We are running "ip inspect" on a 3941 router with IOS version 15.2(1)T1. We enabled inspection for H.323:
ip inspect name iosfw h323
ip inspect name iosfw h323-nxg
ip inspect name iosfw h323-annexe
We are using the default TCP idle-timeout:
3945-Router#sh ip inspect config | in tcp
max-incomplete tcp connections per host is 50. Block-time 2 minutes.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 120 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
tcp alert is on audit-trail is off timeout 3600
After we establish an H.323 call I can see that the inspection process starts the idle timer on port 1720/TCP, and the call is disconnected after an hour with the following log:
%FW-6-DROP_PKT: Dropping h323 session x.x.x.x:17174 y.y.y.y:1720 due to Segment matching no TCP connection with ip ident 7154 tcpflags 0x5004 seq.no 3486961044 ack 0
This is the session incrementing the Last heard timer:
Session 1C1FB8C (x.x.x.x:17168)=>(y.y.y.y:1720) h323 SIS_OPEN
Created 00:04:07, Last heard 00:04:07
Bytes sent (initiator:responder) [255:323]
Out SID y.y.y.y[1720:1720]=>x.x.x.x[17168:17168] on ACL outbound
In SID y.y.y.y[1720:1720]=>x.x.x.x[17168:17168] on ACL inbound (9 matches)
I played around with the H323 timeout and the TCP idle-timeout; this is how I found that the default TCP idle-timeout was causing the disconnect. If I set that timer to 5 min, the call disconnects in 5 minutes.
Has anyone come across this problem and been willing to share how they addressed it? I am continuing to troubleshoot the problem but thought I would post it out there to ask.
Thanks,
--MG
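The following is an added example, not part of the original post or of Cisco's tooling: a Python script that reads the "show ip inspect config" and "show ip inspect sessions detail" output in the format quoted above, pulls out the tcp idle-time and each session's "Last heard" value, and lists the sessions that have reached 90% of the idle timeout (the ones CBAC will age out next, which is what happened to the 1720/TCP call-signalling session here). It also parses the %FW-6-DROP_PKT line and decodes the tcpflags word, assuming it is the raw 16-bit data-offset/flags word from the TCP header (0x5004 then reads as a 20-byte header with only RST set). The sample text is constructed from the post's format; the second session, its timers, the 90% threshold and all function names are my own choices.

```python
import re

# Constructed sample inputs modelled on the output format quoted in the post
# above; the second session and its timers are made up for the example.
INSPECT_CONFIG = """\
max-incomplete tcp connections per host is 50. Block-time 2 minutes.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 120 sec
"""

SESSIONS_DETAIL = """\
Session 1C1FB8C (x.x.x.x:17168)=>(y.y.y.y:1720) h323 SIS_OPEN
 Created 00:55:07, Last heard 00:55:07
 Bytes sent (initiator:responder) [255:323]
 Out SID y.y.y.y[1720:1720]=>x.x.x.x[17168:17168] on ACL outbound
 In SID y.y.y.y[1720:1720]=>x.x.x.x[17168:17168] on ACL inbound (9 matches)
Session 1C1FC10 (x.x.x.x:17190)=>(y.y.y.y:1720) h323 SIS_OPEN
 Created 00:03:20, Last heard 00:00:10
 Bytes sent (initiator:responder) [255:323]
"""

DROP_LOG = ("%FW-6-DROP_PKT: Dropping h323 session x.x.x.x:17174 y.y.y.y:1720 "
            "due to Segment matching no TCP connection with ip ident 7154 "
            "tcpflags 0x5004 seq.no 3486961044 ack 0")

# Bit layout of the 16-bit data-offset/flags word of a TCP header
# (RFC 793 plus NS/CWR/ECE). Assumption: the tcpflags value in the log
# is that word as it appeared on the wire.
TCP_FLAG_BITS = [(8, "NS"), (7, "CWR"), (6, "ECE"), (5, "URG"), (4, "ACK"),
                 (3, "PSH"), (2, "RST"), (1, "SYN"), (0, "FIN")]


def parse_hms(text):
    """'hh:mm:ss' as printed by IOS -> seconds."""
    h, m, s = (int(p) for p in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_idle_time(config_text, proto="tcp"):
    """Pull '<proto> idle-time is N sec' out of 'show ip inspect config'."""
    m = re.search(r"\b%s idle-time is (\d+) sec" % re.escape(proto), config_text)
    if not m:
        raise ValueError("no %s idle-time in config output" % proto)
    return int(m.group(1))


def parse_sessions(detail_text):
    """Parse 'show ip inspect sessions detail' into a list of dicts."""
    sessions = []
    head = re.compile(r"Session (\w+) \((\S+)\)=>\((\S+)\) (\S+) (\S+)")
    timers = re.compile(r"Created (\d+:\d+:\d+), Last heard (\d+:\d+:\d+)")
    for line in detail_text.splitlines():
        m = head.search(line)
        if m:
            sessions.append({"id": m.group(1), "initiator": m.group(2),
                             "responder": m.group(3), "proto": m.group(4),
                             "state": m.group(5), "created_s": None,
                             "last_heard_s": None})
            continue
        m = timers.search(line)
        if m and sessions:
            sessions[-1]["created_s"] = parse_hms(m.group(1))
            sessions[-1]["last_heard_s"] = parse_hms(m.group(2))
    return sessions


def sessions_near_timeout(sessions, idle_timeout_s, warn_fraction=0.9):
    """Sessions whose idle time (Last heard) has reached warn_fraction of
    the inspect idle timeout; these are the ones that will be aged out next."""
    threshold = idle_timeout_s * warn_fraction
    return [s for s in sessions
            if s["last_heard_s"] is not None and s["last_heard_s"] >= threshold]


def decode_tcp_flags(word):
    """Split the 16-bit word into (data offset in 32-bit words, flag names)."""
    offset = (word >> 12) & 0xF
    flags = [name for bit, name in TCP_FLAG_BITS if word & (1 << bit)]
    return offset, flags


def parse_drop_log(line):
    """Parse a %FW-6-DROP_PKT line of the form quoted in the post."""
    pat = (r"%FW-6-DROP_PKT: Dropping (\S+) session (\S+) (\S+) due to (.+?) "
           r"with ip ident (\d+) tcpflags (0x[0-9a-fA-F]+) seq\.no (\d+) ack (\d+)")
    m = re.search(pat, line)
    if not m:
        raise ValueError("unrecognised drop log line")
    word = int(m.group(6), 16)
    offset, flags = decode_tcp_flags(word)
    return {"proto": m.group(1), "src": m.group(2), "dst": m.group(3),
            "reason": m.group(4), "ident": int(m.group(5)), "tcpflags": word,
            "data_offset": offset, "flags": flags,
            "seq": int(m.group(7)), "ack": int(m.group(8))}


if __name__ == "__main__":
    idle = parse_idle_time(INSPECT_CONFIG)
    for s in sessions_near_timeout(parse_sessions(SESSIONS_DETAIL), idle):
        print("session %s %s=>%s idle %ds of %ds" % (
            s["id"], s["initiator"], s["responder"], s["last_heard_s"], idle))
    d = parse_drop_log(DROP_LOG)
    print("dropped %s %s->%s: %s, flags %s" % (
        d["proto"], d["src"], d["dst"], d["reason"], "+".join(d["flags"])))
```

Run it against pasted "show" output to see which inspected sessions are about to hit the timer; in the post's case the 1720/TCP session shows Created equal to Last heard, i.e. nothing has crossed the channel since call setup, so it reaches tcp idle-time at exactly one hour. The decoded RST with ack 0 in the drop line is consistent with an endpoint tearing down a connection the router has already forgotten.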