Cisco Cisco Expressway
Expressway certificate / TLS connectivity issues
If the Expressway's server certificate or trusted CA certificates have been modified, you must restart the
Expressway before those changes will take effect.
Expressway before those changes will take effect.
If you are using secure profiles, ensure that the root CA of the authority that signed the Expressway-C
certificate is installed as a CallManager-trust certificate (
certificate is installed as a CallManager-trust certificate (
Security > Certificate Management
in the
Cisco
Unified OS Administration
application).
Expressway returns "401 unauthorized" failure messages
A "401 unauthorized" failure message can occur when the Expressway attempts to authenticate the
credentials presented by the endpoint client.The reasons for this include:
credentials presented by the endpoint client.The reasons for this include:
n
The client is supplying an unknown username or the wrong password.
n
ILS (Intercluster Lookup Service) has not been set up on all of the Unified CM clusters. This may result in
intermittent failures, depending upon which Unified CM node is being used by Expressway for its UDS
query to discover the client's home cluster.
intermittent failures, depending upon which Unified CM node is being used by Expressway for its UDS
query to discover the client's home cluster.
Call failures due to "407 proxy authentication required" or
"500 Internal Server Error" errors
"500 Internal Server Error" errors
Call failures can occur if the traversal zones on Expressway are configured with an Authentication policy of
Check credentials. Ensure that the Authentication policy on the traversal zones used for mobile and
remote access is set to Do not check credentials.
Check credentials. Ensure that the Authentication policy on the traversal zones used for mobile and
remote access is set to Do not check credentials.
Call bit rate is restricted to 384 kbps / video issues when
using BFCP (presentation sharing)
using BFCP (presentation sharing)
This can be caused by video bit rate restrictions within the regions configured on Unified CM.
Ensure that the Maximum Session Bit Rate for Video Calls between and within regions (
System
> Region Information > Region
) is set to a suitable upper limit for your system, for example 6000 kbps.
Endpoints cannot register to Unified CM
Endpoints may fail to register for various reasons:
n
Endpoints may not be able to register to Unified CM if there is also a SIP trunk configured between Unified
CM and Expressway-C. If a SIP trunk is configured, you must ensure that it uses a different listening port
on Unified CM from that used for SIP line registrations to Unified CM. See
CM and Expressway-C. If a SIP trunk is configured, you must ensure that it uses a different listening port
on Unified CM from that used for SIP line registrations to Unified CM. See
n
Secure registrations may fail ('Failed to establish SSL connection' messages) if the server certificate on
the Expressway-C does not contain in its Subject Alternate Name list, the names of all of the Phone
Security Profiles in Unified CM that are configured for encrypted TLS and are used for devices requiring
remote access. Note that these names — in both Unified CM and in the Expressway's certificate — must
be in FQDN format.
the Expressway-C does not contain in its Subject Alternate Name list, the names of all of the Phone
Security Profiles in Unified CM that are configured for encrypted TLS and are used for devices requiring
remote access. Note that these names — in both Unified CM and in the Expressway's certificate — must
be in FQDN format.
Unified Communications Mobile and Remote Access via Cisco Expressway Deployment Guide (X8.5)
Page 46 of 50
Appendix 1: Troubleshooting