Monday, December 09, 2013

Cisco Jabber on iPhone through ASA VPN bug

When you are the 'network person', you need to troubleshoot the network to prove the network is not the problem.  I'm writing about this bug because I couldn't find anything online about it and Cisco TAC says it has not been published yet.

Problem

Cisco Jabber 9.5 on the iPhone works on the network internally but not through the ASA VPN.

Confirm it actually does work internally: check
Everything else works through VPN, on the phone: check
Simple ping to CUPS server on the phone: check
Can bring up web page of CUPS server via DNS through the phone: check
No over-engineered filters or acl's in place hindering traffic: check

I'm not much of a voice tech so I had one of the voice engineers check the configs on CallManager.  Says everything is good to go.

I ran a capture on the ASA and see traffic going back and forth to the client as expected.  Not sure if it's the correct ports, but whatever I see bidirectional traffic.

Sadly, I opened a TAC case.  Worked with both the application team and ASA team.  Ran captures on the ASA again, iPhone Anyconnect Client and also on the CUPS server.

The Apps person found this error:

OnLoginError: LERR_JABBER_UNREACHABLE:

TAC Suggested the phone client couldn't not resolve the name of the CUPS server through the VPN.  This didn't make sense to me since I could resolve the name (hostname, and FQDN).

Resolution:

Luckily, they had a fix on the CUPS server that would actually resolve the issue:
Change the xmpp server name to the IP address.

Step1. Login CUP server as admin. Click menu "System"  -  "Cluster Topology".
Check the picture below.



Step2.  After Step1, You will see the CUP servers listed in the Subcluster.  The CUP nodes are shown as xmpp server names, in this example as “cups1” and “cups2.” Click the node. You can change the name to the IP address.  In the picture below the node name was cups1, and I changed it to "10.201.216.201".




After you change the node name to the IP address, you can now test over VPN.  This change was not service impacting, but it may be best to perform this change after business hours.  You never know.

The bug id is not yet public: CSCul54468
According to Cisco, this should be fixed in Q4 2013 but posting here in case anyone runs in to this problem during troubleshooting.

Side note: If you are curious on the ping client I used on the iPhone, it was iSys.



3 comments:

Porter Daniel said...


<a href="http://www.bestanonymousvpn.com>Greg</a> says,

Thanks for letting us know about all the vital information of Cisco Jabber on iPhone through ASA VPN bug. I'm quite sure that in such allocation will helps all the iphone user to know that how to solve their problem during the of using VPN through Iphone. Thanks once again

jowdjbrown said...

We have all received at least just one cellphone every single, suitable? We have in all probability bought about a few or 4 presently, which counts giving your outdated Nokia 3310 for your Mum a couple of a long time ago.But now the world has improved, and from Apple to Samsung to HTC into a host of up-and-coming names, picking your next greatest smartphone is a difficult job.This really is where by we allow it to be quick: we completely test countless prime smartphones and have discovered the 10 best you are able to shell out your hard earned money on. cell phones prices

Rajendra Narwariya said...

Nokia 3310 Launching at MWC 2017 : Check Price in India, Specs, Release Date & How to Buy

The nice post