h245Tunneling VS Firewall

Discussion related to implementation and use of the H.323 Plus H.323 stack at http://www.h323plus.org.
Post Reply
montu
Posts: 5
Joined: Wed Jan 18, 2012 11:09 pm

h245Tunneling VS Firewall

Post by montu »

I have an H323 listener app with h245Tunneling option enabled and gateway (Cisco as5350, IOS 12.4) with this option enabled too.
At some point of connection negotiation gateway sends to the listener startH245 Facility PDU:
0:02.968 H225 Answer:80 H225 Receiving PDU [ip$10.3.114.200:1720/ip$10.10.1.38:46631] :
{
q931pdu = {
protocolDiscriminator = 8
callReference = 5193
from = originator
messageType = Facility
IE: Facility = {

}
IE: Display = {
63 69 73 63 6f 20 53 79 73 74 65 6d 73 2c 20 49 cisco Systems, I
6e 63 2e nc.
}
IE: User-User = {
26 90 06 00 08 91 4a 00 04 7d d4 ee e2 6a a5 11 &.....J..}...j..
e1 80 8f 00 0f f7 d0 4f 12 81 01 00 1f 05 80 11 .......O........
00 7d d6 27 32 6a a5 11 e1 86 38 d7 7e 8f ab dc .}.'2j....8.~...
65 07 00 0a 0a 01 26 d4 45 01 00 01 00 10 80 01 e.....&.E.......
80 .
}
}
h225pdu = {
h323_uu_pdu = {
h323_message_body = facility {
protocolIdentifier = 0.0.8.2250.0.4
conferenceID = 16 octets {
7d d4 ee e2 6a a5 11 e1 80 8f 00 0f f7 d0 4f 12 }...j.........O.
}
reason = startH245 <<null>>
callIdentifier = {
guid = 16 octets {
7d d6 27 32 6a a5 11 e1 86 38 d7 7e 8f ab dc 65 }.'2j....8.~...e
}
}
h245Address = ipAddress {
ip = 4 octets {
0a 0a 01 26 ...&
}
port = 54341
}

multipleCalls = false
maintainConnection = false
}
h245Tunneling = true
}
}
}
The listener tries to connect to gateway at 10.10.1.38:54341 but failed because of firewall.
0:02.970 H225 Answer:80 H225 Set protocol version to 4 and implying H.245 version 7
0:02.970 H225 Answer:80 H323TCP Connecting to 10.10.1.38:54341 (local port=0)
0:12.974 H225 Answer:80 H323TCP Could not connect to 10.10.1.38:54341 (local port=0) - Timed out(1073751884)
0:12.974 H225 Answer:80 H225 Connect of H245 failed: Timed out
0:12.975 H225 Answer:80 H323 Clearing connection ip$10.10.1.38:46631/5193 reason=EndedByTransportFail
0:12.975 H225 Answer:80 H323 Call end reason for ip$10.10.1.38:46631/5193 set to EndedByTransportFail
So I have two questions:
1) AFAIK when h245Tunneling is ON there is no need in separate connections for h245, but listener tries to established one above.
2) There is no ability to disable firewall on gateway. How to workaround this situation? When h245Tunneling is OFF on both sides the listener opens port for h245 (there is no firewall on listener host), gateway connects to it and everything ok. Is there any option to force this behaviour for a situation when h245Tunneling is ON?

shorne
Posts: 45
Joined: Thu Aug 27, 2009 4:17 am

Re: h245Tunneling VS Firewall

Post by shorne »

program your listener to ignore the startH245 message.

You could use GnuGk gatekeeper to remove the message as it passes through
http://www.gnugk.org/gnugk-manual-5.html#ss5.1
See RemoveH245AddressOnTunneling=1

montu
Posts: 5
Joined: Wed Jan 18, 2012 11:09 pm

Re: h245Tunneling VS Firewall

Post by montu »

shorne wrote:You could use GnuGk gatekeeper to remove the message as it passes through
We can`t use GnuGk on Cisco gateway, but thanx anyway.

This problem resolved by enabling FastStart option on gateway.
It seems that Cisco gatekeeper can`t use h245Tunneling with SlowStart.

Post Reply