Hello everyone<div><br></div><div>After 10 hours online with several TAC engineers we guessed that the problem was related to the LDAP integration. </div><div><br></div><div>The servers were in an isolated environment with no access to the Production LDAP servers and thus any LDAP request generated a timeout.</div>
<div><br></div><div>And here comes the weird part. Since we were logging into RTMT with application users we should not have been impacted by this problem, but nevertheless the CUCM disobeyed common sense and did LDAP requests for the application user login. Since these requests failed with a timeout, the login was marked as failed (again it does not make sense).</div>
<div><br></div><div>The workaround was to enable loopback interfaces on our lab switches with the IP addresses of the production LDAP servers. The LDAP requests were closed with TCP reset and not with a timeout. RTMT login was successful after this workaround.</div>
<div><br></div><div>Hope this helps someone in the future.</div><div><br></div><div>Regards,</div><div>Ovidiu</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br><div class="gmail_quote">On Tue, Jun 14, 2011 at 1:26 PM, Ovidiu Popa <span dir="ltr"><<a href="mailto:ovi.popa@gmail.com">ovi.popa@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div>Hello Wes</div><div><br></div><div>It appears that we have a problem on the CUCM side:</div><div><br></div><div>
Client logs:</div>
<div><div>2011-06-14 10:45:48,453 [SplashThread] INFO rtmt.control - validMLALogin(): inside isSecureEnabled</div>
<div>2011-06-14 10:46:48,968 [SplashThread] ERROR rtmt.control - validMLALogin(): caught java.lang.Exception, e=java.net.SocketTimeoutException: Read timed out</div><div><br></div><div>CUCM Tomcat localhost_access_log</div>
<div>[14/Jun/2011:10:46:34 +0200] 127.0.0.1 127.0.0.1 5jN]mfY0mV - 8080 GET /manager/list HTTP/1.1 200 1234 2</div><div>[14/Jun/2011:10:46:51 +0200] 10.35.113.129 10.35.113.129 - - 8443 GET /ast/ASTisapi.dll ?ListConfig HTTP/1.1 401 2113 81571</div>
</div><div><br></div><div><span>The </span>HTTP 401 Unauthorized<span> is not a good sign for me. Of course my account is enabled for web access and I can log into RTMT in the production network using the same credentials.</span></div>
<div><span><br></span></div><div>I currently have no input from my colleague for his tests (install with exactly the same passwords as the production network then restore the backup).</div><div><br>
</div><div>Will follow-up asap.</div><div><br></div><div>Regards,</div><div>Ovidiu</div><div><div></div><div class="h5"><div><br></div><div><span><br></span></div><div><span><br></span></div><br><br><div class="gmail_quote">
On Fri, Jun 10, 2011 at 10:22 PM, Ovidiu Popa <span dir="ltr"><<a href="mailto:ovi.popa@gmail.com" target="_blank">ovi.popa@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#ffffff">
Yes that's perfect.<br>
<br>
Thank you Wes.<br>
<br>
Have a nice weekend, will update the thread next week.<br>
<br>
Regards,<br><font color="#888888">
Ovidiu</font><div><div></div><div><br>
<br>
On 10/Jun/11 8:30 PM, Wes Sisk wrote:
<blockquote type="cite">
Fair enough.<br>
<br>
Is this what you had in mind?<br>
<a href="https://supportforums.cisco.com/docs/DOC-16943" target="_blank">https://supportforums.cisco.com/docs/DOC-16943</a><br>
<br>
Identity Management System (IMS) are logged in the following
locations:<br>
activelog tomcat/logs/security/log4j<br>
activelog syslog/secure<br>
<br>
Regards,<br>
Wes<br>
<br>
On 6/10/2011 12:45 PM, Ovidiu Popa wrote:
<blockquote type="cite">
Hello Wes<br>
<br>
Unfortunately I do not have access to my UCS until Tuesday so I
will update the thread at that time. One of my colleagues will
do his own restore and he will restore using the exact
username/passwords. Hope that it will work better that way. <br>
<br>
I would very much like to continue investigating my issues as I
am curious about the insides of CUCM. I still say that a list
with the correlation between CUCM services (network and feature)
and their corresponding log files paths is a valuable piece of
information.<br>
<br>
Regards,<br>
Ovidiu<br>
<br>
On 10/Jun/11 6:00 PM, Wes Sisk wrote:
<blockquote type="cite">
Ovidiu,<br>
<br>
Thanks for the background. That may prove to be the
difference.<br>
<br>
MLA authentication is completely dependent on the database.
That is why I started with questions in that direction.
Restore replaces the database so the entire MLA feature
*shouldn't* be affected by anything in the OS.<br>
<br>
That said, MLA authentication is failing for some reason. Is
there anything in security logs about authentication failure?
Perhaps the IMS logs give indication:<br>
<br>
file list activelog syslog/*<br>
file list activelog tomcat/logs/*<br>
<br>
Regards,<br>
Wes<br>
<br>
On 6/9/2011 4:59 PM, Ovidiu Popa wrote:
<blockquote type="cite">Wes,
<div><br>
</div>
<div>Just wanted to add some details to the problem:</div>
<div><br>
</div>
<div>- Installed CUCM and CUC cluster on UCS</div>
<div>- Restored the Production backup on the new virtual
machines</div>
<div>- Both CUCM and CUC have the same behaviour</div>
<div><br>
</div>
<div>While installing I did some tests and used the same
application username albeit with a different password than
the production servers. </div>
<div>CCMADMIN login with the installation username/password
worked before the restore</div>
<div>CCMADMIN login with the production username/password
worked after the restore </div>
<div><br>
</div>
<div>I'm wondering if there is some information that is
written in the CUCM OS by the installation process and not
replaced by the restore process: does MLA have some
configuration files in the CUCM OS e.g. passwords in
tomcat configuration files? Am I on the right track?</div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>Regards,</div>
<div>Ovidiu</div>
<div><br>
<br>
<div class="gmail_quote">On Thu, Jun 9, 2011 at 5:40 PM,
Ovidiu Popa <span dir="ltr"><<a href="mailto:ovi.popa@gmail.com" target="_blank">ovi.popa@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">yes to both.
<div>
<div>
<div><br>
<div class="gmail_quote">On Thu, Jun 9, 2011 at
5:32 PM, Wes Sisk <span dir="ltr"><<a href="mailto:wsisk@cisco.com" target="_blank">wsisk@cisco.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div text="#000000" bgcolor="#ffffff"> So
TCP comes up and it attempts MLA login.
Usually that means database is offline.
Can you log in to CCMAdmin/user pages? Can
you run 'run sql....' commands from the CLI?<br>
<br>
Regards,<br>
<font color="#888888"> Wes</font>
<div>
<div><br>
<br>
On 6/9/2011 11:04 AM, Ovidiu Popa
wrote:
<blockquote type="cite">Wes,
<div><br>
</div>
<div>I got the popup that said the
certificate is not trusted so TCP
should be good. After the popup I
see in Wireshark some
communications and then it stops
for exactly 1 minute (exactly as
seen in the logs).</div>
<div><br>
</div>
<div>Regards,</div>
<div>Ovidiu</div>
<div><br>
<div class="gmail_quote">On Thu,
Jun 9, 2011 at 4:13 PM, Wes Sisk
<span dir="ltr"><<a href="mailto:wsisk@cisco.com" target="_blank">wsisk@cisco.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div text="#000000" bgcolor="#ffffff"> Ovidiu,<br>
<br>
This looks like a problem
with TCP/IP connectivity
from your client to the CUCM
server. What does a packet
capture show?<br>
<br>
RTMT connects to servers on
TCP port 8443. You can view
a list of required port
connectivity in Unified OS
Administration under
Show->IP Preferences.<br>
<br>
Regards,<br>
Wes
<div>
<div><br>
<br>
<br>
On 6/9/2011 7:03 AM,
Ovidiu Popa wrote: </div>
</div>
<blockquote type="cite">
<div>
<div>Hello everyone
<div><br>
</div>
<div>Does someone know
where we can find a
list with the
correlation between
CUCM services
(network and
feature) and their
corresponding log
files paths?</div>
<div><br>
</div>
<div>I'm having
problems logging
into RTMT, it stops
with the message
that it cannot reach
the cluster. The PC
log files are not
very specific and I
wanted to see on the
CUCM side what is
the problem. </div>
<div><br>
</div>
<div>
<div>2011-05-30
12:30:42,000
[SplashThread]
INFO rtmt.control
- validMLALogin():
inside
isSecureEnabled</div>
<div>2011-05-30
12:31:42,515
[SplashThread]
ERROR rtmt.control
- validMLALogin():
caught
java.lang.Exception,
e=java.net.SocketTimeoutException:
Read timed out</div>
</div>
<div><br>
</div>
<div>According to this</div>
<div><a href="http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/service/8_5_1/rtmt/rtintro.html#wp1278618" target="_blank">http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/service/8_5_1/rtmt/rtintro.html#wp1278618</a></div>
<div>the <span style="font-family:Arial,Helvetica,sans-serif;font-size:12px">Cisco
Communications
Manager servlet
handles RTMT and
the problem is
what is the path
for the logs for
this service...</span></div>
<div><span style="font-family:Arial,Helvetica,sans-serif;font-size:12px"><br>
</span></div>
<div><span style="font-family:Arial,Helvetica,sans-serif;font-size:12px">I
wasn't able to
find any
information about
these paths. It
seems we should
blindly trust RTMT
to collect the
files but they
don't say what
should we do when
we need to debug
RTMT itself?</span></div>
<div><span style="font-family:Arial,Helvetica,sans-serif;font-size:12px"><br>
</span></div>
<div><span style="font-family:Arial,Helvetica,sans-serif;font-size:12px">Thanks
for the input.</span></div>
<div><span style="font-family:Arial,Helvetica,sans-serif;font-size:12px"><br>
</span></div>
<div><span style="font-family:Arial,Helvetica,sans-serif;font-size:12px">Regards,</span></div>
<div><span style="font-family:Arial,Helvetica,sans-serif;font-size:12px">Ovidiu</span></div>
</div>
</div>
<pre><fieldset></fieldset>
_______________________________________________
cisco-voip mailing list
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a>
</pre>
</blockquote>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</blockquote>
<br>
</blockquote>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br>
</div></div></blockquote></div><br></div>
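<div>Added example, not part of the original thread: a small triage script run over the log lines quoted above. It measures how long each RTMT <code>validMLALogin()</code> attempt waited before the read timeout and separates slow 401 responses (authentication backend likely timing out, as with the unreachable LDAP servers here) from fast ones. The function names, the 30-second thresholds and the reading of the last access-log field as elapsed milliseconds are assumptions.</div>

```python
import re
from datetime import datetime

# Log lines copied from the thread above (RTMT client log, Tomcat localhost_access_log).
CLIENT_LOG = """\
2011-06-14 10:45:48,453 [SplashThread] INFO rtmt.control - validMLALogin(): inside isSecureEnabled
2011-06-14 10:46:48,968 [SplashThread] ERROR rtmt.control - validMLALogin(): caught java.lang.Exception, e=java.net.SocketTimeoutException: Read timed out
"""
ACCESS_LOG = """\
[14/Jun/2011:10:46:34 +0200] 127.0.0.1 127.0.0.1 5jN]mfY0mV - 8080 GET /manager/list HTTP/1.1 200 1234 2
[14/Jun/2011:10:46:51 +0200] 10.35.113.129 10.35.113.129 - - 8443 GET /ast/ASTisapi.dll ?ListConfig HTTP/1.1 401 2113 81571
"""

CLIENT_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
                       r"\[(?P<thread>[^\]]+)\] (?P<level>\w+)\s+(?P<msg>.*)$")
# The query string is optional, so anchor on the trailing "HTTP/x.y status bytes elapsed".
ACCESS_RE = re.compile(r"^\[[^\]]+\] (?P<client>\S+) .* (?P<port>\d+) (?P<method>[A-Z]+) (?P<path>\S+)"
                       r"(?: \?\S*)? HTTP/[\d.]+ (?P<status>\d{3}) \d+ (?P<elapsed>\d+)$")

def login_stalls(client_log, min_seconds=30.0):
    """Seconds between entering validMLALogin() and its read timeout, per attempt."""
    stalls, started = [], {}
    for line in client_log.splitlines():
        m = CLIENT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        if m["level"] == "INFO" and "validMLALogin()" in m["msg"]:
            started[m["thread"]] = ts
        elif "SocketTimeoutException" in m["msg"] and m["thread"] in started:
            waited = (ts - started.pop(m["thread"])).total_seconds()
            if waited >= min_seconds:
                stalls.append(waited)
    return stalls

def classify_auth_failures(access_log, slow_ms=30000):
    """Label each 401 as 'slow' (auth backend likely timed out) or 'fast' (rejected outright)."""
    out = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["status"] == "401":
            # Assumption: the last field is the request duration in milliseconds.
            kind = "slow" if int(m["elapsed"]) >= slow_ms else "fast"
            out.append((m["client"], m["path"], int(m["elapsed"]), kind))
    return out

if __name__ == "__main__":
    print(login_stalls(CLIENT_LOG))
    print(classify_auth_failures(ACCESS_LOG))
```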