I am setting up a new CUCM7 environment which will be shared by various divisions of the Company. As such the Server environment is in a DMZ. We are trying to place the Gateways inside the firewalls (on the same networks as the phones) and have created a rule to allow all traffic bi-directionally between the Gateways, our Publisher and 2 Subscribers. For some reason we cannot get the gateways to register via MGCP. I do not see any traffic being blocked in the firewall log, and have placed a sniffer on the segment of the gateway and servers. The Sniffer trace on the server side shows an MGCP request initiated by the gateway to each of the subscribers, as well as a response from the servers. On the Client side, we cannot see the response. I have as a test placed a gateway in the same network as the servers, I can place a call from a phone registered to that gateway from inside our network, and can hear voice initiated from that phone, but cannot recieve voice from the far end phone. It seems like there is a problem with UDP, but where?
What Checkpoint version are you using, there are some issues with anything other the R65. Are you using the packet inspection to allow through MGCP or the actual ports? We had to upgrade to R65 plus a service pack - not sure what one. The logs do not show any drops also some GW`s failed while others went through even though they used the same rules. Do a DEBUG MGCP PACKET and no MGCP, MGCP what do you see? In our case we saw the force restarts but not reply from back CUCM
I am using NGX R65. It turns out that even though I did not turn Smart Defense on, the Checkpoint was scanning the MGCP packets, and stopping them (without logging). I have turned on smart defense and turned off service scanning for all IPT traffic. I created custom objects for the MGCP (SIP, and SCCP) services and am no longer using the predefined objects. The CM environment is working beautifully.
The ports you'll want to make sure are open:
nicmatth-sip#sh ip nbar port | i mgcp
port-map mgcp udp 2427 2727
port-map mgcp tcp 2427 2428 2727
As well as UDP 16384 - 32767.
The MGCP registration ports will be one of the above. Check 'debug mgcp packet' for any 5xx messages to see if it's just failing without any correlation to the firewall.
Make sure that the top line of 'show ccm' matches what you have in CCM. Don't forget the domain name!
If you still have audio problems, use the 'mgcp bind media source interface x/x' and make sure that the IP phone subnet has reachability to that subnet.
I've the same issue with a CheckPoint firewall running in version R70. In fact, all the GWs passing throughthe FW can't register into the CUCM.
Any ideas? Normally UDP and TCP, 2427 and 2428 are open on the FW. My CUCM cluster is in version 7.1.5a. Here below an overview of the GW configuration, status and debugs.
TFTP is working properly. I tried without IP DOMAIN NAME but without success...
MGCP Domain Name: pfrr2820ch123ogvrs.dzp.vrnet
Priority Status Host
Primary Backup Ready 10.238.30.70
First Backup Registering with CM 10.238.30.50
Second Backup Backup Ready 10.238.30.20
Current active Call Manager: None
Backhaul/Redundant link port: 2428
Failover Interval: 30 seconds
Keepalive Interval: 15 seconds
Last keepalive sent: 15:02:15 CET Jul 21 2010 (elapsed time: 1w5d)
Last MGCP traffic time: 11:08:33 CET Aug 3 2010 (elapsed time: 00:00:24)
Last failover time: 11:08:33 CET Aug 3 2010 from (10.238.30.70)
Last switchback time: 11:08:03 CET Aug 3 2010 from (10.238.30.50)
Switchback mode: Graceful
MGCP Fallback mode: Enabled/ON
Last MGCP Fallback start time: 16:48:35 CET Aug 2 2010
Last MGCP Fallback end time: None
MGCP Download Tones: Disabled
TFTP retry count to shut Ports: 2
Configuration Auto-Download Information
Current version-id: 1280763234-7084499e-1a5e-4668-8af7-fe887e7f1c21
Current state: Waiting for commands
Configuration Download statistics:
Download Attempted : 1
Download Successful : 1
Download Failed : 0
TFTP Download Failed : 0
Configuration Attempted : 1
Configuration Successful : 1
Configuration Failed(Parsing): 0
Configuration Failed(config) : 0
Last config download command: New Registration
FAX mode: disable
Configuration Error History:
ccm-manager switchback immediate
ccm-manager redundant-host 10.238.30.50 10.238.30.20
no ccm-manager fax protocol cisco
ccm-manager config server 10.238.30.20 10.238.30.70 10.238.30.50
mgcp call-agent 10.238.30.70 2427 service-type mgcp version 0.1
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
mgcp package-capability sst-package
mgcp package-capability pre-package
no mgcp package-capability res-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax rate 14400
mgcp fax t38 inhibit
mgcp profile default
DEBUG MGCP PACKETS
Aug 3 11:34:50.024 CET: //-1/xxxxxxxxxxxx/MGCP/mgcp_mp_get_not_entity(830):[lvl=2]Invalid parameter (pkt 0x3000E3F8 pkt->mgcp_parm_lines 0x0)
Aug 3 11:34:50.028 CET: MGCP Packet received from 10.238.30.50:2427--->
Aug 3 11:34:50.028 CET: //-1/xxxxxxxxxxxx/MGCP/mgcp_mp_get_not_entity(830):[lvl=2]Invalid parameter (pkt 0x3000E3F8 pkt->mgcp_parm_lines 0x0)
Aug 3 11:35:20.008 CET: MGCP Packet sent to 10.238.30.50:2427--->
RSIP 367388073 *@pfrr2820ch123ogvrs.dzp.vrnet MGCP 0.1
Aug 3 11:35:20.008 CET: MGCP Packet sent to 10.238.30.70:2427--->
RSIP 367388075 *@pfrr2820ch123ogvrs.dzp.vrnet MGCP 0.1
Aug 3 11:35:20.024 CET: MGCP Packet received from 10.238.30.50:2427--->
Aug 3 11:35:20.024 CET: //-1/xxxxxxxxxxxx/MGCP/mgcp_mp_get_not_entity(830):[lvl=2]Invalid parameter (pkt 0x3000E3F8 pkt->mgcp_parm_lines 0x0)
Aug 3 11:35:20.028 CET: MGCP Packet received from 10.238.30.70:2427--->
Aug 3 11:35:20.028 CET: //-1/xxxxxxxxxxxx/MGCP/mgcp_mp_get_not_entity(830):[lvl=2]Invalid parameter (pkt 0x3000E3F8 pkt->mgcp_parm_lines 0x0)
Aug 3 11:35:50.008 CET: MGCP Packet sent to 10.238.30.70:2427--->
RSIP 367388077 *@pfrr2820ch123ogvrs.dzp.vrnet MGCP 0.1
Aug 3 11:35:50.008 CET: MGCP Packet sent to 10.238.30.50:2427--->
RSIP 367388079 *@pfrr2820ch123ogvrs.dzp.vrnet MGCP 0.1
Aug 3 11:35:50.024 CET: MGCP Packet received from 10.238.30.70:2427--->
Aug 3 11:35:50.024 CET: //-1/xxxxxxxxxxxx/MGCP/mgcp_mp_get_not_entity(830):[lvl=2]Invalid parameter (pkt 0x3000E3F8 pkt->mgcp_parm_lines 0x0)
Aug 3 11:35:50.028 CET: MGCP Packet received from 10.238.30.50:2427--->
We`re have almost given up on checkpoint and moving to Cisco ASA. No-one seems to be getting an handle on it in our company nor does Checkpoint. If you hard code the ports does that not go against the feature of using the CheckPoint MGCP "profile"- excuse the wording not a FW guy. Our problem would be some MGCP GW`s would work others fail - all going to the same CUCM or our Analogues would fail - MGCP just showing registering. In some cases we have to H323 for now. We running R65 but if R70 is failing as well .....
Just curious, in your mgcp config for this gateway in call manager: is the mgcp domain name configured "pfrr2820ch123ogvrs.dzp.vrnet" or just "pfrr2820ch123ogvrs" ?
I entered the completed name with the domain name.
The solution was found last week. In fact, as far as I understood, the FW admin had to define dynamic ports for MGCP UDP packets.
Of course, we had to create two new objects in the services of the Checkpoint - MGCP_UDP 2427 and protocol type none and MGCP_TCP 2428 and here again no protocol type.
I'll ask a confirmation to the FW admin to get here a complete solution.