Video Calls through FWSM ring but cannot answer

royalle01 — Mon, 11 Mar 2019 19:27:57 GMT

Running FWSM Firewall Version 3.1(4)

The problem is that calls originating from the outside of the firewall to the inside will ring but you cannot answer. The internal video conference server is a Polycom HDX 7000. There are ANY/ANY rules to/from this server and the default application inspection policy is set for h323/ras/h225 as follows:

policy-map global_policy

class inspection_default

inspect ftp

inspect ils

inspect netbios

inspect rsh

inspect skinny

inspect sunrpc

inspect tftp

inspect xdmcp

inspect icmp

inspect icmp error

inspect h323 ras

inspect h323 h225

I don't think this is relevant, but we also have some custom inspection policies as follows:

class-map class_sqlnet4

match port tcp eq 1433

class-map class_sqlnet5

match port tcp range sqlnet 1541

class-map class_sqlnet6

match port tcp eq 3306

class-map class_sqlnet7

match port tcp eq 5090

class-map class_sqlnet8

match port tcp eq 1742

class-map class_h323_h2253

match port tcp eq 11720

class-map class_h323_h2252

match port tcp eq 2263

class-map class_sqlnet

match port tcp eq 1025

class-map class_sip_tcp

match port tcp eq sip

class-map class_h323_h225

match port tcp eq 1300

class class_h323_h225

inspect h323 h225

class class_h323_h2252

inspect h323 h225

class class_h323_h2253

inspect h323 h225

class class_sip_tcp

inspect sip

class class_sqlnet

inspect sqlnet

class class_sqlnet4

inspect sqlnet

class class_sqlnet5

inspect sqlnet

class class_sqlnet6

inspect sqlnet

class class_sqlnet7

inspect sqlnet

class class_sqlnet8

inspect sqlnet

I have been making test calls from a software client on my laptop to this video conf server. Calls that do not traverse the firewall complete as expected, but calls through the firewall ring but will not answer. The error message on the video conf server is:

Your call cannot be completed because the far system is not compatible with the H.323 communication standards used by this system.

The error message on the client is:

The far end system is capable of receiving the call but rejected it for some unknown reason.

And finally I have wireshark captures for both good (internal) and bad (external to internal) calls which I've uploaded... (I'm attaching several bad captures)

I've worked with Polycom support, but all they can really say is to verify the appropriate ports and ip inspection is configured, which I believe is good.

Thanks in advance for you help, this is becoming quite an issue here as more and more video apps are being rolled out...

Chris

Re: Video Calls through FWSM ring but cannot answer

Jennifer Halim — Wed, 29 Dec 2010 10:52:34 GMT

I would strongly recommend opening a TAC case so a Cisco engineer can investigate the issue.

Video Calls through FWSM ring but cannot answer

CJRealmuto — Sun, 12 Jun 2011 12:34:33 GMT

Hi, did you ever get an answer to this? I am having a similar problem.

Thanks,

Christal

topic Re: Video Calls through FWSM ring but cannot answer in Network Security

Video Calls through FWSM ring but cannot answer

Re: Video Calls through FWSM ring but cannot answer

Video Calls through FWSM ring but cannot answer