Polycom VSX 7000 thru Cisco ASA 5520


franki21
01-22-2008, 09:04 PM
Hi,

The strange thing is I can call out fine. When a remote site calls in, the call is seen as incoming in the VSX log, but I cannot answer, or auto answer doesn't pick up, and the call is disconnected. My network eng. consultant insists it is the VSX; I think it's an ASA issue. Packet traces don't show any H.323 packets. Any ideas??
Thx
F

Joe Vallender
01-23-2008, 09:24 AM
Can you put a copy of the VSX trace/log of an incoming (failed) call here so we can take a look?

dlee
01-23-2008, 02:09 PM
Frank, thanks for posting this. I have a similar situation in which I am attempting to reach a VSX outside of the network. The customer says it rings, however there is no option to answer. We have full communication, as in a full green ball, just no connection luck. I'll look for logs to help this thread as well and hope to get back to you soon.

franki21
01-24-2008, 04:31 PM
Thanks for the help, will post log shortly.

franki21
01-24-2008, 04:45 PM
JV-

Do you need actual traces (Wireshark), because they're rather large .pcap files??

franki21
01-24-2008, 04:55 PM
Here is a Wireshark cap of a failed incoming call. The successful outgoing call log was too large. I will post a smaller capture of a good outgoing call.

Thx
F

franki21
01-24-2008, 04:58 PM
Here is the Wireshark pcap, zipped.

kathleen
01-24-2008, 05:43 PM
I don't have an ASA (wish I did) but does it have problems with the fixup protocol for h.323 and h.225 like the PIX did? I had to turn off fixup for those two protocols on my PIX to get both sides to see and hear each other.

franki21
01-24-2008, 10:43 PM
I don't have an ASA (wish I did) but does it have problems with the fixup protocol for h.323 and h.225 like the PIX did? I had to turn off fixup for those two protocols on my PIX to get both sides to see and hear each other.


Fixup protocol? Didn't know there was such a thing.
thx K,

I'll check it.
F

franki21
01-24-2008, 11:03 PM
remove fixup h323 h225 1720??


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lELXCNRi6ROPjI9i encrypted
passwd lELXCNRi6ROPjI9i encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80

kathleen
01-25-2008, 07:45 AM
Actually the commands would be:

no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719

Good luck.

franki21
01-25-2008, 08:46 AM
Actually the commands would be:

no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719

Good luck.

Of course... I'll let you know!

franki21
01-25-2008, 09:13 AM
Damn!! The ASA does not have these lines..

Here is everything related to the h323 config:



static (inside,outside) 12.39.245.35 10.1.15.17 netmask 255.255.255.255

object-group service DM_INLINE_SERVICE_1
 service-object tcp eq h323
 service-object tcp eq www
 service-object tcp range 3230 3235
 service-object udp range 3230 3258

policy-map global-policy
 class global-class
  inspect ctiqbe
  inspect dcerpc
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http

Joe Vallender
01-25-2008, 10:02 AM
Here is your H.225 CONNECT message from the unit receiving the call. You can see the H.245 address to respond to is 12.39.245.35. It would appear the far end is probably trying to continue the call using that address and the packets are not getting back to your video unit or the far end is not receiving the CONNECT message at all. The far end closes the connection due to no response. Did you want your endpoint to place the public address within your H.323 messages or let the firewall do it with INSPECT?

No.   Time                         Source       Destination       Protocol  Info
956   2007-12-07 09:06:14.760923   10.1.15.17   209.195.215.238   H.225.0   CS: connect

Frame 956 (184 bytes on wire, 184 bytes captured)
Ethernet II, Src: Viavideo_05:69:a7 (00:e0:db:05:69:a7), Dst: All-HSRP-routers_04 (00:00:0c:07:ac:04)
Internet Protocol, Src: 10.1.15.17 (10.1.15.17), Dst: 209.195.215.238 (209.195.215.238)
Transmission Control Protocol, Src Port: 1720 (1720), Dst Port: 16734 (16734), Seq: 102, Ack: 285, Len: 130
TPKT, Version: 3, Length: 130
Q.931
H.225.0 CS
    H323_UserInformation
        h323-uu-pdu
            h323-message-body: connect (2)
                connect
                    protocolIdentifier: 0.0.8.2250.0.4 (itu-t(0) recommendation(0) h(8) h225-0(2250) version(0) 4)
                    h245Address: ipAddress (0)
                        ipAddress
                            ip: 12.39.245.35 (12.39.245.35)
                            port: 3230
                    destinationInfo
                        vendor
                            vendor
                                t35CountryCode: United States (181)
                                t35Extension: 0
                                manufacturerCode: 9009
                            H.221 Manufacturer: ViaVideo (0xb5002331)
                            productId: VSX 7000
                            versionId: Release 8.7 - 17Jul2007 11:59
                        terminal
                        ..0. .... mc: False
                        ...0 .... undefinedNode: False
                    conferenceID: 02b46efd-da00-1000-3eb5-0010f308acc9
                    callIdentifier
                        guid: 02b46efd-da00-1000-0b35-0010f308acc9
                    0... .... multipleCalls: False
                    1... .... maintainConnection: True
                    presentationIndicator: presentationAllowed (0)
                        presentationAllowed: NULL
                    screeningIndicator: userProvidedVerifiedAndFailed (2)
            0... .... h245Tunneling: False

franki21
01-25-2008, 10:24 AM
Thx Joe - so there is a routing issue from my ASA to my internal VSX?
Any other ports I could open besides the ones listed above??

franki21
01-25-2008, 11:39 AM
SOLVED!!

Can you believe, I needed to enable "NAT is h323 compatible" on the VSX under Network > IP settings.

uuuggghhhhh

thanks, everyone!!!!

Joe Vallender
01-25-2008, 11:47 AM
Good... that setting tells the VSX that the external device doing the NAT'ing is H.323 enabled and it will handle translating the embedded IP addresses in the H.323 messages. When it wasn't turned on, the VSX was replacing the embedded IP addresses with the public address and may have been causing confusion with the external NAT device. There's always something new....
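Added example, not part of the original thread: a Python check that tells the two cases Joe describes apart in an inside-interface capture, i.e. whether the endpoint already wrote the public address into the H.225 message or left its private address for the firewall's H.323 inspection to translate. The function names and the sample message are constructed for illustration, and the search assumes the address is carried as 4 raw octets followed directly by a 2-octet port.

```python
import ipaddress
import struct

def tpkt_body(segment: bytes) -> bytes:
    """Check the 4-byte TPKT header (version 3, reserved, length) and return the body."""
    if len(segment) < 4:
        raise ValueError("segment shorter than a TPKT header")
    version, _reserved, length = struct.unpack("!BBH", segment[:4])
    if version != 3 or length != len(segment):
        raise ValueError("not one complete TPKT version 3 message")
    return segment[4:]

def find_embedded(body: bytes, address: str) -> list:
    """Ports that directly follow the 4 octets of `address` in the body."""
    # Assumption: 4 raw address octets, then a 2-octet big-endian port.
    needle = ipaddress.IPv4Address(address).packed
    ports, pos = [], body.find(needle)
    while pos != -1:
        tail = body[pos + 4:pos + 6]
        if len(tail) == 2:
            ports.append(struct.unpack("!H", tail)[0])
        pos = body.find(needle, pos + 1)
    return ports

def classify(ip_src: str, segment: bytes, mapped: str) -> str:
    """Classify a message captured on the inside of the NAT device."""
    body = tpkt_body(segment)
    if find_embedded(body, mapped):
        return "endpoint-rewrote"   # endpoint already wrote the public address
    if find_embedded(body, ip_src):
        return "needs-inspection"   # firewall H.323 inspection must translate it
    return "no-address"

def sample(embedded: str, port: int = 3230) -> bytes:
    """Constructed message: Q.931-like stub bytes, padding, address, port."""
    body = (b"\x08\x02\x00\x01\x07\x7e\x00\x10\x05" + b"\x00" * 6
            + ipaddress.IPv4Address(embedded).packed
            + struct.pack("!H", port) + b"\x00" * 4)
    return struct.pack("!BBH", 3, 0, len(body) + 4) + body

if __name__ == "__main__":
    # Addresses taken from the trace in this thread; payload bytes are constructed.
    print(classify("10.1.15.17", sample("12.39.245.35"), "12.39.245.35"))
    print(classify("10.1.15.17", sample("10.1.15.17"), "12.39.245.35"))
```

A result of "endpoint-rewrote" on an inside capture matches the failed call in this thread: the packet source is 10.1.15.17 while the embedded h245Address is already 12.39.245.35.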

JGrunder
04-10-2008, 06:42 PM
Hi,

Could someone repost the required Cisco ASA 5500 configuration lines to allow outside access (incoming calls) to a Polycom 7000s system?

From one forum member I see the following config statements for h.323 access:

static (inside,outside) 12.39.245.35 10.1.15.17 netmask 255.255.255.255

object-group service DM_INLINE_SERVICE_1
 service-object tcp eq h323
 service-object tcp eq www
 service-object tcp range 3230 3235
 service-object udp range 3230 3258

policy-map global-policy
 class global-class
  inspect ctiqbe
  inspect dcerpc
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http

And from another forum member I see mention of the following:

no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719

But I do not see the access-list statement that connects the above object-group, or whether there are any other fixup protocols that should be added or removed.

Could someone send me the full set of configuration commands that you would need to make this work?

Also what do the "inspect" statements do for h323? Are these necessary to make the ASA h323 compliant/aware?

Thanks everyone!

franki21
04-19-2008, 01:16 PM
SOLVED!!

Can you believe, I needed to enable "NAT is h323 compatible" on the VSX under Network > IP settings.

uuuggghhhhh

thanks, everyone


This was the fix for me.

F

pete25R
04-25-2008, 03:35 AM
I saw a similar problem with VSX-7000-s and IP calls. The guys couldn't answer or make calls. But they could hear it "ringing" and the green ball and all that.

Ended up being they fat-fingered the subnets.