Friday, December 3, 2010

Fast busy with OCS 2007 R2 Dial-in Conferencing after renewing certificates

This post covers yet another component in OCS 2007 R2 that can break if you don’t restart your services after renewing the certificates. Seeing how I’ve already written other similar posts, you might ask: why write another one? My reasoning is that this may help someone out there who’s not familiar with OCS 2007 R2 when he or she searches for the error messages found in the validation logs.

The following are screenshots and error messages that you’ll see in the validation logs:

Validate that one can connect to the application.

Failure
[0xC3FC200D] One or more errors were detected

Application Host ulocs02.domain.com

DNS Resolution succeeded: 172.33.1.33
The remote server presented an expired certificate.: 172.33.1.33:5073 Error Code: 0x80090328 Outgoing TLS negotiation failed. Remote certificate expired; HRESULT=-2146893016
Suggested Resolution: The remote server certificate needs to be renewed or replaced with a valid certificate.

Failure
[0xC3FC200D] One or more errors were detected

Application Host ocspool2.domain.com

DNS Resolution succeeded: 172.33.1.33
The remote server presented an expired certificate.: 172.33.1.33:5073 Error Code: 0x80090328 Outgoing TLS negotiation failed. Remote certificate expired; HRESULT=-2146893016
Suggested Resolution: The remote server certificate needs to be renewed or replaced with a valid certificate.

Failure
[0xC3FC200D] One or more errors were detected

Snooper traces on the front end server show the following:

TL_INFO(TF_PROTOCOL) [2]0B24.102C::11/25/2010-15:39:36.648.006e88c8 (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(122))$$begin_record

Instance-Id: 00D5AD98

Direction: outgoing;source="local"

Peer: 172.20.2.64:1099

Message-Type: response

Start-Line: SIP/2.0 504 Server time-out

From: "Terence Luk"<sip:tluk@domain.com>;tag=35830c1d37;epid=b7128e13bc

To: <sip:+6125@domain.com;user=phone>;tag=7934F6EF33928ED06C1CF46A346665C6

CSeq: 1 INVITE

Call-ID: 117acb6ea73d44fa86fc01bf63e6b74f

Proxy-Authentication-Info: Kerberos rspauth="602306092A864886F71201020201011100FFFFFFFFFD84CA40889D55E46C9A92C7D2083CF1", srand="8DD9ABB2", snum="485", opaque="66566559", qop="auth", targetname="sip/ulocs02.domain.com", realm="SIP Communications Service"

Via: SIP/2.0/TLS 172.20.2.64:1099;ms-received-port=1099;ms-received-cid=1516200

ms-diagnostics: 1010;reason="Certificate trust with next-hop server could not be established";source="ulocs02.domain.com";ErrorType="Refer security status for specific security status";HRESULT="0x80090328"

Content-Length: 0

Message-Body: –

$$end_record

TL_INFO(TF_PROTOCOL) [7]0B24.1030::11/25/2010-15:26:18.585.006a5f2e (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(122))$$begin_record

Instance-Id: 00D59A0C

Direction: outgoing;source="local"

Peer: ulmedi02.domain.com:3801

Message-Type: response

Start-Line: SIP/2.0 504 Server time-out

From: "UNIS LUMIN"<sip:+19058476800@domain.com;user=phone>;epid=2EB99BB36E;tag=d735b91b9

To: <sip:+6123@domain.com;user=phone>;tag=7934F6EF33928ED06C1CF46A346665C6

CSeq: 13076 INVITE

Call-ID: 329c3891-859d-4c5f-8125-3741e3413855

ms-application-via: backend_token;ms-server=ulocs02.domain.com;ms-pool=ocspool2.domain.com;ms-application=51FB453D-5B9F-45df-83B4-ADD1F7E604A8

Via: SIP/2.0/TLS 172.20.1.122:3801;branch=z9hG4bK47a7d4cc;ms-received-port=3801;ms-received-cid=15F4A00

ms-diagnostics: 1010;reason="Certificate trust with next-hop server could not be established";source="ulocs02.domain.com";ErrorType="Refer security status for specific security status";HRESULT="0x80090328"

Content-Length: 0

Message-Body: –

$$end_record
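
A small triage helper for Snooper output like the records above, added here as an example (it is not part of the original post or of any OCS tool). It pulls the ms-diagnostics header out of each record and normalizes the HRESULT, so that 0x80090328 in the trace and -2146893016 in the validation log are recognized as the same expired-certificate error; the function names and the second sample record are assumptions made for the illustration.

```python
import re

# 0x80090328 is SEC_E_CERT_EXPIRED, the HRESULT seen in the traces above.
KNOWN_HRESULTS = {0x80090328: "SEC_E_CERT_EXPIRED"}
RECORD_RE = re.compile(r"\$\$begin_record(.*?)\$\$end_record", re.S)
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

def normalize_hresult(text):
    """Map '0x80090328' and the signed form '-2146893016' to one unsigned value."""
    text = text.strip()
    value = int(text, 16) if text.lower().startswith("0x") else int(text)
    return value & 0xFFFFFFFF

def find_tls_failures(trace_text):
    """Return one finding per SIP record whose ms-diagnostics carries an HRESULT."""
    findings = []
    for body in RECORD_RE.findall(trace_text):
        headers = {}
        for line in body.splitlines():
            name, sep, value = line.strip().partition(":")
            if sep:
                headers.setdefault(name.strip().lower(), value.strip())
        diag = headers.get("ms-diagnostics", "")
        params = dict(PARAM_RE.findall(diag))
        if "HRESULT" not in params:
            continue
        code = normalize_hresult(params["HRESULT"])
        findings.append({
            "start_line": headers.get("start-line"),
            "peer": headers.get("peer"),
            "source": params.get("source"),
            "diagnostic_id": diag.split(";", 1)[0],
            "hresult": f"0x{code:08X}",
            "name": KNOWN_HRESULTS.get(code, "unknown"),
        })
    return findings

# Sample input: the first record is abbreviated from the trace above;
# the second (a 200 OK with no ms-diagnostics) is constructed for contrast.
SAMPLE = '''$$begin_record
Peer: 172.20.2.64:1099
Start-Line: SIP/2.0 504 Server time-out
ms-diagnostics: 1010;reason="Certificate trust with next-hop server could not be established";source="ulocs02.domain.com";HRESULT="0x80090328"
$$end_record
$$begin_record
Peer: 172.20.2.64:1099
Start-Line: SIP/2.0 200 OK
$$end_record'''

if __name__ == "__main__":
    for finding in find_tls_failures(SAMPLE):
        print(finding)
```

The `source` value in each finding names the server that reported the failed TLS handshake, which is where to start checking whether the services were restarted after the certificate renewal.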

1 comment:

Majid said...

Thanks a lot