The network topology is simple: the client initiates the call from the V1-Trust zone, and both the gatekeeper and the MCU are in the V1-Untrust zone. With the H.323 ALG enabled, the call sets up, but no media passes. With the H.323 ALG disabled and a policy permitting the "any" service, the call works.
The customer's application does not follow the H.323 protocol.
According to H.323, an endpoint sends RTP/RTCP from the port negotiated in the H.245 OpenLogicalChannel (OLC) / OLC ACK exchange. If instead the application sends its media from a random source port after both endpoints have negotiated, the RTP/RTCP stream is dropped by the firewall.
The H.323 ALG opens the correct gate according to the OLC/OLC ACK, but the customer's application uses a different source port to send the stream, so the stream matches neither the gate nor any policy and is denied by the firewall. The media for the call fails.
The following was captured with 'debug h323' and 'debug flow':
## 2007-05-24 17:47:32 : openLogicalChannelAck
## 2007-05-24 17:47:32 : logicalChannelNumber
## 2007-05-24 17:47:32 : : 5
## 2007-05-24 17:47:32 : forwardMultiplexAckParametersRes
## 2007-05-24 17:47:32 : h2250LogicalChannelAckParameters
## 2007-05-24 17:47:32 : Session Id: 2
## 2007-05-24 17:47:32 : mediaChannel
## 2007-05-24 17:47:32 : transportAddress
## 2007-05-24 17:47:32 : unicastAddress
## 2007-05-24 17:47:32 : iPAddress
## 2007-05-24 17:47:32 : mediaControlChannel
## 2007-05-24 17:47:32 : transportAddress
## 2007-05-24 17:47:32 : unicastAddress
## 2007-05-24 17:47:32 : iPAddress
## 2007-05-24 17:47:32 : iP: 172.16.13.15 - port: 6003
## 2007-05-24 17:47:32 :
## 2007-05-24 17:47:32 : H.245 Response - Processing (item: 1 of 1)
## 2007-05-24 17:47:32 : OLC-ACK: type=0 num=5 ifp=v1-trust addr=172.16.13.15(6002/6003)
## 2007-05-24 17:47:32 : same RTP & RTCP ip 172.16.13.15
## 2007-05-24 17:47:32 : OLC-ACK: seach from zone -1 ip= 0.0.0.1 to zone 11 ip= 10.10.0.40
## 2007-05-24 17:47:32 : OLC-ACK: no policy found
## 2007-05-24 17:47:32 : keep ip 172.16.13.15(6002, 6003)
## 2007-05-24 17:47:32 : h245_rm_create_gate (create stream gate if not data channel
## 2007-05-24 17:47:32 : SS-Res3: no way to fine out which zone forward traffic arrives
## 2007-05-24 17:47:32 : SS-Res3: no way to fine out which zone forward traffic exits
## 2007-05-24 17:47:32 : H323 RM Resource: forwarding tunneling -- info1: 0 info2: 0
## 2007-05-24 17:47:32 : RTCP Gate : 10.10.0.40(6003-6003) to 172.16.13.15(6003-6003)
## 2007-05-24 17:47:32 : Xlated : 10.10.0.40(6003) to 172.16.13.159(6003)
## 2007-05-24 17:47:32 : RTP Gate : 10.10.0.40(6002-6002) to 172.16.13.15(6002-6002)
## 2007-05-24 17:47:32 : Xlated : 10.10.0.40(6002) to 172.16.13.15(6002)
## 2007-05-24 17:47:32 : h225 session refreshed id =524287 as parent session
..............
00572.0: v1-trust:172.16.13.15/2131->10.10.0.40/6002,17<Root>
packet dropped, denied by policy
The gate was opened for 172.16.13.15 port 6002, but the endpoint sent its RTP from source port 2131 (the flow line above), which matches neither the gate nor any policy, so the packet is dropped. The following command corrected the issue:
set alg h323 gate source-port-any
Set this command when the endpoints use asymmetric media, that is, they send media from one port and receive it on another. With it set, the H.323 ALG no longer pins the media gate to the negotiated source port. Note that this widens the pinhole, since the gate no longer checks the source port of the stream, so enable it only where the endpoints actually need it. Asymmetric media handling is off by default.
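The following Python script, added here as an illustration and not part of the original article or of ScreenOS, replays the gate and flow lines from the capture above against a simplified model of the ALG gate check: a gate permits UDP in either direction between the two negotiated address/port pairs, and source-port-any relaxes only the source-port test. The sample lines are constructed from the capture (the Xlated lines are omitted), and the matching model is an assumption for illustration, not ScreenOS's actual gate code.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two gate lines and the dropped-flow line taken from
# the 'debug h323' / 'debug flow' capture above (Xlated lines omitted).
SAMPLE_DEBUG = """\
## 2007-05-24 17:47:32 : RTCP Gate : 10.10.0.40(6003-6003) to 172.16.13.15(6003-6003)
## 2007-05-24 17:47:32 : RTP Gate : 10.10.0.40(6002-6002) to 172.16.13.15(6002-6002)
00572.0: v1-trust:172.16.13.15/2131->10.10.0.40/6002,17<Root>
packet dropped, denied by policy
"""

GATE_RE = re.compile(
    r"(?P<kind>RTP|RTCP) Gate : (?P<a_ip>[\d.]+)\((?P<a_lo>\d+)-(?P<a_hi>\d+)\) to "
    r"(?P<b_ip>[\d.]+)\((?P<b_lo>\d+)-(?P<b_hi>\d+)\)"
)
FLOW_RE = re.compile(
    r"(?P<zone>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)->"
    r"(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+),(?P<proto>\d+)"
)


@dataclass(frozen=True)
class Gate:
    kind: str        # "RTP" or "RTCP"
    a_ip: str
    a_ports: range   # inclusive port range from the debug line
    b_ip: str
    b_ports: range


@dataclass(frozen=True)
class Flow:
    zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int       # IP protocol number; 17 is UDP


def parse_gates(text):
    """Extract the media gates the ALG reported creating."""
    return [
        Gate(m["kind"],
             m["a_ip"], range(int(m["a_lo"]), int(m["a_hi"]) + 1),
             m["b_ip"], range(int(m["b_lo"]), int(m["b_hi"]) + 1))
        for m in GATE_RE.finditer(text)
    ]


def parse_flows(text):
    """Extract the 'debug flow' first-packet lines (zone:src/port->dst/port,proto)."""
    return [
        Flow(m["zone"], m["src_ip"], int(m["src_port"]),
             m["dst_ip"], int(m["dst_port"]), int(m["proto"]))
        for m in FLOW_RE.finditer(text)
    ]


def gate_permits(gate, flow, source_port_any=False):
    """Model of the gate check (assumption, not ScreenOS code): the gate passes
    UDP in either direction between its two endpoints; the destination port
    must be the negotiated one, and the source port must be too unless
    source-port-any is set."""
    if flow.proto != 17:
        return False
    for src_ip, src_ports, dst_ip, dst_ports in (
        (gate.a_ip, gate.a_ports, gate.b_ip, gate.b_ports),
        (gate.b_ip, gate.b_ports, gate.a_ip, gate.a_ports),
    ):
        if flow.src_ip != src_ip or flow.dst_ip != dst_ip:
            continue
        if flow.dst_port not in dst_ports:
            continue
        if source_port_any or flow.src_port in src_ports:
            return True
    return False


def matching_gate(text, flow, source_port_any=False):
    """Return the kind of the first gate that passes `flow`, or None (dropped)."""
    for gate in parse_gates(text):
        if gate_permits(gate, flow, source_port_any):
            return gate.kind
    return None


if __name__ == "__main__":
    for flow in parse_flows(SAMPLE_DEBUG):
        strict = matching_gate(SAMPLE_DEBUG, flow)
        relaxed = matching_gate(SAMPLE_DEBUG, flow, source_port_any=True)
        print(f"{flow.src_ip}/{flow.src_port}->{flow.dst_ip}/{flow.dst_port}: "
              f"strict={strict or 'no gate (dropped)'}, "
              f"source-port-any={relaxed or 'no gate (dropped)'}")
```

Run as-is, the script shows the captured packet (source port 2131 toward the negotiated port 6002) failing the strict check and passing once the source-port test is relaxed, which is the difference the `set alg h323 gate source-port-any` command makes for this customer.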