
Two-hour Timeout running H.323 through CheckPoint Firewall


Yesterday
07-07-2004, 11:43 AM
Has anyone had a problem with H.323 videoconferences timing out after 2 hours, when running through a CheckPoint firewall?

We're using Polycom equipment: MGC-50, VS4000, VS512. The timeout settings on the Polycom devices are not the problem (calls don't time out when we put the devices outside our firewall).

We've set our firewall to accept H.323 traffic, and the calls connect fine, and they run fine for 2 hours. At exactly 2 hours, the calls simply drop, and we're not seeing any reason for it. There are no 2-hour timers set anywhere on the firewall, as far as we can tell.

We're running CheckPoint Firewall-1, version NG, Feature Pack 3.

Any thoughts would be welcome . . . .

MACC the AVCOtek
07-07-2004, 02:25 PM
I learned in my Tandberg certification course that the port 1720, which is the Call Control Port, needs to be set to not time out.

I am only conjecturing based on theory. I have no working knowledge of this as I have never set up a firewall myself. Could be something to look at though....

George
07-07-2004, 02:48 PM
Checkpoint Firewall does have an authentication timeout.

Under Global Properties -> Remote Access -> Authentication timeout (or Global Properties -> Desktop Security -> Validation timeout), try setting it to 1440 minutes (24 hrs).

George

trapehzoid
07-10-2004, 01:18 PM
This is a common problem, both with CheckPoint and Ciscos. It's always a connection timeout value in the firewall.

Yesterday
08-06-2004, 02:41 PM
Thanks for the responses. We finally resolved the issue. It turns out that our timeout settings were fine. We just had to upgrade the firewall software. Cisco hotfix HFA 318 reportedly fixes an issue with refreshing control connections. We upgraded to cumulative hot fix HFA 325, and it's better now. One thing we've discovered, however, is that the timeout will still occur if we reinstall the rulebase on the firewall during an IP video call.

kcp
09-16-2004, 09:48 AM
This is a common problem, both with CheckPoint and Ciscos. It's always a connection timeout value in the firewall.


Hi, is there a specific timeout value that should be adjusted for the Cisco PIX to solve this issue?

knickull
09-21-2004, 08:29 AM
We have had the same problem with timeouts, but our calls lasted only 5-10 minutes. The FW administrator said that the problem is to be found elsewhere, but I don't believe him...
What value should be corrected, and where to get this fixed? Cisco PIX. For now solved by building a VPN tunnel...

trapehzoid
09-25-2004, 10:51 AM
I have to do some digging to find the command, but it's basically a TCP connection timeout. Because connections can close abruptly when things go bad, the PIX automatically closes connections which seem idle after a period of time. In this case the PIX is closing the control connections of the call because they appear idle, and the call clears.

It's purely a PIX configuration when not using fixup.

kcp
10-06-2004, 04:15 PM
I have found a timeout value in the PIX firewall that was causing the calls to drop. It was the H225 timeout. After disabling this by setting it to zero the calls continued past the 2 hour point and during a couple tests I had calls running for up to 12 hours.

Thanks for your responses

Kevin

JohnnyBGood
03-10-2006, 01:00 PM
We had an issue with two-hour timeouts occurring on dial-in participants to our video zone. We discovered that the timeout did not happen when we unregistered (H.225) to the GK.

Either the H.225 timer in the PIX is set incorrectly or the H.323 or H.225 fixup is not working properly.

For more information see this document: http://www.ncih.net/h323/fwinteraction.pdf