05-21-2013 01:52 AM - edited 03-16-2019 05:25 PM
We have CUCM 8.6.2 behind the firewall and we have Ascom IP DECT phone integrated with that.
In the firewall, we see that traffic from DECT to CUCM is denied when the destination IP is the CUCM IP address and the destination port is 4000.
The source is the DECT IP address with port 20020.
We have not opened port 4000 in the firewall; that is why the traffic is denied.
However, we would like to know who decided on port 4000 and why. Is that CUCM or Ascom? I couldn't find anything in the ccm logs during the particular time.
I suspect it is CUCM negotiating port 4000 for media.
4000 - 4005 --> These ports are used as phantom Real-Time Transport Protocol (RTP) and Real-Time Transport Control Protocol (RTCP) ports for audio, video and data channel when Cisco Unified CM does not have ports for these media.
Any help would be much appreciated.
Thanks in advance
05-21-2013 03:09 AM
Port 4000 is usually used by CUCM for MOH.
This is a sample trace of CUCM using port 4000 for MOH. If you are using an h323 gateway you will see this in the h245 q931 logs.
v=0
o=CiscoSystemsCCM-SIP 919861 3 IN IP4 10.115.140.94
s=SIP Call
c=IN IP4 10.100.140.76---------------------MOH server
t=0 0
m=audio 4000 RTP/AVP 0
a=X-cisco-media:umoh
a=rtpmap:0 PCMU/8000
a=ptime:20
a=sendonly
Please rate all useful posts
"opportunity is a haughty goddess who waste no time with those who are unprepared"
05-21-2013 07:05 AM
I guess the ANN will also use 4000. Is that correct?
Also, is there a way we can change this media port from 4000 to the standard range (16384-32767)?
05-21-2013 07:57 AM
Suresh,
I guess so, from memory I think it does. Haven't done a test recently.
05-22-2013 04:56 AM
As I said earlier, we have the CUCM behind the firewalls and port 4000 is not opened in the FW, but the endpoints are still hearing the MoH from CUCM. How is that possible?
05-22-2013 04:59 AM
I suggest you check the CUCM traces. What I know is that that's the port used to play MOH.
05-22-2013 05:19 AM
>> This is the snippet of the traces going to the SIP phone
12:30:32.865 |//SIP/SIPUdp/wait_SdlSPISignal: Outgoing SIP UDP message to 10.21.15.39:[2123]:
[917301819,NET]
ACK sip:72022@10.21.15.39:2123;transport=UDP SIP/2.0
Via: SIP/2.0/UDP 113.112.89.19:5060;branch=z9hG4bK912ac5d33aa8bb5
From: "Suresh" <00006>;tag=305789291~e4066516-2467-4c7d-ae0c-e82ad64dd0c5-4071121900006>
To: <72022>;tag=377970207472022>
Date: Tue, 21 May 2013 10:30:32 GMT
Call-ID: 4eeea300-19b14c87-8f04cf1-13317099@113.112.89.19
Max-Forwards: 70
CSeq: 104 ACK
Allow-Events: presence
Content-Type: application/sdp
Content-Length: 174
v=0
o=CiscoSystemsCCM-SIP 305789291 7 IN IP4 113.112.89.19
s=SIP Call
c=IN IP4 113.112.88.22
t=0 0
m=audio 4000 RTP/AVP 0
a=rtpmap:0 PCMU/8000
a=ptime:20
a=sendonly
>> Can the CUCM change the port number for MoH? And will it fall back to a known port if one port is blocked?
05-22-2013 06:11 AM
This confirms that this is the port that CUCM is playing MOH on. I am not aware of any way that CUCM will change the port. One thing to note is that this is unidirectional media. CUCM is just sending media and the phone is listening. I suggest you look at your firewall traces and see what is happening to this call. Does the firewall block port 4000? Have a look; the answer might lie there.
06-15-2018 02:29 PM
Hi, I know the thread is old but I would like to understand.
Here I can say, yes, my ACL blocks client UDP high src port to CUCM 4000 dst port.
Why does the client send if it is MoH?
Paul
06-15-2018 11:14 PM
Hi Paul,
Actually, the communication never happens on port 4000.
This is just a dummy port number sent across from CUCM to the other side to make the SIP SDP complete.
Example: This is part of the SIP SDP sent from CUCM to the other side, which is put on hold.
m=audio 4000 RTP/AVP 0
a=X-cisco-media:umoh
a=sendonly
Here sendonly means that the communication would be unidirectional; just from the MOH server to the other end. Since the other end need not send any RTP to the MOH server, there is no need to send the destination port number of MOH to the other side; in fact such a port is never opened.
Hope that helps.
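Added example, not part of the original thread and not Cisco code: a small SDP parser that reports, for each media line, whether the party that sent the SDP expects to receive RTP on the advertised port, which is the question behind the firewall rule discussed above. The function names are hypothetical; the first sample body is the SDP from the CUCM trace earlier in the thread, the second is constructed.

```python
PHANTOM_PORTS = range(4000, 4006)   # 4000-4005, the phantom range quoted in the thread
DIRECTIONS = {"sendrecv", "sendonly", "recvonly", "inactive"}

def parse_media(sdp):
    """Return one dict per m= line: media type, port, address, direction."""
    session = {"addr": None, "direction": "sendrecv"}  # sendrecv is the SDP default
    streams = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if len(line) < 3 or line[1] != "=":
            continue                      # not a type=value SDP line
        kind, value = line[0], line[2:]
        scope = streams[-1] if streams else session  # media-level overrides session-level
        if kind == "m":
            fields = value.split()
            if len(fields) < 2:
                continue                  # malformed media line
            streams.append({"media": fields[0], "port": int(fields[1].split("/")[0]),
                            "addr": session["addr"], "direction": session["direction"]})
        elif kind == "c" and len(value.split()) >= 3:
            scope["addr"] = value.split()[2].split("/")[0]
        elif kind == "a" and value in DIRECTIONS:
            scope["direction"] = value
    return streams

def expects_inbound_rtp(stream):
    """True if the SDP's sender will receive RTP on the advertised port."""
    return stream["port"] != 0 and stream["direction"] in ("sendrecv", "recvonly")

def is_phantom_moh(stream):
    """sendonly stream on a phantom port: the sender never listens there."""
    return stream["port"] in PHANTOM_PORTS and stream["direction"] == "sendonly"

# SDP body from the CUCM trace earlier in the thread.
MOH_SDP = """v=0
o=CiscoSystemsCCM-SIP 305789291 7 IN IP4 113.112.89.19
s=SIP Call
c=IN IP4 113.112.88.22
t=0 0
m=audio 4000 RTP/AVP 0
a=rtpmap:0 PCMU/8000
a=ptime:20
a=sendonly
"""
# Constructed sample: an ordinary two-way call (no direction attribute).
CALL_SDP = "v=0\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 24580 RTP/AVP 0\r\n"
if __name__ == "__main__":
    for s in parse_media(MOH_SDP) + parse_media(CALL_SDP):
        print(s, "inbound rule needed:", expects_inbound_rtp(s))
```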
11-03-2020 01:19 AM
I also want to say something.
After the negotiation with the SIP offer based on the dummy port, the real source port that MoH speaks with is one of the RTP range 16384-32766.
So what is the big deal to write the real port instead of the fake port?
How will the far end know whose UDP port is going to speak with it?