Forum Discussion
Skype for Business hybrid - Issues between on-premise and Teams only users
Hi everyone,
I successfully configured Skype for Business hybrid between my on-premises Skype for Business environment and Skype for Business Online/Microsoft Teams and I migrated my first user into Teams with "Move-CsUser" command. However we have sereval issues when a purely on-premise user wants to cooperate with a migrated Teams Only user:
Calling from on-premise to Teams is working fine but when a Teams user calls a Skype for Business user, the connection will be unstable. The audio call builds up without any problem, the problems are starting when some "action" is starting (for example when a party turns on his/her camera, the call will be disconnected within 30 seconds).
Presence is on-way only so Teams users see the presence of SfB users but SfB users see Teams users as Offline.
I captured a SIP error when a call was disconnected, let me show you:
TL_INFO(TF_PROTOCOL) [2]1808.1034::10/08/2022-14:24:58.702.00000286 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(264))[1aabcb79-c13b-5ab0-861a-bfff80e0d52c] $$begin_record
Instance-Id: 337
Direction: incoming;source="external edge";destination="internal edge"
Peer: sipfed.online.lync.com:5061;ip-address=52.112.192.139
Message-Type: response
Start-Line: SIP/2.0 504 Server time-out
From: "" <sip:email address removed for privacy reasons>;epid=8a491aa5aa;tag=1a882c7292
To: "on_prem_user"<sip:email address removed for privacy reasons>;epid=8A684AB9BC;tag=2650fd94b
Call-ID: 413c925c-4b95-42c7-8e4a-3d191b3f6e92
CSeq: 1 BYE
Via: SIP/2.0/TLS 10.11.19.10:49950;branch=z9hG4bKCD1C9668.444BB43E0A1595DA;branched=FALSE;ms-internal-info="caH1kdKhQQbHPP4FE5G3t11vljWVJOIhFm0rSK52Yx8CU-tEtEI7jUKQAA";received=XXX.XXX.XXX.XXX;ms-received-port=49950;ms-received-cid=5DCA1300
Via: SIP/2.0/TLS 10.11.11.40:61791;branch=z9hG4bK7D980A6C.576D89AA0A1B75DA;branched=FALSE;ms-received-port=61791;ms-received-cid=600
Via: SIP/2.0/TLS 10.11.11.41:49940;branch=z9hG4bK65240C76.EB7556FD0A1595DA;branched=FALSE;ms-received-port=49940;ms-received-cid=11DC00
Via: SIP/2.0/TLS 192.168.125.139:49803;received=XXX.XXX.XXX.XXX;ms-received-port=58708;ms-received-cid=900
Content-Length: 0
ms-diagnostics: 1010;reason="Certificate trust with another server could not be established";expected-fqdn="sfbedge.mydomain.com";certName="a-lgw-uswe-02.lgw.skype.com";cause="Possible server configuration issue";info="The peer certificate does not contain a matching FQDN";source="sipfed.online.lync.com";source-server="RD38563D7FA25E"
ms-split-domain-info: ms-traffic-type=SplitIntra
ms-telemetry-id: 1AABCB79-C13B-5AB0-861A-BFFF80E0D52C
Server: RTC/7.0How could I resolve the issue? I checked as many thing as I can: firewall (all neccessary ports are open inbound and ourbound), certificates, etc.
Thank you in advance,
Balint
52 Replies
- Microsoft has an open issue on this in 365 portal. An update that went wrong. Probably solved by an fix on december the 2nd.
- The issue is still open but everything works for us today.
Next update december 27.
I'm seeing the same thing here, starting at the same time. I have a case opened with the Teams team and the SfB product team. Hopefully we'll be able to get some eyes on this soon from MS.
- good luck - five days with premier support and they have no clue...
- Are you comfortable in sharing your case numbers? Perhaps we can pass them along to the respective teams to help prove the issue. I can't get passed the consultants wanting to just close the case and blaming the on-prem.
My case with Teams is 33673862 and my case with SfB product support is 33681221 if that can help you push on your end!
ms-diagnostics: 1010;reason="Certificate trust with another server could not be established";expected-fqdn="sfbedge.mydomain.com";certName="a-lgw-uswe-02.lgw.skype.com";cause="Possible server configuration issue";info="The peer certificate does not contain a matching FQDN";source="sipfed.online.lync.com";source-server="RD38563D7FA25E"
This indicates an issue with your certificates and the 30 seconds dropped calls usually indicates an issue with A/V certificate. So check your A/V certificate, remember a new certificate should be assigned using -roll as the already issued tokens are valid for up to 8 hours.
Also check if your firewall does any deep inspection on the A/V connections, this could also be an issue with the same symptoms.
/Kenneth ML
KennethML In the meantime, I tried to continue the troubleshooting, and I found out the following:
It seems that the Skype for Business client disconnects the call because we don't get any answer for our OK mesage.
Let me show you these screenshots:
Do you have any ideas about why don't we get ACK for the 200 OK? I checked the network with no luck and I don't have any more ideas.
- Interesting. I haven't seen this behaviour previously and I don't see it at a customer site (yet).
It could still indicate a problem with setting up the media path as the ACK should be sent when media path is established (late media).
There were no such changes on our site. What also makes me curious:
ms-diagnostics: 1010;reason="Certificate trust with another server could not be established";expected-fqdn="external.edgefqdn.com";certName="c-lgw-euno-02.lgw.skype.com";cause="Possible server configuration issue";info="The peer certificate does not contain a matching FQDN";source="sipfed.online.lync.com";source-server="RD38563D80164B"expected-fqdn=is our external edge name but certName="c-lgw-euno-02.lgw.skype.com" is something on the MS side.
there we no changes on our site - except for 10/22 Windows Updates and the October SfB19 Update. The Updates were done on Wednesday last week - but the issue appeared today.
- It is a bit strange, I agree, but I know there usually is an explaination.
The diagnostic string tells us following:
source="sipfed.online.lync.com" = This message is from external party
expected-fqdn="external.edgefqdn.com" = This is your Edge server external AV interface. Right??
Did you verify the AV cert or do you assume it is fine??
/Kenneth ML
mbalint987 hello, we are having the exact same issue as you described, I can’t work out what’s causing it, please tell me you managed to fix and and if you did could you tell me how?
Alias17273Unfortunately I had to give up. 😕 I didn't find any useful information about this issue and because this is only a lab environment, I don't have to resolve this issue. It would be fine but it seems I cannot resolve this on my own.
mbalint987 ah fair enough, lucky for you 🙂 we have this in a production environment 😞
I'm going to raise a ticket with MS and if I fix it I’ll make sure I’ll reply here to let you know the fix
