Why does endpoint "register" to VCS-E with port 33060 and not 1719?

Andrew WEISS
Level 1

We have a remote codec (C60) that is registered to our VCS-E via H460 and oddly enough the registration address is A.B.C.D:33060 and not A.B.C.D:1719. Port 33060 is not even open on our firewall, thus clearly the codec is registering via RAS (UDP-1719) but is showing as 33060 in the endpoint list of the VCS-E.

There is a second C60 in the same location with exactly the same configuration that registered as expected A.B.C.C:1719.

Any ideas why or how to correct this issue?  This problem is purely cosmetic, since the codec functions as desired, however support teams will be confused when they see this.


Martin Koch
VIP Alumni

If you post something, please always mention the software versions used and more info about your deployment.

In this scenario it would be interesting if these devices are on public or transparent routed IPs or if firewalls or NAT are involved. Without that info how shall we say something.

If I understand it right A.B.C.D and A.B.C.C are the remote sites and not your VCS-E.

Do you have a problem dialing in or out or on the registration? If not I do not really see where your issue is.

It's most likely some NAT router or ALG.

If it's an ALG I would disable the ALG / all layer 3 H.323 awareness of the network.

Regarding a firewall, the remote site will connect TO your VCS TO port 1719; from WHERE it registers is >=1024, that's completely fine.

For one device some NAT routers will try to use the same port, so if the request comes from 1719 it will also be mapped on 1719 to the outside interface.

If multiple devices are behind the same NAT and especially when they try to connect to the same VCS you will see that the second one will get a different port number.

There are also NAT routers which just randomize the ports or use other methods.

So all nice and fine. It is only confusing if you do not know what to expect ;-)

Please remember to rate helpful responses and identify helpful or correct answers.
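The port mapping described in the reply above, as an added example that is not part of the original post: a hypothetical port-preserving NAT in front of two endpoints, and an inbound firewall rule that matches only the destination port. All addresses, the `PortPreservingNat` class and the pool start of 33060 are constructed for the illustration.

```python
from dataclasses import dataclass, field

RAS_PORT = 1719                      # H.323 RAS over UDP, as in the thread
VCS = ("198.51.100.5", RAS_PORT)     # constructed gatekeeper address

@dataclass
class PortPreservingNat:
    """Hypothetical NAPT: keep the inside source port if it is free on the
    public side, otherwise hand out the next free port from a pool."""
    public_ip: str
    pool_start: int = 33060          # constructed pool start for the demo
    bindings: dict = field(default_factory=dict)  # (ip, port) -> public port

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.bindings:
            used = set(self.bindings.values())
            port = inside_port
            if port in used:             # preferred port already bound
                port = self.pool_start
                while port in used:
                    port += 1
            self.bindings[key] = port
        return (self.public_ip, self.bindings[key])

def firewall_permits(src, dst, allowed_dst_ports=(RAS_PORT,)):
    """Inbound rule in front of the gatekeeper: destination port only.
    The source address and port are deliberately not part of the match."""
    return dst[1] in allowed_dst_ports

def registration_address(nat, inside_ip, inside_port=RAS_PORT, dst=VCS):
    """Address the gatekeeper would list for this endpoint (the source of
    the packet it received), or None if the firewall dropped the request."""
    src = nat.translate(inside_ip, inside_port)
    return f"{src[0]}:{src[1]}" if firewall_permits(src, dst) else None

if __name__ == "__main__":
    nat = PortPreservingNat("203.0.113.10")         # constructed public address
    for codec in ("192.168.1.10", "192.168.1.11"):  # constructed inside hosts
        print(codec, "->", registration_address(nat, codec))
```

The second endpoint is listed with the pool port even though no firewall rule mentions that port, because the rule is evaluated against the destination port of the request.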


Hi Martin,

Thanks for your answer.

I didn't mention NAT in my initial post, however I can confirm that we are using static NAT on the remote Firewall where the codecs are for one-for-one mappings (i.e. an RFC1918 address is statically natted to 1 unique public IP address).  The VCS-E address is not natted, but is sitting on a DMZ that has public IP addressing. 

Dynamic NAT is not supported by H460.18/19, ASSENT or SIP/ICE, meaning that a UDP-1719 RAS request will arrive on the frontal firewall (i.e. the firewall protecting the VCS-E) with the same port number that it left with, i.e. 1719. It better, since if it didn't it wouldn't be allowed through the firewall. A request to port 33060 would be dropped on the frontal firewall since it's not authorised/necessary for H460.

On the frontal firewall where the VCS-E is connected neither NAT nor PAT are used, meaning that requests from A.B.C.D:1719 and A.B.C.C:1719 are not altered in any way and it's not the VCS-E that's altering anything either, or perhaps it is?

Finally, since the frontal firewall has other working codecs coming into it on their way to the VCS-E, clearly all SIP/H323 inspection/ALG has already been disabled. The same is true on the remote site's firewall.

Thus my question still stands: where does the 33060 come from? H460 registration is done via RAS (1719) and not port 33060. But the 2nd codec is registered with its IP address followed by :33060 and it functions perfectly. Crazy!

By the way, the software version of our VCS-E is 7.2. 

Kind regards,

Andrew




Just on my way out so I do not have time to browse through the standards, but just from the logical part and from what I see and from what I want.

I want multiple clients being able to handle VoIP/TP calls from behind the same NAT address to the same "proxy".

With your definition that would not work until the router is an H.323/SIP-aware ALG.

In your scenario only 1:1 NAT would work, that's not true.

One example would be symmetric RTP, which is exactly used to get back into the network when the signaling and original ports differ from what the VCS gets.

Or google for rport on SIP signaling, and also the port combinations for ICE host/rflx/relay can be completely different.

If the firewall is your NAT router then I am not surprised, it does not need to be opened if the firewall itself is picking this number to handle the NAT request.

Do a network dump on each section of the IP path and then you will see what happens where.

Check out the firewall guide from Cisco for the VCS:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_IP_Port_Usage_for_Firewall_Traversal_Deployment_Guide_X7-2.pdf

Did you ever consider that it has a reason that the src port for RAS is >=1024?

Btw, if you use a C60 and a standard VCS you will most likely use ASSENT and not H.460.18 (but RAS behaves the same).

For me it's not crazy, it looks fine!

Please remember to rate helpful responses and identify helpful or correct answers.
