Yes, this would typically indicate that something is blocking the h225 traffic from the endpoint to the vcs and that there appears to be some control and more likely keepalive packet on that session.
Now, why an hour? The default behavior for TC based endpoints is that in there is no h225 keepalive prior to TC6 and in TC6 and later, it defaults to two hours. The keepalive for these devices is on the H245 session and is sent ever 30 seconds. You can see this information in the release-note for CSCub20591.
You do not specify what the endpoints are but the output snippet you have for the H323MCS_EndSessionCommand output is from a TC based codec at location 2. You could run a tcpdump on that endpoint to look at the tcp exchange with the vcs; something like this "tcpdump -s0 -w /tmp/h323.pcap host and tcp" to get a better idea of what is happening.
Now, it does not have to be a firewall. There are other tcp aware devices that could be in the path. For example, WAAS. One clue may be that if the tcp ack in the packet exchange from the location 2 device seems to be much quicker than what you expect for the RTT to the vcs, than that would indicate likely something again in the middle that is tcp aware. You can get an idea of the expected RTT from the codec through the "systemtools network traceroute" command.
Yes, you are seeing something in the middle which is generating the TCP RST towards both ends. I would say there is your proof that there is a TCP/H225 aware device in the middle that is timing out the session after an hour. Since it thinks that the session is no longer active, it appears to be cleaning it up on both sides as it removes the TCP information from its table.
Since you have captures from both side, you may be able to tell on which side of the tunnel is this possibly coming from based upon the response time of the TCP ACKs during the session.
If you can find out what it may be there is likely a way to tune it to either ignore the h225 traffic. Or extend the timeout to something greater than 2 hours while running TC6.0 or later on the codecs.
You have reached the Cisco Logistics Support Center.. To Check Status of
your RMA, visit Product Returns & Replacements (RMA). Need help? Contact
us by Phone or Email. North Americas Phone: 1800 553 2447 Option 4
Email: firstname.lastname@example.org Europe Phone: +3...
The short answer is that you don't.... That isn't entirely true while at
the same time it kind of is, but for the most part you don't configure
the softkeys. You enable or disable them via TCL. Here is the long
answer. Be sure to read the whole thing or e...
Topology: IP Phone > Switches > Microsoft NPS setup to forward 802.1x
proxy to > ISE 2.1 patch 3 Authentication: EAP-TLS using Cisco MIC SANs
Phone Models 802.1X support? 802.1x flavor Addtl Comment EAP-MD5 EAP-TLS
Cisco 3905 Y Y N Cisco 6911 Y Y N Cisco ...