Can someone please verify what ports CallManager 4.1 uses for H.323 call control? I've found repeated documents that seem to contradict each other and packet captures I have performed. This link appears to be the most accurate:
The only issue I have with the above 4.1 document is that it mentions TCP 1718 for Gatekeeper Discovery. According to my packet captures and every ITU document I can find, this should really be UDP 1718 (More precisely a multicast to UDP 188.8.131.52:1718, but apparently some legacy H.323 devices could use unicast on UDP 1718).
I have also found several documents that list the dynamic ports used for H.245 call control as either TCP 1024-4999 or TCP 11000-11999. If you turn on AutoQoS on the router, it creates an ACL with TCP 11000-11999. Where did these ranges come from? If you do a packet capture, the ports used for H.245 vary widely, but have never been in the 11000-11999 range. Most of the time the port falls above TCP 50000. The above document states all Ephemeral TCP ports as the port range, which is validated again by packet traces.
Is there a way to specify the H.245 port range in CallManager? It seems fairly inconvenient to open all ephemeral ports on an ACL or firewall if the router or firewall is not capable of 'fixup' or 'inspect'.
I sympathise - the documentation is very confusing and contradictory. I was hoping that someone would reply to this post with the full truth. I can however comment on some items:
TCP 1024-4999: H225 specifies TCP port 1720 for call setup. CCM can use either a standard H225 trunk, or an Intercluster Trunk. As CCM can use multiple Intercluster Trunks one port is just not enough. Therefore Intercluster Trunks use the range 1024-4999.
H245 in other Cisco documentation uses the range 11000-65355, which is why you are seeing TCP 50000+.
Gatekeeper Discovery is definitely a UDP process and I suspect that TCP 1718 in the paper is wrong.
My unofficial port list for CCM is:
TCP 1024-4999 InterclusterTrunk call setup
TCP 1720 H225 call setup
TCP 11000-65535 H323
TCP 2428 MGCP ISDN backhaul
TCP 2000 Skinny (obsolete CCM versions use 2001 & 2002)
TCP 5060 SIP telephone
UDP 16384-32767 RTP
UDP 5060 SIP Trunk
UDP 2427 MGCP control
UDP 1718 Gatekeeper Discovery (not normally used)
UDP 1719 Gatekeeper RAS protocol
UDP 2748 CTI/JTAPI (IPCC Xpress and anything else that uses a CTI route point)
I am not aware of any way to set the H245 port range in call manager. However, there is a facility to specify that a specific trunk can use port 1720 in Call Manager services. You could also terminate the call manager and IP traffic on a session border controller (aka IPIP Gateway) and re-originate with pure 1720.
You may have noticed an NBAR "match protocol" command in the routers. You can use these to do pre-filtering for the firewall or for deeper inspection. For example, there is a match protocol H323, Skinny, MGCP etc.
Hopefully someone else will enlighten us on the H245 port range!
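The port list in the reply above, turned into a lookup for checking capture output, as an added example that is not part of either post. It classifies (protocol, port) pairs against the list, shows which entries overlap, and reports H323 TCP ports that the 11000-11999 ACL range mentioned in the question would not cover; the function names and sample flows are constructed for illustration.

```python
# Added example: port table transcribed from the unofficial list in the reply.
# Single ports precede wide ranges: TCP 1720, 2000, 2428 sit inside 1024-4999.
PORT_TABLE = [
    ("tcp", 1720, 1720, "H225 call setup"),
    ("tcp", 2000, 2000, "Skinny"),
    ("tcp", 2428, 2428, "MGCP ISDN backhaul"),
    ("tcp", 5060, 5060, "SIP telephone"),
    ("tcp", 1024, 4999, "InterclusterTrunk call setup"),
    ("tcp", 11000, 65535, "H323"),
    ("udp", 1718, 1718, "Gatekeeper Discovery"),
    ("udp", 1719, 1719, "Gatekeeper RAS protocol"),
    ("udp", 2427, 2427, "MGCP control"),
    ("udp", 2748, 2748, "CTI/JTAPI"),
    ("udp", 5060, 5060, "SIP Trunk"),
    ("udp", 16384, 32767, "RTP"),
]
AUTOQOS_H245 = (11000, 11999)  # TCP range the question reports in the AutoQoS ACL

def classify(proto, port):
    """Return the first matching label from PORT_TABLE, or None."""
    for p, lo, hi, label in PORT_TABLE:
        if p == proto.lower() and lo <= port <= hi:
            return label
    return None

def overlaps():
    """Pairs of same-protocol table entries whose port ranges intersect."""
    found = []
    for i, (p1, lo1, hi1, l1) in enumerate(PORT_TABLE):
        for p2, lo2, hi2, l2 in PORT_TABLE[i + 1:]:
            if p1 == p2 and lo1 <= hi2 and lo2 <= hi1:
                found.append((l1, l2))
    return found

def audit(flows, h245_range=AUTOQOS_H245):
    """Return (flows not in the list, H323 ports outside h245_range)."""
    unknown, missed = [], []
    for proto, port in flows:
        label = classify(proto, port)
        if label is None:
            unknown.append((proto, port))
        elif label == "H323" and not h245_range[0] <= port <= h245_range[1]:
            missed.append(port)
    return unknown, missed

# Constructed sample: (protocol, destination port) pairs as read off a capture.
SAMPLE_FLOWS = [("tcp", 1720), ("tcp", 52344), ("tcp", 11500), ("udp", 1718),
                ("tcp", 3100), ("udp", 20000), ("tcp", 8080)]
if __name__ == "__main__":
    print(overlaps(), audit(SAMPLE_FLOWS))
```

Because the Intercluster Trunk range contains 1720, 2000 and 2428, a port in 1024-4999 cannot be attributed to one protocol by number alone; the table order only decides which label is reported first.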