Upgrading to VCS/Expressway X8.8 and Jabber MRA Broke? Here’s why…

VCS/Expressway X8.8 changes its behavior from prior versions. 8.8 does a reverse lookup of the IP addresses it's communicating with to make sure the result matches the hostname between C and E.

From the Release notes:

DNS entries: Do you have forward and reverse DNS lookups for all infrastructure systems that the Expressway interacts with? If the Expressway cannot resolve hostnames and IP addresses of systems, your complex deployments (e.g. MRA) could stop working as expected after you upgrade.

Oddly enough, on both of the systems that I've been involved in upgrading to 8.8.1, the Unified Communications traversal zone would show Active, and hard phones (8800 and DX 650) would register and work properly, but Jabber clients would be unable to log in, and Jabber would throw an error when trying to log in through MRA:

"Unable to Communicate with Server."

Running the debugging logs on Expressway-C, you see the following error:

"Certificate verification failed for host=x.x.x.x, additional info: 
Invalid Hostname expressway-e.domain.com"

The fix is to make sure that Expressway-C can do a reverse DNS lookup on the IP address of Expressway-E. Then flush the DNS cache of C to make sure it re-queries DNS properly.

The debugging log will give you the address and hostname it is trying to do the lookup on.

In a dual-NIC Expressway-E deployment the PTR record should point to the private IP address that C talks to. In a single-NIC NAT hairpin deployment, I've seen it talk on the private and public IP. So check that debug log.
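
The check described above can be run before or after the upgrade. This is an added example, not code from the original post or from Cisco: it pulls the IP and hostname out of the debug line and confirms that the PTR and forward records agree. It assumes it runs on a host whose system resolver uses the same DNS servers as Expressway-C; the sample address and hostname are constructed.

```python
import re
import socket
import sys

# Constructed sample in the shape of the Expressway-C debug line quoted above.
SAMPLE = ('"Certificate verification failed for host=10.0.0.20, additional info: \n'
          'Invalid Hostname expressway-e.example.com"')
LOG_RE = re.compile(r"Certificate verification failed for host=(?P<ip>[0-9A-Fa-f.:]+),"
                    r"\s*additional info:\s*Invalid Hostname (?P<name>\S+?)\"?$")

def parse_cert_failure(line):
    """Return (ip, hostname) from the debug line, or None if it does not match."""
    m = LOG_RE.search(" ".join(line.split()))  # collapse the wrapped line first
    return (m.group("ip"), m.group("name")) if m else None

def _norm(name):
    return name.rstrip(".").lower()

def system_ptr(ip):
    """Names the system resolver returns for a reverse lookup of ip."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:  # herror/gaierror: no PTR or resolver failure
        return []
    return [name, *aliases]

def system_a(name):
    """Addresses the system resolver returns for a forward lookup of name."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def check_reverse_dns(ip, expected, ptr_lookup=system_ptr, a_lookup=system_a):
    """Return a list of problems; an empty list means forward and reverse agree."""
    problems = []
    ptr_names = [_norm(n) for n in ptr_lookup(ip)]
    if not ptr_names:
        problems.append(f"no PTR record for {ip}")
    elif _norm(expected) not in ptr_names:
        problems.append(f"PTR for {ip} is {ptr_names}, expected {_norm(expected)}")
    if ip not in a_lookup(expected):
        problems.append(f"{expected} does not resolve forward to {ip}")
    return problems

if __name__ == "__main__":
    parsed = parse_cert_failure(sys.argv[1] if len(sys.argv) > 1 else SAMPLE)
    if parsed is None:
        sys.exit("line does not look like a certificate verification failure")
    for problem in check_reverse_dns(*parsed) or ["forward and reverse DNS agree"]:
        print(problem)
```

Pass the debug line as the first argument to check a real deployment; with no argument it parses the constructed sample.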