Hello:

We have having an issue with our Lync setup, specifically when external users are trying to make a phone call.   For example, if someone at home tries to call someone here at corporate thru Lync what is happening is:

1) Call is placed
2) Signal is getting to the phone and it rings
3) Callee tries to answer the phone and the audio is never established.

Running packet traces finds that the traffic at the point of answering is trying to go back out using the private address of the home user (ie if the users WAN address is 70.80.90.100 and their private address is 192.168.1.100) the traffic.  Obviously this doesnt work as its not routable and there is a Deny error in the Cisco confirming this.   In the Lync Edge Server setup I see the Audio/Video Edge service external FQDN and internal FQDN say not set.  Is this related?   Ive found an article that states these need to be set to "av.yourdomainname.org" for the external and the internal should be "srv-lyncedge.yourdomainname.org".   IM, desktop sharing, etc all seem to work fine.   The article also states that this is possibly a bug and should always be set to Not Set.  I have also gone into the Topology Builder and for the A/V Edge service i am seeing:

FQDN: av.yourdomain.org, NAT Enabled, IP 192.168.X.9, NAT-Enabled public IPv4 address 98.XXX.XXX.128 (which is outside of our assigned range, which starts at 98.xxx.xxx.129), Port 443, Protocol TCP.   

Thanks,

Joe

• Edited by Joseph Bucar Wednesday, April 15, 2015 3:50 PM

Anthony:

No we do not own that IP we are using.  .148 appears to be the AV External IP address and its possible the previous admin mistyped it.  We are using three public IPs. 

>> Can you resolve av.yourdomain.org from the outside?

Yes it pings from outside.

>> Can you resolve the lync edge pool name from the inside and does it point to the internal IP of the edge server?

Yes to both.

It would probably be more helpful as well to see the firewall deny message.  Ive tried to post an image but it says until my account is verified I cant.   From the Cisco Log:

172.xxx.xxx.103   53488    192.168.43.221 32436  Deny udp src inside: 172.xxx.xx.103/53488 dst outside:192.168.43.221/32436 by access-group "acl_in2out" 

Where .103 is the internal Lync Server IP and the 192 address is the actual private address of the external client.

Is some sort of NATing not happening?   

I have also now noticed on the Lync Edge server that the Lync Server Access Edge service will not start.  Every time I try to start it I get a 

The Lync Server Access Edge service terminated with service-specific error %%-1008124915.  Same for Web Conferencing Edge except the error number is %%-2147467259.

Thanks,

Joe 

• Edited by Joseph Bucar Wednesday, April 15, 2015 6:49 PM