
H323 inbound call drops after 5 mins every time

Chenzhe Zhang
Level 1

Hi Folks,

 

Can you shed some light on this please?

 

H.323 inbound call (dial by IP) -> External F5 -> Fortinet Firewall -> Internal F5 -> Internal Firewall -> VCS-E -> VCS-C -> MCU auto attendant

 

The call drops after 5 mins into the call, every single time. We tried an H.323 call to an internal endpoint, and it drops as well. Sounds like there is a timeout value set somewhere on the firewall or F5?

 

Any suggestions are appreciated!

 

regards

Chenzhe

Accepted Solutions

I hope this helps:

http://www.cisco.com/c/en/us/td/docs/telepresence/infrastructure/articles/mcu_ip_gw_vcr_isdn_telepresence_server_calls_disconnect_fixed_time_kb_23.html

 

 

  1. Duration limits applied to network connections by firewalls. For example, a Cisco PIX firewall may have a timeout command of the form:

    timeout conn 1:00:00 udp 0:02:00 h225 1:00:00 h323 2:00:00

    (i.e. a list of recognized protocol names each followed by a timeout in hours, minutes and seconds). This example imposes a 2-hour limit on H.323 connections; however, it also imposes limits on other protocols which would also affect a video call (UDP and H225). Many different network protocols are involved in an IP video call. A timeout applied to any of them could result in the call being torn down.


monster.speaks
Level 1

Hi,

There are H.323 inspections that have to be checked on the firewall; try disabling them and calls should work fine.

Thanks for the quick reply, and I will look into that.

Just wondering if the H323 inspection was the root cause, why only after 5 mins into the call? Should it not stop the call at the very beginning? 

Regards

Chenzhe

Disable ALG for H323 application on the firewall. ALG could be the cause.

 

Regards,

Acevirgil

I will try disabling them on all firewalls. Please see the attached screenshot; so I will just un-tick the H323-related inspections, correct?

 

Thank you!

Yes. Un-ticking H323 inspections in your firewall will allow any H323-related packets to pass, allowing H323 traffic without inspection of the packets. Enabling ALG for H323 in some cases will modify the payload of the H.323 messages.

 

Regards,

Acevirgil

Thanks for the quick reply. I am just trying to get my head around this, since we are seeing consistent call drops after 5 mins, do you think the inspection somehow breaks up the call every time after 5 mins? Or maybe the call shouldn't be able to establish at the beginning? 


Thank you for the help, I will organize the change and see how we get on. 

The issue is resolved. It was a timeout setting on the internet facing firewall - Fortigate FW. The troubleshooting involved doing packet captures on both interfaces of each F/W device one by one, and looking for the device that would have a difference in the number of keep alive messages received.
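
The capture comparison described in the post above, sketched as an added example that is not part of the original thread. Device names follow the call path in the question; the timestamps are constructed, `Hop`, `unforwarded` and `locate_drop` are hypothetical names, and both captures for a device are assumed to be taken on that device so they share a clock.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    name: str
    ingress: list  # keepalive times (s from call start) on the interface facing the sender
    egress: list   # the same flow captured on the device's other interface

def unforwarded(ingress, egress, max_delay=1.0):
    """Ingress keepalives with no matching egress packet within max_delay seconds."""
    pending = sorted(egress)
    lost = []
    for t in sorted(ingress):
        while pending and pending[0] < t:   # older than this packet: cannot be its copy
            pending.pop(0)
        if pending and pending[0] - t <= max_delay:
            pending.pop(0)                  # forwarded
        else:
            lost.append(t)
    return lost

def locate_drop(path):
    """Walk the path in the direction the keepalives travel; return the first
    hop that receives keepalives it does not forward, or None."""
    for hop in path:
        lost = unforwarded(hop.ingress, hop.egress)
        if lost:
            return {"device": hop.name, "received": len(hop.ingress),
                    "forwarded": len(hop.ingress) - len(lost),
                    "first_lost_at": lost[0]}
    return None

# Constructed sample: one keepalive every 30 s for 6 minutes.
sent = [30.0 * i for i in range(1, 13)]

def fwd(times, until=float("inf"), delay=0.002):
    return [t + delay for t in times if t <= until]

ext_f5_out = fwd(sent)
fw_out = fwd(ext_f5_out, until=301)   # constructed: firewall state expires after ~5 min
int_f5_out = fwd(fw_out)
PATH = [
    Hop("External F5", sent, ext_f5_out),
    Hop("Fortinet Firewall", ext_f5_out, fw_out),
    Hop("Internal F5", fw_out, int_f5_out),
    Hop("Internal Firewall", int_f5_out, fwd(int_f5_out)),
]

if __name__ == "__main__":
    print(locate_drop(PATH))
```

The time of the first keepalive that is received but not forwarded brackets the timer value to look for in that device's policy.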

Wai wai
Level 1

Hi Chenzhe,

Apologies for hijacking your thread, but I encountered exactly the same issue as you: the video call consistently drops every 5 minutes with the H.323 protocol (dial-in or dial-out).

I have a firewall with ALG enabled for both the H.323 and SIP service protocols. I find it strange that only H.323 calls have this issue and not SIP calls; SIP video calls run perfectly fine.

Did disabling the firewall ALG for H.323 solve your issue?

Thanks in advance

Hi Wai wai,

 

Yes, the issue is resolved, please see my reply at the very bottom.

 

And no, disabling the ALG was not required; my understanding is that it should only be disabled if you couldn't get a call going at all. If there is a consistent pattern where the call drops at a certain time, it has to be a timer somewhere.

Hi Chenzhe,

Would you mind sharing what kind of timeout setting you changed/tweaked on your Internet firewall to make the H.323 call work? Was it something like a service (TCP/UDP) timeout setting?

Thanks

Sure. What we did was go to the firewall rules for incoming H323 and H245, both signalling and media, and upped the timeout value to 2 hours.

Can you mark this post as answered?

Thanks