Re: H.323 Sound Issues

Rod.Blackie · ‎11-26-2012

I've a strange problem.

we have a c20 system that is registered to a vcs-c running 7.2 we have a firewall (palo alto) and a vcs-e that sits on the internet. We have one ACL rule from the vcs-c to vcs-e to permit any traffic. This seems a standard set up.

When we call a remote MXP 95 system via the interent (this system is registered to a vcs-c running 7.1) using H.323 at least 90% of the time we hear no audio.

When we place the same call to the same system using SIP there is never any problems - audio and video work.

The remote system calls our system using H.323 with no problems.

Anyone any ideas how to help with the sound issues?

Thanks

Rod

Martin Koch · ‎11-26-2012

Check that there are no h323 awareness/ ALG /nat helper/... enabled in the firewall and that all needed ports are open

that also counts for the remote site.

Nachricht geändert durch Martin Koch: just underlined / made some word bold, ...

Please remember to rate helpful responses and identify

Rod.Blackie · ‎11-26-2012

Hi Martin

As far as I know the Palo Alto firewall has support for H.323 and no additional configuration is required.

I think my problem might be because my VCS-C speaks to my VCS-E using PAT which isn't handling the inbound voice traffic? is this something you've or anyone else has come accross?

Thanks

Rod

Martin Koch · ‎11-26-2012

Thats the wrong thought, as your firewall has h323 support it is bad and has to be disabled!

The VCSs have to relay on what they send and receive, if some device thinks its more clever and mangles with

the signaling it will break communication and cause strange symptoms like you experience now.

Disable the h323 features on the firewall and allow the required communication - see vcs admin guide as well as the firewall guide:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_IP_Port_Usage_for_Firewall_Traversal_Deployment_Guide_X7-2.pdf

Please remember to rate helpful responses and identify

Rod.Blackie · ‎11-26-2012

Martin,

Thanks for the reply.

Our VCS-E does not have any firewall between it and the internet. The VCS-E sits on a public IP address. All calls to and from the VCS-E to the internet do not have any firewall traversal.

Our VCS-C sits on our inside network and connects via the firewall to the public facing VCS-E allowing all ports from the VCS-C to the VCS-E

I meant the firewall supports H.323 - its not like cisco kit with fixup inspeciton - by default no inspection is applied to H.323 traffic.

Thanks

Rod

Martin Koch · ‎11-26-2012

You know, I just googled: palo alto nat h323

and the first hit I got was this document:

http://media.paloaltonetworks.com/documents/whats-new.pdf

Quote:

H.323 ALG Enhancements – The H.323 VoIP application-level gateway (ALG) has been enhanced to support dynamic prediction of media sessions (pinhole opening) based on the signaling data, as well as payload modification when performing address translation on the traffic allowing NAT/PAT traversal for H.323 VoIP traffic.

no further comment

Please remember to rate helpful responses and identify

rodblackie · ‎11-26-2012

Hi Martin

Don't you think the PA marketing gimmick is correct re how they deal with H.323?

I will figure out how to deactivate this feature and let you know if its successful

Thanks for your input so far.

Sent from Cisco Technical Support iPad App

rodblackie · ‎11-28-2012

Martin

You were correct. The PA firewall application inspection was the cause of the problem. To resolve the issue I created an application override policy on the firewall for all the H.323 ports for vcs-c to vcs-e communication. This stopped the application inspection and the sound problems dissapered.

Thanks again for pointing me in the right direction.

Rod

Sent from Cisco Technical Support iPad App

Dallan Wagner · ‎10-08-2013

Rod, I believe we are having the same issue. Can you explain to me how you did the application override?