VOIP / H323 Connections Being dropped after 40 Seconds

networking

Hello!

We've just installed a pair of failover 515Es to a site, and since the install, their remote IP Telephony users can't get a call to last more than about 40-50 seconds.

Here are some logs for an example connection:

The Server is behind the firewall on 10.133.8.205

The IP Phone is Outside on 10.134.2.173

%PIX-6-302015: Built inbound UDP connection 8592979 for outside:10.134.2.173/32514 (10.134.2.173/32514) to inside:10.133.8.205/32548 (10.133.8.205/32548)

%PIX-6-302020: Built ICMP connection for faddr 10.134.2.173/0 gaddr 10.133.8.205/0 laddr 10.133.8.205/0

%PIX-6-302004: Pre-allocate H323 UDP backconnection for faddr 10.134.2.173/32514 to laddr 10.133.8.205

%PIX-6-302004: Pre-allocate H323 UDP backconnection for faddr 10.134.2.173/32515 to laddr 10.133.8.205

%PIX-6-302021: Teardown ICMP connection for faddr 10.134.2.173/0 gaddr 10.133.8.205/0 laddr 10.133.8.205/0

%PIX-6-302015: Built outbound UDP connection 8592994 for outside:10.134.2.173/32515 (10.134.2.173/32515) to inside:10.133.8.205/32549 (10.133.8.205/32549)

%PIX-6-302016: Teardown UDP connection 8592994 for outside:10.134.2.173/32515 to inside:10.133.8.205/32549 duration 0:00:39 bytes 1400

%PIX-6-302016: Teardown UDP connection 8592993 for outside:10.134.2.173/32515 to inside:10.133.8.205/0 duration 0:00:41 bytes 0

%PIX-6-302016: Teardown UDP connection 8592992 for outside:10.134.2.173/32514 to inside:10.133.8.205/0 duration 0:00:41 bytes 0

%PIX-6-302016: Teardown UDP connection 8592991 for outside:10.134.2.173/0 to inside:10.133.8.205/32548 duration 0:00:41 bytes 0

Can anyone please advise what might be the problem?

Cheers,

Nick
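
An added example, not part of the original thread: it parses the 302004 and 302016 messages quoted in the post above and lists the UDP connections that were torn down without carrying any traffic. The function names are hypothetical, and treating port 0 as the wildcard of a pre-allocated H.323 back-connection is an assumption.

```python
import re

# Log lines copied from the post above (PIX syslog, message IDs 302004/302015/302016).
SAMPLE_LOG = """\
%PIX-6-302015: Built inbound UDP connection 8592979 for outside:10.134.2.173/32514 (10.134.2.173/32514) to inside:10.133.8.205/32548 (10.133.8.205/32548)
%PIX-6-302004: Pre-allocate H323 UDP backconnection for faddr 10.134.2.173/32514 to laddr 10.133.8.205
%PIX-6-302004: Pre-allocate H323 UDP backconnection for faddr 10.134.2.173/32515 to laddr 10.133.8.205
%PIX-6-302015: Built outbound UDP connection 8592994 for outside:10.134.2.173/32515 (10.134.2.173/32515) to inside:10.133.8.205/32549 (10.133.8.205/32549)
%PIX-6-302016: Teardown UDP connection 8592994 for outside:10.134.2.173/32515 to inside:10.133.8.205/32549 duration 0:00:39 bytes 1400
%PIX-6-302016: Teardown UDP connection 8592993 for outside:10.134.2.173/32515 to inside:10.133.8.205/0 duration 0:00:41 bytes 0
%PIX-6-302016: Teardown UDP connection 8592992 for outside:10.134.2.173/32514 to inside:10.133.8.205/0 duration 0:00:41 bytes 0
%PIX-6-302016: Teardown UDP connection 8592991 for outside:10.134.2.173/0 to inside:10.133.8.205/32548 duration 0:00:41 bytes 0
"""

TEARDOWN = re.compile(r"%PIX-6-302016: Teardown UDP connection (\d+) for "
                      r"\w+:([\d.]+)/(\d+) to \w+:([\d.]+)/(\d+) "
                      r"duration (\d+):(\d+):(\d+) bytes (\d+)")
PREALLOC = re.compile(r"%PIX-6-302004: Pre-allocate H323 UDP backconnection")


def summarize(log_text):
    """Return (teardown records, number of H.323 pre-allocation messages)."""
    teardowns, prealloc = [], 0
    for line in log_text.splitlines():
        if PREALLOC.search(line):
            prealloc += 1
            continue
        m = TEARDOWN.search(line)
        if m:
            conn, _faddr, fport, _laddr, lport, h, mi, s, nbytes = m.groups()
            teardowns.append({
                "conn": int(conn),
                "seconds": int(h) * 3600 + int(mi) * 60 + int(s),
                "bytes": int(nbytes),
                # Assumption: port 0 on either side marks a wildcard pinhole
                "wildcard": fport == "0" or lport == "0",
            })
    return teardowns, prealloc


def idle_pinholes(teardowns):
    """Wildcard connections that were torn down without ever passing a byte."""
    return [t for t in teardowns if t["wildcard"] and t["bytes"] == 0]


if __name__ == "__main__":
    records, prealloc_count = summarize(SAMPLE_LOG)
    print(f"{prealloc_count} H.323 pre-allocations seen")
    for rec in idle_pinholes(records):
        print(f"conn {rec['conn']}: idle for {rec['seconds']}s, 0 bytes")
```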


swharvey

Hello Nick,

What version of OS are you running on your 515E PIX's? I can't speak directly to your H323 problem, but I will share an odd problem we encountered on our ASA5520's running 7.2(2) and SCCP (skinny) VoIP. We found that if the inspect skinny eq 2000 was enabled, our call control would randomly break, causing the remote phones that connected via VPNs that terminated on the ASA's to reboot.

By disabling inspection of the Skinny port our problem stopped. You may want to investigate the H323 inspection configuration for your particular problem.

Ultimately if that resolves the problem, I suggest opening a TAC case as it is best to have the inspection enabled for VoIP traffic.

Good luck!

-Scott

Hi Scott,

We are running 7.0(2)

I will try what you have suggested & disable H323 Inspection

Blimey, looks like that worked!

Thanks Scott.

I'm going to arrange some downtime to get the OS upgraded to the newest release (7.2.1.24 I think) and see if that fixes the issue.

Can anyone advise if anything will go drastically wrong if we don't use h323 Inspection?

Glad to hear it. If possible I highly suggest you upgrade to 7.2(2), which I believe is the latest release. Cisco fixed some major bugs with that version, and may very well have addressed the h323 inspection problem you are experiencing.

I'm not an expert by any means on the inspection engine functions, but from what I understand, enabling h323 protocol inspection (or any protocol inspection) does a deeper packet analysis to confirm the integrity of the traffic it is inspecting. I don't believe it is a critical issue not inspecting your h323, but where possible, having inspection on adds an additional layer of security.

Good luck with your upgrade and if my suggestions helped please rate!

Thanks,

-Scott

Hi Scott,

We are going to be setting up another pair of Firewalls on the resilient Link for this site, so will get the latest OS on that pair and take it from there.

Thanks for your help.

Nick
