Problem ASA and Videoconference

anunes1987 · ‎09-15-2010

I'm needing some help related to one videoconference that i was setting up.

When i make the call for the videoconf the remote user says that he answer the call but for me keeps only ring , and when he make the call we can see everything but the remote user don't see me no sound nor video.

The only different thing that i got in the logs

Was one Deny TCP (no connection) from xxx to xxx flags SYN ACK on interface xxx (i don't have the log for this one i know this is the error)

And

4 Sep 15 2010 11:18:57 313005 No matching connection for ICMP error message: icmp src INTERNET:201.31.X.X dst -DMZ01:189.43.X.X (type 3, code 3) on INTERNET interface. Original IP payload: udp src 189.43.X.X/49152 dst 192.168.X.X/55844.

I have a static nat 10.21.1.250 to 189.43.X.X

Do you guys have any ideia what might be causing it?

Thanks in Advance

mvsheik123 · ‎09-15-2010

Hi,

Have you opened the necessary ports on the ASA for videoconference? If you can post ASA config, someone will be able to help.

Thanks

MS

anunes1987 · ‎09-15-2010

Follows the running config attached.

Thanks for your help in advance

Marcin Latosiewicz · ‎09-15-2010

Amanda,

Both messages indicate that first packets seen by the firewall are not initial packets...

Is there by any chance problem with routing?

type 3 code 3 is destination port unreachable.

http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

Marcin

anunes1987 · ‎09-15-2010

Thought about it but they are able to conect here and i can hear and

seeing video... ...

I found ond einformation on the net someone meybe can confirm if is really it

"(no connection) errors are generally caused when an IP device attempts to respond to a previously opened TCP/IP connection after the connection has 'timed out' in the firewall's stateful connection table.

This can happen for numerous reasons. The most common is that the connection timeout on the firewall is set to low. This can happen more specifically across slower LAN or WAN links or if a server is slow to respond to requests.

For example a client sends a SYN request to a server. The server takes to long to respond and the timeout set on the firewall closes the stateful connection because it has not detected at SYN-ACK response from the server within the timeout period set on the firewall. Therefore when the server finally sends the SYN-ACK packet, the firewall has already 'timed-out' the connection and so cannot match the packet sequence in its stateful connection table. As there is no match in the stateful table, the firewall reports the return packet as (no connection) and drops the traffic."

Marcin Latosiewicz · ‎09-15-2010

Amanda,

The description is correct in general. It can happen when connection has timedout OR has otherwise been removed (RST for example).Note default TCP timeout is 1 HOUR.

Is the video conferencing relying on h323 for communication? I see inspection is on, that's already a good ;-)

What I would suggest - open up access-list for ALL traffic incomfing from that particular location on the ASA (the IP address you indicated as 201.31.X.X).

Please note that it will NOT affect any stateful aspects, just general pinholes not open scenario, BUT it will make a good test.

Marcin

greensubmarine2009 · ‎09-15-2010

delete the "inspect h323",and try again.