Search This Blog

Monday, December 16, 2013

External lync user can not start audio with internal user

Recently I was troubleshooting a case where externally connected internal Lync user could not establish audio call with internal client. From client log we see

INVITE (message shows 5 candidates, we also see that hotspot firewall blocks UDP, so this client will have only limited choise of TCP to establish media flow. Number of IP4 candidates should be 6+ in ideal situation),

SIP Trying

SIP OK (we get SIP responce from another end and list of candidates from the other side), we can now exchange IM chats

SIP ACK and then suddenly SIP BYE. No audio call is esablished.

IN SIP BYE we observe an error:

ms-client-diagnostics: 23; reason="Call failed to establish due to a media connectivity failure when one endpoint is internal and the other is remote";CalleeMediaDebug="audio:ICEWarn=0x4000322,LocalSite=,LocalMR=xxx:50452,RemoteSite=,RemoteMR=yyy:50175,PortRange=49152:49191,LocalMRTCPPort=50452,RemoteMRTCPPort=50175,LocalLocation=1,RemoteLocation=2,FederationType=0,NetworkName=test,Interfaces=0x14,BaseInterface=0x4,BaseAddress="

if we lookup ICEWarn=0x4000000 in the resource kit:

we could see that problem is coming from egde firewall:

TCP-TCP connectivity checks failed over the TURN Server.
This is indicating that TURN TCP-TCP connectivity check was tried and it failed. The failure indicates that port 443 was not opened on the firewall. If one of the TURN servers was 2007 A/V Edge Server. The administrator needs to open ports from 50,000 through 59,999 TCP to all external Audio/Video Edge services in the environment. This flag isn’t expected and may result in an ICE protocol failure.

Then I have to check if 443 is open, but since I have no access to the Cisco ASA, I use telnet to test the port. The problem with windows telnet is that I can not change IP source address. On the edge if you run telnet 443 you will use address of first IP address (Access). That was ok. But to test thirst IP (AV) i had to download ncat
and then run from edge cmd  (
ncat -s IP_ADDR_AV_EDGE 443
and it was immediately rejected meaning that this direction the port is closed.

When escalated incident was solved by ASA admin, audio calls started flowing.

For more detailed information on connection scenarios refer to

UPDATE: it may happen that firewall is ok, but the VM was migrated to a ESX host that has different VLAN setup and this may prevent traffic also.

No comments: