Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2492
Views
0
Helpful
1
Replies

H.323 Calls disconnecting by TCP idle timeout

mikegatti
Level 1
Level 1

‎11-21-2011 12:22 PM - edited ‎03-11-2019 02:53 PM

We are running "ip inspect" on a 3941 router with IOS version15.2(1)T1. We enabled inspection for H.323 :

ip inspect name iosfw h323

ip inspect name iosfw h323-nxg

ip inspect name iosfw h323-annexe

We are using the default TCP idle-timeout

3945-Router#sh ip inspect config | in tcp

max-incomplete tcp connections per host is 50. Block-time 2 minutes.

tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec

tcp idle-time is 3600 sec -- udp idle-time is 120 sec

tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes

    tcp alert is on audit-trail is off timeout 3600

After we establish a H.323 call I can see that the inspection process starts the idle timmer on port 1720/TCP and the call is disconnected after an hour with the following log:

%FW-6-DROP_PKT: Dropping h323 session x.x.x.x:17174 y.y.y.y:1720  due to  Segment matching no TCP connection with ip ident 7154 tcpflags 0x5004 seq.no 3486961044 ack 0

This is the sessios incrementing the Last Heard timer:

Session 1C1FB8C (x.x.x.x:17168)=>(y.y.y.y:1720) h323 SIS_OPEN

Created 00:04:07, Last heard 00:04:07

Bytes sent (initiator:responder) [255:323]

Out SID y.y.y.y[1720:1720]=>x.x.x.x[17168:17168] on ACL outbound

In  SID y.y.y.y[1720:1720]=>x.x.x.x[17168:17168] on ACL inbound  (9 matches)

I played around with the H323 timeout and the TCP idle-timout , this is how I found that the default TCP idle-timeout was causing the disconnect. If I set that timmer to 5min the call disconnects in 5 minutes.

Has anyone come across this problem and be willing to share how they have addressed it. I am continuing to troubleshoot the problem but thought I would post it out there to ask.

Thanks,

--MG

Labels:
0 Helpful
1 Reply 1

mirober2
Cisco Employee
Cisco Employee

‎11-22-2011 01:07 PM

Hi Michael,

How often do the endpoints send keepalive packets across the TCP/1720 control channel? If the keepalives aren't sent at least once an hour, the idle timeout will kick in and tear down the control channel.

You'll just need to determine the interval of the keepalives and adjust the timeout accordingly.

-Mike

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card