Blog

You are currently viewing TROUBLESHOOTING CISCO JABBER LOGIN PROBLEMS

TROUBLESHOOTING CISCO JABBER LOGIN PROBLEMS

TROUBLESHOOTING CISCO JABBER LOGIN PROBLEMS

Cisco Jabber is one of the most critical tools in the modern and mobile workforce collaboration. Clients are using its instant messaging, voice and video calls, voice messaging, desktop sharing, conferencing and presence. Any disruption in the availability of these services is resulting into sever business disruption. Let us understand about troubleshooting Cisco Jabber login issues.

Introduction: This document outlines the Cisco Jabber login issues the typical troubleshooting steps in two different scenarios:

  1. Basic checks
  2. Logging in using Mobile & Remote Access via Cisco Expressway
  3. Logging in while being in internal/corporate network

First thing to do while facing sign-in issues with Cisco Jabber is this:

If you fail to sign in, following steps can be followed:

  •  Confirm if the device and the operating system you are trying to use is supported.
  •  Confirm if you have access to your corporate network from the network of Wi-Fi that you are using.
  •  Once the access to your corporate network is confirmed from the network you are using, check with your system administrator if your collaboration edge environment is setup properly.
  •  Check if your VPN connection is active (If VPN is required). If the VPN is not connected, contact your system administrator
  •  While using Phone Services, check the network connection between your device and the corporate network as per the steps mentioned below:
  1.  Open Internet browser.
  2.  Try to connect the administration pages for your corporate calling system by using the following URL in your Internet browser: https://your company's Cisco Unified Communications Manager server address. Example: https://209.165.200.224 If you do not have the address for your company's Cisco Unified Communications Manager server, get it from your system administrator and try the above mentioned steps.
  3.  If you cannot access the administration pages for your corporate calling system, try again from a different network access point. If you still cannot access the administration pages for your corporate calling system, contact your system administrator to find out if there is a network issue.
  •  If you are using Cisco Unified Communications Manager IM and Presence Service Service Release 9.1 or earlier, check that you can sign in with your user account as follows:
    1. Enter the URL using the following format: https://presence server name/ccmuser. If you cannot access the server, contact your system administrator to find out if
    there is a network issue.
    2. Sign in with your username and password. If the sign-in fails, please confirm your username and password with your system administrator.
  •  If you are using Cisco Unified Communications Manager IM and Presence Service Service Release 10.0, check that you can sign in using your user account as follows:
    1. Enter the URL using the following format: https://ccm server name/ccmuser. If you still cannot access the server, contact your system administrator to find out if there is a network issue.
    2. Sign in with your username and password.
    If the sign-in fails, please confirm your username and password with your system administrator.
  • If you are using Cisco Unified Communications Manager IM and Presence Service Service, check the network connection between your device and the server as follows:
    1. Open a ping utility to ping the Cisco Unified Communications Manager IM and Presence Service server.
    2. Enter the Fully Qualified Domain Name of the server in the following format:
  • presence server name.domain.com If you cannot ping the server, contact your system administrator.

Android

If you cannot sign in, try the following troubleshooting tips:

  •  Check that you are using a supported device and operating system. For information about supported devices and operating systems, see the Cisco Jabber for Android Release Notes for your release.
  • Check that you are using the correct release of Cisco Jabber for Android. You can download the latest release of Cisco Jabber for Android from the Google Play Store.
  •  Check that your VPN is connected (if VPN is required). If your VPN is not connected and you are not using Expressway Remote and Mobile Access, contact your system administrator for configuration details.
  • If you are using HTTP basic SAML SSO authentication and the sign-in fails when switching users with the Reset Jabber functionality:
    1. Reset Cisco Jabber.
    2. Force Quit the application fully in Android OS.
    3. Log in.
  •  If you are using Phone Services, check the network connection between your device and the corporate network as follows:
    1. Open your web browser.
    2. Try to access the administration pages for your corporate calling system by entering the following URL in your web browser: http://cisco_unified _communications_manager_node_name_or_ip_address/ucmuser. Contact your system administrator if you do not have the address for your company's Cisco Unified Communications Manager node.
    3. If you cannot access the administration pages for your corporate calling system, try again from a different network access point. If you still cannot access the administration pages for your corporate calling system, contact your system administrator to find out if there is a network issue.
  •  If you are using Cisco Unified Communications Manager IM and Presence Service, check the network connection between your device and the node as follows:
    1. Open a ping utility to ping the Cisco Unified Communications Manager IM and Presence Service node.
    2. Enter the Fully Qualified Domain Name or IP address of the node in one of the following formats:
  • presence_node_name.domain.com
  • ip_address.domain.com

If you cannot ping the node, contact your system administrator.

  •  If you are using a tablet, contact your system administrator to ensure that it is set up for use. Some
    tablet services require extra configuration that may not have been performed.
  •  If you still cannot set up Cisco Jabber for Android, send a problem report to your system administrator.
    Ref : https://help.webex.com/en-us/WBX9000017516/Cisco-Jabber-Sign-in-Issues

LOGGING IN USING MOBILE & REMOTE ACCESS VIA CISCO EXPRESSWAY
Once the pointers mentioned in the previous sections are taken care of, let us go through the first scenario of Logging in using Mobile & Remote Access via Cisco Expressway. Problem:
Cisco Jabber login error ‘Cannot communicate with the server’ when trying to communicate using mobile and remote access using Cisco Expressway

In this scenario, it is assumed that the user is able to login using inside the corporate LAN and focus our troubleshooting efforts on Expressway pair servers.
Step 1: Verify the DNS and firewall related configurations

A. Verify that the collab-edge.tls.company.com SRV type DNS record is present.
Please note that it is important to set the type to SRV. In this example below, we use a well-known public DNS server.

B. Verify that the returned FQDN of the Expressway-Edge server from the SRV record is resolving to an IP address.

C. Verify that the Cisco Expressway-Edge server's FQDN name matches exactly the value created in the collab-edge SRV record.

D. Verify that the corporate firewall has a rule for port 8443 that forwards traffic to the DMZ LAN interface of the Expressway-Edge server.

STEP2. Verify that the traversal-zone between Cisco Expressway Edge and Core servers are <<Active>>.

A. Verify the Expressway-Edge server.

B. Verify the Cisco Expressway-Core server.

C. Verify that Unified Communications status on Cisco Expressway-Core is
enabled and configured.

If both the main configuration and the Cisco Expressway-Edge and Core servers are active then
proceed to step 3 and start digging in to the log files.
STEP 3.  Check the log files of Expressway.
a. Start by checking the Network logs and filter using <<trafficserver>>.
This will help you see how the get_edge_config process between the Edge and Core servers
is happening.

b. Now begin a diagnostic log and reproduce your problem.
Make sure to check <<take tcpdump while logging>> which will generate a pcap file as well.
Note: there is an alarm active once you start your diagnostic log and it will disappear
automatically when you stop the diagnostics. There is also a <<download>> option available
after diagnostic logging is complete. These logs are the first thing that the Cisco TAC will
require from you, if you open a case with Cisco in regards to Expressway.

c. Analyze the logs.
The following identify the two most common errors to look for in your diagnostic logs.

a. Error: <<SIP/2.0 405 Method Not Allowed>>
If this error is found in the Core logs, it is in response to SIP registration request
failure.
Resolution: The error is usually due to an existing SIP trunk between Expressway-C
and CUCM using port 5060/5061 (the trunk is not used for MRA, but usually is
created for another feature of Expressway – B2B dialing). In order to correct the
issue, you will have to change the SIP port on the SIP Trunk Security Profile that is
applied to the existing SIP trunk configured in CUCM. You can use 5065 instead.
b. Error: <<edgeconfigprovisioning: Level="WARNING" Service="UDSManager"
Detail="User cluster not found">>
If this error is found and you have multiple Unifed CM clusters defined in
Expressway-Core.
Resolution: In this case ILS (Intercluster Lookup Service) must be set up on all of the
clusters. This is because the Expressway has to authenticate a client against its home
Unified CM cluster, and to discover the home cluster it sends a UDS (User Data
Service) query to any one of the Unified CM nodes over ILS.

After you have completed the above three steps you should have been able to identify and resolve
your Jabber "cannot communicate with the server" error.
Ref:
https://info.stack8.com/blog/troubleshooting-jabber-login-errors-via-cisco-expressway

LOGGING IN WHILE BEING IN INTERNAL/CORPORATE NETWORK
There are two steps in troubleshooting Jabber Login, namely Cisco Unified Communications
Manager Server (CUCM) Login and IM and Presence Server (IMP) Login
The typical flow of events is
 CUCM Service Discovery –
 CUCM User Authentication –
 CUP-SOAP Login –
 CUP-XMPP Login

 CUCM Login involves Service discovery to identify the CUCM server to which Jabber should login.
 Jabber user Authentication with CUCM to retrieve the Service profile details which contains IMP
server , Voicemail , Conferencing ,CTI server details and also Device Configuration file for Phone
services.
 Once CUCM Login is successful, Jabber will login to IMP server to authenticate and retrieve the
contact list and other IM services.
 IMP Login has two stages namely SOAP Login which deals with User authentication and then
XMPP Login which deals with XMPP session creation and Stream Management.

HOW TO COLLECT LOGS
Primarily, clear the cache on PC and collect the clean Jabber Problem Report (PRT). These are the
steps to do the same
1. Sign out and exit the Jabber application.
2. Delete all the existing logs located at
%AppData%\Local\Cisco\Unified Communications\Jabber\
%AppData%\Roaming\Cisco\Unified Communications\Jabber\
3. Restart Jabber and recreate the problem by logging in.
4. Collect the Problem report (From Jabber Help Menu, Select Report a problem option to
launch problem reporting tool and follow instructions).

Keywords to Search in Logs
IMPStackCap::Login::OnLoginError
ServiceDiscoveryHandlerResult

STAGES TO TROUBLESHOOT
Stage 1. CUCM Service Discovery
Error on screen Cause What to check in Jabber log
Cannot find your services
automatically. Click advanced
settings to set up manually

This error is seen when _cisco-uds or
_cuplogin SRV records are not
configured in the DNS server csf::dns::mapFromWindowsDNSResult

Sample Log Snippet
017-03-19 17:55:00,422 WARN  [0x000050ac] [src\dnsutils\win32\win32DnsUtils.cpp(52)] [csf.dns]
[csf::dns::mapFromWindowsDNSResult] – *—–* DNS query _cisco-uds._tcp.appslab.com. has
failed: DNS name doesnot exist.  (9003).
2017-03-19 17:55:00,438 WARN  [0x000050ac] [src\dnsutils\win32\win32DnsUtils.cpp(52)] [csf.dns]
[csf::dns::mapFromWindowsDNSResult] – *—–* DNS query _cuplogin._tcp.appslab.com. has failed:
DNS name does not exist. (9003).
Steps to Resolve
Step 1. First start nslookup (on a windows client ) start the command prompt and then
enter nslookup.
Step 2. Next set the query type to SRV
set type = SRV
Step 3. After that insert the SRV record we need to check
_cisco-uds._tcp.example.com
Step 4. This returns the DNS A records pointing to the CUCM servers. This is an example
of the Successful _cisco-uds SRV record. If no records returned, contact your DNS
Administrator to configure the SRV records

Stage 2. CUCM User Authentication
Error on screen Cause What to check in Jabber log
Your username or
password is not
correct

This error is seen when the credentials
entered is wrong or user is locked in
CUCM/LDAP "FAILED_UCM90_AUTHENTICATION"

Sample Log Snippet
2017-01-09 08:59:10,652 INFO [0x00001740] [vices\impl\DiscoveryHandlerImpl.cpp(460)] [service-
discovery] [CSFUnified::DiscoveryHandlerImpl::evaluateServiceDiscoveryResult] –
ServiceDiscoveryHandlerResult return codeFAILED_UCM90_AUTHENTICATION
Steps to Resolve
Step 1. Ensure that the User you try to login as is configured as Enduser in CUCM by
going to CUCM Administration -Enduser page.
Step 2. Verify if credentials are correct and user is active by logging into CUCM Self care
Portal .This image refers to scenario where the  LDAP is unable to authenticate the user either
because the user is not a valid user or password supplied is incorrect.
Step 3. If this issue is seen for all users you need to verify if the LDAP syncronisation and
LDAP Authentication settings on CUCM Administration -System > LDAP is correct.
Error on screen Cause What to check in Jabber log

Cannot communicate
with the server

Jabber is unable to resolve/reach the
CUCM FQDN/HOSTNAME that it
received during the Service discovery "FAILED_UCM90_CONNECTION"

Sample Log Snippet
2017-08-28 12:04:00,282 INFO [0x00004290] [vices\impl\DiscoveryHandlerImpl.cpp(452)] [service-
discovery] [CSFUnified::DiscoveryHandlerImpl::evaluateServiceDiscoveryResult] –
ServiceDiscoveryHandlerResult return codeFAILED_UCM90_CONNECTION
Steps to Resolve
Step 1. Test if you are able to open this URL in the browser on the PC https://<CUCM
IP/FQDN> :8443/cucm-uds/version
Unsuccesful                                                                                                     Successful

Step 2. If the response is unsuccessful, please verify if DNS is configured correctly to
resolve them and also if no Network Elements like Firewall/ASA is blocking port 8443.

Step 3.This URL must be tested for all CUCM Servers in the cluster. In order to know the
list of Servers, navigate to CUCM Administration -System > Server.

Error on screen Cause

What to check in Jabber
log

Cannot
communicate with
the server

This error is seen when the userid entered in
Jabber doesnt match with userid configured in
CUCM "FAILED_USER_LOOKUP"

Sample Log Snippet
2016-08-18 13:14:49,943 INFO [0x000036e4] [vices\impl\DiscoveryHandlerImpl.cpp(367)] [service-
discovery] [DiscoveryHandlerImpl::evaluateServiceDiscoveryResult] – ServiceDiscoveryHandlerResult
return codeFAILED_USER_LOOKUP
Steps to Resolve
Step 1. Test if you are able to open this URL in the browser on the PC https://CUCM:8443/cucm-
uds/clusterUser?username=<userid>
Step 2. Check if the userid that is being entered in Jabber matches the userid in CUCM End user
page.
Tip: Jabber has UPN discovery enabled by default and hence get the userid prepopulated from LDAP UPN
field. Check if UPN is same as configured in CUCM, if you need to disable UPN discovery ,set
UPN_DISCOVERY_ENABLED=false during installation
Stage 3. SOAP Login (IM and Presence Login)
Error on screen Cause What to check in Jabber log
Your username or
password is not correct

This error is caused due to
user Authentication failure "LERR_CUP_AUTH"

Sample Log Snippet
2017-01-14 15:55:09,615 INFO  [0x00000dc0] [ts\adapters\imp\components\Login.cpp(99)]
[imp.service] [IMPStackCap::Login::OnLoginError] –
****************************************************************
2017-01-14 15:55:09,615 INFO  [0x00000dc0] [s\adapters\imp\components\Login.cpp(100)]
[imp.service] [IMPStackCap::Login::OnLoginError] – OnLoginError: (data=0) LERR_CUP_AUTH <12>:
201-01-14 15:55:09,615 INFO  [0x00000dc0] [s\adapters\imp\components\Login.cpp(101)]

[imp.service] [IMPStackCap::Login::OnLoginError] –
****************************************************************
Steps to Resolve
Step 1. Check if user is assigned to a Presence Node and there are no duplicates for the user (IM
and presence Administration > Diagnostics > System troubleshooter) .

Step 2. Check if the High Availability (HA) state is Normal and no Failover has occured. If you have
tried assigning user during abnormal HA state, Users are not assigned to any IMP node and login
fails and now you need to recover the HA state first and re-assign the user.
Step 3. Ensure that the credentials are valid.
1. In case of LDAP user, verify if user is able to login to CUCM Selfcare portal.
2. If ccmenduser page login fails, check the LDAP Authentication settings in CUCM and also verify the
same settings are replicated to IMP
run sql select * from ldapauthentication
run sql select * from ldapauthenticationhost
3. Check if the account is not locked in LDAP
4. If user was recently enabled for Presence, restart Cisco Sync Agent service on IMP Publisher.

Step 4. Check the server is having a high TOMCAT CPU consumption
 show process load
 utils diagnose test

Step 5. Set these services log to DEBUG and then recreate the Login issue and collect the logs
 Client Profile Agent
 Cisco Tomcat
 Event Viewer-Application Log
 Event Viewer-System Log

Error on screen Cause What to check in Jabber log
Cannot
communicate with
the server

This error is caused due to Issues
with IMDB or TCP connectivity to IMP

"LERR_CUP_UNREACHABLE" ,
"LERR_CUP_TIMEOUT"

Sample Log Snippet
2017-11-08 16:03:20,051 DEBUG [0x00003a0c] [s\adapters\imp\components\Login.cpp(127)]
[IMPServices] [CSFUnified::IMPStackCap::Login::OnLoginError] –
************************************************
2017-11-08 16:03:20,051 INFO  [0x00003a0c] [s\adapters\imp\components\Login.cpp(128)]
[IMPServices] [CSFUnified::IMPStackCap::Login::OnLoginError] – OnLoginError:
LERR_CUP_UNREACHABLE
2017-11-08 16:03:20,051 DEBUG [0x00003a0c] [s\adapters\imp\components\Login.cpp(129)]
[IMPServices] [CSFUnified::IMPStackCap::Login::OnLoginError] –
*************************************************
Steps to Resolve
Step 1. Check if IMP FQDN/Hostnames are resolvable from client PC.
Step 2. Check if you can open this URL in browser https://<IMP SERVER
FQDN/IP>:8443/EPASSoap/service/v105
Successful                                                                                                                     Unsuccessful
Step 3. Verify that firewall/VPN is not blocking the connectivity to IMP server ( Port 8443,5222)
Step 4. Verify if this service runs in IMP server: Cisco Client profile Agent
Step 5. Set these services log to DEBUG, recreate the Login issue and then collect the logs if
above steps doesn’t resolve the problem.
 Cisco XCP Router
 Cisco XCP connection Manager
 Cisco XCP Authentication Service
 Client Profile Agent

Tip: If the problem persists for only one user, you can try to unassign and re-assign the user for presence
in CUCM. If it’s a system wide problem, collect the logs and check the services status
Error on screen Cause What to check in Jabber log
Cannot communicate
with the server

Usually this error is caused
due to Issues with IMDB "LERR_CUP_INTERNAL_ERROR"

Sample Log Snippet

2017-11-08 16:03:20,051 DEBUG [0x00003a0c] [s\adapters\imp\components\Login.cpp(127)]
[IMPServices] [CSFUnified::IMPStackCap::Login::OnLoginError] –
************************************************
2017-11-08 16:03:20,051 INFO  [0x00003a0c] [s\adapters\imp\components\Login.cpp(128)]
[IMPServices] [CSFUnified::IMPStackCap::Login::OnLoginError] – OnLoginError:
LERR_CUP_INTERNAL_ERROR
2017-11-08 16:03:20,051 DEBUG [0x00003a0c] [s\adapters\imp\components\Login.cpp(129)]
[IMPServices] [CSFUnified::IMPStackCap::Login::OnLoginError] –
*************************************************
Steps to Resolve
Step 1. Perform Mandatory checks
Step 2. Verify if following services are running in IMP server
 Cisco XCP Router
 Cisco XCP connection Manager
 Cisco XCP Authentication Service
 Cisco Presence Login Datastore

Step 3. Check if this Field notice is applicable
Field Notice: FN – 64267 – Cisco Unified Communications Manager IM & Presence causes Cisco
Jabber login failures – Software Upgrade Recommended
Step 4. Set these services log to DEBUG, recreate the Login issue and then collect the logs if
above steps doesnt resolve the problem.
 Cisco XCP Router
 Cisco XCP connection Manager
 Cisco XCP Authentication Service
 Client Profile Agent
 Cisco Presence Login Datastore
 Event Viewer-Application Log
 Event Viewer-System Log

Step 5. Reboot the cluster to recover the situation.

Stage 4. XMPP Login (IM and Presence Login)
Error on screen Cause What to check in Jabber log
Cannot
communicate with
the server

Commonly seen when Jabber
cannot create a session and bind
itself in IMP server

LERR_JABBER_AUTH <17>: Authentication error with
server e.g. resource bind, TLS, create session or SASL error"

Sample Log Snippet
2017-10-27 10:56:47,396 DEBUG [0x00007fff8b3d7340]
[s/adapters/imp/components/Login.cpp(127)] [IMPServices] [OnLoginError] –
****************************************************************
2017-10-27 10:56:47,396 INFO  [0x00007fff8b3d7340] [s/adapters/imp/components/Login.cpp(128)]
[IMPServices] [OnLoginError] – OnLoginError: LERR_JABBER_AUTH <17>: Authentication error with
server e.g. resource bind, TLS, create session or SASL error
2017-10-27 10:56:47,396 DEBUG [0x00007fff8b3d7340]
[s/adapters/imp/components/Login.cpp(129)] [IMPServices] [OnLoginError] –
****************************************************************
Steps to Resolve
Step 1. Check if the cup-xmpp Certificates are valid.

Step 2. Check if the Port 5222 is open.

Step 3. Set the following services log to DEBUG and then recreate the Login issue and collect the
logs before step 4  if Root cause to be identified as Reboot of the server is the only fix known so
far
 Cisco XCP Router
 Cisco XCP connection Manager
 Cisco XCP Authentication Service
 Client Profile Agent
 Event Viewer-Application Log
 Event Viewer-System Log
Step 4. Reboot the server to resolve the issue.
Error on screen Cause What to check in Jabber log
Cannot communicate with the
server

Seen when IMP is not resolvable or
reachable due to Network problems like

"LERR_JABBER_UNREACHABLE "

firewall

Sample Log Snippet
2014-12-15 12:07:31,600 INFO  [0x00001670] [ts\adapters\imp\components\Login.cpp(96)]
[imp.service] [IMPStackCap::Login::OnLoginError] –
****************************************************************
2014-12-15 12:07:31,600 INFO  [0x00001670] [ts\adapters\imp\components\Login.cpp(97)]
[imp.service] [IMPStackCap::Login::OnLoginError] – OnLoginError: (data=0)
LERR_JABBER_UNREACHABLE <16>:
2014-12-15 12:07:31,600 INFO  [0x00001670] [ts\adapters\imp\components\Login.cpp(98)]
[imp.service] [IMPStackCap::Login::OnLoginError] –
****************************************************************
Steps to Resolve
Step 1. Check if IMP FQDN/Hostnames are resolvable.

Step 2. Verify that firewall/VPN is not blocking the connectivity to IMP server ( Port 8443,5222).

Step 3. Verify if these services are running in IMP server and restart them once.
 Cisco XCP Router
 Cisco XCP connection Manager
 Cisco XCP Authentication Service

Step 4. Perform Mandatory checks.
Step 5. Set thse services log to DEBUG, recreate the Login issue and then collect the logs if above
steps doesnt resolve the problem.
 Cisco XCP Router
 Cisco XCP connection Manager
 Cisco XCP Authentication Service
 Client Profile Agent
 Event Viewer-Application Log
 Event Viewer-System Log

Step 6. In case of all users experiencing the same error, a server Reboot can be done for quick
recovery.
Mandatory Checks

Step 1. Check if user is assigned to a Presence Node (navigate to IM and Presence
Administration > System > Topology) and there are no duplicates for the user(navigate to IM
and Presence Administration > Diagnostics > System troubleshooter)
Step 2. If High Availability is enabled, navigate to CUCM Administration > Server > Presence
Redundancy Group and check if they are in Normal state. This is the image of how Normal state
looks. For more information about High Availability can be found here.
Abnormal State

Normal State

Step 3. Check High Availability Replication status.
a.utils dbreplication runtimestate

b.run pe sql ttlogin select count(*) from typesysreplication

or
utils imdb_replication status ( 10.5.2 SU2a and above)
https://www.cisco.com/c/en/us/support/docs/unified-communications/jabber/212471-
jabber-login.html#anc5

For any details and queries related to certification and training, please get in touch with us at
www.octanetworks.com