CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Checkpoint R60 HFA_06 and Avaya IP Office 500

  1. #1
    Join Date
    2008-06-02
    Location
    Buenos Aires, Argentina
    Posts
    54
    Rep Power
    12

    Default Checkpoint R60 HFA_06 and Avaya IP Office 500

    Howdy, I've Checkpoint NGX R60_HFA06, the main problem is that VoIP calls from Avaya IP Office 500 don't work; they only work in one direction.

    In the Cisco switches we've VLANs assigned to each subnet; each subnet is in both Firewalls with an IP address of each subnet and VLAN. Each IP Phone (10.2.24.57 and 58) communicates with the CallManager, and the Call Manager has 2 interfaces (10.2.0.28 and 36) and the FileServer (10.2.8.14) to download the correct .bin; the calls between IP Phones work fine.

    Now, when we try to call from an IP Phone (10.2.24.57 and 58) to an extension in the IP Office Server (192.168.5.10) the call works fine, I see all the traffic pass through the Firewall... but when I try to call back from the extension in the IP Server to an IP Phone the call dies after dialing the number; it sounds a busy tone. In the Firewall I only see accepted H323 packets to the Call Manager and no other kind of traffic. I did a fw monitor zdebug and don't see any dropped packets from/to the IP Server.

    We did several tests, setting the service H323 in advanced settings to none, h323 and h323_any, with no success. At this point, I don't know where the problem can be. Do you have any suggestions?

    Thanks in advance.
    Last edited by mhernandez; 2012-05-30 at 16:18.

  2. #2
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    16

    Default Re: Checkpoint R60 HFA_06 and Avaya IP Office 500

    Avaya has its own implementation of H323 that does not come too good in the usual CP environment. Nevertheless it should work with the latest R60 HFA.

    Personally I would recommend R65 that supports Avaya correctly.

    Nevertheless it is not enough. To make it work, you have to put very specific rules in place.

    1. Those rules should describe VOIP only with specific H323 related services. ANY service won't fly.
    2. All relevant VOIP entities should be defined in the SmartDashboard and put in the relevant rules. Those objects are VOIP Domain, Gateways and GateKeepers if used.

    Traffic traces before and after FW are advised for troubleshooting, if all above does not help.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  3. #3
    Join Date
    2008-06-02
    Location
    Buenos Aires, Argentina
    Posts
    54
    Rep Power
    12

    Default Re: Checkpoint R60 HFA_06 and Avaya IP Office 500

    Thanks Valeri for the reply.

    Today I'll do several tests with an engineer from Avaya. I'll post the results.

  4. #4
    Join Date
    2012-03-17
    Posts
    7
    Rep Power
    0

    Default Re: Checkpoint R60 HFA_06 and Avaya IP Office 500

    I have a similar problem.
    So, earlier I used a VPN tunnel for communication between two Avaya systems, a 406 (10.0.0.10) and a 500 (192.168.10.10). The VPN tunnel was set up with FreeBSD (mpd) and ALT Linux systems (pppd). Everything worked perfectly, but sometimes the tunnel hung, lost connection and it was necessary to manually restart the mpd service or even reboot the Linux server.
    Now I decided to set up the VPN tunnel with Checkpoint. Everything also worked, but Avaya's stations didn't work normally. If I receive a call from the remote office, I can answer the call and talk to the person; if I call the remote office myself, I hear only a "busy" tone.
    In the Checkpoint tracker I can see log entries of H323 both to me and from me; I don't see any blocking.

    I tried to add a pass rule to the firewall for Avaya_RTP (UDP 2048-2999), H323_any, H323_ras, but it had no effect.

    Does anybody have an idea what it can be and how to correct it? Thanks.

  5. #5
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    16

    Default Re: Checkpoint R60 HFA_06 and Avaya IP Office 500

    What is your FW version? Have you configured all parameters for H323 related objects, like VOIP domains, etc?
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  6. #6
    Join Date
    2012-03-17
    Posts
    7
    Rep Power
    0

    Default Re: Checkpoint R60 HFA_06 and Avaya IP Office 500

    Quote: Originally Posted by varera
    what is your FW version? Have you configured all parameters to H323 related objects, like VOIP domains, etc?

    I have Checkpoint 4600 with R75.40 firmware.
    I didn't configure any H323 parameters yet because I don't know how to do it.

    But I found this document and tried to repeat these steps to solve my problem:
    https://supportcenter.checkpoint.com...tionid=sk14587


    But I can't find any VOIP domain parameters in my SmartDashboard!
    Last edited by drBuben; 2012-09-17 at 06:31.

  7. #7
    Join Date
    2012-03-17
    Posts
    7
    Rep Power
    0

    Default Re: Checkpoint R60 HFA_06 and Avaya IP Office 500

    I am sorry for my carelessness.
    I found where all VOIP settings are set. But there were questions as to what it is necessary to create in network objects for my configuration.

    I have Avaya 406 IP:10.0.0.10 locally; at the other office there is Avaya 500 IP:192.168.10.10. What new network object should I create, and how should I adjust it, to provide phone calls in both directions? Gatekeeper, Gateway or another?

    My rules and log information:



    Last edited by drBuben; 2012-09-17 at 10:34.

  8. #8
    Join Date
    2012-03-17
    Posts
    7
    Rep Power
    0

    Default Re: Checkpoint R60 HFA_06 and Avaya IP Office 500

    I want to return to my problem with bi-directional calls from one Avaya to another.
    Here are dumps that I made during calls from one side to the other.
    Maybe they can help to understand my problem.

    If I cannot find how to solve my problem I will have to use a Zyxel Zywall for the VPN tunnel and VOIP traffic.



    TCPDUMP between Avaya IP Office 406 (10.0.0.10) and Avaya IP Office 500 (192.168.10.10)


    The phone call from Avaya IP Office 406 (10.0.0.10) to Avaya IP Office 500 (192.168.10.10). The answer from the other side is a «BUSY» tone.

    TCPDUMP during a call from Avaya IP Office 406 (10.0.0.10) to Avaya IP Office 500 (192.168.10.10)
    tcpdump -vvv src host 10.0.0.10 and dst host 192.168.10.10

    [Expert@cp4600]# tcpdump -vvv src host 10.0.0.10 and dst host 192.168.10.10
    tcpdump: listening on Mgmt
    10:39:40.276505 10.0.0.10.6710 > 192.168.10.10.h323hostcall: S [tcp sum ok] 986906624:986906624(0) win 8192 <mss 1024> (ttl 99, id 64432, len 44)
    10:39:40.282275 10.0.0.10.6710 > 192.168.10.10.h323hostcall: . [tcp sum ok] 986906625:986906625(0) ack 110665492 win 8192 (ttl 99, id 64435, len 40)
    10:39:40.282608 10.0.0.10.6710 > 192.168.10.10.h323hostcall: . 0:191(191) ack 1 win 8192 (ttl 99, id 64436, len 231)
    10:39:40.319229 10.0.0.10.6710 > 192.168.10.10.h323hostcall: . [tcp sum ok] 191:191(0) ack 5 win 8192 (ttl 99, id 64443, len 40)
    10:39:40.320635 10.0.0.10.6710 > 192.168.10.10.h323hostcall: F [tcp sum ok] 191:191(0) ack 52 win 8145 (ttl 99, id 64445, len 40)
    10:39:40.320640 10.0.0.10.6710 > 192.168.10.10.h323hostcall: . [tcp sum ok] 192:192(0) ack 52 win 8192 (ttl 99, id 64446, len 40)
    10:39:40.340011 10.0.0.10.6710 > 192.168.10.10.h323hostcall: . [tcp sum ok] 192:192(0) ack 53 win 8192 (ttl 99, id 64450, len 40)

    PBX traffic during a phone call. This traffic was after my test call.

    10:39:26.353392 10.0.0.10.49152 > 192.168.10.10.49162: [no cksum] udp 32 (ttl 98, id 62560, len 60)
    10:39:26.371156 10.0.0.10.49152 > 192.168.10.10.49162: [no cksum] udp 32 (ttl 98, id 62575, len 60)
    10:39:26.391089 10.0.0.10.49152 > 192.168.10.10.49162: [no cksum] udp 32 (ttl 98, id 62579, len 60)
    10:39:26.411160 10.0.0.10.49152 > 192.168.10.10.49162: [no cksum] udp 32 (ttl 98, id 62584, len 60)
    10:39:26.433285 10.0.0.10.49152 > 192.168.10.10.49162: [no cksum] udp 32 (ttl 98, id 62594, len 60)
    10:39:26.451144 10.0.0.10.49152 > 192.168.10.10.49162: [no cksum] udp 32 (ttl 98, id 62599, len 60)
    10:39:26.473304 10.0.0.10.49152 > 192.168.10.10.49162: [no cksum] udp 32 (ttl 98, id 62609, len 60)
    10:39:26.490925 10.0.0.10.49152 > 192.168.10.10.49162: [no cksum] udp 32 (ttl 98, id 62618, len 60)
    10:39:26.510950 10.0.0.10.49152 > 192.168.10.10.49162: [no cksum] udp 32 (ttl 98, id 62629, len 60)
    10:39:26.531679 10.0.0.10.49152 > 192.168.10.10.49162: [no cksum] udp 32 (ttl 98, id 62636, len 60)
    10:39:26.550989 10.0.0.10.49152 > 192.168.10.10.49162: [no cksum] udp 32 (ttl 98, id 62643, len 60)
    10:39:26.571834 10.0.0.10.49153 > 192.168.10.10.49163: [no cksum] udp 48 (ttl 98, id 62645, len 76)
    10:39:26.575440 10.0.0.10.h323hostcall > 192.168.10.10.4218: . [tcp sum ok] 1742144310:1742144336(26) ack 892797740 win 4369 (ttl 99, id 62646, len 66)
    10:39:26.576766 10.0.0.10.h323hostcall > 192.168.10.10.4218: F 26:76(50) ack 1 win 4369 (ttl 99, id 62647, len 90)
    10:39:26.579136 10.0.0.10 > 192.168.10.10: icmp: 10.0.0.10 udp port 49152 unreachable for 192.168.10.10.49162 > 10.0.0.10.49152: udp 32 (ttl 96, id 2693, len 60) (ttl 99, id 62650, len 56)
    10:39:26.579451 10.0.0.10.h323hostcall > 192.168.10.10.4218: . [tcp sum ok] 77:77(0) ack 2 win 4369 (ttl 99, id 62654, len 40)
    10:39:26.605508 10.0.0.10 > 192.168.10.10: icmp: 10.0.0.10 udp port 49153 unreachable for 192.168.10.10.49163 > 10.0.0.10.49153: [no cksum] udp 24 (ttl 96, id 2715, len 52) (ttl 99, id 62660, len 56)




    TCPDUMP during a call from Avaya IP Office 500 (192.168.10.10) to Avaya IP Office 406 (10.0.0.10)
    The phone call passes normally.
    tcpdump -vvv dst host 10.0.0.10 and src host 192.168.10.10

    [Expert@cp4600]# tcpdump -vvv dst host 10.0.0.10 and src host 192.168.10.10
    tcpdump: listening on Mgmt
    11:52:35.440834 192.168.10.10.4246 > 10.0.0.10.h323hostcall: S [tcp sum ok] 3407675392:3407675392(0) win 65535 <mss 1460> (DF) (ttl 255, id 48700, len 44)
    11:52:35.443087 192.168.10.10.4246 > 10.0.0.10.h323hostcall: . [tcp sum ok] 3407675393:3407675393(0) ack 4245291009 win 65535 (DF) (ttl 255, id 62621, len 40)
    11:52:35.443102 192.168.10.10.4246 > 10.0.0.10.h323hostcall: . [tcp sum ok] 0:4(4) ack 1 win 65535 (DF) (ttl 255, id 16894, len 44)
    11:52:35.443115 192.168.10.10.4246 > 10.0.0.10.h323hostcall: P 4:335(331) ack 1 win 65535 (DF) (ttl 255, id 39040, len 371)
    11:52:35.480822 192.168.10.10.4246 > 10.0.0.10.h323hostcall: . [tcp sum ok] 335:335(0) ack 46 win 65535 (DF) (ttl 255, id 31414, len 40)
    11:52:35.572320 192.168.10.10.4246 > 10.0.0.10.h323hostcall: . [tcp sum ok] 335:335(0) ack 157 win 65535 (DF) (ttl 255, id 17927, len 40)
    11:52:39.269409 192.168.10.10.4246 > 10.0.0.10.h323hostcall: . [tcp sum ok] 335:335(0) ack 454 win 65535 (DF) (ttl 255, id 59137, len 40)
    11:52:39.285671 192.168.10.10.4246 > 10.0.0.10.h323hostcall: . [tcp sum ok] 335:339(4) ack 454 win 65535 (DF) (ttl 255, id 32233, len 44)
    11:52:39.285685 192.168.10.10.4246 > 10.0.0.10.h323hostcall: P [tcp sum ok] 339:362(23) ack 454 win 65535 (DF) (ttl 255, id 41706, len 63)
    11:52:39.298450 192.168.10.10.4246 > 10.0.0.10.h323hostcall: . [tcp sum ok] 362:366(4) ack 454 win 65535 (DF) (ttl 255, id 58271, len 44)
    11:52:39.298458 192.168.10.10.4246 > 10.0.0.10.h323hostcall: P 366:474(108) ack 454 win 65535 (DF) (ttl 255, id 54834, len 148)
    11:52:39.298465 192.168.10.10.4246 > 10.0.0.10.h323hostcall: . [tcp sum ok] 474:478(4) ack 454 win 65535 (DF) (ttl 255, id 51012, len 44)
    11:52:39.298472 192.168.10.10.4246 > 10.0.0.10.h323hostcall: P [tcp sum ok] 478:500(22) ack 454 win 65535 (DF) (ttl 255, id 23189, len 62)
    11:52:39.312747 192.168.10.10.4246 > 10.0.0.10.h323hostcall: . [tcp sum ok] 500:500(0) ack 481 win 65535 (DF) (ttl 255, id 9694, len 40)
    11:52:39.339466 192.168.10.10.4246 > 10.0.0.10.h323hostcall: . [tcp sum ok] 500:500(0) ack 578 win 65535 (DF) (ttl 255, id 30794, len 40)
    11:52:39.353854 192.168.10.10.4246 > 10.0.0.10.h323hostcall: . [tcp sum ok] 500:504(4) ack 578 win 65535 (DF) (ttl 255, id 40146, len 44)
    11:52:39.353869 192.168.10.10.4246 > 10.0.0.10.h323hostcall: P [tcp sum ok] 504:527(23) ack 578 win 65535 (DF) (ttl 255, id 32678, len 63)
    11:52:39.364734 192.168.10.10.4246 > 10.0.0.10.h323hostcall: . [tcp sum ok] 527:527(0) ack 605 win 65535 (DF) (ttl 255, id 38815, len 40)
    11:52:39.370403 192.168.10.10.4246 > 10.0.0.10.h323hostcall: . [tcp sum ok] 527:531(4) ack 605 win 65535 (DF) (ttl 255, id 22729, len 44)
    11:52:39.370411 192.168.10.10.4246 > 10.0.0.10.h323hostcall: . [tcp sum ok] 531:554(23) ack 605 win 65535 (DF) (ttl 255, id 21154, len 63)
    11:52:39.370417 192.168.10.10.4246 > 10.0.0.10.h323hostcall: . [tcp sum ok] 554:558(4) ack 605 win 65535 (DF) (ttl 255, id 50547, len 44)
    11:52:39.370424 192.168.10.10.4246 > 10.0.0.10.h323hostcall: P [tcp sum ok] 558:598(40) ack 605 win 65535 (DF) (ttl 255, id 19985, len 80)
    11:52:39.382716 192.168.10.10.4246 > 10.0.0.10.h323hostcall: . [tcp sum ok] 598:602(4) ack 605 win 65535 (DF) (ttl 255, id 22183, len 44)
    11:52:39.382730 192.168.10.10.4246 > 10.0.0.10.h323hostcall: P 602:649(47) ack 605 win 65535 (DF) (ttl 255, id 29018, len 87)
    11:52:39.385683 192.168.10.10.4246 > 10.0.0.10.h323hostcall: . [tcp sum ok] 649:649(0) ack 656 win 65535 (DF) (ttl 255, id 32348, len 40)
    11:52:39.537602 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55015, len 60)
    11:52:39.557348 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55029, len 60)
    11:52:39.578793 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55039, len 60)
    11:52:39.597344 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55054, len 60)
    11:52:39.618833 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55065, len 60)
    11:52:39.637133 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55078, len 60)
    11:52:39.657434 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55091, len 60)
    11:52:39.677296 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55101, len 60)
    11:52:39.697218 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55111, len 60)
    11:52:39.717602 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55121, len 60)
    11:52:39.737430 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55131, len 60)
    11:52:39.757720 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55142, len 60)
    11:52:39.777058 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55152, len 60)
    11:52:39.797589 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55162, len 60)
    11:52:39.817214 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55172, len 60)
    11:52:39.837377 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55182, len 60)
    11:52:39.857312 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55192, len 60)
    11:52:39.877420 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55202, len 60)
    11:52:39.897163 192.168.10.10.49156 > 10.0.0.10.49156: [udp sum ok] udp 32 [tos 0xb8] (ttl 97, id 55212, len 60)
    Last edited by drBuben; 2012-09-20 at 05:04.
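
A small triage script for one-direction captures like the ones in the post above, added here as an example (it is not code from the thread): it measures how long each H.323 call-signalling TCP session on port 1720 lasted and collects ICMP port-unreachable replies to UDP ports. The `triage` function, the `short_call` threshold and the reading of UDP flows as media are assumptions of this example; the sample lines are copied from the capture above.

```python
import re

# Lines copied from the failing-direction capture in the post above
# (classic tcpdump -vvv text output; h323hostcall is TCP port 1720).
SAMPLE = """\
10:39:40.276505 10.0.0.10.6710 > 192.168.10.10.h323hostcall: S [tcp sum ok] 986906624:986906624(0) win 8192 <mss 1024> (ttl 99, id 64432, len 44)
10:39:40.282608 10.0.0.10.6710 > 192.168.10.10.h323hostcall: . 0:191(191) ack 1 win 8192 (ttl 99, id 64436, len 231)
10:39:40.320635 10.0.0.10.6710 > 192.168.10.10.h323hostcall: F [tcp sum ok] 191:191(0) ack 52 win 8145 (ttl 99, id 64445, len 40)
10:39:26.353392 10.0.0.10.49152 > 192.168.10.10.49162: [no cksum] udp 32 (ttl 98, id 62560, len 60)
10:39:26.371156 10.0.0.10.49152 > 192.168.10.10.49162: [no cksum] udp 32 (ttl 98, id 62575, len 60)
10:39:26.579136 10.0.0.10 > 192.168.10.10: icmp: 10.0.0.10 udp port 49152 unreachable for 192.168.10.10.49162 > 10.0.0.10.49152: udp 32 (ttl 96, id 2693, len 60) (ttl 99, id 62650, len 56)
"""

IP = r"(\d+(?:\.\d+){3})"
FLOW = re.compile(rf"^(\d\d):(\d\d):(\d\d\.\d+) {IP}\.(\S+) > {IP}\.(\S+): (\S.*)$")
ICMP = re.compile(rf"^\S+ {IP} > {IP}: icmp: \S+ udp port (\d+) unreachable")
SIGNALLING = {"h323hostcall", "1720"}


def triage(text, short_call=1.0):
    """Summarise a one-direction capture. short_call (seconds) is an assumed
    threshold for a signalling session too short to have set up a call."""
    syn_seen, sessions, media, rejects = {}, [], {}, []
    for line in text.splitlines():
        line = line.strip()
        m = ICMP.match(line)
        if m:  # ICMP port unreachable quoting a UDP datagram
            rejects.append({"by": m.group(1), "to": m.group(2), "port": int(m.group(3))})
            continue
        m = FLOW.match(line)
        if not m:
            continue
        hh, mm, ss, src, sport, dst, dport, rest = m.groups()
        now = int(hh) * 3600 + int(mm) * 60 + float(ss)
        key = (src, sport, dst, dport)
        if re.search(r"\budp \d+", rest):  # candidate media (RTP/RTCP) datagram
            media[key] = media.get(key, 0) + 1
        elif dport in SIGNALLING:
            flags = rest.split()[0]  # tcpdump prints TCP flags first: S, F, P or .
            if "S" in flags:
                syn_seen[key] = now
            elif "F" in flags and key in syn_seen:
                sessions.append({"flow": key, "seconds": now - syn_seen.pop(key)})
    findings = [f"signalling {s['flow'][0]}:{s['flow'][1]} -> {s['flow'][2]}: "
                f"initiator sent FIN after {s['seconds']:.3f}s"
                for s in sessions if s["seconds"] < short_call]
    findings += [f"{r['by']} answered 'udp port {r['port']} unreachable' to {r['to']}"
                 for r in rejects]
    return {"sessions": sessions, "media": media, "rejects": rejects, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print(finding)
```

Running the same function over the capture of the working direction gives a signalling session with no early FIN and no unreachable replies, which makes the two directions easy to compare side by side.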

  9. #9
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    16

    Default Re: Checkpoint R60 HFA_06 and Avaya IP Office 500

    As mentioned above, you need to create and properly define a Gatekeeper object. Read and follow the Administration manual to do so. Without a Gatekeeper, even if it is not explicitly used in the rulebase, VOIP may not work or may work in one direction only.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  10. #10
    Join Date
    2012-03-17
    Posts
    7
    Rep Power
    0

    Default Re: Checkpoint R60 HFA_06 and Avaya IP Office 500

    I discussed my problem with Aibulat Nigmatullin from Moscow NTC and we also defined VOIP Gatekeepers for each network.

    For my local network the Gatekeeper is defined as:
    VoIP installed at: avaya_spb (10.0.0.10)
    Related Endpoints Domain: spb_lan (10.0.0.0/24)

    For the remote local network the Gatekeeper is defined as:
    VoIP installed at: avaya_msk (192.168.10.10)
    Related Endpoints Domain: spb_lan (192.168.10.0/24)

    I created a rule that allows any traffic from and to both gatekeepers.

    My actions had no effect. Avaya stations can ping each other.

  11. #11
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    16

    Default Re: Checkpoint R60 HFA_06 and Avaya IP Office 500

    Support case?
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  12. #12
    Join Date
    2012-03-17
    Posts
    7
    Rep Power
    0

    Default Re: Checkpoint R60 HFA_06 and Avaya IP Office 500

    Quote: Originally Posted by varera
    Support case?

    SR Details:

    -------------------------------------------------
    SR# : 28-468729981

    Abstract: VPN: Bi-directional calls don't work with Avay and Checkpoint 4600 R75.40


    I am waiting for help from Checkpoint support.

  13. #13
    Join Date
    2012-03-17
    Posts
    7
    Rep Power
    0

    Default Re: Checkpoint R60 HFA_06 and Avaya IP Office 500

    I have just found how to solve my problem with bi-directional calls!

    It's enough to add 2 NAT rules such as:

         | Original Packet                                        | Translated Packet
    No.  | Source                Destination            Service  | Source    Destination  Service
    -----+--------------------------------------------------------+--------------------------------
    1    | my_trustred_networks  Any                    Any      | Original  Original     Original
    2    | Any                   my_trustred_networks   Any      | Original  Original     Original

    I found all helpful information in this thread: https://www.cpug.org/forums/voice-ov...d-address.html

    I tried to set up a VPN IPSec tunnel with Checkpoint and D-Link DI-804 and also saw this error: message_info: Connection contains real IP of NATed address.
    The D-Link status is "IKE tunnel established", but the Checkpoint log contains an error that it cannot pass the tunnel test. But this problem is for another thread.
