4371 Views, 0 Helpful, 10 Replies

One way Video / audio when using VCS expressway behind Fortinet Firewall

Setup diagram: VCS.jpg

Fortinet Firewall Rules

1. Any ports/service between VCS control & expressway internal leg on internal f/w.

2. Any ports/service on external firewall for VCS expressway.

3. Natting with public IP on external f/w.

All internal VC endpoints are registered on VCS control

Issue:

One-way audio/video when a call is originated from any internal endpoint: external users are able to hear and view us, but nothing works vice versa.

No issue when calling from external internet-based endpoints to any internal endpoints.

Tried all the options but none worked; the only option left is to bypass the external firewall and connect the expressway directly to the internet or behind a router with a basic NAT statement, as I suspect an issue with the firewall.

Need help if anyone has the same kind of deployment with the same firewall make; any specific commands needed on the Fortinet f/w to disable the H323 ALG if it's the culprit.

Waiting for your suggestions and input.

10 Replies

dpetrovi
Cisco Employee

Hi Jithin,

I can see you are asking a question about VCS. Unfortunately, this community is for CWMS and MeetingPlace products, and no VCS/Telepresence experts are viewing this community. Please see if you can repost your question in the Telepresence community to get the assistance needed:

https://supportforums.cisco.com/community/netpro/collaboration-voice-video/telepresence

Thank you.

-Dejan

Thanks Dejan...will move this question to TP community..

Hi Jitin,

Is your expressway in dual NIC mode?

I see that you are NAT-ing the private IP of the expressway to a public IP on the Fortigate?

Have you specified NAT-ed IP in VCS-E config?

Regards,

Sagar

ahmashar
Level 4

Which ports did you open on the external FW and internal FW?

Get one of your endpoints to register on the VCSE and make a test call between that endpoint and an internally registered endpoint. If it goes well, then the internal FW is configured correctly. If not, then make a test call from the internet to a VCSE-registered endpoint and try to narrow down the problem.

All ports are open between each device.

Exactly, tried all those options... that's how we got stuck with the external firewall as the culprit.

VCSE-registered endpoints are able to make successful calls to internal endpoints and vice versa.

Jithin,

I presume this issue is with NAT-ing. Capture logs and check what IP is being sent in the SDP:

check for "c=" in the SIP INVITE/200 OK

Regards,

Sagar


Also, please check in your Expressway whether IPv4 static mode is ON and the NAT-ed IP is mentioned. Please see the snapshot below.
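The check suggested above (look at which IP the SDP "c=" line, and the Contact header, carry in the INVITE/200 OK that leaves towards the external side) can be scripted against a captured message. The following is an added example, not code from the thread or from Cisco; the SIP message, the addresses and the "expected public IP" are constructed for illustration and stand in for whatever a real capture on the Expressway-E or the firewall shows.

```python
import ipaddress
import re

# RFC 1918 ranges: an address from these inside an SDP sent to an internet peer
# means the NAT address was neither configured on the VCS-E nor rewritten by the
# firewall, which is the classic cause of one-way media.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


# Constructed sample: an INVITE as it might arrive at the external peer after a
# NAT firewall whose ALG did not touch the SDP. 203.0.113.10 plays the public
# NAT address; 10.0.0.5 plays the private address of the Expressway-E.
SAMPLE_INVITE = """INVITE sip:bob@example.net SIP/2.0\r
Via: SIP/2.0/TCP 203.0.113.10:5061;branch=z9hG4bK776asdhds\r
From: <sip:alice@example.com>;tag=1928301774\r
To: <sip:bob@example.net>\r
Call-ID: a84b4c76e66710\r
CSeq: 314159 INVITE\r
Contact: <sip:alice@10.0.0.5:5061;transport=tcp>\r
Content-Type: application/sdp\r
Content-Length: 0\r
\r
v=0\r
o=alice 2890844526 2890844526 IN IP4 10.0.0.5\r
s=-\r
c=IN IP4 10.0.0.5\r
t=0 0\r
m=audio 49170 RTP/AVP 0\r
m=video 51372 RTP/AVP 31\r
"""

# The same message as it should look once the NAT address is advertised.
SAMPLE_INVITE_OK = SAMPLE_INVITE.replace("10.0.0.5", "203.0.113.10")

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def extract_addresses(message: str) -> dict:
    """Collect the IPv4 addresses carried in Via, Contact, SDP o= and c= lines."""
    head, _, body = message.partition("\r\n\r\n")
    found = {"via": [], "contact": [], "sdp_o": [], "sdp_c": []}
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        lname = name.strip().lower()
        if lname in ("via", "v"):
            m = re.search(r"\s" + IPV4, value)
            if m:
                found["via"].append(m.group(1))
        elif lname in ("contact", "m"):
            m = re.search(r"@" + IPV4, value)
            if m:
                found["contact"].append(m.group(1))
    # SDP: the session-level c= and any media-level c= lines all matter,
    # since the far end sends RTP to whatever address is given there.
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            m = re.search(r"IN IP4 " + IPV4, line)
            if m:
                found["sdp_o" if line.startswith("o=") else "sdp_c"].append(m.group(1))
    return found


def check_nat_consistency(message: str, expected_public_ip: str) -> list:
    """Return findings for every Contact/SDP address that is private or differs
    from the NAT address the external side is expected to see."""
    addrs = extract_addresses(message)
    findings = []
    for field in ("contact", "sdp_o", "sdp_c"):
        for a in addrs[field]:
            if is_rfc1918(a):
                findings.append(f"{field}: private address {a} leaked to external side")
            elif a != expected_public_ip:
                findings.append(f"{field}: {a} does not match expected NAT address {expected_public_ip}")
    return findings


if __name__ == "__main__":
    for label, msg in (("broken", SAMPLE_INVITE), ("fixed", SAMPLE_INVITE_OK)):
        print(label, check_nat_consistency(msg, "203.0.113.10") or ["ok"])
```

If the report shows private addresses in the SDP of a message captured on the outside of the firewall, the fix is on the signalling side (the NAT address configured on the Expressway-E, or an ALG that is rewriting only the headers), not on the port rules, which matches what the replies above point at.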

Correct, the issue is with NATing... I just need to understand whether anyone has the same kind of setup with the same firewall make, with some sort of tweaking done on the firewall to resolve this issue (related to an H323-awareness sort of service).

I know I should have consulted some Fortinet expert to resolve this, but didn't find anything relevant from their website and their engineers. So I thought of opening a discussion thread on this topic here.

Sharing the firewall details...

Make – Fortinet

Model – 1000C

FortiOS ver - v4.0,build0646,121119 (MR3 Patch 11)

Ritchie Nasayao
Level 1

We have a similar issue in terms of the VCS Control and VCS Expressway peer addressing under SIP. The firewall is a Fortigate 310B. Both VCS are on the same switch and are within the internal leg of the firewall. We tried having a virtual IP inside the Fortigate NAT-ed to public for both VCS. Only the private IP is active on both VCS. The NAT-ed public IP of both has failed to be recognized by both. We have no dual NIC.

Patrick Sparkman
VIP Alumni

Is your Expressway a standalone VCS or part of a cluster? If it's a cluster, you might be running into this bug: CSCun38958.