Hi all,

and thanks for the replies received.

@Andreas: analyzing the configuration of the external FW with whom I have found that problems, are enabled the following ALG:

SIP

RTSP

Q931

RAS

H245

Now I want to ask: I have to turn off ALL these or only some of them? Surely the SIP, but the others? I think yes. Can you give me feedback?

greetings

Tnx Andreas.

the fw that causes me problems, however, is that between the expressway and the external terminal (on the internet).

In fact, if I connect the terminal before the FW II have no problems.

The call through other FW on my network but these have the ALG disabled, the last one instead do not (have the status that I have reported).

I'll disable the ALG on external FW as you indicated me and I check (I hope) if everything works as if I called before the FW.

I'll let you know

Federico

Hi Andreas,

whitout the ALGs as above mentioned the call goes up (both direction). : )

I'm very happy.

But now i have another problem... when i have tried to replicate the configuration of lab-fw on the production-fw:

- the incoming call works well but the outcoming call don't work

on the vcs control i obtain this status: Channel unacceptable

you have any suggestions for me?

Hi Andreas,
I did check and test. The situation now is as follows:

I have tested the calls in both directions using a similar FW to that of production. Everything works perfectly.

I tested the calls with production FW and work only incoming calls. For outgoing ones we have: the call comes in, the message connected appear but then the pop-up freeze. It's like the FW lock up part of the flow, but on it there are no blocks.
On the expressway the status of the call is "Normal, unspecified", while on the Control status is "Channel unacceptable".

It’s to keep in mind that the traffic on the test FW and on the FW production perfectly follows the same path, but is divided only when it arrives on these FW. We have a video-out terminal that using the test FW and one using the production FW. So, I think, the only network error could be in the FW rules since the routes, for the choice of which FW must be used, are correct. But if the problem is on the FW rules we should see the blocks on the FW (which they aren’t).

The only differences (for now I identify) between the two FW are:

- On production FW Microsoft RPC ALG is active while on another one no (but I don’t think has to do with anything)
- On production FW is set, for the Untrusted zone, many screen (set Untrust screen ...); but it seems strange that this will lead to not work the only outgoing calls

Any idea? I want to enable the DEBUG log on Expressway and make a traffic capture today if I  can’t identify the problem. Maybe with this I find more information.

A greeting and thanks to all who answer me

Federico,

can you clarify what you mean by 'On production FW is set, for the Untrusted zone, many screen (set Untrust screen ...);'?

If you are planning to take logs, make sure to grab a diagnostics log (Network log level = DEBUG) from both the VCS-C and VCS-E, since we would need to compare the H323 messages as they are sent and received to understand whether or not the FW is altering any of the payload data for these messages.

Another good test to check for H323 ALG is to disable the H323 part of the traversal zone between VCS-C and VCS-E and ensure that the SIP part of the traversal zone uses TLS. Now when you place a call across the traversal zone (and through the FW), the SIP signaling will be encrypted and the FW will not be able to inspect/modify any traffic (in general at least, there are FW's which can inspect TLS as well but that's not very common) and calls will then normally work.

- Andreas

@Patrik: the traversal is properly activated and if I place the external video-terminal before the last FW everything works

properly. Surely I'll follow your advice if I don't get improvements disabling the ALG mentioned above.