I've recently inherited a mid-sized voice and video network. I'm a little confused about the call flow for a traversal call. I have video endpoints registered to a VCS-C on the internal network. The VCS-C is trunked to a VCS-E via the traversal zone with both SIP and H.323:
If I make a video call from my endpoint to one that is registered on a remote gatekeeper, I can see that the search rules on the VCS-C and VCS-E search correctly for the call through the traversal zones, but the RTP media stream attempts to go directly from endpoint to endpoint. The same thing happens in reverse; if I initiate the call from the remote endpoint to my internal endpoint, the search correctly finds the endpoint via the traversal zone, however the RTP stream always attempts to go from endpoint to endpoint.
This happens whether my endpoint is registered as SIP or H.323.
Since the media stream is trying to go endpoint to endpoint, the only way I can complete the video call is if I open up access on the firewall between the two endpoints. I thought that with a traversal call, the media was supposed to flow through the Expressway itself.
Am I missing something in my understanding of "firewall traversal", or is this a misconfiguration on my part?
Are you positive that the zone between the VCS-C and VCS-E is a traversal zone, i.e. a traversal client zone on the VCS-C and a traversal server zone on the VCS-E, and that the zone is not a neighbor zone?
What type of firewall do you have in between the VCS-C and VCS-E? Does this firewall have H.323 and SIP ALG capabilities, and if so, are these enabled?
Yes, positive that the VCS-C and VCS-E are peered via a traversal zone (client/server).
The firewall is a Cisco ASA. By ALG, do you mean fixup protocol capabilities?
Does the ASA firewall NAT the communication between VCS-C and VCS-E?
What is the dialing format for calling the remote endpoint (i.e., email@example.com, 1234, 10.1.1.1)?
Do you have a DNS zone in VCS Control where the VCS-C may resolve the far-end domain itself instead of the VCS-E handling it?
No, there is no NAT involved anywhere. This is more of a B2B design, with the VCS-E just bringing in a separate network, but with routable addresses.
I should add that the VCS-E is peered to the remote GK with H.323, so all video calls to the remote endpoints are done with E.164 numbers and not SIP URIs.
Yes, ALG would be similar to the 'inspect' command on your ASA.
For the traversal zone, you should make sure that all traffic between VCS-C and VCS-E is not subject to the 'inspect sip' and 'inspect h323' service policies.
Also please check your PM's as I have sent you a message.
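As an added illustration of that advice (example configuration, not posted by anyone in the thread), this is how the exemption can look on an ASA whose default global policy inspects SIP and H.323; the addresses 10.1.1.10 (VCS-C) and 192.0.2.10 (VCS-E) and the interface name "inside" are placeholders:

```cisco
! Added example, not from the thread. Placeholder addresses:
!   10.1.1.10  = VCS-C on the inside interface
!   192.0.2.10 = VCS-E on the outside interface
!
! Default state: the global policy runs every SIP / H.323 flow,
! including the traversal zone, through the SIP and H.323 ALGs.
policy-map global_policy
 class inspection_default
  inspect sip
  inspect h323 h225
  inspect h323 ras

! Exemption: narrow inspection_default with an access list. A deny
! ACE in a class-map access list excludes that traffic from the class,
! so the VCS-C <-> VCS-E pair bypasses every inspect in this class
! (SIP and H.323 included) while all other hosts are still inspected.
access-list VCS_NO_ALG extended deny ip host 10.1.1.10 host 192.0.2.10
access-list VCS_NO_ALG extended deny ip host 192.0.2.10 host 10.1.1.10
access-list VCS_NO_ALG extended permit ip any any

class-map inspection_default
 match default-inspection-traffic
 match access-list VCS_NO_ALG

! Check: packet-tracer for the VCS pair should no longer show an
! INSPECT phase (5060 is a placeholder for the signalling port in use),
! and the SIP inspection counters should stop increasing for them.
packet-tracer input inside tcp 10.1.1.10 5060 192.0.2.10 5060
show service-policy inspect sip
```

The exemption only removes ALG processing; the interface access lists must still permit the traversal-zone traffic between the two VCS peers.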