09-12-2013 11:07 AM - edited 03-18-2019 01:47 AM
Hi All,
Have been breaking my head trying to figure this out, but here is the issue and hopefully someone might be able to help. We have a Tandberg C20 and Sonicwall 3200 for our firewall. On the Sonicwall, Persistent NAT, SIP Transformation and H323 are enabled. There is a NAT rule from the outside IP to the inside IP of the C20. There is a firewall rule from WAN to LAN to allow all the video conferencing protocols available to the C20. The C20 has Automatic NAT set and the IP address is the internal address.
Here is the question.... When I do an external call, it connects, but says No Incoming Video; this happens no matter where I call. On the Sonicwall, all the packets are showing as forwarded to the C20's IP address.
Any ideas?
Thanks.
09-17-2013 07:04 AM
Hi All,
Thanks again for all the help! So here is what happened. It looks like the full range of ports wasn't open on the Sonicwall. As this was set up for us beforehand, I thought it would be right.
We had to expand the range of all the ports (as mentioned in a couple of posts above), disable all the SIP/H323 transformations on the Sonicwall, set the Mode to Auto for the NAT on the C20 and set the CallSetup Mode to Direct with Static PortAllocation.
It seems to be working now, so thanks for all the help!
09-12-2013 12:16 PM
Hi Max, welcome to Cisco Support Community! =)
Well, tell me something, is your C20 configured with the NAT IP address (which is the external IP address configured in the NAT rule of your firewall)?
Regards
Paulo Souza
Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".
09-12-2013 12:58 PM
I had a similar issue with an Edge95 and a SonicWall....
H.323 video traffic experienced one-way video...
SIP worked without an issue
I turned off H.323 and kept SIP on.... packed up my tools and went home
09-12-2013 01:13 PM
Yeah! This is because H323 inspection does not work well in some firewalls. In this case, I suggest you disable H323 inspection in the firewall and then configure a static NAT address on the endpoint. In the firewall, you only keep the static 1 to 1 NAT configuration and the required ports open, without any H323 inspection feature on the firewall. It normally resolves the issue.
Paulo Souza
Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".
09-12-2013 01:37 PM
Wow, thanks for the replies guys. So here are some screen caps of the configs I am using. I have disabled the h323 in the Sonicwall and it still has the same issue.
Here are the firewall ports that are open:
Here are the firewall logs:
And the NAT rules:
09-12-2013 01:41 PM
Well, tell me something, is your C20 configured with the NAT IP address (which is the external IP address configured in the NAT rule of your firewall)?
Paulo Souza
Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".
09-12-2013 01:42 PM
Yes, it's set to the same IP address that is on the NAT of the firewall, or the X1 IP address...
09-12-2013 01:53 PM
Hey Max,
In this case, you will have to collect the traffic received by C20 to check if your firewall is really not performing any H323 inspection. Also, make sure that the required ports are properly opened in your firewall. These are the h323 ports:
* Port 1720
* Port 5555-6555
* Port 2326-2487
To collect the traffic received on the C20 endpoint, you will basically need to access the endpoint via the Linux CLI (using the root account) and run a sniffer (tcpdump) to capture the traffic; then you will be able to export this capture file and open it in Wireshark in order to check if the RTP stream is really being received from the firewall. This guide provides instructions on how to do that (version TC 6 or later is required):
Starting on page 29 - http://www.cisco.com/en/US/docs/telepresence/endpoint/codec-c-series/tc6/troubleshooting_guide/tc_troubleshooting_guide_tc60.pdf
Try this to see what you get.
Regards
Paulo Souza
Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".
09-12-2013 02:26 PM
Paulo, I've done the capture and it looks like the RTP traffic is going out to my destination IP but it is not coming back in...
Everything on the Sonicwall as far as the h323 and sip translation is disabled.
09-12-2013 02:31 PM
Hi Max,
If RTP traffic is not being received by the C20, you really have a firewall/NAT issue. Are you able to see the RTP traffic from the internet coming into your firewall? If yes, as you said above, why is the traffic not being sent to the C20?? Are you sure that your NAT configuration is right? Is H323 inspection really disabled??
If the RTP traffic is not being received in your firewall, please, make sure that the required ports are properly opened. Consider the ports that Martin has posted as well.
Regards
Paulo Souza
Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".
09-12-2013 02:46 PM
It's more or less the same ports you mentioned, especially regarding media;
he should consider more what I said about the setting of the external NAT IP on the endpoint ;-)
If the endpoint tells the remote site "hey send media to 192.168.23.42" it would do it which will most likely end in a black hole :-)
But yea, see if media is hitting your firewall on the outside.
Also always worth comparing what you see on the endpoint with the same trace made upfront the firewall.
With Wireshark you can also check where your endpoint wants the media to be sent to.
Good luck.
And Max: Please remember to rate helpful responses and identify helpful or correct answers.
09-12-2013 02:54 PM
Martin Koch wrote:
he should consider more what I said about the setting of the external NAT IP on the endpoint ;-)
If the endpoint tells the remote site "hey send media to 192.168.23.42" it would do it which will most likely end in a black hole :-)
Yeah! But he already said above that the NAT address is properly configured on the endpoint, that's why I think that the remote endpoint is sending the media to the correct IP address. =)
Max, I am checking the snapshot of your firewall configuration, and it seems you have not allowed the whole range of RTP ports. You have allowed only 2326-2373, but the full range is 2326-2487. And you have done the same regarding the H245 ports. Please make sure that all the required ports are properly allowed on the firewall.
Regards
Paulo Souza
Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".
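Two checks from this thread, as an added example (not code from the thread or from Cisco): compare a firewall's allowed ranges against the H.323 ports Paulo listed (1720, 5555-6555, 2326-2487) to find exactly the kind of gap spotted above, and scan tcpdump-style lines from the endpoint capture for the one-way RTP symptom. The rule set, capture lines and addresses are constructed for the example.

```python
import re
# Port ranges Paulo listed for H.323 in the thread (inclusive).
REQUIRED_H323 = {"H.225 call setup": (1720, 1720),
                 "H.245 control": (5555, 6555), "RTP media": (2326, 2487)}

def find_range_gaps(required, allowed):
    """Return {name: [(lo, hi), ...]} listing every required port that no
    allowed (lo, hi) range covers, merged into contiguous runs."""
    gaps = {}
    for name, (lo, hi) in required.items():
        missing = []
        for port in range(lo, hi + 1):
            if any(a <= port <= b for a, b in allowed):
                continue
            if missing and missing[-1][1] == port - 1:
                missing[-1] = (missing[-1][0], port)   # extend current run
            else:
                missing.append((port, port))           # start a new run
        if missing:
            gaps[name] = missing
    return gaps

# Matches tcpdump's "IP a.b.c.d.port > w.x.y.z.port: UDP, length N" lines.
UDP_LINE = re.compile(r"IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): UDP")

def rtp_direction_summary(lines, endpoint_ip, rtp_range):
    """Count RTP-range UDP packets leaving and reaching the endpoint; one-way
    media is the thread's symptom (outbound packets, nothing inbound)."""
    lo, hi = rtp_range
    out_pkts = in_pkts = 0
    for line in lines:
        m = UDP_LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m[1], int(m[2]), m[3], int(m[4])
        if src == endpoint_ip and lo <= sport <= hi:
            out_pkts += 1
        elif dst == endpoint_ip and lo <= dport <= hi:
            in_pkts += 1
    return {"out": out_pkts, "in": in_pkts,
            "one_way": out_pkts > 0 and in_pkts == 0}

# Constructed samples: the rule set that only opened 2326-2373, and a capture
# in which media leaves 192.168.23.42 but no RTP comes back.
ALLOWED_SAMPLE = [(1720, 1720), (5555, 6555), (2326, 2373)]
CAPTURE_SAMPLE = [
    "13:40:01.000 IP 192.168.23.42.2328 > 203.0.113.10.2330: UDP, length 1172",
    "13:40:01.020 IP 192.168.23.42.2328 > 203.0.113.10.2330: UDP, length 1172",
    "13:40:01.050 IP 203.0.113.10.40000 > 192.168.23.42.1720: Flags [P.], length 80",
]
```

Run the same two functions over the real rule export and a capture taken outside the firewall, as Martin suggests, to see whether the media is dropped at the firewall or never arrives.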
09-12-2013 03:34 PM
I do not trust anybody :-)
I would also try to see if changing it from auto to manual makes a difference.
Like I said, sniffing on both sides and comparing whether the firewall really is letting the packets through untampered, and checking what IP is set for signaling, is worth a try.
But at least, like you suggested, checking whether the media traffic hits the firewall and, if so, why it does not forward it is a good way which can be done up front.
Please remember to rate helpful responses and identify helpful or correct answers.
09-12-2013 02:22 PM
First of all I would recommend using a VCS-E and disabling all ALG functions on the firewall and also disabling the NAT stuff on the endpoint.
That's the best way to deploy a Cisco TelePresence system behind NAT.
Do you use any kind of call control or registrar? Some more info about the deployment would be handy.
The Auto detect NAT setting might be a bit confusing. You still need to configure the external IP; it is only to detect if it's an internal or external call, not which NAT address or what kind of NAT is used on the outside.
Also NAT is only for H323.
Also here, disable the H323 NAT stuff on the firewall, enter the external NAT address on the endpoint, do a port forward with no higher intelligence from the configured external IP to the internal IP of the endpoint, and also allow the traffic out to use the same ports (if that needs to be configured in your firewall).
In addition to Paulo's posting, the protocol for the ports is also important to know:
For H.323:
*Configurable by "RTP Ports Range Start" and "RTP Ports Range Stop"
Please remember to rate helpful responses and identify helpful or correct answers.