After completing an upgrade to Expressway 8.8.1, it was noticed that Mobile and Remote Access (MRA) suddenly stopped working. After some searching and log files, it was found to be a DNS PTR record issue. The implemented “feature” that required the Expressway-E DNS PTR resolution had only been implemented as a requirement in version 8.8.1.
First, the issue was noticed on my iPhone when attempting to login (image below). In addition, my system failed to query external XMPP contacts.
Expressway Failed Login from iPhone
With the login successful internally and the Expressways just being upgraded, off to the logs. Upon digging around, I found the error text below.
2016-09-14T22:50:59.171-04:00 expressway-c XCP_JABBERD[19085]: UTCTime="2016-09-15 02:50:59,171" ThreadID="140012303779584" Module="Jabber" Level="WARN " CodeLocation="cvsservice.cpp:399" Detail="Certificate verification failed for host=192.168.2.98, additional info: Invalid Hostname expressway-e.destephen.c" 2016-09-14T22:50:59.172-04:00 expressway-c XCP_JABBERD[19085]: UTCTime="2016-09-15 02:50:59,172" ThreadID="140012303779584" Module="Jabber" Level="WARN " CodeLocation="ssl.c:505" Detail="The SSL Handshake failed for fd (19). SSL Error code: 1"
With this text, I knew nothing had changed with my certificates. Off to Google DuckDuckGo lead me to this site that commented about the release notes. Sure enough, in the release notes, it says that DNS reverse query records are required.
Expressway 8.8.1 Release Notes
With this, I knew that I had all my DNS configured previously. I attempted to dig the Expressway record for my deployment, expressway-e.destephen.com that should have resolved to 192.168.2.98. As expected, it was not working properly.
expressway-e.destephen.com DNS PTR Query
With the original configuration, there was no DNS record that was configured within my internal domian, destephen.local, that resolved to the expressway-e.destephen.com. I simply had a stub zone configuration within the Microsoft DNS servers that pointed to my destephen.com dns server. The fix was to add a new reverse lookup zone and a PTR record for the expressway-e.destephen.com address of 192.168.2.98.
First, the existing DNS configuration for my destephen.local DNS environment. There is no reverse lookup zone for the 192.168.2 range.
Existing DNS Environment for destephen.local
First step is to add the new Zone.
Adding a New Zone
Click Next to begin.
Adding a new Reverse Lookup Zone
We want to select a Primary Zone to support our needs.
Adding a new Reverse Lookup Zone
We want to enable the replication of this DNS Zone to other DNS servers, at least for my environment. This should be replicated to any DNS server that the Expressway-C is configured to query.
Adding a new Reverse Lookup Zone
IPv4 for the zone.
Adding a new Reverse Lookup Zone
Selecting the Network ID for the reverse lookup zone
Adding a new Reverse Lookup Zone
Selection of Secure Updates only for Microsoft DNS server only type environments, such as my own.
Adding a new Reverse Lookup Zone
Confirmation of the setup of the new Zone.
Adding a new Reverse Lookup Zone
With the new zone defined, we now need to create the new PTR address for expressway-e.destephen.com at 192.168.2.98. Note that 192.168.2.98 is my “inside” interface for the Expressway-E server.
Adding a new PTR Address
Insert the applicable details for your environment.
Adding a new PTR Address
Final configuration of the new Zone and the PTR entry.
Adding a new PTR Address
A dig -x from a destephen.local machine now successfully queries the expressway-e.destephen.com address.
Confirmation of PTR Configuration from OS X/Linux
Last but not least, a clearing of the DNS cache or restart of the Expressway-C server will allow the login of your MRA hosts and register XMPP contacts.
Thanks for reading!
Thanks for the post and the mention of log: “Module=”Jabber” Level=”WARN ” CodeLocation=”ssl.c:505″ Detail=”The SSL Handshake failed for fd (24). SSL Error code: 1″!
It helps me to resolve my issue.