Unable to call with Cisco Expressway (One-way)

YagBaca95622
Level 1

Hi Collaboration Community,

I have very minimal knowledge on the collaboration field so please kindly help me on this one.
(Our Voice team has been t-shooting this for over 2 months now and has now got me involved)


We have the following set-up:
Site A (Cisco DX70)   ------   DC (Cisco Expressway)   ------   Site B(Cisco TelePresence MX300 G2).

Here is the scenario:
We are able to call from Site B to Site A without any issues.
However, when initiating a call from Site A to Site B, there is no ring at all.
As per our Voice team, they tried to bypass the Cisco Expressway and managed to call without any issue.

After looking at the Expressway logs and doing packet captures, I found the following:
1. Able to get up to "terminalCapabilitySet" using H.245
2. Site A sends another SYN packet with the same port numbers [TCP port numbers reused]
3. Site B then sends a H.225 CS: releaseComplete.
4. Both devices send a TCP termination request.

Can anyone provide hints, help or point me to the right technology docs to resolve this issue?

Thank you in advance!


Ayodeji Okanlawon
VIP Alumni

Hi,

Please enable Expressway-C and Expressway-E diagnostic logs. Ensure you select take tcp dump when enabling the logs.

Then reproduce the issue and attach the log file here. Please include call details, i.e. calling, called and time of call.

Please rate all useful posts

I'm sorry for the delayed response.
They just gave me permission to access the devices a few moments ago.

Call details:
Start: 2020-05-01T17:10:11.373+09:00
Caller: Site A (Cisco DX70)
Receiver: Site B(Cisco TelePresence MX300 G2).
IPs are provided right at the top of the file.

Additional info:
This is an internal call and will not need to access Expressway-E


Thanks in advance

Based on the logs there is no H245 signalling negotiation. The call fails at the connect stage.

++ Connect from Called party with h245 signalling IP to use sent to Expressway-C ++

2020-05-01T17:10:13.393+09:00 Expressway-C tvcs: UTCTime="2020-05-01 08:10:13,393" Module="network.h323" Level="DEBUG": Src-ip="10.106.51.201" Src-port="1720"
Received H.225 PDU:
Q931
{
Message Type: Connect
Call reference flag: Message sent to originating side
Call reference value: 0x4426
Info Element : Bearer Capability
{
----
h323-uu-pdu
{
h323-message-body connect :
{
protocolIdentifier { 0 0 8 2250 0 6 },
h245Address ipAddress :
{
ip '0A6A33C9'H,
port 11097
},
---
},
terminal
{
nonStandardData
{
----
},
conferenceID '02B28B8FB8381B86059300A742A2D036'H,
callIdentifier
{
guid 'AE2F657B939D43EAA44330FBD67A9A13'H
},
---

++ Expressway-C sends the Connect to the DX70 ++

2020-05-01T17:10:13.395+09:00 Expressway-C tvcs: UTCTime="2020-05-01 08:10:13,395" Module="network.h323" Level="DEBUG": Dst-ip="10.147.135.202" Dst-port="11363"
Sending H.225 PDU:
Q931
{
Message Type: Connect
Call reference flag: Message sent to originating side
Call reference value: 0xe089
Info Element : Bearer Capability
{
---
Info Element : Display
{
Display Information = Himawari
}
----
{
h323-uu-pdu
{
h323-message-body connect :
{
protocolIdentifier { 0 0 8 2250 0 6 },
h245Address ipAddress :
{
ip '0A6B28C7'H,------------->10.107.40.199
port 19590

++ DX70 rather than sending CONNECT_ACK, sends a releaseComplete immediately ++

2020-05-01T17:10:13.633+09:00 Expressway-C tvcs: UTCTime="2020-05-01 08:10:13,633" Module="network.h323" Level="DEBUG": Src-ip="10.106.51.201" Src-port="1720"
Received H.225 PDU:
Q931
{
Message Type: Release Complete
Call reference flag: Message sent to originating side
Call reference value: 0x4426
Info Element : Cause
{
Location: Usr
Cause Value: Normal call clearing
}
Info Element : User User
{
Length = 20
}
}
value H323-UserInformation ::=
{
h323-uu-pdu
{
h323-message-body releaseComplete :
{
protocolIdentifier { 0 0 8 2250 0 6 },
callIdentifier
{
guid 'AE2F657B939D43EAA44330FBD67A9A13'H

++ I would check that the port advertised in the CONNECT message can be reached from the DX80 ++

Please rate all useful posts

Hi @Ayodeji Okanlawon, Experts,

Thank you for the analysis.
Just to make sure that I got it right. (Please correct me if I'm wrong)


1. Site A (Cisco DX70) initiates the call to Site B(Cisco TelePresence MX300 G2)

  • DX70 sends Message Type: Setup to the Expressway
  • Expressway responds to DX70 with Message Type: Call Proceeding
  • Expressway sends a Message Type: Setup to Site B(Cisco TelePresence MX300 G2)
  • Site B responds to the Expressway with Message Type: Alerting
  • Expressway forwards that Message Type: Alerting to DX70
  • DX70 responds with Call-routed="YES"
  • Site B sends Message Type: Connect to the Expressway
  • Expressway forwards that Message Type: Connect to DX70
  • DX70 does not respond with CONNECT_ACK
  • After some time (in ms), Site B sends a Message Type: Release Complete
  • Then the call fails...

2. There are 4 ports on the Connect message

  • Connect message from Site B Src-port="1720" to the Expressway
  • Just below that message there is a "value H323-UserInformation" with port 11097
  • Connection Forward message from the Expressway Dst-port="11363" to Site A DX70
  • Just below that message there is a "value H323-UserInformation" with port 19590

Which port should we look at and how exactly should we check that in the DX70?
Thanks again in advance,

The port advertised for H245 signalling is this: 19590

The DX 70 will use the following ports for h245 signalling:

11000 20999...

You can check this under system settings> h323 port allocation. You can also check the MX 300 port configurations.

Is there a firewall between them? If there is no firewall, then check the ports allowed for h245 on the DX 70.

Please rate all useful posts
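
The check suggested in the two replies above, as an added example that is not part of the original posts: it pulls the advertised h245Address out of each H.225 PDU in an Expressway diagnostic log, decodes the hex IP, and flags whether the port falls inside an expected range. The function name is hypothetical, the sample log is abridged from the lines quoted in this thread, and reading "11000 20999" as an inclusive range is an assumption.

```python
import re
from ipaddress import IPv4Address

# Sample input: abridged from the Expressway-C log lines quoted in this thread.
SAMPLE_LOG = '''\
2020-05-01T17:10:13.393+09:00 Expressway-C tvcs: UTCTime="2020-05-01 08:10:13,393" Module="network.h323" Level="DEBUG": Src-ip="10.106.51.201" Src-port="1720"
Received H.225 PDU:
Message Type: Connect
h245Address ipAddress :
{
ip '0A6A33C9'H,
port 11097
2020-05-01T17:10:13.395+09:00 Expressway-C tvcs: UTCTime="2020-05-01 08:10:13,395" Module="network.h323" Level="DEBUG": Dst-ip="10.147.135.202" Dst-port="11363"
Sending H.225 PDU:
Message Type: Connect
h245Address ipAddress :
{
ip '0A6B28C7'H,
port 19590
'''

HEADER = re.compile(r'Module="network\.h323".*?(Src|Dst)-ip="([\d.]+)" \1-port="(\d+)"')
MSG_TYPE = re.compile(r"Message Type: (.+)")
H245 = re.compile(r"h245Address ipAddress :\s*\{\s*ip '([0-9A-Fa-f]{8})'H,\s*port (\d+)")

def h245_endpoints(log_text, port_range=(11000, 20999)):
    """Return one dict per H.225 PDU that advertises an h245Address."""
    found = []
    # Each network.h323 header line starts a new PDU; slice the log between them.
    starts = [m.start() for m in HEADER.finditer(log_text)] + [len(log_text)]
    for begin, end in zip(starts, starts[1:]):
        chunk = log_text[begin:end]
        head, addr = HEADER.match(chunk), H245.search(chunk)
        if addr is None:
            continue  # PDU carries no H.245 address (e.g. Release Complete)
        kind = MSG_TYPE.search(chunk)
        port = int(addr.group(2))
        found.append({
            "direction": "received from" if head.group(1) == "Src" else "sent to",
            "peer": f"{head.group(2)}:{head.group(3)}",
            "message": kind.group(1).strip() if kind else "unknown",
            # The 8 hex digits are the IPv4 address, most significant octet first.
            "h245_ip": str(IPv4Address(bytes.fromhex(addr.group(1)))),
            "h245_port": port,
            "in_range": port_range[0] <= port <= port_range[1],
        })
    return found
```

Each returned row gives the IP and port that must be reachable over TCP from the peer receiving that Connect, which is the pair to test against ACLs and the endpoint's H.323 port allocation.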

JJ77
Level 1

Hi,

From your problem description, it seems the issue could be on your firewall ingress port (site A to Site B).

Please get your firewall rules checked with reference to the below document (the rules need to be carefully reviewed considering ingress and egress ports).

https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/Cisco-Expressway-IP-Port-Usage-for-Firewall-Traversal-Deployment-Guide-X12-5.pdf

Hi,

Thank you for the support.
That is the very first thing that I did after they passed the problem to me.

There are no FWs in the path, just a few ACLs without deny statements and an IP ANY ANY at the end.

Anything else that I might have missed?