Testing VCS and EX90 over Internet

Unanswered Question
Mar 4th, 2012

Hello all,

I am looking for someone to test our VCS and EX90 setup. I believe everything is working on my side but I was haaving issues connecting to a few endpoints that had been working before.

If you want to schedule something, reply back to jesse@lightspeedtech.net. You can also call me via Jabber Video at jesse@lightspeedtech.net. You can also call our EX90 which will auto answer at 490@lightspeedtech.net.  We are GMT -5 here so if you dial in and see shadows and quiet we may not be there.

Thanks in advance.

Jesse

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
Martin Koch Mon, 03/05/2012 - 00:37

There is some info lacking,

like:

* what exactly is failing / what are your issues and is there a pattern (like in/outbound calls, call setup, video, audio, specific endpoints only, ...)

* whats your setup: vcse, vcsc, ... where are your devices registered, ...

* which protocols do you use, or think you use

In general:

* check that your VCS config is ok

* check your logs / call / search history, ...

* check that all firewall ports are properly open and no ALG is active

jhindmarsh Mon, 03/05/2012 - 12:06

Calls are failing from our EX90 and/or Movi clients to our Cisco rep.  They can see us be we do not receive any video or audio.  They claim there is no issue with their setup as they use it all the time.   It makes no difference if they call us or we call them.   However, I am able to call a few other SIP endpoints publically available over the Internet and do receive audio and video.

We are using a VCS-C located on our DMZ (no NAT here - public IP)

The devices we are testing with are all registered to the VCS.

We are using SIP only, h.323 is disabled.

We verified SIP inspection is turned off on our ASA.

Thanks

Jesse

awinter2 Mon, 03/05/2012 - 15:00

Jesse,

sice you are using a VCS Control, this will not do any firewall traversal for your endpoints and thus not take any media, since this is a SIP-SIP call. Even if you were using a VCS Expressway, if there is no NAT between the endpoint and the VCS-E, the VCS-E would normally not take any media for SIP-SIP calls.

Does the EX90 at your location have a public IP address? If so, is your firewall configured to allow incoming and outgoing RTP media for this endpoint?

- Andreas

jhindmarsh Tue, 03/06/2012 - 12:00

The only device that has a public address is the VCSc in the DMZ.  I did this to allow registrations from public and private subnets.

I did more testing today and have finally come to a better understanding of the issue.  When making a call from a Movi client on the internal private network, out to another endpoint on the public internet, the call works as expected and the ASA is performing a fixup on the traffic from the internal private IP Movi clients, as long as the protocol is SIP on port 5060.

The testing I was doing with our Cisco rep was a little inconclusive since I cannot determine why when he calls me, it uses SIP/5060 to establish a connection with me but I use 5061 to establish a session with him.  When I call him, it tries to use 5061 and he receives my video/audio but I receive no audio/video from him.

I tried to disable TLS on our VCSc, but the Movi client did not work properly, became sluggish, and call setup times increased by quite a few seconds.  It would also register and unregister constantly.

In short, I am looking for the best of both worlds by having internal/external clients registered to the VCSc, while still allowing calls to/from external endpoints.  The correct answer is to install a VCSe in the Public DMZ while keeping the VCSc internal and on a private IP, but I am trying to see what is possible with what I have at the moment.

Martin Koch Tue, 03/06/2012 - 13:23

First of all for your deployment there is nothing better than using a VCS-E!

If you intend to use the VCS-C put all your devices on public IPs, disable any fixups/helper/algs/...

in the firewall and open RTP for the Video endpoints and RTP and SIP for the VCS-C.

But this breaks if your endpoint or movi client is behind nat or a wrong configured firewall,

then you are back to the "oh, we should have gotten a VCS-E in the first place" :-)

jhindmarsh Tue, 03/06/2012 - 13:34

From a quick and dirty licensing perspective, does it make sense to turn the VCS Starter into the Expressway appliance on the public firewall side and add a VCSc to the internal network? 

From your experience, what other licenses would you recommend having on either the VCSc or VCSe appliance?  We have full control over public and private IP addressing so the dual-nic option woul dnot be needed for NAT.

awinter2 Wed, 03/07/2012 - 01:16

Jesse,

I'm not sure which Starter Pack VCS you are referring to, since you previously only mentioned having a VCS-C.

If your endpoints are to be assigned private IP addresses, I would recommend moving the VCS-C to a private addressing space as well, place a VCS-E on a public IP address (Or optionally in a private DMZ using the dual NIC/static NAT option key) and set up a traversal zone between these two.

The VCS-C is not designed to do media/firewall traversal for endpoints, so as long as your endpoints do not have public IP addresses themselves, you should not expect this deployment to work.

If you do go down the VCS-C/VCS-E route, make sure to disable any SIP and H323 ALGs/fixup in your firewall (As Martin suggests) since this could interfere with the built-in traversal functionality of the VCS-E.

Regards

Andreas

jhindmarsh Wed, 03/07/2012 - 06:14

Sorry for any confusion.  What I have is the Cisco TelePresence Video Communication Server Starter Pack Express.  Based on what I was using it for and its capabilities, I referred to it as a VCSc which I am not learning is not correct. 

It comes with these options (which I am sure you already know, but I will put it here for the benefit of any future readers):

0 Non Traversal Calls, 5 Traversal Calls, 50 Registrations, 900 TURN Relays, Expressway, Encryption, FindMe, Starter Pack

It would seem a better fit since this device already has the Expressway option is to move it out to the public access side of the firewall.

If I were to order a VCSc, what other licensing is required to have the functionality I am looking for.

awinter2 Wed, 03/07/2012 - 06:44

Jesse,

if the Starter Pack VCS is assigned with a public IP address, I would recommend that you set up your environment so that there is NAT between your endpoints and the VCS (So that the endpoint traffic is NATed before it reaches the VCS), as this will ensure that the Starter Pack VCS takes media for both SIP and H323 calls.

With this in place, you should have no problems with one-way media and similar issues.

Regarding VCS Control licensing I recommend you reach out to your Cisco sales rep for more information.

Regards

Andreas

jhindmarsh Wed, 03/07/2012 - 06:48

Interesting.  What determines whether the VCS takes media and signaling, or just signaling?  From the packet captures I have run in out existing configuration, it looks like the VCS only handles signaling.

Actions

Login or Register to take actions

This Discussion

Posted March 4, 2012 at 8:54 PM
Stats:
Replies:11 Avg. Rating:
Views:882 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard