1476 Views, 0 Helpful, 2 Replies

Video Calls through FWSM ring but cannot answer

royalle01
Level 1

Running FWSM Firewall Version 3.1(4)

The problem is that calls originating from the outside of the firewall to the inside will ring but you cannot answer. The internal video conference server is a Polycom HDX 7000. There are ANY/ANY rules to/from this server and the default application inspection policy is set for h323/ras/h225 as follows:

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect ils
  inspect netbios
  inspect rsh
  inspect skinny
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
  inspect icmp error
  inspect h323 ras
  inspect h323 h225

I don't think this is relevant, but we also have some custom inspection policies as follows:

class-map class_sqlnet4
 match port tcp eq 1433
class-map class_sqlnet5
 match port tcp range sqlnet 1541
class-map class_sqlnet6
 match port tcp eq 3306
class-map class_sqlnet7
 match port tcp eq 5090
class-map class_sqlnet8
 match port tcp eq 1742
class-map class_h323_h2253
 match port tcp eq 11720
class-map class_h323_h2252
 match port tcp eq 2263
class-map class_sqlnet
 match port tcp eq 1025
class-map class_sip_tcp
 match port tcp eq sip
class-map class_h323_h225
 match port tcp eq 1300
 class class_h323_h225
  inspect h323 h225
 class class_h323_h2252
  inspect h323 h225
 class class_h323_h2253
  inspect h323 h225
 class class_sip_tcp
  inspect sip
 class class_sqlnet
  inspect sqlnet
 class class_sqlnet4
  inspect sqlnet
 class class_sqlnet5
  inspect sqlnet
 class class_sqlnet6
  inspect sqlnet
 class class_sqlnet7
  inspect sqlnet
 class class_sqlnet8
  inspect sqlnet

I have been making test calls from a software client on my laptop to this video conf server. Calls that do not traverse the firewall complete as expected, but calls through the firewall ring but will not answer. The error message on the video conf server is:

Your call cannot be completed because the far system is not compatible with the H.323 communication standards used by this system.

The error message on the client is:

The far end system is capable of receiving the call but rejected it for some unknown reason.

And finally I have Wireshark captures for both good (internal) and bad (external to internal) calls which I've uploaded... (I'm attaching several bad captures)

I've worked with Polycom support, but all they can really say is to verify the appropriate ports and ip inspection is configured, which I believe is good.

Thanks in advance for your help, this is becoming quite an issue here as more and more video apps are being rolled out...

Chris
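
An added example, not part of the original post and not Cisco tooling: a small Python parser for the posted class-map / policy-map lines that reports which inspection engine a port-based class applies to a given TCP port, so the signalling port seen in a capture can be checked against the policy. The embedded config is a subset of the posted lines, and the function names are hypothetical.

```python
# Cisco port keyword used in the posted config (sqlnet is TCP 1521).
NAMED_PORTS = {"sqlnet": 1521}

# Subset of the class-map / policy-map lines from the post, embedded for offline use.
CONFIG = """\
class-map class_sqlnet5
 match port tcp range sqlnet 1541
class-map class_h323_h2253
 match port tcp eq 11720
class-map class_h323_h225
 match port tcp eq 1300
policy-map global_policy
 class inspection_default
  inspect h323 ras
  inspect h323 h225
 class class_h323_h225
  inspect h323 h225
 class class_h323_h2253
  inspect h323 h225
 class class_sqlnet5
  inspect sqlnet
"""

def port_number(token):
    """Resolve a numeric port or one of the named ports above."""
    return NAMED_PORTS.get(token) or int(token)

def parse(config):
    """Return {class: {"match": (proto, lo, hi) or None, "inspect": [engines]}}."""
    classes, current = {}, None
    for words in filter(None, map(str.split, config.splitlines())):
        if words[0] in ("class-map", "class"):
            current = classes.setdefault(words[-1], {"match": None, "inspect": []})
        elif current is not None and words[:2] == ["match", "port"]:
            lo = port_number(words[4])
            hi = port_number(words[5]) if words[3] == "range" else lo
            current["match"] = (words[2], lo, hi)
        elif current is not None and words[0] == "inspect":
            current["inspect"].append(" ".join(words[1:]))
    return classes

def inspections_for(classes, proto, port):
    """List (class, engine) pairs whose port match covers proto/port."""
    return [(name, engine) for name, c in classes.items() if c["match"]
            and c["match"][0] == proto and c["match"][1] <= port <= c["match"][2]
            for engine in c["inspect"]]

def unmatched_classes(classes):
    """Classes that inspect traffic but whose match criteria are not in CONFIG."""
    return [n for n, c in classes.items() if c["inspect"] and c["match"] is None]
```

`unmatched_classes` lists `inspection_default` because its class-map is not among the posted lines, so what it matches cannot be read from this config alone.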

2 Replies

Jennifer Halim
Cisco Employee

I would strongly recommend opening a TAC case so a Cisco engineer can investigate the issue.

CJRealmuto
Level 1

Hi, did you ever get an answer to this?  I am having a similar problem.

Thanks,

Christal
