IP office 500 SCN issue with Checkpoint R75

clarkstyx18 (IS-IT--Management), Mar 7, 2012
We currently have 3 sites interconnected through MPLS; each site has an IP Office 500v2 R6.1 and they are linked with each other through SCN.
Site A (Main HQ) has Checkpoint R75 installed, whereas sites B and C don't have a firewall. SCN status is up on all 3 branches. Site B and Site C can call each other's extensions and vice versa. Site A cannot call either site B or C. On the Checkpoint firewall, a policy has been made to allow ALL traffic bi-directionally, including H.323. I believe that all my configurations on each IP Office are correct and there's something that needs to be done on the Checkpoint firewall, but I'm not sure what it is. Is there any tool to trace which ports are blocked, or to see if a packet has been dropped whenever a call is made from site A to site B or C? Attached is a sample Monitor log in which we tried calling from site A (ext 4355) to site B (ext 7055).
 
Wireshark running at each side of the link will show what is going out of one and arriving at the other; that will show what traffic is being blocked and on what port.

This is the port required for the SCN link to come up:

50795 IPO Voice Networking (UDP) Small Community Network signalling (AVRIP) and BLF updates. Each system does a broadcast every 30 seconds. BLF updates are sent as required, up to a maximum of every 5 seconds.

Here are all other ports the system uses for calls/setup etc:

25* SMTP (TCP) Email system alarms from the IP Office to SMTP server.
67 BOOTP/DHCP
68 BOOTP/DHCP
69 TFTP (UDP) File requests to the IP Office.
69 TFTP (UDP) File requests by the IP Office.
161* SNMP (UDP) From SNMP applications.
162* SNMP Trap (UDP) To addresses set in the IP Office configuration.
389* LDAP (TCP)
520 RIP (UDP) To and from the IP Office to other RIP devices. For RIP1 and RIP2 (RIP1 compatible) the destination address is a subnet broadcast, eg. 192.168.42.255. For RIP2 Multicast the destination address is 224.0.0.9.
520 RIP (UDP)
1719 H.323 RAS (UDP) H.323 VoIP device registering with the IP Office.
1720 H.323/H.245 (UDP) Data to a registered VoIP device.
2127 (UDP) PC Wallboard to CCC Wallboard Server.
5060 SIP (UDP/TCP) SIP Line Signalling
8080 HTTP (TCP) Browser access to the Delta Server application.
8089 Enconf (UDP) From the IP Office to the Conferencing Center Server Service. User access to the conference center is direct via HTTP sessions.
8888 HTTP (TCP) Browser access to the IP Office ContactStore (VRL) application.
49152-53247* RTP/RTCP (UDP) Dynamically allocated ports used during VoIP calls for RTP and RTCP traffic. The port range can be adjusted through the System | Gatekeeper tab.
50791 IPO Voicemail (UDP) To voicemail server address.
50793 IPO Solo Voicemail (UDP) From IP Office TAPI PC with Wave drive user support.
50794 IPO Monitor (UDP) From the IP Office Monitor application.
50795 IPO Voice Networking (UDP) Small Community Network signalling (AVRIP) and BLF updates. Each system does a broadcast every 30 seconds. BLF updates are sent as required, up to a maximum of every 5 seconds.
50796 IPO PCPartner (UDP) From an IP Office application (for example Phone Manager or SoftConsole). Used to initiate a session between the IP Office and the application.
50797 IPO TAPI (UDP) From an IP Office TAPI user PC.
50799 IPO BLF (UDP) Broadcast to the IP Office LAN and the first 10 IP addresses registered from other subnets.
50800 IPO License Dongle (UDP) To the License Server IP Address set in the IP Office config.
50801 EConf (UDP) Conference Center Service to IP Office.
50804* HTTP (TCP) IP Office configuration settings access.
50808* HTTP (TCP) IP Office system status access.
50812* HTTP (TCP) IP Office security settings access.


Also in an SCN the 7XXX shortcodes you have are not required unless it's not a true SCN :)
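
A way to do the two-sided capture comparison suggested in this post, added here as an example and not code from the thread, from Avaya or from Check Point. The two CSV snippets are constructed; their column layout is what `tshark -T fields -E separator=, -e ip.src -e ip.dst -e ip.proto -e udp.srcport -e udp.dstport -e tcp.srcport -e tcp.dstport` emits. The IP Office addresses 10.1.1.5 (site A) and 10.2.2.5 (site B) are assumptions, and the port labels come from the port list above.

```python
"""Diff a capture taken on the site A side of the firewall against one taken
at site B to find the flows that left A but never arrived at B.

Added example, not part of the original thread. The CSV samples below are
constructed; the IPO addresses 10.1.1.5 / 10.2.2.5 are assumptions. Port labels
are taken from the IP Office port list quoted in the thread.
"""
import csv
import io

# Ports from the list above that matter for an SCN call between two IP Offices.
IPO_PORTS = {
    1719: "H.323 RAS",
    1720: "H.323 call signalling",
    50794: "IPO Monitor",
    50795: "IPO Voice Networking (SCN signalling / AVRIP)",
    50799: "IPO BLF",
}
RTP_RANGE = (49152, 53247)  # default RTP/RTCP window, adjustable on System | Gatekeeper

# Constructed sample: site A egress sees the SCN keepalive and a call setup
# attempt towards 1720; site B ingress sees only the keepalive.
SITE_A_EGRESS = """\
10.1.1.5,10.2.2.5,17,50795,50795,,
10.1.1.5,10.2.2.5,6,,,35122,1720
"""
SITE_B_INGRESS = """\
10.1.1.5,10.2.2.5,17,50795,50795,,
"""


def parse_flows(text):
    """Return the set of (src, dst, proto, sport, dport) five-tuples in a tshark CSV export."""
    flows = set()
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7 or not row[0]:
            continue
        src, dst, proto = row[0], row[1], int(row[2])
        # UDP ports sit in columns 3-4, TCP ports in 5-6; only one pair is populated per row.
        sport, dport = (row[3], row[4]) if proto == 17 else (row[5], row[6])
        flows.add((src, dst, proto, int(sport), int(dport)))
    return flows


def describe_port(port):
    """Label a destination port using the IPO port list, the RTP window, or 'unlisted'."""
    if port in IPO_PORTS:
        return f"{IPO_PORTS[port]} ({port})"
    if RTP_RANGE[0] <= port <= RTP_RANGE[1]:
        return f"RTP/RTCP media ({RTP_RANGE[0]}-{RTP_RANGE[1]})"
    return f"unlisted port {port}"


def missing_flows(sent, received):
    """Flows present in the sender-side capture but absent at the receiver: dropped or misrouted."""
    return sorted(sent - received)


def capture_filter():
    """BPF expression for the next tcpdump/Wireshark capture, limited to the IPO ports above."""
    udp = " or ".join(f"udp port {p}" for p in (1719, 50794, 50795, 50799))
    return f"{udp} or port 1720 or udp portrange {RTP_RANGE[0]}-{RTP_RANGE[1]}"


def report(sent_csv, received_csv):
    """One human-readable line per flow that left A and never reached B."""
    lines = []
    for src, dst, proto, sport, dport in missing_flows(parse_flows(sent_csv), parse_flows(received_csv)):
        name = "tcp" if proto == 6 else "udp"
        lines.append(f"{name} {src}:{sport} -> {dst}:{dport} [{describe_port(dport)}] left A, never reached B")
    return lines


if __name__ == "__main__":
    print("capture filter:", capture_filter())
    print("\n".join(report(SITE_A_EGRESS, SITE_B_INGRESS)) or "all flows arrived")
```

Run the same capture filter on both sides at the same time, export each pcap with the tshark field list from the lead-in, and feed the two exports to `report()`; in the constructed sample the SCN keepalive on 50795 arrives but the setup towards 1720 does not, which is the shape of "SCN up, calls fail" described in this thread.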

 
It seems to be getting a Network out of order response.
There has to be something blocking traffic in the firewall somewhere. Though, you say it shows the SCN up...

Looks like it's getting NetworkOOO then trying a shortcode. Why do you have shortcodes set up for an SCN?

-Austin
ACE: Implement IP Office
 
BTW, according to that trace something is blocking/misdirecting the traffic or the routing is wrong, as you have this in there: Cause=38, Network out of order

 
Thanks amriddle01. Actually, all the SCNs are up based on System Status. So if I run Wireshark on each site, what specific log should I look at? What source and destination should I look at? Should it be from the IP of the phone in Site A to the IP of the phone in Site B? Regarding the short codes, I didn't know that short codes aren't necessary if SCN is active, so I guess I'll just delete all the short codes I made for all the sites.
 
@amriddle01 - I've fixed the IP routes on the IP Offices. Before, the SCN was down; after changing the IP routes on the IP Office it came UP. I strongly agree that it's the firewall, because we tried removing the firewall and calls came in, but the thing is, the firewall is essential and cannot be removed.


@AACon - yeah, I didn't know that you don't need short codes for SCN; I'm used to configuring SIP trunking, that's why.
 
Checkpoint has a tool called tracker that will tell you precisely what ports are being dropped etc.

However - the Checkpoint is a VoIP-aware firewall and is probably tweaking packets and rules.

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.
 
Dear mattKnight, should we download this tool (tracker), or does it come with Checkpoint?
 
Andy - SonicWalls wouldn't touch Check Point for security though.... mil-grade security.

ACSS - SME
General Geek



 
@matt - are you referring to the SmartView Tracker? I guess we'll just have to trace the packets coming from the IP of the phone (caller) to the destination IP of the other phone in the other site.
 
>are you referring to the smartview tracker

yep, that is the one.



Take Care

Matt
 
I'm currently on site right now; we've asked the network engineer to view traffic from the remote site to the Head Office and he is not getting any traffic. Any other ideas?
 
This is what I got from Monitor:

68251857mS CMLineRx: v=17
CMReleaseComp
Line: type=IPLine 17 Call: lid=0 id=1756 in=0
Cause=38, Network out of order
68251857mS CMCallEvt: 0.1754.0 228 TargetingEP: RequestEnd 0.1756.0 228 H323TrunkEP
68251857mS CMTARGET: 261.1753.0 228 PR&L Acc.0: CancelTimer CMTCNoAnswerTimeout
68251858mS CMCallEvt: 0.1754.0 -1 BaseEP: DELETE CMEndpoint f50d8b78 TOTAL NOW=4 CALL_LIST=2
68251858mS CMCallEvt: 0.1756.0 228 H323TrunkEP: StateChange: END=B CMCSOffering->CMCSCompleted
68251860mS CMLOGGING: CALL:2012/03/0811:34,00:00:00,000,7060,O,61,4561,PR&LAcc,,,0,,""n/a,0
68251860mS CD: CALL: 261.1753.0 BState=Disconnecting Cut=1 Music=0.0 Aend="PR&L Acc(7060)" (0.0) Bend="" [Line 17] (267.2) CalledNum=4561 (Santhosh) CallingNum=7060 (PR&L Acc) Internal=0 Time=8037 AState=Dialled
68251861mS CD: CALL: 261.1753.0 Deleted
68251861mS CMExtnEvt: PR&L Acc: CALL LOST (CMCauseNetworkOOO)
68251861mS CMExtnEvt: PR&L Acc: Extn(7060) Calling Party Number(7060) Type(CMNTypeInternal)
68251862mS CMCallEvt: 261.1753.0 -1 PR&L Acc.0: StateChange: END=X CMCSDialled->CMCSCompletedTone
68251863mS CMExtnTxC: v=7060
CMFacility
Line: type=NoLine 0 Call: lid=261 id=1753 in=0
IE CMIEFastStartInfoData (6)
68251863mS CMExtnTx: v=7060, p1=0
CMFacility
Line: type=IPLine 250 Call: lid=261 id=1753 in=0
IE CMIEFastStartInfoData (6)
Timed: 08/03/12 11:34
68251864mS CMExtnTx: v=7060, p1=8010
CMFacility
Line: type=IPLine 250 Call: lid=261 id=13 in=1
IE CMIEFastStartInfoData (6)
68251864mS CMExtnEvt: v=13 State, new=CMESCompleted old=Proceeding,0,0,PR&L Acc
68251865mS CMCallEvt: 0.1756.0 -1 H323TrunkEP: StateChange: END=X CMCSCompleted->CMCSDelete
68251865mS CMCallEvt: END CALL:228 (f5096f10)
68251866mS CMCallEvt: 0.1756.0 -1 BaseEP: DELETE CMEndpoint f508f118 TOTAL NOW=3 CALL_LIST=1
68251868mS CMMap: PCG::AddToneGenerator g B1[4] for cp[550]b0r1 append pcp[553]b0r1 (total 1)
68251868mS CMMap: PlatformConnectionAudioSAP::ConnectVoice pcp[553]b0r1 Configure 0.0
68251868mS CMMap: PlatformConnectionAudioSAP::ConnectVoice pcp[553]b0r1 ConnectIndication 0.0
68251868mS CMMap: a=0.0 b=0.0 pcp[550]b0r1 RTPB2
68251869mS H323Tx: 13 dst=191.168.46.27:4833
H323 Pcol=08(Q931) Reflen=2 ref=0001(Local)
Message Type = Facility
ForwardLCParameters [G729_A (frames=2)] H2250 SID=01: RTP=191.168.46.2(49152) , RTCP=191.168.46.2(49153) ,
ReverseLCParameters [G729_A (frames=2)] H2250 SID=01: RTP=191.168.46.2(49152) , RTCP=191.168.46.2(49153) ,
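
An added example, not from the original post, that pulls out of the Monitor excerpt above the two things a firewall engineer will ask for: the Q.931 release cause and the signalling/media addresses the IP Office offered to the far end. TRACE is an excerpt of the trace posted above; the regular expressions are assumptions about the Monitor line layout, and the RTP window defaults to the 49152-53247 range listed earlier in the thread.

```python
"""Extract release causes and H.323 endpoint addresses from an Avaya IP Office
Monitor (SysMonitor) trace, then flag what a firewall/routing engineer should
look at.

Added example, not part of the original post. TRACE is an excerpt of the trace
posted in the thread; the regexes are assumptions about the Monitor layout.
"""
import ipaddress
import re

TRACE = """\
68251857mS CMLineRx: v=17
CMReleaseComp
Line: type=IPLine 17 Call: lid=0 id=1756 in=0
Cause=38, Network out of order
68251861mS CMExtnEvt: PR&L Acc: CALL LOST (CMCauseNetworkOOO)
68251869mS H323Tx: 13 dst=191.168.46.27:4833
H323 Pcol=08(Q931) Reflen=2 ref=0001(Local)
Message Type = Facility
ForwardLCParameters [G729_A (frames=2)] H2250 SID=01: RTP=191.168.46.2(49152) , RTCP=191.168.46.2(49153) ,
ReverseLCParameters [G729_A (frames=2)] H2250 SID=01: RTP=191.168.46.2(49152) , RTCP=191.168.46.2(49153) ,
"""

# "Cause=38, Network out of order" lines emitted with a CMReleaseComp.
CAUSE_RE = re.compile(r"\bCause=(\d+),\s*([^\n]+)")
# "H323Tx: 13 dst=191.168.46.27:4833" gives the Q.931 signalling peer.
DST_RE = re.compile(r"H323Tx: \d+ dst=(\d+(?:\.\d+){3}):(\d+)")
# "RTP=191.168.46.2(49152)" / "RTCP=..." inside the H.245 logical channel parameters.
MEDIA_RE = re.compile(r"\b(RTP|RTCP)=(\d+(?:\.\d+){3})\((\d+)\)")


def parse_causes(trace):
    """All Q.931 release causes in the trace as (code, text)."""
    return [(int(code), text.strip()) for code, text in CAUSE_RE.findall(trace)]


def parse_endpoints(trace):
    """Unique (kind, ip, port) triples: Q.931 signalling peer plus RTP/RTCP media addresses."""
    eps = [("Q931", ip, int(port)) for ip, port in DST_RE.findall(trace)]
    eps += [(kind, ip, int(port)) for kind, ip, port in MEDIA_RE.findall(trace)]
    # Forward and reverse logical channel parameters repeat the same pair; keep one copy, in order.
    return list(dict.fromkeys(eps))


def audit(trace, rtp_range=(49152, 53247)):
    """Human-readable findings for the firewall/routing team."""
    findings = []
    for code, text in parse_causes(trace):
        if code == 38:
            findings.append(f"cause {code} ({text}): signalling to the far end is failing; check routing and firewall drops")
        else:
            findings.append(f"cause {code} ({text})")
    for kind, ip, port in parse_endpoints(trace):
        if not ipaddress.ip_address(ip).is_private:
            findings.append(f"{kind} endpoint {ip}:{port} is not RFC 1918 space; confirm routes and firewall objects cover it")
        if kind in ("RTP", "RTCP") and not rtp_range[0] <= port <= rtp_range[1]:
            findings.append(f"{kind} port {port} is outside the configured range {rtp_range[0]}-{rtp_range[1]}")
    return findings


if __name__ == "__main__":
    for line in audit(TRACE):
        print(line)
```

On the posted excerpt this reports the cause 38 release and that both the signalling peer 191.168.46.27 and the media address 191.168.46.2 fall outside RFC 1918 space, which is the point raised in the next reply; the RTP/RTCP ports 49152 and 49153 sit inside the default window, so no port finding is raised.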

 
the address I see in there is 191.168.46.2...is that correct? 191 is not uhm...common?

-Austin
ACE: Implement IP Office
 
You have already proved its the firewall, making more traces of it failing will not help really, I don't know if a forum exists for that firewall but it may be worth while posting there/somewhere related as we are far from experts on those devices :)

 
Yeah, that's correct; they designed their network that way.
 
If that's how they designed it then I'm not surprised there are problems.

-Austin
ACE: Implement IP Office
 
The Checkpoint R75 manual says:

Application Intelligence for H.323
The Security Gateway supports H.323 version 4 and below, which includes H.225 version 4 and H.245 version 7. It performs the following application layer checks:
• Strict enforcement of the protocol, including the order and direction of H.323 packets.
• If the phone number sent is longer than 24 characters, the packet is dropped. This prevents buffer overruns in the server.
• Dynamic ports are only opened if the port is not used by another service. For example: If the Connect message sends port 80 for the H.245, it will not be opened. This prevents illegal use of well-known ports.
The Security Gateway supports Fast Connect, an advanced H.323 capability that ensures that audio is available as soon as the phone is answered. This feature is active by default, and is always available.

I'd first try turning on Fast Start on the IP trunks.

If that doesn't work, I'd get the firewall team to turn off the application intelligence for H.323 protocol. (I am not sure how compliant the H.323 stack is on the IPO, but judging by the issues that people have with other devices - it may not be that good) If you do this, you will need to open the RTP port manually - the checkpoint should open them automagically by inspecting the H.323 control packet if you use application intelligence.



Take Care

Matt
 
@matt - IPS is already disabled. Any-to-any is applied on the VoIP domain policy. Any other reasons why calls are not coming through?
 