Lync 2010 External Phone Calling Issue

Hello:

We are having an issue with our Lync setup, specifically when external users are trying to make a phone call. For example, if someone at home tries to call someone here at corporate through Lync, what is happening is:

1) Call is placed
2) Signal is getting to the phone and it rings
3) Callee tries to answer the phone and the audio is never established.

Running packet traces finds that the traffic at the point of answering is trying to go back out using the private address of the home user (i.e., if the user's WAN address is 70.80.90.100 and their private address is 192.168.1.100) the traffic. Obviously this doesn't work as it's not routable, and there is a Deny error in the Cisco confirming this. In the Lync Edge Server setup I see the Audio/Video Edge service external FQDN and internal FQDN say not set. Is this related? I've found an article that states these need to be set to "av.yourdomainname.org" for the external and the internal should be "srv-lyncedge.yourdomainname.org". IM, desktop sharing, etc. all seem to work fine. The article also states that this is possibly a bug and should always be set to Not Set. I have also gone into the Topology Builder and for the A/V Edge service I am seeing:

FQDN: av.yourdomain.org, NAT Enabled, IP 192.168.X.9, NAT-Enabled public IPv4 address 98.XXX.XXX.128 (which is outside of our assigned range, which starts at 98.xxx.xxx.129), Port 443, Protocol TCP.   

Thanks,

Joe


April 15th, 2015 10:50am

Where do you see external FQDN and internal FQDN saying not set? 

If that NAT enabled IP is 98.XXX.XXX.128  and your range starts at .129, do you own the IP you're using?  Are you using a single IP for your external edge, or three public IPs?

Can you resolve av.yourdomain.org from the outside?

Can you resolve the lync edge pool name from the inside and does it point to the internal IP of the edge server?

Can clients communicate with the internal edge pool name on port TCP/443 and UDP/3478 or are there any firewall restrictions?

Can external clients communicate with 98.XXX.XXX.128 on TCP/443, UDP/3478, TCP/50000-59999 and UDP/50000-59999 per https://technet.microsoft.com/en-us/library/gg425891.aspx

April 15th, 2015 12:10pm

Anthony:

No, we do not own that IP we are using. .148 appears to be the AV External IP address and it's possible the previous admin mistyped it. We are using three public IPs.

>> Can you resolve av.yourdomain.org from the outside?

Yes it pings from outside.

>> Can you resolve the lync edge pool name from the inside and does it point to the internal IP of the edge server?

Yes to both.

It would probably be more helpful as well to see the firewall deny message. I've tried to post an image but it says until my account is verified I can't. From the Cisco Log:

172.xxx.xxx.103   53488    192.168.43.221 32436  Deny udp src inside: 172.xxx.xx.103/53488 dst outside:192.168.43.221/32436 by access-group "acl_in2out" 

Where .103 is the internal Lync Server IP and the 192 address is the actual private address of the external client.

Is some sort of NATing not happening?   

I have also now noticed on the Lync Edge server that the Lync Server Access Edge service will not start.  Every time I try to start it I get a 

The Lync Server Access Edge service terminated with service-specific error %%-1008124915.  Same for Web Conferencing Edge except the error number is %%-2147467259.

Thanks,

Joe 



April 15th, 2015 12:21pm
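An added example, not part of the original thread: a small Python parser for deny lines in the format quoted in the post above, which flags the condition the poster describes, namely traffic leaving toward the outside interface with an RFC 1918 destination. The function names and the sample addresses are assumptions made for this illustration.

```python
import ipaddress
import re

# Deny format as quoted in the post above; whitespace after "inside:" is tolerated.
DENY_RE = re.compile(
    r'Deny\s+(?P<proto>\w+)\s+src\s+(?P<src_if>[\w-]+):\s*(?P<src_ip>[\d.]+)/(?P<src_port>\d+)'
    r'\s+dst\s+(?P<dst_if>[\w-]+):\s*(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)'
    r'\s+by\s+access-group\s+"(?P<acl>[^"]+)"'
)

# Explicit RFC 1918 list: ipaddress.is_private also covers documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_deny(line):
    """Return the fields of one deny line as a dict, or None if it does not match."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["src_port"], rec["dst_port"] = int(rec["src_port"]), int(rec["dst_port"])
    return rec

def unroutable_denies(lines, egress_if="outside"):
    """Denies whose destination behind the egress interface is an RFC 1918 address."""
    hits = []
    for line in lines:
        rec = parse_deny(line)
        if rec is None or rec["dst_if"] != egress_if:
            continue
        try:
            dst = ipaddress.ip_address(rec["dst_ip"])
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        if any(dst in net for net in RFC1918):
            hits.append(rec)
    return hits

# Constructed sample lines; only the first mirrors the line quoted in the post.
SAMPLE_LOG = [
    'Deny udp src inside: 172.16.0.103/53488 dst outside:192.168.43.221/32436 by access-group "acl_in2out"',
    'Deny udp src inside:172.16.0.103/53490 dst outside:203.0.113.25/3478 by access-group "acl_in2out"',
    'Deny tcp src outside:198.51.100.7/40000 dst inside:172.16.0.103/443 by access-group "acl_out2in"',
    'Unrelated constructed line without a deny record',
]

if __name__ == "__main__":
    for hit in unroutable_denies(SAMPLE_LOG):
        print(f'{hit["proto"]} {hit["src_ip"]}:{hit["src_port"]} -> '
              f'{hit["dst_ip"]}:{hit["dst_port"]} blocked by {hit["acl"]}')
```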

So, if you're using three IPs, those three private IPs should be laid out in the topology builder with the NAT for the AV edge specified as well.

What does AV resolve to and ping from the outside, is it the .128?

I wouldn't worry about ACLs in general right now, none of this will work until you get your edge properly configured.

If it's easier, post the results of ipconfig /all on your edge, and a screenshot of the edge config from your topology builder and we can take a look.

April 15th, 2015 3:05pm

Anthony:

I am waiting on verification of my account so I can't post a screenshot now. Is there some way I can get them to you?

Thanks,

Joe

April 15th, 2015 3:28pm

Hi,

From your description above, the external user tries to connect to the internal IP of the Edge Server; it can be a routing issue. Please double-check the route first.

Please also check the certificate of the Edge Server external interface, and make sure all Edge external service FQDNs are in the public certificate SAN list.

Best Regards,
Eason Huang  

April 15th, 2015 11:01pm

This topic is archived. No further replies will be accepted.
