MGCP E1 backhaul issues traversing Checkpoint after FW upgrade.

Mar 4th, 2010

The ccm-manager backhaul process is hunting through the primary, secondary call agents, then dropping the backhaul. All started after the customer's provider upgraded their Checkpoint firewall. Initially the gateway wasn't showing as registered in Call Manager after the upgrade. But after they patched the firewall for a known MGCP bug that was black-holing traffic, the gateway shows as registered. But we cannot place calls and have forced the gateways into SRST, as the ccm-manager backhaul process seems to be sending packets but not receiving any. The firewall logs are seeing traffic to the CCM on TCP 2428 and returning on the random source port... as per the tcpdump on the FW interfaces... but we never see the packets received in the "sh ccm-manager backhaul". Debug of the ccm-manager backhaul packets shows them being sent. UDP port 2427 is being seen in both directions also.

jconi Thu, 03/04/2010 - 13:27

Hello Ian,


I had the same problem with MGCP GW and Checkpoints several times.

The GW receives the 200 OK MGCP msg after sending a RSIP, but it's not recognized by the GW as an MGCP msg. In the debug mgcp packets on the router, I only see RSIP. But in Wireshark, I see the RSIP and the 200 OK. However, the DSCP was reset to 0 by the FW, so this FW certainly modified the packets in a way that I never found.

I changed the network design for the GW when I faced this problem.

jp

IAN HOLMES Thu, 03/04/2010 - 20:38

JP,

So did you solve this by bypassing the FW or were there some rules applied? I don't have a bypass option. I don't see how a DSCP value change would be an issue... as this is changed all the time by carriers, but were you suggesting that if they made that change, maybe there are other changes within the packet or payload being done by Checkpoint?


Cheers, Ian.

jconi Thu, 03/04/2010 - 23:32

I bypassed the FW.

I tried to reproduce the problem in my lab with a Checkpoint installed by a colleague, but the GW worked correctly.

For the problem, I was suggesting that something was changed by the FW (not only the DSCP) that can cause the problem.

On the customer site, I could not do anything with the Checkpoint.

Maybe you can ask them to disable the SmartDefense (just temporarily), or uncheck some MGCP-related boxes for packet inspection or other.

Good luck

jp
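
The comparison discussed in this thread (capture the same MGCP datagram on both sides of the firewall and look for what changed besides DSCP) can be scripted. This is an added example, not part of the original posts; the addresses, the transaction ID and the payload difference are constructed for illustration and are not an observed Checkpoint behaviour.

```python
import struct

def build_udp_ipv4(src, dst, sport, dport, dscp, payload, ttl):
    """Build a minimal IPv4+UDP packet (checksums zeroed; constructed test data)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(udp), 0, 0,
                     ttl, 17, 0, bytes(src), bytes(dst))
    return ip + udp

def parse(pkt):
    """Extract fields a firewall should pass unchanged on a permitted UDP datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("not a UDP packet")
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return {"dscp": pkt[1] >> 2,
            "src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20])),
            "sport": sport, "dport": dport,
            "payload": pkt[ihl + 8:ihl + ulen]}

def diff_packets(outside, inside):
    """Return what differs between two captures of the same datagram.
    TTL and checksums are ignored: they change legitimately at every hop."""
    a, b = parse(outside), parse(inside)
    changes = {k: (a[k], b[k]) for k in a if k != "payload" and a[k] != b[k]}
    pa, pb = a["payload"], b["payload"]
    if pa != pb:
        first = next((i for i, (x, y) in enumerate(zip(pa, pb)) if x != y),
                     min(len(pa), len(pb)))
        changes["payload"] = {"first_diff_offset": first, "lengths": (len(pa), len(pb))}
    return changes

# Constructed sample: one MGCP "200 OK" as seen on each side of the firewall.
CCM, GW = (192, 0, 2, 10), (198, 51, 100, 20)   # documentation addresses
OUTSIDE = build_udp_ipv4(CCM, GW, 2427, 2427, 24, b"200 1001 OK\r\n", ttl=64)
# Hypothetical rewrite for illustration only: DSCP cleared, line ending altered.
INSIDE = build_udp_ipv4(CCM, GW, 2427, 2427, 0, b"200 1001 OK\n", ttl=63)

if __name__ == "__main__":
    for field, change in diff_packets(OUTSIDE, INSIDE).items():
        print(field, change)
```

With real captures, pass the IP packet bytes of the matching frame from each side (link-layer header stripped) to `diff_packets`.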
