MGCP registration through Checkpoint

Unanswered Question
Dec 12th, 2008

I am setting up a new CUCM7 environment which will be shared by various divisions of the Company. As such the Server environment is in a DMZ. We are trying to place the Gateways inside the firewalls (on the same networks as the phones) and have created a rule to allow all traffic bi-directionally between the Gateways, our Publisher and 2 Subscribers. For some reason we cannot get the gateways to register via MGCP. I do not see any traffic being blocked in the firewall log, and have placed a sniffer on the segment of the gateway and servers. The Sniffer trace on the server side shows an MGCP request initiated by the gateway to each of the subscribers, as well as a response from the servers. On the Client side, we cannot see the response. I have as a test placed a gateway in the same network as the servers; I can place a call from a phone registered to that gateway from inside our network, and can hear voice initiated from that phone, but cannot receive voice from the far end phone. It seems like there is a problem with UDP, but where?

iptuser55 Fri, 12/12/2008 - 06:48

What Checkpoint version are you using? There are some issues with anything other than R65. Are you using the packet inspection to allow through MGCP or the actual ports? We had to upgrade to R65 plus a service pack - not sure which one. The logs do not show any drops; also some GWs failed while others went through even though they used the same rules. Do a DEBUG MGCP PACKET and no MGCP, MGCP; what do you see? In our case we saw the forced restarts but no reply back from CUCM.

dwgray0422 Thu, 12/18/2008 - 06:39

I am using NGX R65. It turns out that even though I did not turn Smart Defense on, the Checkpoint was scanning the MGCP packets, and stopping them (without logging). I have turned on smart defense and turned off service scanning for all IPT traffic. I created custom objects for the MGCP (SIP, and SCCP) services and am no longer using the predefined objects. The CM environment is working beautifully.

Nicholas Matthews Fri, 12/12/2008 - 12:43

The ports you'll want to make sure are open:

nicmatth-sip#sh ip nbar port | i mgcp
port-map mgcp udp 2427 2727
port-map mgcp tcp 2427 2428 2727

As well as UDP 16384 - 32767.

The MGCP registration ports will be one of the above. Check 'debug mgcp packet' for any 5xx messages to see if it's just failing without any correlation to the firewall.

Make sure that the top line of 'show ccm' matches what you have in CCM. Don't forget the domain name!

If you still have audio problems, use the 'mgcp bind media source interface x/x' and make sure that the IP phone subnet has reachability to that subnet.

martin.schoonbroodt Tue, 08/03/2010 - 15:01

Hello All,

I have the same issue with a CheckPoint firewall running version R70. In fact, all the GWs passing through the FW can't register with the CUCM.

Any ideas? Normally UDP and TCP, 2427 and 2428 are open on the FW. My CUCM cluster is in version 7.1.5a. Below is an overview of the GW configuration, status and debugs.

TFTP is working properly. I tried without IP DOMAIN NAME but without success...

pfrr2820ch123ogvrs#show ccm-manager
MGCP Domain Name: pfrr2820ch123ogvrs.dzp.vrnet
Priority        Status                   Host
Primary         Backup Ready   
First Backup    Registering with CM
Second Backup   Backup Ready   

Current active Call Manager:    None
Backhaul/Redundant link port:   2428
Failover Interval:              30 seconds
Keepalive Interval:             15 seconds
Last keepalive sent:            15:02:15 CET Jul 21 2010 (elapsed time: 1w5d)
Last MGCP traffic time:         11:08:33 CET Aug 3 2010 (elapsed time: 00:00:24)
Last failover time:             11:08:33 CET Aug 3 2010 from (
Last switchback time:           11:08:03 CET Aug 3 2010 from (
Switchback mode:                Graceful
MGCP Fallback mode:             Enabled/ON
Last MGCP Fallback start time:  16:48:35 CET Aug 2 2010
Last MGCP Fallback end time:    None
MGCP Download Tones:            Disabled
TFTP retry count to shut Ports: 2

Configuration Auto-Download Information
Current version-id: 1280763234-7084499e-1a5e-4668-8af7-fe887e7f1c21
Last config-downloaded:00:00:00
Current state: Waiting for commands
Configuration Download statistics:
        Download Attempted             : 1
          Download Successful          : 1
          Download Failed              : 0
          TFTP Download Failed         : 0
        Configuration Attempted        : 1
          Configuration Successful     : 1
          Configuration Failed(Parsing): 0
          Configuration Failed(config) : 0
Last config download command: New Registration
FAX mode: disable
Configuration Error History:
pfrr2820ch123ogvrs#show run
voice-port 0/0/0:15
ccm-manager switchback immediate
ccm-manager redundant-host
ccm-manager mgcp
no ccm-manager fax protocol cisco
ccm-manager music-on-hold
ccm-manager config server
ccm-manager config
mgcp call-agent 2427 service-type mgcp version 0.1
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
mgcp package-capability sst-package
mgcp package-capability pre-package
no mgcp package-capability res-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax rate 14400
mgcp fax t38 inhibit
mgcp profile default



Aug  3 11:34:50.024 CET: //-1/xxxxxxxxxxxx/MGCP/mgcp_mp_get_not_entity(830):[lvl=2]Invalid parameter (pkt 0x3000E3F8 pkt->mgcp_parm_lines 0x0)
Aug  3 11:34:50.028 CET: MGCP Packet received from>
500 367388071

Aug  3 11:34:50.028 CET: //-1/xxxxxxxxxxxx/MGCP/mgcp_mp_get_not_entity(830):[lvl=2]Invalid parameter (pkt 0x3000E3F8 pkt->mgcp_parm_lines 0x0)
Aug  3 11:35:20.008 CET: MGCP Packet sent to>
RSIP 367388073 [email protected] MGCP 0.1
RM: forced

Aug  3 11:35:20.008 CET: MGCP Packet sent to>
RSIP 367388075 [email protected] MGCP 0.1
RM: restart

Aug  3 11:35:20.024 CET: MGCP Packet received from>
200 367388073

Aug  3 11:35:20.024 CET: //-1/xxxxxxxxxxxx/MGCP/mgcp_mp_get_not_entity(830):[lvl=2]Invalid parameter (pkt 0x3000E3F8 pkt->mgcp_parm_lines 0x0)
Aug  3 11:35:20.028 CET: MGCP Packet received from>
500 367388075

Aug  3 11:35:20.028 CET: //-1/xxxxxxxxxxxx/MGCP/mgcp_mp_get_not_entity(830):[lvl=2]Invalid parameter (pkt 0x3000E3F8 pkt->mgcp_parm_lines 0x0)
Aug  3 11:35:50.008 CET: MGCP Packet sent to>
RSIP 367388077 [email protected] MGCP 0.1
RM: graceful

Aug  3 11:35:50.008 CET: MGCP Packet sent to>
RSIP 367388079 [email protected] MGCP 0.1
RM: restart

Aug  3 11:35:50.024 CET: MGCP Packet received from>
200 367388077

Aug  3 11:35:50.024 CET: //-1/xxxxxxxxxxxx/MGCP/mgcp_mp_get_not_entity(830):[lvl=2]Invalid parameter (pkt 0x3000E3F8 pkt->mgcp_parm_lines 0x0)
Aug  3 11:35:50.028 CET: MGCP Packet received from>
500 367388079
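The check suggested earlier in the thread (reading 'debug mgcp packet' for 5xx responses) can be automated by pairing each sent command with the response that carries the same transaction ID. The following is an added example, not part of any post in this thread; the sample text is constructed in the shape of the debug output above, and the endpoint name `*@gw.example.invalid` is a placeholder.

```python
import re

# Constructed sample in the shape of the 'debug mgcp packet' output quoted above;
# the endpoint name and domain are placeholders, not values from the thread.
SAMPLE = """\
Aug  3 11:35:20.008 CET: MGCP Packet sent to>
RSIP 367388073 *@gw.example.invalid MGCP 0.1
RM: forced

Aug  3 11:35:20.008 CET: MGCP Packet sent to>
RSIP 367388075 *@gw.example.invalid MGCP 0.1
RM: restart

Aug  3 11:35:20.024 CET: MGCP Packet received from>
200 367388073

Aug  3 11:35:20.028 CET: MGCP Packet received from>
500 367388075

Aug  3 11:35:50.008 CET: MGCP Packet sent to>
RSIP 367388077 *@gw.example.invalid MGCP 0.1
RM: graceful
"""

HEADER = re.compile(r"MGCP Packet (sent to|received from)")
COMMAND = re.compile(r"^([A-Z]{4}) (\d+) \S+ MGCP \d")   # verb, transaction ID
RESPONSE = re.compile(r"^(\d{3}) (\d+)")                 # code, transaction ID

def correlate(debug_text):
    """Pair each sent MGCP command with the response carrying the same transaction ID."""
    sent, direction = {}, None
    for line in debug_text.splitlines():
        line = line.strip()
        h = HEADER.search(line)
        if h:
            direction = "tx" if h.group(1) == "sent to" else "rx"
            continue
        if direction == "tx" and (m := COMMAND.match(line)):
            sent[m.group(2)] = {"verb": m.group(1), "code": None}
        elif direction == "rx" and (m := RESPONSE.match(line)) and m.group(2) in sent:
            sent[m.group(2)]["code"] = int(m.group(1))
    return sent

def summarize(debug_text):
    """No reply suggests loss on the path (e.g. a firewall); 4xx/5xx means the call agent answered with an error."""
    out = {}
    for txid, e in correlate(debug_text).items():
        out[txid] = "no-response" if e["code"] is None else "error" if e["code"] >= 400 else "ok"
    return out
```

A "no-response" verdict matches the first post's symptom (reply visible on the server side only), while "error" means the packet crossed the firewall and the failure lies in the gateway or call agent configuration.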


iptuser55 Wed, 08/04/2010 - 00:28

We have almost given up on Checkpoint and are moving to Cisco ASA. No-one seems to be getting a handle on it in our company, nor does Checkpoint. If you hard code the ports does that not go against the feature of using the CheckPoint MGCP "profile" - excuse the wording, not a FW guy. Our problem would be some MGCP GWs would work, others fail - all going to the same CUCM - or our Analogues would fail - MGCP just showing registering. In some cases we have to use H323 for now. We are running R65 but if R70 is failing as well .....

Tracy Larson Mon, 08/09/2010 - 11:33

Just curious, in your mgcp config for this gateway in call manager: is the mgcp domain name configured "pfrr2820ch123ogvrs.dzp.vrnet" or just "pfrr2820ch123ogvrs" ?

martin.schoonbroodt Tue, 08/10/2010 - 02:49

I entered the complete name with the domain name.

The solution was found last week. In fact, as far as I understood, the FW admin had to define dynamic ports for MGCP UDP packets.

Of course, we had to create two new objects in the services of the Checkpoint - MGCP_UDP 2427 and protocol type none and MGCP_TCP 2428 and here again no protocol type.

I'll ask the FW admin for confirmation so that I can post a complete solution here.

