C20 and Sonicwall

mpolishevsky
Level 1

Hi All,

Have been breaking my head trying to figure this out, but here is the issue and hopefully someone might be able to help. We have a Tandberg C20 and Sonicwall 3200 for our firewall. On the Sonicwall, Persistent NAT, SIP Transformation and H323 are enabled. There is a NAT rule from the outside IP to the inside IP of the C20. There is a firewall rule from WAN to LAN to allow all the video conferencing protocols available to the C20. The C20 has Automatic NAT set and the IP address is the internal address.

Here is the question.... When I do an external call, it connects, but says No Incoming Video; this happens no matter where I call. On the Sonicwall, all the packets are showing as forwarded to the C20's IP address.

Any ideas?

Thanks.

1 Accepted Solution


mpolishevsky
Level 1

HI All,

Thanks again for all the help! So here is what happened. It looks like the full range of ports wasn't open on the Sonicwall. As this was set up for us beforehand, I thought it would be right.

We had to expand the range of all the ports (as mentioned in a couple of posts above), disable all the SIP/H323 transformations on the Sonicwall, set the Mode to Auto for the NAT on the C20 and set the CallSetup Mode to Direct with Static PortAllocation.

It seems to be working now, so thanks for all the help!


15 Replies

Paulo Souza
VIP Alumni

Hi Max, welcome to Cisco Support Community!   =)

Well, tell me something, is your C20 configured with NAT ip address (which is the external IP address configured in the NAT rule of your firewall)?

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".


I had a similar issue with an Edge95 and a SonicWall....

H.323 video traffic experienced one-way video...

SIP worked without an issue

I turned off H.323 and kept SIP on....   packed up my tools and went home

Yeah! This is because H323 inspection does not work well in some firewalls. In this case, I suggest you disable H323 inspection in the firewall and then configure a static NAT address on the endpoint. In the firewall, you only keep the static 1 to 1 NAT configuration and the required ports open, without any H323 inspection feature on the firewall. It normally resolves the issue.

Paulo Souza


mpolishevsky
Level 1

Wow, thanks for the replies guys. So here are some screen caps of the configs I am using. I have disabled the h323 in the Sonicwall and it still has the same issue.

Here are the firewall ports that are open:

Here are the firewall logs:

And the NAT rules:

Well, tell me something, is your C20 configured with NAT ip address (which is the external IP address configured in the NAT rule of your firewall)?

Paulo Souza


Yes, it's set to the same IP address that is on the NAT of the firewall or the X1 IP address...

Hey Max,

In this case, you will have to collect the traffic received by C20 to check if your firewall is really not performing any H323 inspection. Also, make sure that the required ports are properly opened in your firewall. These are the h323 ports:

* Port 1720

* Port 5555-6555

* Port 2326-2487

To collect the traffic received on the C20 endpoint, you will basically need to access the endpoint via the Linux CLI (using the root account) and run a sniffer (tcpdump) to capture the traffic; then you will be able to export this capture file and open it in Wireshark in order to check if the RTP stream is really being received from the firewall. This guide provides instructions on how to do that (version TC 6 or later is required):

Starting on page 29 - http://www.cisco.com/en/US/docs/telepresence/endpoint/codec-c-series/tc6/troubleshooting_guide/tc_troubleshooting_guide_tc60.pdf

Try this to see what you get.

Regards

Paulo Souza


Paulo, I've done the capture and it looks like the RTP traffic is going out to my destination IP but it is not coming back in...

Everything on the Sonicwall as far as the h323 and sip translation is disabled.

Hi Max,

If RTP traffic is not being received by the C20, you really have a firewall/NAT issue. Are you able to see the RTP traffic from the internet coming into your firewall? If yes, as you said above, why is the traffic not being sent to the C20?? Are you sure that your NAT configuration is right? Is H323 inspection really disabled??

If the RTP traffic is not being received in your firewall, please, make sure that the required ports are properly opened. Consider the ports that Martin has posted as well.

Regards

Paulo Souza


It's more or less the same ports you mentioned, especially regarding media; he should consider more what I said about the setting of the external NAT IP on the endpoint ;-)

If the endpoint tells the remote site "hey send media to 192.168.23.42" it would do it which will most likely end in a black hole :-)

But yea, see if media is hitting your firewall on the outside.

Also always worth comparing what you see on the endpoint with the same trace made in front of the firewall.

With Wireshark you can also check where your endpoint wants the media to be sent to.

Good luck.

And Max: Please remember to rate helpful responses and identify helpful or correct answers.


Martin Koch wrote:

he should more consider what I said about the setting of the external NAT ip on the endpoint ;-)

If the endpoint tells the remote site "hey send media to 192.168.23.42" it would do it which will most likely end in a black hole :-)

Yeah! But he already said above that the NAT address is properly configured on the endpoint, that's why I think that the remote endpoint is sending the media to the correct IP address.  =)

Max, I am checking the snapshot from your firewall configuration; it seems you have not allowed the whole range of RTP ports. You have allowed only 2326-2373, but the full range is 2326-2487. And you have done the same regarding the H245 ports. Please, make sure that all the required ports are properly allowed on the firewall.

Regards

Paulo Souza


I do not trust anybody :-)

I would also try to see if changing it from auto to manual makes a difference.

Like I said, sniffing on both sides and comparing if the firewall really is letting the packets through untampered, and checking what IP is set for signaling, is worth a try.

But at least, like you suggested, checking whether the media traffic hits the firewall and, if it does, why it does not forward it is a good way which can be done upfront.

Please remember to rate helpful responses and identify helpful or correct answers.


Martin Koch
VIP Alumni

First of all I would recommend to use a VCS-E and disable all ALG functions on the firewall and also disable the NAT stuff on the endpoint. That's the best way to deploy a Cisco TelePresence system behind NAT.

Do you use any kind of call control or registrar? Some more info about the deployment would be handy.

The Auto detect NAT setting might be a bit confusing. You still need to configure the external IP; it is only there to detect if it's an internal or external call, not which NAT address or what kind of NAT is used on the outside. Also, NAT is only for H.323.

Also here, disable the H.323 NAT stuff on the firewall, enter the external NAT address on the endpoint, do a port forward with no higher intelligence from the configured external IP to the internal IP of the endpoint, and also allow the traffic out to use the same ports (if that needs to be configured in your firewall).

In addition to Paulo's posting, the protocol for the ports is also important to know:

For H.323:

  • Q.931 call Setup: Port 1720 (TCP)
  • H.245(Static): Port Range 5555-6555 (TCP)
  • H.245(Dynamic): Port Range 11000-20999 (TCP)
  • Video*: Port Range 2326-2485 (UDP)
  • Audio*: Port Range 2326-2485 (UDP)
  • Data/FECC*: Port Range 2326-2485 (UDP)

  * Configurable by "RTP Ports Range Start" and "RTP Ports Range Stop"

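The kind of check Paulo did by eye on the firewall screenshot (2326-2373 allowed against a full RTP range) can be automated. The script below is an added example and is not from this thread, from Cisco or from SonicWall: it takes the port table above as the required set (so it uses Martin's RTP upper bound of 2485), takes a constructed firewall rule list that deliberately reproduces a short RTP range and a dynamic H.245 range split across two rules, merges the rules per protocol, and reports every required sub-range that no rule covers. The rule names and data structures are the example's own assumptions, not SonicWall configuration syntax.

```python
"""Audit a firewall's allowed port ranges against the H.323 ports a
Codec C-series endpoint needs (added example; REQUIRED follows the
port table posted in the thread, FIREWALL_RULES is constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PortRule:
    proto: str   # "tcp" or "udp"; a TCP rule never satisfies a UDP requirement
    start: int   # first port, inclusive
    end: int     # last port, inclusive

    def __post_init__(self):
        if self.start > self.end or not (0 <= self.start and self.end <= 65535):
            raise ValueError(f"bad port range {self.start}-{self.end}")


# Required ranges for H.323 on the C20, as listed above (default RTP range).
REQUIRED: Dict[str, PortRule] = {
    "Q.931 call setup":     PortRule("tcp", 1720, 1720),
    "H.245 (static)":       PortRule("tcp", 5555, 6555),
    "H.245 (dynamic)":      PortRule("tcp", 11000, 20999),
    "RTP audio/video/FECC": PortRule("udp", 2326, 2485),
}

# Constructed firewall rule set (not a real device export): the RTP rule
# stops short, and the dynamic H.245 range is spread over two rules.
FIREWALL_RULES: List[PortRule] = [
    PortRule("tcp", 1720, 1720),
    PortRule("tcp", 5555, 6555),
    PortRule("udp", 2326, 2373),     # should reach 2485
    PortRule("tcp", 11000, 15000),   # first half of the dynamic range...
    PortRule("tcp", 15001, 20999),   # ...completed by an adjacent rule
]


def merge_ranges(rules: List[PortRule], proto: str) -> List[Tuple[int, int]]:
    """Union of all rules for one protocol as sorted, disjoint (start, end) pairs."""
    spans = sorted((r.start, r.end) for r in rules if r.proto == proto)
    merged: List[Tuple[int, int]] = []
    for s, e in spans:
        if merged and s <= merged[-1][1] + 1:   # overlapping or adjacent: extend
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def uncovered(required: PortRule, rules: List[PortRule]) -> List[Tuple[int, int]]:
    """Sub-ranges of `required` that no same-protocol rule permits."""
    gaps: List[Tuple[int, int]] = []
    cursor = required.start                      # first port not yet accounted for
    for s, e in merge_ranges(rules, required.proto):
        if e < cursor:
            continue                             # entirely below what we still need
        if s > required.end:
            break                                # entirely above the required range
        if s > cursor:
            gaps.append((cursor, s - 1))         # hole before this allowed span
        cursor = max(cursor, e + 1)
        if cursor > required.end:
            break
    if cursor <= required.end:
        gaps.append((cursor, required.end))      # tail of the range never allowed
    return gaps


def audit(required: Dict[str, PortRule],
          rules: List[PortRule]) -> Dict[str, List[Tuple[int, int]]]:
    """Map each required service to the list of port gaps (empty list = fully open)."""
    return {name: uncovered(rng, rules) for name, rng in required.items()}


if __name__ == "__main__":
    for name, gaps in audit(REQUIRED, FIREWALL_RULES).items():
        if gaps:
            proto = REQUIRED[name].proto
            print(f"{name}: missing " + ", ".join(f"{a}-{b}/{proto}" for a, b in gaps))
        else:
            print(f"{name}: ok")
```

Run as a script it prints one line per service; with the constructed rules only the RTP line reports a gap (2374-2485/udp), while the split H.245 rules are recognised as complete coverage. Because matching is per protocol, a rule that opens the right numbers on TCP still shows the whole UDP range as missing, which is the mistake a plain "is 2326 in the list" check would not catch.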
