09-19-2014 12:20 AM - edited 03-18-2019 03:25 AM
Hi,
I've been handed over the video environment here at my company. It's comprised of 65 Endpoints, 64 of which are on LAN or WAN with VCS Control registrations and one which is registering to the VCS Expressway (H.323 and SIP) This one system is working but it seems that the VCS Expressway is continually trying to retrieve information, keep-alive, heartbeat ???
It performs this request by apparently calling the system, the problem is something I am not familiar with and is starting to cuase problems as these calls are coming in during active conferences, totally disrupting the current flow and annoying the participants.
I've traced the IP's back to our VCS Expressway and tried to adjust connection settings to stop this behaviour, unfortunately without success.
The internet based system is an Edge 95 and the VCS Control / Express Versions are 7.22
Hope this sounds familiar to you and can help me stop this soon.
Thanks,
Randy
09-19-2014 02:17 AM
No, the VCS-E would not be calling your system.
Look in the call history on the VCS-E and let us know what you find first of all.
I would also seriously consider upgrading both VSC-C and VCS-E to the latest software version if you can.
Is the system registering with the VCS-E reachable on the internet with a public IP address or is it behind a firewall and/or NAT'ed behind a router etc?
If public, then disable SIP on it unless you really need it to work with both H.323 and SIP. And I assume this system has a strong admin and IP password set on it?
Also good idea to disable SIP UDP on the VCS-E unless you need it for a particular reason.
/jens
Please rate replies and mark question(s) as "answered" if applicable.
09-19-2014 05:21 AM
Thanks for the quick response.
I have a download of 7.2.3 which seems to be the current 7.x version.
It's accessible per https on a public IP from a provider in Croatia. Password is strong and differs from our internally configured systems. The credentials to register on the VCS-E are also quite uncommon and strong.
Disabled SIP
When I connected to the system the call was up, but as you suspected not in the call logs on the VCS-E
This why I suspected it to be some sort of "keep-alive" or other form of "are you there" request from the VCS side of things. "Auto answer" is naturally also off in this case.
No one has recommended disabling SIP UDP messages since I took over, what kind of issues would be avoided or better potentially created by disabling the UDP messages. Actually, no one else has a clue how the system works, so I won't get any suggestions either.
Thanks,
Randy
09-19-2014 05:44 PM
You should really upgrade to x8.2.1 - and, you should also upgrade the end-point to F9.3.3 see
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl
Scroll down to "Software Versions and Fixes", expand this and go to "Obtaining Fixed Software" then see "Customers Without Service Contracts" if you don't have a service contract.
Also see https://tools.cisco.com/bugsearch/bug/CSCup25151
Also download the relevant admin guide(s) from here: http://www.cisco.com/c/en/us/support/unified-communications/telepresence-video-communication-server-vcs/products-maintenance-guides-list.html
The deployment guides and the authentication guides are also worth a look: http://www.cisco.com/c/en/us/support/unified-communications/telepresence-video-communication-server-vcs/products-installation-and-configuration-guides-list.html
Now, back to your issue - the "keep alives" will not interfere with any ongoing calls etc - you would not know that was even happening.
I suspect your external system is being subjected to sip scans, i.e. SIPVicious; https://code.google.com/p/sipvicious/ which is very common. Disabling SIP on the end-point should put an end to this.
Disabling SIP UDP on the VCS-E also assists with reducing the impact of such scans on your network, however, if you do have ISDN gateways in your environment, then there are additional steps you should take to prevent unauthorized access - see the VCS admin guide for more information. There are also numerous threads in this forum covering this.
Disabling SIP on the VCS-E also reduces the time it takes to establish a SIP call - see this post for a very good explanation, as well as a work-around if disabling SIP UDP is not an option: https://supportforums.cisco.com/document/11935236/vcs-how-avoid-sip-udp-timeout-without-disabling-udp
The only potential issue I have found with SIP UDP being disabled, is that you will not be able to call sites using its hostname, i.e. fisthank.lifesize.com - which we hardly ever do anyway, so it's really not an issue.
/jens
Please rate replies and mark question(s) as "answered" if applicable.
10-13-2014 12:58 AM
The above detailed responce is greatly appreciated.
The calls to the internet based device have stopped after reconfiguring the settings.
Will look into the above notes/docs and see what I can adapt to make out environment a bit more secure and from a call flow perspective, optimize things.
Many thanks,
Randy
10-14-2014 10:14 PM
As Jens suggested (and +5 to him for that), the call that was in your screenshot was consistent with a SIPVicious scan - there's a fair few posts in these forums with similar issues. And one of the Popular Discussions is this one: https://supportforums.cisco.com/discussion/11865446/lot-calls-numbers-100-and-101-looks-self-calls.
Jens has linked lots of good information in his post - disabling the SIP UDP being a good start.
Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.
Please remember to mark helpful responses and to set your question as answered if appropriate.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide