the Edge server configuration in the Topology Builder, not the A/V server, and after that publish again.
October 25th, 2010 6:31am
It still does not appear to be working, when someone external places a call through Lync it appears to start working then stops, here is what I have found through several packet captures:
External Client places call, goes through edge server to front end
Once the recipient of the call answers, the front end tries to start talking directly to the external client (skipping over the edge, which then breaks the call)
Please let me know what I can provide to help troubleshoot this.
Thanks,
Bob
October 26th, 2010 12:02am
I may have the same problem. Currently running OCS R2 including Edge (everything working). Now with separate Lync SE server I cannot use voice from remote user.
Seems like in Lync there are settings missing or wrong:
Access edge external FQDN: not set
A/V Edge service external FQDN: not set
And ApplicationServer does not start anymore
Thanks,
Johann
October 30th, 2010 12:12am
I have the exact same issue.
Any fix so far?
Regards
JP
November 3rd, 2010 5:39am
Anyone ?
Ben?
I know RTM is just a couple of days from GA, but it is really important to finalize the RC deployment...
Thanks for any help..
Regards
JP
November 3rd, 2010 10:40pm
Nothing new on our end. We were able to populate those fields by editing the .xml after doing an export config, then re-importing and it still doesn't resolve the issue.
November 3rd, 2010 11:43pm
Hi
Not sure where you changed that info in the XML file?
I have searched the XML, and did not find any place to change that info.
Cheers
JP
November 4th, 2010 4:22am
Internal interface FQDN field: <Port Owner="urn:component:AccessEdge" Usage="SipServer" InterfaceSide="Internal" InterfaceNumber="1" Port="5061" Protocol="Mtls" UrlPath="/" AuthorizesRequests="false" ConfiguredFqdn="invmaocsvm03" />
AV Edge External FQDN: <Port Owner="urn:component:MediaRelayEdge" Usage="TURNServer" InterfaceSide="External" InterfaceNumber="3" Port="443" Protocol="Tcp" UrlPath="/" AuthorizesRequests="false" ConfiguredFqdn="av.domain.com" />
Previously the ConfiguredFqdn was just empty quotes. This is in the DocItemSet.xml file. Make sure when you re-zip the files, it's just the 2 files and not the folder or the import will not like the file.
November 4th, 2010 11:48pm
I have the same problem with RTM build used in coexistence with legacy Edge server and OCS R2 pool. External users always get local IP address in SDP. Any news on that?
November 19th, 2010 3:07pm
We still have not received any updates about the issue and we are still seeing it as well.
Bob
November 20th, 2010 12:58am
I have now changed the Voice Route to point to the legacy mediation server to bypass the new colocated Lync mediation server. Seems to work; need some more testing.
November 20th, 2010 2:10am
November 24th, 2010 5:50pm
I have done some further digging and on the admin site, if I go to:
Topology -> Double Click on Edge Server -> Double Click on EdgeServer service
I see that "Audio/Video Edge service external FQDN:" and "Internal interface FQDN:" are both "Not set" and I wonder if this could be causing my issue? If so where would these get set at?
Thanks,
Bob
I too am having this same issue, and when I just checked these settings they were also set to "Not set"
Have you had any luck getting yours to work yet?
December 4th, 2010 5:44am
I had a similar issue with my setup and was able to get it working.
First of all: make sure you NAT ports 50000 - 59999 UDP to your A/V Edge IP and make sure that the NAT IP is correctly configured in Lync.
The fact that you can share desktop and files means that 50000-59999 TCP is forwarded correctly.
The difference between the two workloads is that app sharing uses TCP while voice/video is using UDP. You say video is working fine? Can you do a wireshark trace on the external side of the Edge server and see if there are UDP connections being set up on the Edge's port range 50k-59999?
I would also recommend trying to move the A/V Edge to another port than the default port 443. On my side my router was not forwarding this port because it was using it for its own administration web page. You can do this by modifying the port in topology builder, publishing the topology and then issuing "Invoke-CsManagementStoreReplication" on the Lync server. Then check the edge event log to see if the A/V server received the new settings and restart its service to make it listen on the new port.
Good luck
December 4th, 2010 11:14am
This seems like a bug to me. I am noticing the exact same issue on my Edge server. Has anyone been able to resolve this yet?
January 5th, 2011 7:39pm
Same here. We still have an OCS 2007 Edge running for legacy users not moved over to Lync, but we are seeing the same issues with external users. I thought maybe that once I move everyone over and get rid of the legacy implementation, that things will start working, but based on what I see above, this will not be the case.
I hope someone finds a resolution for this soon.
January 5th, 2011 8:05pm
We figured it out as it applies to our setup last night. We previously didn't have an internal dns entry for av.involta.com that pointed to the public IP address for it. Because that didn't exist, the front end was trying to talk out directly through the firewall. We also added the av public IP address to the NAT enabled IP address field on the edge server general section. As soon as we published, reran the deployment wizard on both the front end and edge, works like a champ. Hope that helps!
January 5th, 2011 8:14pm
Here is the problem, we are using a single FQDN for all services (was hoping to make things simpler). If I check the topology builder, the FQDN shows correctly for all services as the single one we picked, but the Control Panel does not reflect it for some reason. Our sip address is also our webconf and AV service address. I wonder if this is why it is not showing up correctly. We have a dns entry internal for that address, but it points to the internal IP, not the external.
I will change it over and see if it helps.
January 5th, 2011 8:38pm
Has anyone found a resolution to this problem? I am having the same problem and can only get it working if I use TCP, instead of TLS, from my voip gateway to the Lync Front-End/Mediation.
January 11th, 2011 7:25pm
Hi BOB, did you fix this issue?
I got the same trouble.
Any suggestions?
Thanks in advance.
January 12th, 2011 11:52pm
Yes, yeahbuddyia works with me, his solution above is the one that got us working.
Bob
January 13th, 2011 1:01am
Great BoB
IT'S WORKING
Thanks a lot.
January 13th, 2011 1:34am
Any Resolution to this problem?
I've the same problem with my lync edge server.
January 13th, 2011 12:35pm
We had the same issue except it presented as "Call failed to establish due to a media connectivity failure where one endpoint is of unknown type". In our deployment all users are external (we are a hosting Lync/OCS). What is really strange is why R2 Front Ends work fine without the internal DNS entry but Lync Servers don't. This has the feeling of a bug or at note in the deployment docs calling this out as a requirement for coexistence. All I did was add av.myucworkspace.com to my internal DNS pointed to the external av IP on the R2 Edge.
January 21st, 2011 8:29pm
My problem was related to a route issue within the DMZ. After correcting my route issue all is well.
January 21st, 2011 9:04pm
Bob, was any change in your configuration reflected after you added the AV FQDN? I mean, in the properties view, were the internal FQDN and external AV FQDN populated?
I have the same issue and I have added the AV FQDN to my hosts file on the FE. But calls seem to keep failing and there is no change in the properties view on my Lync console.
Thanks in advance
January 26th, 2011 12:45am
Hey! I've already fixed my problem. My edge server has NAT addresses; I'm not using a DMZ, all of the IPs are internal addresses. The server is in a workgroup, and the NIC used for external services has the register-in-DNS option set to auto. So my FE was getting an erroneous IP when looking up the internal interface of my edge server. I fixed the DNS registration, flushed the DNS, removed the auto-register option, and everything started working great. The edge is behind an ISA Server 2006; it seems to work OK, for now. I'll provide further comments.
Greets!
PS
The service detail view stays on "Not set" for the external AV and internal FQDN. Weird......
January 27th, 2011 12:51am
Dear All,
I still get the error even after registering the DNS record for Av.domain.com on the internal DNS.
How to fix this problem?
Thanks
March 29th, 2011 2:00pm
Internal interface FQDN field: <Port Owner="urn:component:AccessEdge" Usage="SipServer" InterfaceSide="Internal" InterfaceNumber="1" Port="5061" Protocol="Mtls" UrlPath="/" AuthorizesRequests="false" ConfiguredFqdn="invmaocsvm03" />
AV Edge External FQDN: <Port Owner="urn:component:MediaRelayEdge" Usage="TURNServer" InterfaceSide="External" InterfaceNumber="3" Port="443" Protocol="Tcp" UrlPath="/" AuthorizesRequests="false" ConfiguredFqdn="av.domain.com" />
Previously the ConfiguredFqdn was just empty quotes. This is in the DocItemSet.xml file. Make sure when you re-zip the files, it's just the 2 files and not the folder or the import will not like the file.
In my case there is no ConfiguredFqdn="" at all, it looks like this:
<Port Owner="urn:component:AccessEdge" Usage="SipServer" InterfaceSide="Internal" InterfaceNumber="1" Port="5061" Protocol="Mtls" UrlPath="/" AuthorizesRequests="false" />
My entries on the server, if I look at the topology, are also empty. Any advice?
May 3rd, 2011 2:41pm
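The three states of ConfiguredFqdn mentioned in these posts (set, empty quotes, attribute absent) can be told apart by scanning the exported DocItemSet.xml for Port elements. The following is an added example, not code from the thread or from Lync; the `<Ports>` wrapper and the function name are constructed for illustration, and the layout of the real file around the `<Port>` elements is not assumed.

```python
import xml.etree.ElementTree as ET

# Constructed samples built from the <Port> elements quoted in the thread.
PORT = ('<Port Owner="urn:component:{owner}" Usage="{usage}" InterfaceSide="{side}" '
        'InterfaceNumber="{num}" Port="{port}" Protocol="{proto}" UrlPath="/" '
        'AuthorizesRequests="false"{fqdn} />')
ACCESS = dict(owner="AccessEdge", usage="SipServer", side="Internal",
              num=1, port=5061, proto="Mtls")
AV = dict(owner="MediaRelayEdge", usage="TURNServer", side="External",
          num=3, port=443, proto="Tcp")

# BEFORE: attribute absent on one port, empty quotes on the other.
BEFORE = ("<Ports>" + PORT.format(fqdn="", **ACCESS)
          + PORT.format(fqdn=' ConfiguredFqdn=""', **AV) + "</Ports>")
# AFTER: both values as posted in the thread.
AFTER = ("<Ports>" + PORT.format(fqdn=' ConfiguredFqdn="invmaocsvm03"', **ACCESS)
         + PORT.format(fqdn=' ConfiguredFqdn="av.domain.com"', **AV) + "</Ports>")

def unset_fqdn_ports(xml_text):
    """Return one dict per <Port> whose ConfiguredFqdn is absent or blank."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Compare the local tag name so a namespaced document still matches.
        if el.tag.rsplit("}", 1)[-1] != "Port":
            continue
        fqdn = el.get("ConfiguredFqdn")
        if fqdn is None:
            state = "missing"
        elif not fqdn.strip():
            state = "empty"
        else:
            continue
        findings.append({
            "owner": el.get("Owner", "").rsplit(":", 1)[-1],
            "usage": el.get("Usage"),
            "side": el.get("InterfaceSide"),
            "port": el.get("Port"),
            "state": state,
        })
    return findings

if __name__ == "__main__":
    for f in unset_fqdn_ports(BEFORE):
        print(f"{f['owner']} {f['side']} port {f['port']}: ConfiguredFqdn {f['state']}")
```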
Quick note.
I got fed up with this issue and moved my edge to the extreme edge of our network.
Now all is working 100%.
SIP NAT traversal, non-sequential IPs, you tell me.
Outside of CISCO now, sequential IPs and all is working.
I suggest a quick "test" by bypassing the network hardware; it might save you hours wasted on troubleshooting when it may be the network/firewall giving you hassles.
July 20th, 2011 8:04pm
We figured it out as it applies to our setup last night. We previously didn't have an internal dns entry for av.involta.com that pointed to the public IP address for it. Because that didn't exist, the front end was trying to talk out directly through the firewall. We also added the av public IP address to the NAT enabled IP address field on the edge server general section. As soon as we published, reran the deployment wizard on both the front end and edge, works like a champ. Hope that helps!
I am having the same issue, as external users are not able to make audio/video calls. And I am confused about how to import a certificate for AV services on the edge server, as I have already installed two certificates: one from the internal CA for the edge server and the other a public CA certificate having SAN entries, but not av.domain.com as it wasn't required...
Can you help me? It's urgent.
Also, on internal DNS, will av.domain.com be created using the public IP or the DMZ IP which is NATted to the public IP?
August 10th, 2011 6:19pm
In our organization we ran into a similar problem and we found out the reason was that our Edge Pool was not associated with anything inside of our topology builder. Make sure that you have all of your pools set up correctly for your edge services.
http://s12.postimage.org/3le7f4bj1/Jacob_Tech_Dude.png
August 22nd, 2012 11:04pm
One more possible solution, which helped in our case. We have the Front End and Mediation server co-located on the same server. I had understood that the Mediation Server should automatically use the same Edge as the Front End, i.e. it should be ok to have an empty value here:
PS C:\Users\admin> Get-CsService -MediationServer
Identity : MediationServer:LyncPool01.domain.com
Registrar : Registrar:LyncPool01.domain.com
EdgeServer : EdgeServer:lyncedgetr01.domain.com
SipServerPort : 5070
...
Well, at least in our case it was not ok. I added the Edge for Mediation Server manually, and it started to work:
Set-CsMediationServer -Identity "LyncPool01.domain.com" -EdgeServer "EdgeServer:lyncedgetr01.domain.com"
June 28th, 2013 4:57pm