In my experience with Cisco Telepresence solutions, I have seen some issues related to SIP UDP timeout, mainly in environments with VCSE involving calls to internet. Some time ago I found a solution to fix that kind of issue without disabling SIP UDP in VCS (which is highly recommended by Cisco, but it is not possible in some cases because of interoperability issues). In this document I describe how to workaround with SIP UDP timeout issues when it is not possible to totally turn off SIP UDP. If you can disable SIP UDP, I don't recommend you to follow this document, you should go ahead and simply disable SIP UDP to avoid UDP timeout issues.

About SIP UDP timeout

In scenarios with VCS Control integrated with VCS Expressway via traversal zone, it is very common to have internal SIP endpoints calling external H323 endpoints by dialing IP address. In this kind of situation, VCS Expressway will have to interwork the call in order to allow SIP to H323 interoperability. But there is a issue in this kind of situation, because when VCSe receives the call invite from internal SIP endpoints, as the source endpoint is using SIP, VCSe will try to connect to the external endpoint firstly using SIP, then, if SIP fails, VCS will attempt to connect using H323, then the call will proceed properly because the remote endpoint is a H323 endpoint. However, when VCSe tries to connect using SIP, it will try SIP TLS, TCP and then UDP (if all the protocols are enable in the global SIP configuration), and here is the problem, when it tries UDP, VCS waits 30 seconds waiting for SIP UDP timeout before trying to use H323. The result will be, the user will wait about 30 seconds before his device starts ringing. Most users simply give it up.

How to avoid SIP UDP timeout

As I stated before, the best and highly recommended way to avoid SIP UDP timeout is simply disabling SIP UDP globally in VCS Expressway. However, if you need to keep SIP UDP enable for interoperability issues, then you can apply the following workaround to your environment:

1. Create a second traversal zone with only H323 protocol enable (it requires one additional port to be opened on the firewall)
2. Create a custom search rule for SIP protocol with destination Any IP address toward this new traversal zone

The result of this configuration will be, every time an internal SIP endpoint tries to dial an external IP address, VCS Control will interwork the call before sending it to VCS Expressway, so VCSE will receive a H323 setup instead of a SIP INVITE, then it will first attempt to call using H323, so that it won't have to wait for SIP UDP timeout.

If you know how to do that, just go ahead and apply this workaround to your environment. If you don't know or need suggestion, I am placing below an example configuration.

Creating a second Traversal Zone

You can establish a second traversal zone between VCS Control Expressway, however, as the traversall server (VCSe) identifies the traversal client by using the port number, you will have to define another H323 port (rather than 6001) for this new traversal zone. In my example, I will use the port number 6002 to establish the new zone.

It is import to point that you will need to open this 6002 port in the firewall as well, allowing the traffic from VCS Control to VCS Expressway, just like you did for the common traversal zone using the properly ports.

Traversal Zone configuration VCS Control

Make sure that only H323 protocol is enable on this second traversal zone.

Traversal Zone configuration VCS Expressway

Make sure that only H323 protocol is enable on this second traversal zone.

Creating a custom search rule for SIP protocol

You have to create a custom search rule in VCS Control. This search rule must to be pointed to Traversal zone 2. The rule will match only SIP endpoints when they dial any external IP address:

IMPORTANT: This search rule must to have priority over any another search rule towards the common Traversal Zone, otherwise, the call from SIP endpoints with destination IP address may not match this rule and the workaround is not going to work.

Furthermore, it is important to point that, if you have search rules with destination Any IP Address pointing to your local zone in VCS Control, the above search rule must not have priority over these search rules towards local zone. Therefore, make sure you set a correct priority value for the search rule above, so that you can force interworking only for calls from internal SIP endpoints towards external H323 endpoints dialing IP address.

Important considerations

• Again, try to disable SIP UDP protocol in VCS Expressway if possible, this is the better way to fix SIP UDP timeout issues. Only apply this method described here if you cannot disable SIP UDP protocol.
• VCS version x7.2 and later and required to implement this workaround
• Be aware that you will have to open an additional port on the firewall for the second traversal zone. And make sure that you choose a port number that is not being used for any current traversal zone in your VCS's
  • This is not a official Cisco recommendation, this is a workaround suggested by a Cisco Telepresence specialist partner (me)
• From VCS x7 and later, SIP UDP protocol is disable by default
• Do not route any other search rule to the Traversal Zone 2, only the search rule suggested in this documment

Paulo Souza

Please rate useful documments and live comments if you have any doubt or suggestion.