10-18-2012 01:15 AM - edited 03-17-2019 11:59 PM
I've recently inherited a mid-sized voice and video network. I'm a little confused on the call flow for a traversal call. I have video endpoints registered to a VCS-C on the internal network. The VCS-C is trunked to a VCS-E via the traversal zone with both SIP and H323:
my_endpoint------VCS-C---FW--VCS-E----------remote-h323-GK---remote_endpoint
If I make a video call from my endpoint to one that is registered on a remote gatekeeper, I can see that the search rules on the VCS-C and VCS-E search correctly for the call through the traversal zones, but the RTP media stream attempts to go directly from endpoint to endpoint. The same thing happens in reverse; if I initiate the call from the remote endpoint to my internal endpoint, the search correctly finds the endpoint via the traversal zone, however the RTP stream always attempts to go from endpoint to endpoint.
This happens whether my endpoint is registered as SIP or H323.
Since the media stream is trying to go endpoint to endpoint, the only way I can complete the video call is if I open up access on the firewall between the two endpoints. I thought that with a traversal call, the media was supposed to flow through the Expressway itself.
Am I missing something in my understanding of "firewall traversal", or is this a misconfiguration on my part?
10-18-2012 01:22 AM
Hi,
are you positive that the zone between the VCS-C and VCS-E is a traversal zone, i.e. a traversal client zone on the VCS-C and a traversal server zone on the VCS-E, and that the zone is not a neighbor zone?
What type of firewall do you have in between the VCS-C and VCS-E? Does this firewall have H323 and SIP ALG capabilities, and if so, are these enabled?
- Andreas
10-18-2012 01:34 AM
Yes, positive that the VCS-C and VCS-E are peered via a traversal zone (client/server).
The firewall is a Cisco ASA. By ALG, do you mean fixup protocol capabilities?
10-18-2012 01:45 AM
Does the ASA firewall NAT the communication between VCS-C and VCS-E?
What is the dialing format for calling the remote endpoint (i.e., codec@domain.com, 1234, 10.1.1.1)?
Do you have a DNS zone in VCS Control where the VCS-C may resolve the far-end domain itself instead of letting the VCS-E handle it?
10-18-2012 02:58 AM
No, there is no NAT involved anywhere. This is more of a B2B design, with the VCS-E just bringing in a separate network, but with routable addresses.
I should add that the VCS-E is peered to the remote GK with H323, so all video calls to the remote endpoints are done with E.164 numbers and not SIP URIs.
10-18-2012 02:12 AM
Hi Jenny,
yes ALG would be similar to the 'inspect' command on your ASA.
For the traversal zone, you should make sure that all traffic between VCS-C and VCS-E is not subject to the 'inspect sip' and 'inspect h323' service policies.
Also please check your PM's as I have sent you a message.
- Andreas
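As an added illustration of Andreas's advice (this is not part of the thread and not the original poster's configuration), here is one way to keep VCS-C to VCS-E traffic out of the ASA's SIP and H.323 inspection while leaving inspection in place for everything else. The addresses 10.0.0.10 (VCS-C) and 192.0.2.10 (VCS-E) and the ACL name TRAVERSAL_NO_INSPECT are constructed placeholders; substitute the real peer addresses.

```text
! Added example, not taken from the thread. Hypothetical addresses:
!   VCS-C = 10.0.0.10   (inside)
!   VCS-E = 192.0.2.10  (DMZ / outside)
!
! BEFORE: the factory default applies 'inspect sip' and 'inspect h323'
! to every flow on the default inspection ports, which includes the
! traversal-zone signalling between VCS-C and VCS-E. The ALG then
! parses (and with NAT, rewrites) that signalling, which interferes
! with the media relay the traversal zone is trying to set up.
!
! policy-map global_policy
!  class inspection_default
!   inspect sip
!   inspect h323 h225
!   inspect h323 ras
!
! AFTER: exclude the two VCS peers from the inspected class.
! A 'deny' entry in an ACL used by 'match access-list' means
! "do not classify this traffic", so VCS-C <-> VCS-E flows fall out of
! inspection_default while all other traffic is inspected as before.
access-list TRAVERSAL_NO_INSPECT extended deny ip host 10.0.0.10 host 192.0.2.10
access-list TRAVERSAL_NO_INSPECT extended deny ip host 192.0.2.10 host 10.0.0.10
access-list TRAVERSAL_NO_INSPECT extended permit ip any any
!
! The default class may combine 'match default-inspection-traffic'
! with exactly one 'match access-list' to narrow the matched hosts.
class-map inspection_default
 match default-inspection-traffic
 match access-list TRAVERSAL_NO_INSPECT
!
! global_policy itself is unchanged; inspection_default is still the
! class it references, it simply no longer matches traversal traffic.
```

After applying this, confirm the change with `show running-config class-map inspection_default` and watch `show service-policy inspect sip` and `show service-policy inspect h323` during a test call: the packet counters for those inspections should stop climbing for VCS-C to VCS-E traffic, while ordinary SIP and H.323 flows through the ASA are still counted. The same exclusion approach applies if the inspections are attached to an interface-specific policy rather than the global one.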