CallManager H.323 TCP/UDP Ports

Unanswered Question
Feb 13th, 2007

Can someone please verify what ports CallManager 4.1 uses for H.323 call control? I've found repeated documents that seem to contradict each other and packet captures I have performed. This link appears to be the most accurate:

http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/sec_vir/udp_tcp/41plrev2.pdf

The only issue I have with the above 4.1 document is that it mentions TCP 1718 for Gatekeeper Discovery. According to my packet captures and every ITU document I can find, this should really be UDP 1718 (More precisely a multicast to UDP 224.0.1.41:1718, but apparently some legacy H.323 devices could use unicast on UDP 1718).

I have also found several documents that list the dynamic ports used for H.245 call control as either TCP 1024-4999 or TCP 11000-11999. If you turn on AutoQoS on the router, it creates an ACL with TCP 11000-11999. Where did these ranges come from? If you do a packet capture, the ports used for H.245 vary widely, but have never been in the 11000-11999 range. Most of the time the port falls above TCP 50000. The above document states all Ephemeral TCP ports as the port range, which is validated again by packet traces.

Is there a way to specify the H.245 port range in CallManager? It seems fairly inconvenient to open all ephemeral ports on an ACL or firewall if the router or firewall is not capable of 'fixup' or 'inspect'.

PETER NEGUS Fri, 02/23/2007 - 06:57

I sympathise - the documentation is very confusing and contradictory. I was hoping that someone would reply to this post with the full truth. I can however comment on some items:

TCP 1024-4999: H225 specifies TCP port 1720 for call setup. CCM can use either a standard H225 trunk, or an Intercluster Trunk. As CCM can use multiple Intercluster Trunks one port is just not enough. Therefore Intercluster Trunks use the range 1024-4999.

H245 in other Cisco documentation uses the range 11000-65355, which is why you are seeing TCP 50000+.

Gatekeeper Discovery is definitely a UDP process and I suspect that TCP 1718 in the paper is wrong.

My unofficial port list for CCM is:

TCP 1024-4999 InterclusterTrunk call setup

TCP 1720 H225 call setup

TCP 11000-65535 H323

TCP 2428 MGCP ISDN backhaul

TCP 2000 Skinny (obsolete CCM versions use 2001 & 2002)

TCP 5060 SIP telephone

UDP 16384-32767 RTP

UDP 5060 SIP Trunk

UDP 2427 MGCP control

UDP 1718 Gatekeeper Discovery (not normally used)

UDP 1719 Gatekeeper RAS protocol

UDP 2748 CTI/JTAPI (IPCC Xpress and anything else that uses a CTI route point)

I am not aware of any way to set the H245 port range in call manager. However, there is a facility to specify that a specific trunk can use port 1720 in Call Manager services. You could also terminate the call manager and IP traffic on a session border controller (aka IPIP Gateway) and re-originate with pure 1720.

You may have noticed an NBAR "match protocol" command in the routers. You can use these to do pre-filtering for the firewall or for deeper inspection. For example, there is a match protocol H323, Skinny, MGCP etc.

Hopefully someone else will enlighten us on the H245 port range!
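Added example (not part of the original thread, and not Cisco code): a Python check that tests flows read from a packet capture against the unofficial port list in the reply above and against the TCP 11000-11999 range the question attributes to the AutoQoS ACL. The flow list is constructed sample data and the function names are hypothetical.

```python
# Port list transcribed from the reply above (unofficial, per its author).
PORT_LIST = [
    ("tcp", 1024, 4999, "Intercluster Trunk call setup"),
    ("tcp", 1720, 1720, "H225 call setup"),
    ("tcp", 11000, 65535, "H323"),
    ("tcp", 2428, 2428, "MGCP ISDN backhaul"),
    ("tcp", 2000, 2000, "Skinny"),
    ("tcp", 5060, 5060, "SIP telephone"),
    ("udp", 16384, 32767, "RTP"),
    ("udp", 5060, 5060, "SIP Trunk"),
    ("udp", 2427, 2427, "MGCP control"),
    ("udp", 1718, 1718, "Gatekeeper Discovery"),
    ("udp", 1719, 1719, "Gatekeeper RAS"),
    ("udp", 2748, 2748, "CTI/JTAPI"),
]
# The narrower H.245 range the question says AutoQoS puts in its ACL.
AUTOQOS_H245 = [("tcp", 11000, 11999, "H.245 (AutoQoS ACL range)")]

def matches(rules, proto, port):
    """Labels of every rule covering proto/port, narrowest range first."""
    hits = [(hi - lo, label) for p, lo, hi, label in rules if p == proto and lo <= port <= hi]
    return [label for _, label in sorted(hits)]

def uncovered(rules, flows):
    """Flows from a capture that no rule in the set would permit."""
    return [f for f in flows if not matches(rules, *f)]

def shadowed(rules):
    """Single-port entries that already fall inside a wider range of the same protocol."""
    return [(label, wide) for p, lo, hi, label in rules if lo == hi
            for q, wlo, whi, wide in rules if q == p and wlo < whi and wlo <= lo <= whi]

# Constructed sample: (protocol, destination port) pairs as might be read from a capture.
SAMPLE_FLOWS = [("tcp", 1720), ("tcp", 52344), ("udp", 1718),
                ("tcp", 1718), ("udp", 20000), ("tcp", 11500)]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, matches(PORT_LIST, *flow) or "NOT COVERED")
    h245_like = [f for f in SAMPLE_FLOWS if f[0] == "tcp" and f[1] >= 11000]
    print("missed by AutoQoS H.245 range:", uncovered(AUTOQOS_H245, h245_like))
    print("single ports already inside a wider range:", shadowed(PORT_LIST))
```

Running it on the sample shows that a wide range such as TCP 1024-4999 also admits TCP 1718, 1720, 2000 and 2428, so an ACL built from this list is broader than the individual entries suggest.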

Posted February 13, 2007 at 2:15 PM