Polycom cannot answer a call

L2 Linker

Hi all.

I have a problem with Palo Alto and Polycom.

When I make a call from inside to outside >> it is OK.

When a call comes in from outside >> I cannot answer.

I opened all ports and allowed all applications such as: h.323, h.252, rtp...

Please help me understand why.

L4 Transporter

Dat.tran,

You can try using an application override to see if that resolves your issue:

L2 Linker

I created an override as:

but it was not successful.

When a call comes in, I only see h.225,

but when I call outside, I can see h.225, RTP.

Please help me.

L4 Transporter

Dat,


Do NOT follow the document https://live.paloaltonetworks.com/docs/DOC-3194 (H323 Polycom Video Conf Drops), as if you notice, that document references Port 5060 (SIP), but SIP is certainly NOT H.323 traffic. (2 totally different protocols).

I worked at Polycom for 4 years, so this is a common problem that needs to be resolved by the Firewall, checking ports, etc. The H225 call setup is probably working, but the negotiation of what TCP/UDP ports is not being allowed by the firewall. I have seen this many many times. Many times.

Your best friend in troubleshooting this will be to use Wireshark traces to see what is and is not going on in your network.


Please confirm what settings you have enabled on your codec from the WebUI:

Fixed Ports:  (what if anything do you have here)

Enable H.460 (on or off)

NAT configuration (what is this setting)  <---- Very important, and could be the reason why the call fails.


First thing I would do, is to create a rule allowing ONLY the specific IP address from the source network, inbound to your network, with ANY application, ANY service.    Put this rule at the top of your rulebase. (Please confirm this for me)


We do this, just to see if the H225 call setup and negotiation work correctly.  If the call sets up and works correctly, then you know we have some firewall rules and dynamic NAT policies in the FW that are not working.


What I would definitely do, is to contact Palo Alto T2 support, and get the ticket opened with them. I would then (with Palo T2 on the phone), call into Polycom T2 support (they have codecs on the public internet with no firewalls between them. Best test scenario).


Have Polycom call into your FW, and let PA T2 support look at your logs and see what is going on.


I will be glad to assist you, just send me a PM and I can work with you on this. 


Thanks SC
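
The symptom discussed in this thread (inbound calls show only h.225, outbound calls show h.225 and RTP) can be checked mechanically against session records. The following is an added example, not code from any poster in the thread; the CSV layout, the IP addresses and the function name `diagnose_calls` are constructed assumptions, not a Palo Alto export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per firewall session (documentation IP ranges).
# 10.0.0.50 stands in for the codec; the column layout is an assumption.
SAMPLE_SESSIONS = """\
src,dst,proto,dport,app
10.0.0.50,203.0.113.10,tcp,1720,h.225
10.0.0.50,203.0.113.10,udp,49154,rtp
203.0.113.10,10.0.0.50,udp,49156,rtp
198.51.100.7,10.0.0.50,tcp,1720,h.225
"""

SETUP, MEDIA = "h.225", "rtp"


def diagnose_calls(csv_text, codec_ip):
    """Group sessions per remote peer and report which call stages were seen."""
    calls = defaultdict(lambda: {"direction": "unknown", "apps": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if codec_ip not in (row["src"], row["dst"]):
            continue  # session does not involve the codec
        peer = row["dst"] if row["src"] == codec_ip else row["src"]
        call = calls[peer]
        call["apps"].add(row["app"])
        # The side that opens the H.225 (TCP/1720) session defines direction.
        if row["app"] == SETUP:
            call["direction"] = "outbound" if row["src"] == codec_ip else "inbound"
    report = {}
    for peer, call in calls.items():
        if SETUP not in call["apps"]:
            verdict = "no call setup seen"
        elif MEDIA not in call["apps"]:
            # Setup reached the codec but no media followed on the
            # dynamically negotiated ports.
            verdict = "setup only: negotiated ports blocked or not translated"
        else:
            verdict = "setup and media present"
        report[peer] = (call["direction"], verdict)
    return report


if __name__ == "__main__":
    for peer, (direction, verdict) in diagnose_calls(SAMPLE_SESSIONS, "10.0.0.50").items():
        print(f"{peer:15} {direction:9} {verdict}")
```
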

L2 Linker

Hi Scantwell!

This is my Polycom setting:

polycom firewall.png

This is the Palo Alto session when I call from outside:

polycom sesion 2.png

This is my Wireshark capture on my computer when I call the Polycom:

wireshark.png

I created a policy to allow all as you say:

polycies.jpg

Thank you so much.

L4 Transporter

Turn OFF H460

Turn OFF NAT configuration.

The PA box (to the best of my knowledge) does NOT support H.460 FW traversal.

The NAT config is ONLY if your FW does not know how to do H323, which the PA does know how to do.

Thanks

L2 Linker

I changed the config, but nothing happened.

Do you think my NAT on the Palo Alto has a problem?

I opened many ports.

L4 Transporter

I think you need to get a Wireshark trace ready to see what is happening when inbound traffic from the Internet is processed by the FW.

I would go back to the original suggestion. Contact Palo Alto T2 support, get a ticket opened, and then get on a conference call with Polycom T2 support and when Polycom attempts to call you, the Palo Alto techs can perform the associated traces.

To answer your question, YES, I think this is definitely a PA issue, and they need to do the troubleshooting.

L1 Bithead

Hello Dat.tran,

Were you able to resolve this issue? I also have the same problem.

I am planning to open a case with TAC, but before that I want to understand if there was any resolution associated with this, since this is a very old case.

Regards

Girish Vyas

L5 Sessionator

Try doing a bidirectional NAT for VoIP traffic.

Rate helpful answer.
