In Transparent mode, the H.323 ALG is not working

Article ID: KB9881 | Last Updated: 12 Jan 2012 | Version: 2.0
Summary:
The network topology is simple: the client initiates the call from the V1-Trust zone, and both the gatekeeper and the MCU are in the V1-Untrust zone. With the H.323 ALG enabled, the call sets up, but the media stream does not pass. With the H.323 ALG disabled and a policy that permits the "any" service, it works.
Symptoms:
The customer's application does not follow the H.323 protocol.

According to the H.323 specification, the RTP/RTCP channels send the stream from the ports negotiated in the OLC/OLC_ACK exchange. If the customer's H.323 application instead sends stream data from a random port after the endpoints have negotiated, the firewall drops the RTP/RTCP stream.

The H.323 ALG opens the correct gate according to the OLC/OLC_ACK, but the customer's application sends the stream from a different source port, so the firewall denies the stream and the call fails.

The following was captured with 'debug h323' and 'debug flow':

## 2007-05-24 17:47:32 : openLogicalChannelAck
## 2007-05-24 17:47:32 : logicalChannelNumber
## 2007-05-24 17:47:32 : : 5
## 2007-05-24 17:47:32 : forwardMultiplexAckParametersRes
## 2007-05-24 17:47:32 : h2250LogicalChannelAckParameters
## 2007-05-24 17:47:32 : Session Id: 2
## 2007-05-24 17:47:32 : mediaChannel
## 2007-05-24 17:47:32 : transportAddress
## 2007-05-24 17:47:32 : unicastAddress
## 2007-05-24 17:47:32 : iPAddress
## 2007-05-24 17:47:32 : mediaControlChannel
## 2007-05-24 17:47:32 : transportAddress
## 2007-05-24 17:47:32 : unicastAddress
## 2007-05-24 17:47:32 : iPAddress
## 2007-05-24 17:47:32 : iP: 172.16.13.15 - port: 6003
## 2007-05-24 17:47:32 :
## 2007-05-24 17:47:32 : H.245 Response - Processing (item: 1 of 1)
## 2007-05-24 17:47:32 : OLC-ACK: type=0 num=5 ifp=v1-trust addr=172.16.13.15(6002/6003)
## 2007-05-24 17:47:32 :   same RTP & RTCP ip 172.16.13.15
## 2007-05-24 17:47:32 : OLC-ACK: seach from zone -1 ip= 0.0.0.1 to zone 11 ip= 10.10.0.40
## 2007-05-24 17:47:32 : OLC-ACK: no policy found
## 2007-05-24 17:47:32 :   keep ip 172.16.13.15(6002, 6003)
## 2007-05-24 17:47:32 :   h245_rm_create_gate (create stream gate if not data channel
## 2007-05-24 17:47:32 : SS-Res3: no way to fine out which zone forward traffic arrives
## 2007-05-24 17:47:32 : SS-Res3: no way to fine out which zone forward traffic exits
## 2007-05-24 17:47:32 : H323 RM Resource: forwarding tunneling -- info1: 0 info2: 0
## 2007-05-24 17:47:32 :    RTCP Gate   : 10.10.0.40(6003-6003) to 172.16.13.15(6003-6003)
## 2007-05-24 17:47:32 :         Xlated : 10.10.0.40(6003) to 172.16.13.159(6003)
## 2007-05-24 17:47:32 :    RTP Gate   : 10.10.0.40(6002-6002) to 172.16.13.15(6002-6002)
## 2007-05-24 17:47:32 :         Xlated : 10.10.0.40(6002) to 172.16.13.15(6002)
## 2007-05-24 17:47:32 : h225 session refreshed id =524287 as parent session
..............
00572.0:   v1-trust:172.16.13.15/2131->10.10.0.40/6002,17<Root>
  packet dropped, denied by policy
 

Solution:
The following command corrected the issue:
set alg h323 gate source-port-any

Set this command if you are using asymmetric media (endpoints that send media from one port and receive on another). Asymmetric media handling is off by default.
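As an added illustration of the gate check described above (example code written for this article, not Juniper's ALG implementation; the matching rules are a simplified model and the sample lines are constructed to mirror the debug output quoted earlier): the script parses 'RTP Gate'/'RTCP Gate' lines from 'debug h323' and packet lines from 'debug flow', then decides whether each packet would be admitted with 'gate source-port-any' off (the default, sender's port must match the negotiated port) and on (sender's port ignored, receiver side still checked).

```python
import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the 'debug h323' and 'debug flow'
# output quoted above. They are not captured from a live device.
GATE_LINES = [
    "RTCP Gate   : 10.10.0.40(6003-6003) to 172.16.13.15(6003-6003)",
    "RTP Gate    : 10.10.0.40(6002-6002) to 172.16.13.15(6002-6002)",
]
FLOW_LINES = [
    "00572.0:   v1-trust:172.16.13.15/2131->10.10.0.40/6002,17<Root>",  # RTP from a random source port
    "00573.0:   v1-trust:172.16.13.15/6002->10.10.0.40/6002,17<Root>",  # RTP from the negotiated port
    "00574.0:   v1-trust:172.16.13.15/6003->10.10.0.40/6003,17<Root>",  # RTCP from the negotiated port
    "00575.0:   v1-trust:172.16.13.15/5000->10.10.0.40/6004,17<Root>",  # UDP to a port no gate covers
]


@dataclass(frozen=True)
class Gate:
    """One pinhole the ALG opens between the two media endpoints."""
    name: str
    a_ip: str
    a_ports: tuple  # (low, high) inclusive port range on the a_ip side
    b_ip: str
    b_ports: tuple  # (low, high) inclusive port range on the b_ip side


GATE_RE = re.compile(
    r"(?P<name>\w+) Gate\s*:\s*(?P<a_ip>[\d.]+)\((?P<a_lo>\d+)-(?P<a_hi>\d+)\)"
    r" to (?P<b_ip>[\d.]+)\((?P<b_lo>\d+)-(?P<b_hi>\d+)\)"
)
FLOW_RE = re.compile(
    r"(?P<zone>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)"
)


def parse_gate(line):
    """Turn an 'RTP Gate'/'RTCP Gate' debug line into a Gate."""
    m = GATE_RE.search(line)
    if not m:
        raise ValueError("not a gate line: %r" % line)
    return Gate(m["name"], m["a_ip"], (int(m["a_lo"]), int(m["a_hi"])),
                m["b_ip"], (int(m["b_lo"]), int(m["b_hi"])))


def parse_flow(line):
    """Extract zone, 5-tuple fields from a 'debug flow' packet line."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError("not a flow line: %r" % line)
    return {"zone": m["zone"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "proto": int(m["proto"])}


def gate_admits(gate, flow, source_port_any):
    """Strict matching (the default) checks both endpoints' addresses and ports.
    With 'gate source-port-any' the sender's port is ignored; the receiver's
    address and port must still match the negotiated channel."""
    if flow["proto"] != 17:  # media gates only cover UDP
        return False
    # Orient the gate to the packet's direction: which side is sending?
    if flow["src"] == gate.a_ip and flow["dst"] == gate.b_ip:
        sender_ports, receiver_ports = gate.a_ports, gate.b_ports
    elif flow["src"] == gate.b_ip and flow["dst"] == gate.a_ip:
        sender_ports, receiver_ports = gate.b_ports, gate.a_ports
    else:
        return False
    if not receiver_ports[0] <= flow["dport"] <= receiver_ports[1]:
        return False
    return source_port_any or sender_ports[0] <= flow["sport"] <= sender_ports[1]


def evaluate(gates, flow_line, source_port_any):
    """Return the name of the gate that admits the packet, or 'dropped'."""
    flow = parse_flow(flow_line)
    for gate in gates:
        if gate_admits(gate, flow, source_port_any):
            return gate.name
    return "dropped"


GATES = [parse_gate(line) for line in GATE_LINES]

if __name__ == "__main__":
    for mode in (False, True):
        print("gate source-port-any:", "on" if mode else "off")
        for line in FLOW_LINES:
            print("  %-48s -> %s" % (FLOW_RE.search(line).group(0), evaluate(GATES, line, mode)))
```

The first flow line reproduces the drop in the article: the packet from source port 2131 towards the negotiated port 6002 fails the strict check and is reported as 'dropped', while with 'gate source-port-any' on it is admitted by the RTP gate. The last line shows that the relaxed mode is not a blanket permit: a packet to a port that no gate covers is still dropped.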