I'm having a problem where video conferences are timing out after 2 hours and 12 minutes consistently. I've located a number of solutions for adjusting the h323 timer on a PIX in order to solve this problem. My issue, is that I don't have a PIX, but a 3845 router running IOS
How can I perform the equivalent command on IOS that you would perform on a PIX, which is:
Just to confirm, what IOS firewall are you using? If you are using CBAC, 'ip inspect tcp idle-time ' may be what you are looking for. If you are using ZBF, the command would be 'tcp idle-time'. Consider the links below:
I do not think this is a tcp idle timeout issue? I am currently experiencing the same problems with an inter company Pix firewall which I do not have access to. what version IOS are you running?
I also ran into the same problem 6 years back - The VC would time-out after 1:59:59. Along with the session timing out because it had reached 2 hour mark, hitting the mute button on the VC unit also caused the session to drop. The FW at that time was a Checkpoint and an upgrade to SP3 fixed the issue.
The dafult TCP timeout setting of 1 hour is being talked about here is for an "idle connection"
please increase the tcp idle timeout to more than 2 hrs. this happens in stateful firewalls as in video conferencing every 2 hrs a packet(something like keep alive) is sent, i dont exactly remember the name but i think it happens on port 1720 or something like that. so if the timeout is less than 2 hrs the keep alive is droped and connection terminates
one option would be allowing the ports required for video conferencing in both directions
Polycom sends a H.225 packet at just after the two hour mark during an active call. If the H.225 port was closed by the firewall due to inactivity the Polycom will not get a response and drop the call. Set your H.225 timeout to something higher than 2.5 hours and all will be well.
By default the ASA/FWSM gets the following timeout lines.
timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absoluteBTW, the one I would be suspect of is the timeout conn 1:00:00 which by default closes a session after an hour.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...