[cisco-voip] CUCM services log files paths
Ovidiu Popa
ovi.popa at gmail.com
Wed Jun 15 20:44:35 EDT 2011
Hello everyone
After 10 hours online with several TAC engineers we guessed that the problem
was related to the LDAP integration.
The servers were in an isolated environment with no access to the Production
LDAP servers and thus any LDAP request generated a timeout.
And here comes the weird part. Since we were logging into RTMT with
application users we should not have been impacted by this problem but
nevertheless the CUCM disobeyed common sense and did LDAP requests for the
application user login. Since these requests failed with a timeout, the
login was marked as failed (again it does not make sense).
The workaround was to enable loopback interfaces on our lab switches with
the IP addresses of the production LDAP servers. The LDAP requests were
closed with TCP reset and not with a timeout. RTMT login was successful after
this workaround.
Hope this helps someone in the future.
Regards,
Ovidiu
On Tue, Jun 14, 2011 at 1:26 PM, Ovidiu Popa <ovi.popa at gmail.com> wrote:
> Hello Wes
>
> It appears that we have a problem on the CUCM side:
>
> Client logs:
> 2011-06-14 10:45:48,453 [SplashThread] INFO rtmt.control -
> validMLALogin(): inside isSecureEnabled
> 2011-06-14 10:46:48,968 [SplashThread] ERROR rtmt.control -
> validMLALogin(): caught java.lang.Exception,
> e=java.net.SocketTimeoutException: Read timed out
>
> CUCM Tomcat localhost_access_log
> [14/Jun/2011:10:46:34 +0200] 127.0.0.1 127.0.0.1 5jN]mfY0mV - 8080 GET
> /manager/list HTTP/1.1 200 1234 2
> [14/Jun/2011:10:46:51 +0200] 10.35.113.129 10.35.113.129 - - 8443 GET
> /ast/ASTisapi.dll ?ListConfig HTTP/1.1 401 2113 81571
>
> The HTTP 401 Unauthorized is not a good sign for me. Of course my account
> is enabled for web access and I can log into RTMT in the production network
> using the same credentials.
>
> I currently have no input from my colleague for his tests (install with
> exactly the same passwords as the production network then restore the
> backup).
>
> Will follow-up asap.
>
> Regards,
> Ovidiu
>
>
>
>
>
> On Fri, Jun 10, 2011 at 10:22 PM, Ovidiu Popa <ovi.popa at gmail.com> wrote:
>
>> Yes that's perfect.
>>
>> Thank you Wes.
>>
>> Have a nice weekend, will update the thread next week.
>>
>> Regards,
>> Ovidiu
>>
>>
>> On 10/Jun/11 8:30 PM, Wes Sisk wrote:
>>
>> Fair enough.
>>
>> Is this what you had in mind?
>> https://supportforums.cisco.com/docs/DOC-16943
>>
>> Identity Management System (IMS) is logged in the following locations:
>> activelog tomcat/logs/security/log4j
>> activelog syslog/secure
>>
>> Regards,
>> Wes
>>
>> On 6/10/2011 12:45 PM, Ovidiu Popa wrote:
>>
>> Hello Wes
>>
>> Unfortunately I do not have access to my UCS until Tuesday so I will
>> update the thread at that time. One of my colleagues will do his own restore
>> and he will restore using the exact username/passwords. Hope that it will
>> work better that way.
>>
>> I would very much like to continue investigating my issues as I am curious
>> about the insides of CUCM. I still say that a list with the correlation
>> between CUCM services (network and feature) and their corresponding log
>> files paths is a valuable piece of information.
>>
>> Regards,
>> Ovidiu
>>
>> On 10/Jun/11 6:00 PM, Wes Sisk wrote:
>>
>> Ovidiu,
>>
>> Thanks for the background. That may prove to be the difference.
>>
>> MLA authentication is completely dependent on the database. That is why I
>> started with questions in that direction. Restore replaces the database so
>> the entire MLA feature *shouldn't* be affected by anything in the OS.
>>
>> That said, MLA authentication is failing for some reason. Is there
>> anything in security logs about authentication failure? Perhaps the IMS
>> logs give indication:
>>
>> file list activelog syslog/*
>> file list activelog tomcat/logs/*
>>
>> Regards,
>> Wes
>>
>> On 6/9/2011 4:59 PM, Ovidiu Popa wrote:
>>
>> Wes,
>>
>> Just wanted to add some details to the problem:
>>
>> - Installed CUCM and CUC cluster on UCS
>> - Restored the Production backup on the new virtual machines
>> - Both CUCM and CUC have the same behaviour
>>
>> While installing I did some tests and used the same application username
>> albeit with a different password than the production servers.
>> CCMADMIN login with the installation username/password worked before the
>> restore
>> CCMADMIN login with the production username/password worked after the
>> restore
>>
>> I'm wondering if there is some information that is written in the CUCM
>> OS by the installation process and not replaced by the restore process: does
>> MLA have some configuration files in the CUCM OS e.g. passwords in tomcat
>> configuration files? Am I on the right track?
>>
>> Thanks,
>>
>> Regards,
>> Ovidiu
>>
>>
>> On Thu, Jun 9, 2011 at 5:40 PM, Ovidiu Popa <ovi.popa at gmail.com> wrote:
>>
>>> yes to both.
>>>
>>> On Thu, Jun 9, 2011 at 5:32 PM, Wes Sisk <wsisk at cisco.com> wrote:
>>>
>>>> So TCP comes up and it attempts MLA login. Usually that means database
>>>> is offline. Can you log in to CCMAdmin/user pages? Can you run 'run sql....'
>>>> commands from the CLI?
>>>>
>>>> Regards,
>>>> Wes
>>>>
>>>>
>>>> On 6/9/2011 11:04 AM, Ovidiu Popa wrote:
>>>>
>>>> Wes,
>>>>
>>>> I got the popup that said the certificate is not trusted so TCP
>>>> should be good. After the popup I see in Wireshark some communications
>>>> and then it stops for exactly 1 minute (exactly as seen in the logs).
>>>>
>>>> Regards,
>>>> Ovidiu
>>>>
>>>> On Thu, Jun 9, 2011 at 4:13 PM, Wes Sisk <wsisk at cisco.com> wrote:
>>>>
>>>>> Ovidiu,
>>>>>
>>>>> This looks like a problem with TCP/IP connectivity from your client to
>>>>> the CUCM server. What does a packet capture show?
>>>>>
>>>>> RTMT connects to servers on TCP port 8443. You can view a list of
>>>>> required port connectivity in Unified OS Administration under Show->IP
>>>>> Preferences.
>>>>>
>>>>> Regards,
>>>>> Wes
>>>>>
>>>>>
>>>>>
>>>>> On 6/9/2011 7:03 AM, Ovidiu Popa wrote:
>>>>>
>>>>> Hello everyone
>>>>>
>>>>> Does someone know where we can find a list with the correlation
>>>>> between CUCM services (network and feature) and their corresponding log
>>>>> files paths?
>>>>>
>>>>> I'm having problems logging into RTMT, it stops with the message that
>>>>> it cannot reach the cluster. The PC log files are not very specific and I
>>>>> wanted to see on the CUCM side what is the problem.
>>>>>
>>>>> 2011-05-30 12:30:42,000 [SplashThread] INFO rtmt.control -
>>>>> validMLALogin(): inside isSecureEnabled
>>>>> 2011-05-30 12:31:42,515 [SplashThread] ERROR rtmt.control -
>>>>> validMLALogin(): caught java.lang.Exception,
>>>>> e=java.net.SocketTimeoutException: Read timed out
>>>>>
>>>>> According to this
>>>>>
>>>>> http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/service/8_5_1/rtmt/rtintro.html#wp1278618
>>>>> the Cisco Communications Manager servlet handles RTMT and the problem
>>>>> is what is the path for the logs for this service...
>>>>>
>>>>> I wasn't able to find any information about these paths. It seems we
>>>>> should blindly trust RTMT to collect the files but they don't say what
>>>>> should we do when we need to debug RTMT itself?
>>>>>
>>>>> Thanks for the input.
>>>>>
>>>>> Regards,
>>>>> Ovidiu
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> cisco-voip mailing list
>>>>> cisco-voip at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>>>
>>>>>
>>>>
>>>
>>
>>
>>
>>
>>
>
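The distinction the resolution at the top of this thread turns on (an LDAP connection attempt that times out versus one that is answered with a TCP reset) can be checked from a lab host before attempting a login. The following is an added example, not part of the original thread and not Cisco code; the function names, the default port 389 and the placeholder 192.0.2.x addresses are assumptions.

```python
import errno
import socket
import time

def probe(host, port=389, timeout=3.0):
    """Try one TCP connect; return (outcome, seconds).

    outcome is 'open', 'reset' (refused, peer answered with RST),
    'timeout' (no answer at all) or 'error:<errno name>'.
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        outcome = "open"
    except socket.timeout:
        outcome = "timeout"
    except ConnectionRefusedError:
        outcome = "reset"
    except OSError as exc:  # e.g. ENETUNREACH, EHOSTUNREACH
        outcome = "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()
    return outcome, round(time.monotonic() - start, 3)

def audit(servers, timeout=3.0):
    """Probe every (host, port) pair and return {(host, port): outcome}."""
    results = {}
    for host, port in servers:
        results[(host, port)] = probe(host, port, timeout)[0]
    return results

def stalling(results):
    """Targets that never answer: the case that held the login until it timed out."""
    return sorted(target for target, outcome in results.items() if outcome == "timeout")

if __name__ == "__main__":
    # Constructed placeholders: replace with the LDAP servers configured on the cluster.
    SERVERS = [("192.0.2.10", 389), ("192.0.2.11", 636)]
    results = audit(SERVERS)
    for target, outcome in results.items():
        print(target, outcome)
    print("would stall logins:", stalling(results))
```

In an isolated lab, any target reported as `timeout` reproduces the condition described in this thread, while `reset` matches the state after the loopback workaround.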