CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: H.323 Issues over VPN - Lots of out of state packets

  1. #1

    Hoping someone with some H.323 experience can help me out with an issue I'm having.

    We have a structure like this:

    X <------> CPFW <----> Internet <-----> Edge <-----> X

    Where X is a Siemens HiPath HG1500 IP Trunking card in our Siemens phone system.

    Basically, we have a VPN from our headquarters to a remote site. Everything is working fine VPN wise, except for IP trunking between our phone systems. The HG1500 cards in the phone system use H.323 to create trunks between the phone systems to enable internal dialing.

    Initially when we set this up, I could place calls and signaling would go through. Calls would complete, except there was no audio either way. I disabled "H.323" as the protocol type for the H.323 protocol object, and I then was able to get calls to complete.

    About a day later I get reports from the remote site (using the Edge) that calls will still only complete sometimes. Looking in tracker, I filter by source or destination for any of the phone systems trying to communicate and I see a lot of dropped packets (TCP) on the corporate FW for out of state reasons. TCP timeouts are set at 3600, and UDP Virtual session timeout is set for 600 sec. Some packets are listed as service H.323 and others are just on random ports.

    I have read something about setting up an H.323 gatekeeper, but I'm unsure as to whether or not this will solve our issue. Anyone have any experience with H.323 across a VPN like this? Any help would be greatly appreciated.

  2. #2

    Couple of things to try and also look at. First of all when you tested was there normal traffic on the Edge as well?
    There was during the day they were trying to use it I presume?

    Some protocols still do not know what keepalives are, or use them once per hour, so set the timing for the used TCP protocols to at least 2 to 3 times the standard value. The UDP timing should not be a problem. Also make sure on the Edge itself to turn all SmartDefense off, and also disable the profile on the Edge object in Dashboard.

    When the Edge gets too busy, Voice is one of the first things to suffer, but if this would be the case I would upgrade to an 1140, trade in the Edge and you have a much better device.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  3. #3

    Thanks for the reply.

    I'm seeing the drops on the corporate CP GAIA cluster, not from the Edge. The Edge isn't dropping the packets for OOS, the cluster at the corporate office is.

    I'm hesitant to turn up the TCP session timeout as we're bumping up against the upper limits of these gateways CPU-wise - luckily they're slated for replacement in a week or so.

  4. #4

    When the Edge is dropping traffic, which you don't see, you will get OOS packets on the central GW.
    Raising the timeout only on the services used to, i.e., 4000 won't hurt your performance too much.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.
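
Added example, not part of the thread and not Check Point's implementation: a simplified model of a stateful firewall's TCP idle timeout, showing why a signalling connection that only sends a keepalive about once per hour is dropped as out of state with the 3600 s timeout mentioned in the thread but survives at 4000 s. The addresses, the packet timeline and the names `Packet`, `replay` and `count_drops` are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    t: int             # seconds since the start of the (constructed) capture
    flow: tuple        # (src, sport, dst, dport), same tuple for both directions
    syn: bool = False  # True only for the packet that opens the connection

def replay(packets, tcp_timeout):
    """Replay packets through a toy state table; return [(t, verdict), ...]."""
    last_seen = {}     # flow -> time of the last accepted packet
    verdicts = []
    for p in sorted(packets, key=lambda pkt: pkt.t):
        seen = last_seen.get(p.flow)
        # The entry ages out once the flow has been idle longer than the timeout.
        if seen is not None and p.t - seen > tcp_timeout:
            del last_seen[p.flow]
            seen = None
        # A non-SYN packet with no matching entry is what the log calls out of state.
        if seen is None and not p.syn:
            verdicts.append((p.t, "drop: out of state"))
            continue
        last_seen[p.flow] = p.t
        verdicts.append((p.t, "accept"))
    return verdicts

def count_drops(packets, tcp_timeout):
    return sum(1 for _, v in replay(packets, tcp_timeout) if v.startswith("drop"))

# Constructed sample: one H.225 call-signalling connection (TCP 1720) between two
# trunking cards, followed by keepalives spaced slightly more than an hour apart.
FLOW = ("10.0.0.10", 40000, "10.1.0.10", 1720)
SAMPLE = [
    Packet(0, FLOW, syn=True),
    Packet(1, FLOW),
    Packet(2, FLOW),
    Packet(3607, FLOW),   # first keepalive, idle for 3605 s
    Packet(7212, FLOW),   # second keepalive, again 3605 s later
]

if __name__ == "__main__":
    for timeout in (3600, 4000):
        print(f"tcp_timeout={timeout}")
        for t, verdict in replay(SAMPLE, timeout):
            print(f"  t={t:>5}  {verdict}")
```

Once the entry has aged out, every later packet on that connection is dropped as well, because nothing short of a new SYN recreates the state.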
