7.0.8 to 7.1.8 upgrade - H.323 not working

Reply
Highlighted
L2 Linker

7.0.8 to 7.1.8 upgrade - H.323 not working

Dear All,

 

We have recently upgraded as the title suggests, and since upgrading our Polycom Group series video conference units are not working correctly on H.323 protocol.  When we connect to either a public video bridge or direct to another Polycom device, we are unable to hear the caller ont he conference.  This was previously working in 7.0.8.

 

From our initial investigations, we are able to get this working by configuring a static NAT rule for the Polycom device.  However when the device using the general Trust -> Untrust dynamic NAT it does not seem to work correctly.  We have performed packet captures which all seem to be flowing correctly and we are not seeing any dropped packets. 

 

We have also configured a Trust -> Untrust ANY ANY security rule for the polycom to make sure its not being blocked from that perspective.

 

The only thing I can think of is that the traffic is not being routed back for some reason due to some change involving NAT that was implemented since 7.0.8.

 

Can anyone think of why we are having this issue?

 

 

Tags (4)

Accepted Solutions
Highlighted
L4 Transporter

Re: 7.0.8 to 7.1.8 upgrade - H.323 not working

Hi Gavin,

 

I would stick to using static NATs for both inbound and outbound, this is how I've always set up VoIP/video conferencing NAT rules.

 

Additionally you may be facing this issue, but you'd need to look at the global counters in combination with a packet filter.

 

https://live.paloaltonetworks.com/t5/Learning-Articles/Session-setup-fails-due-to-session-hash-colli...

 

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-check-global-counters-for-a-specific...

 

hope this helps,

Ben

View solution in original post


All Replies
Highlighted
L2 Linker

Re: 7.0.8 to 7.1.8 upgrade - H.323 not working

Seriously... No one wants to take a stab at this one? lol

Highlighted
L4 Transporter

Re: 7.0.8 to 7.1.8 upgrade - H.323 not working

Hi Gavin,

 

I would stick to using static NATs for both inbound and outbound, this is how I've always set up VoIP/video conferencing NAT rules.

 

Additionally you may be facing this issue, but you'd need to look at the global counters in combination with a packet filter.

 

https://live.paloaltonetworks.com/t5/Learning-Articles/Session-setup-fails-due-to-session-hash-colli...

 

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-check-global-counters-for-a-specific...

 

hope this helps,

Ben

View solution in original post

Highlighted
Cyber Elite

Re: 7.0.8 to 7.1.8 upgrade - H.323 not working

Hello,

I agree with the static NAT's, I also prefert to make them bi-directional, causes less of a headache with asymentric routing.

 

Regards,

Highlighted
L2 Linker

Re: 7.0.8 to 7.1.8 upgrade - H.323 not working

Hi Guys,

 

Ok so If use static NAT's and I have 8 meeting rooms with Polycom devices, that would mean 8 public IP addresses.  Surely that's not scalable?  Maybe some kind of PAT would be a better option?  What does everyone think?

Highlighted
L4 Transporter

Re: 7.0.8 to 7.1.8 upgrade - H.323 not working

Hi Gavin,

 

Yes that is how I have done it in the past with these polycomm video conferencing devices. Do polycomm have a central server that you could set up on your internal network, with all the devices calling back to that? Then you just need to do a 1-to-1 static NAT for the central server.

 

You could you PAT in theory to send the traffic to the right video phones but I do not think you can change the ports the video units use.

 

hope this helps,

Ben

Highlighted
Cyber Elite

Re: 7.0.8 to 7.1.8 upgrade - H.323 not working

@GavinPalmer the scalability of this solution would wholly depend on your environment; for example in my environment the scalability of this is sensible and it's exactly what we do with our few actual video conferencing units. I always tell clients that this type of equipment should be a 1-1 anyways seeing as Polycom in particular has real issues sitting behind NATs.

 

PATs are acceptable granted that you can actually get it working; I wish I still had my cheat sheet from when I setup a few units to be used with verizon hotspots because I spent a fair amount of time figuring it all out but unfortunately I can't locate the list. Polycom is pretty notorious for behaving poorly behind a PAT  

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!