Cisco TelePresence Video Communication Server Expressway
IM and Presence Service Realm Changes
Provisioning failures can occur when the IM and Presence Service realm has changed and the realm data on the VCS
Control has not been updated.
For example, this could happen if the address of an IM and Presence Service node has changed, or if a new peer has
been added to an IM and Presence Service cluster.
The diagnostic log may contain an INFO message like "Failed to query auth component for SASL mechanisms" because the VCS Control cannot find the realm.
Go to Configuration > Unified Communications > IM and Presence Service nodes and click Refresh servers and
then save the updated configuration. If the provisioning failures persist, verify the IM and Presence Service nodes
configuration and refresh again.
No Voicemail Service ("403 Forbidden" Response)
Ensure that the Cisco Unity Connection (CUC) hostname is included on the HTTP server allow list on the VCS Control.
"403 Forbidden" Responses for Any Service Requests
Services may fail ("403 Forbidden" responses) if the VCS Control and VCS Expressway are not synchronized to a
reliable NTP server. Ensure that all VCS systems are synchronized to a reliable NTP service.
Client HTTPS Requests are Dropped by VCS
This can be caused by the automated intrusion protection feature on the VCS Expressway if it detects repeated
invalid attempts (404 errors) from a client IP address to access resources through the HTTP proxy.
To prevent the client address from being blocked, ensure that the HTTP proxy resource access failure category
(System > Protection > Automated detection > Configuration) is disabled.
Unable to Configure IM&P Servers for Remote Access
'Failed: <address> is not a IM and Presence Server'
This error can occur when trying to configure the IM&P servers used for remote access (via Configuration > Unified
Communications > IM and Presence servers).
It is due to missing CA certificates on the IM&P servers and applies to systems running 9.1.1. More information and
the recommended solution is described in
Invalid SAML Assertions
If clients fail to authenticate via SSO, one potential reason is that invalid assertions from the IDP are being rejected by
the VCS Control.
Check the logs for "Invalid SAML Response".
One example is when ADFS does not have a claim rule to send the users' IDs to the VCS Control. In this case you will
see "No uid Attribute in Assertion from IdP" in the log.
The VCS is expecting the user ID to be asserted by a claim from ADFS that has the identity in an attribute called uid.
You need to go into ADFS and set up a claim rule, on each relying party trust, to send the users' AD email addresses
(or sAMAccountNames, depending on your deployment) as "uid" to each relying party.
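The check below is an added example, not part of the Cisco guide or of VCS: it inspects a SAML response captured from your own IdP and reports whether an attribute named uid is asserted, listing what the IdP sent instead when it is not. The sample responses, the function names and the exact-match rule on the name "uid" are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTR_PATH = ".//saml:Assertion/saml:AttributeStatement/saml:Attribute"

def decode_post_binding(b64_value):
    """Decode the base64 SAMLResponse form field used by the HTTP-POST binding."""
    return base64.b64decode(b64_value).decode("utf-8")

def assertion_attributes(response_xml):
    """Return {attribute Name: [values]} for every unencrypted assertion."""
    # Troubleshooting aid for responses from your own IdP; it is not a validator
    # (no signature, issuer or condition checks are performed).
    found = {}
    for attr in ET.fromstring(response_xml).iterfind(ATTR_PATH, NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        found.setdefault(attr.get("Name", ""), []).extend(values)
    return found

def check_uid(response_xml):
    """Assumption: the attribute must be named exactly 'uid', as the text states."""
    attrs = assertion_attributes(response_xml)
    values = [v for v in attrs.get("uid", []) if v]
    if values:
        return True, "uid asserted: " + ", ".join(values)
    sent = ", ".join(sorted(attrs)) or "none"
    return False, "no usable uid attribute; IdP sent: " + sent

def sample_response(attr_name, value):
    """Constructed minimal response; a real one is signed and carries more fields."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion><saml:AttributeStatement>"
        f'<saml:Attribute Name="{attr_name}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
        "</samlp:Response>"
    )

# Constructed inputs: an e-mail claim sent under its default claim-type URI
# (no uid rule), and the same identity sent as "uid".
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
SAMPLE_NO_RULE = sample_response(EMAIL_CLAIM, "alice@example.com")
SAMPLE_WITH_RULE = sample_response("uid", "alice@example.com")
SAMPLE_WITH_RULE_B64 = base64.b64encode(SAMPLE_WITH_RULE.encode()).decode()

if __name__ == "__main__":
    for label, xml in (("no claim rule", SAMPLE_NO_RULE), ("uid claim rule", SAMPLE_WITH_RULE)):
        print(label, "->", check_uid(xml))
```

Run it against the response for each relying party trust, since the claim rule has to exist on each one.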
Document Revision History
The following table summarizes the changes that have been applied to this document.
Mobile and Remote Access Through Cisco Video Communication Server Deployment Guide