Inspect H323 effects on H239 traffic.

Sep 30th, 2009

We have had mixed success with the use of H239 while H323 inspection is enabled on an ASA running 8.0(4) code. The endpoints are a Polycom PVX behind the ASA (HostB) and another PVX endpoint which is not behind any firewall (HostA). Both endpoints are bridged through a Codian MCU which is also not behind a firewall. The MCU and HostA are on a lower security interface (outside) than HostB (inside). With H323 inspection enabled and the PVX software configured to be aware of its NAT'd address, H239 content cannot be seen when initiated from HostA. The content channel opens, but no content is actually received. If HostB first opens a content channel to HostA and shares a desktop image, then closes it off, HostA can then initiate an H239 connection and share content successfully.

With H323 inspection turned off, content works from both sides at all times. The access list in place between the two endpoints is permit ip HostA HostB placed inbound on the outside interface and permit ip any any placed inbound on the inside interface.

Has anyone had a similar issue with H323 inspection and H239 content? Thanks in advance.

platinum_jem Wed, 09/30/2009 - 19:02

Yup, I had the same problems with the H323 inspection in ASA. When doing H239, unexpected behaviour will occur. Sometimes content is missing from either the local or the remote site, or voice/video is missing in H323 calls.


Gave up trying to get it to work thru the packet inspection; even if you open up the firewall to allow the relevant traffic, somehow the packet inspection still breaks the H323 and H239.


I believe the reason behind this is that different vendors have different interpretations of the H323 and H239 standards, and therefore when Cisco tries to apply packet inspection on these H323 packets, it tends to break the packet format and your calls go haywire.


Your most reliable option is to turn off the packet inspection in ASA and make use of the NAT feature in the endpoints instead. I have had it problem-free ever since I used this option.

RYAN BAYS Wed, 09/30/2009 - 19:14

Thanks for the reply. I knew this was the case in the PIX 6.0 code, but I was hoping after the upgrade to the ASA, they might have worked the kinks out.


On a positive note, I did find that for voice and video at least the inspection did seem to make the proper substitutions to allow a client behind the ASA who was not aware of its external address to communicate through the firewall. That is a step in the right direction from the last time I attempted to use H323 fixup. No dice on the H239 though.


I am afraid that H323 is another in the long list of inspection rules I will have to turn off because they do not work dependably. Bummer.

platinum_jem Wed, 09/30/2009 - 22:30

Hmm, what I did to stop packet inspection was just to go into the default inspection list:


policy-map global_policy
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras

(On 8.0 code H323 inspection is two separate statements in the default class, h225 and ras, so both have to be removed.)
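Putting the thread's recommendation together, as an added configuration example that is not from the original posts: H.323 inspection removed from the ASA 8.0(4) global policy, a fixed one-to-one translation for HostB that the PVX on HostB is then told about in its own NAT settings, and the inbound access list as the question describes it. All addresses and ACL names are constructed placeholders.

```cisco
! Constructed example for ASA 8.0(4); addresses are placeholders:
!   HostB (PVX, inside)  10.0.0.20  -> public 203.0.113.20
!   HostA (PVX, outside) 192.0.2.10
!
! 1. Take H.323 out of the default global policy. On 8.0 code the
!    inspection is two statements (H.225 call signalling and RAS), so
!    both must be removed or the fixup keeps running on the call.
policy-map global_policy
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras
!
! 2. With inspection off the ASA no longer rewrites the IP addresses
!    embedded in H.225/H.245 payloads, so HostB needs a stable public
!    address and the PVX must be configured with it (endpoint-side NAT,
!    the approach platinum_jem recommends above).
static (inside,outside) 203.0.113.20 10.0.0.20 netmask 255.255.255.255
!
! 3. Keep the outside-in rule as narrow as the question states: only the
!    known far-end endpoint may reach HostB. Pre-8.3 ACLs reference the
!    translated (global) address, hence 203.0.113.20 and not 10.0.0.20.
access-list outside_in extended permit ip host 192.0.2.10 host 203.0.113.20
access-group outside_in in interface outside
!
! 4. Verify: the H.225 inspection counters should no longer exist for the
!    global policy, and the content channel should show up as ordinary
!    UDP/TCP connections for HostB while H239 is active.
show service-policy inspect h323 h225
show conn address 10.0.0.20
```

The trade-off is the one the thread identifies: without the fixup, endpoints behind the ASA that do not know their public address will advertise private IPs in the H.245 channel, so every inside endpoint needs its own static translation and NAT-aware configuration rather than relying on the firewall to rewrite the signalling.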
