SRX Services Gateway
Visitor
Posts: 4
Registered: ‎10-18-2009
0 Kudos
Accepted Solution

H323 ALG breaks Videoconferencing.. in 10r2

Hi, had a nightmare upgrade from 9.5 to 10.0R2 on SRX650's.. The H323 ALG which is on by default breaks Video Conferencing.. It all worked fine in 9.5, but in 10, it's broken..

 

TAC suggested disabling the H323 ALG.. that fixed it, but then you have to ask what the point of having it there in the first place was.

 

 

Visitor
Posts: 3
Registered: ‎01-27-2010
0 Kudos

Re: H323 ALG breaks Videoconferencing.. in 10r2

Were there any special rules that you had to apply to make h323 work after turning off the ALG? We are going to be doing h323 testing through our SRX running 10.0R2 today.

 

thanks!

Trusted Contributor
Posts: 59
Registered: ‎11-10-2009

Re: H323 ALG breaks Videoconferencing.. in 10r2

No, just disable it

Distinguished Expert
Posts: 826
Registered: ‎05-04-2008
0 Kudos

Re: H323 ALG breaks Videoconferencing.. in 10r2

Hi,

 

I just ran into this issue as well with a client running "10.0R2.10".  I resolved the issue by disabling the alg (set security alg h323 disable).  Anyone have an ETA on the fix?

 

-John

John Judge
JNCIS-SEC, JNCIS-ENT,

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
Distinguished Expert
Posts: 826
Registered: ‎05-04-2008
0 Kudos

Re: H323 ALG breaks Videoconferencing.. in 10r2

Hi All,

 

I came across another issue related to a Lifesize Gatekeeper.  Basically, we were unable to see the return video even after disabling the h323 alg.  Opened a ticket with JTAC and will keep everyone posted.  If anyone has something to add, let me know.


Thanks.

 

John

John Judge
JNCIS-SEC, JNCIS-ENT,

Distinguished Expert
Posts: 755
Registered: ‎11-06-2007
0 Kudos

Re: H323 ALG breaks Videoconferencing.. in 10r2

H.323 ALG is a new feature made available on SRX650 platform beginning with 10.0. Some other SRX platforms supported H.323 earlier than 10.0 but for SRX650 it was 10.0. That is probably why things were working fine before the upgrade. The problems seen by the ALG may be dependent on what H.323 application you are using. We generally support Avaya H.323 but may not support what you have since there is an enormous amount of difference among H.323 vendors in terms of what H.323 features and protocols are used (H.323 is a very large suite of protocols and not one standard). Hence it may simply be that we are not yet supporting the H.323 application you have.

 

In any case, the fact that it was working for you without any ALG previously implies that you do not have any NAT or policy restrictions to prevent H.323 from working. Hence disabling the H.323 ALG is probably the right solution for you. But it would still be good to know what H.323 application you are using so that we can look into supporting that in the future if there is enough demand.

 

-Richard

Contributor
Posts: 27
Registered: ‎02-22-2010
0 Kudos

Re: H323 ALG breaks Videoconferencing.. in 10r2

I had this same problem with SRX240 and 10.0R2.10. Our customer got a Tandberg video conferencing system and those devices couldn't register to the call manager over the internet but could be managed and pinged. After disabling the h.323 alg they started to work. There's no NAT, two different zones with an "application any" rule.

New User
Posts: 1
Registered: ‎04-18-2010
0 Kudos

Re: H323 ALG breaks Videoconferencing.. in 10r2


mr_packethead wrote:

Hi, had a nightmare upgrade from 9.5 to 10.0R2 on SRX650's.. The H323 ALG which is on by default breaks Video Conferencing.. It all worked fine in 9.5, but in 10, it's broken..

 

TAC suggested disabling the H323 ALG.. that fixed it, but then you have to ask what the point of having it there in the first place was.

 

 


There are different H323 implementations in the market. We need to learn more about this application. Have you filed a PR for this case? It is better to have the packets captured from the customer side.

Visitor
Posts: 9
Registered: ‎02-25-2010
0 Kudos

Re: H323 ALG breaks Videoconferencing.. in 10r2

Hi,

 

We have had the same problem last week.

Random problems were occurring with the IP-phones.

 

Disabling the ALG h323 fixed the problem.

 

We use Ericsson Businessphone BP250 VoIp Phones through SRX 650 10.0R3

 

good luck ;-)

Kind regards,

Paul

-----
swissknife-IT'er
Contributor
Posts: 10
Registered: ‎09-20-2010
0 Kudos

Re: H323 ALG breaks Videoconferencing.. in 10r2

I am currently implementing/configuring a Lifesize system. I can make outgoing calls, and after finding this thread today I disabled the h323 alg which made it possible to share screen/content during a call (from my end after initiating the call, but the other end cannot share content/screen or it doesn't come through). However, I am unable to receive incoming calls which is likely just an error in the config I'm hoping...

 

Would you be willing to share your config so I can compare to mine?

 

Thanks,

Chuck

 


firewall72 wrote:

Hi All,

 

I came across another issue related to a Lifesize Gatekeeper.  Basically, we were unable to see the return video even after disabling the h323 alg.  Opened a ticket with JTAC and will keep everyone posted.  If anyone has something to add, let me know.


Thanks.

 

John


 

Super Contributor
Posts: 353
Registered: ‎04-30-2010
0 Kudos

Re: H323 ALG breaks Videoconferencing.. in 10r2

How's the H.323 ALG behaving in JunOS 10.2r3, for those that had issues? I am curious. And don't have a LifeSize system to test with.

Visitor
Posts: 8
Registered: ‎08-31-2009
0 Kudos

Re: H323 ALG breaks Videoconferencing.. in 10r2

Junos 10.0R4.7

 

In this release, for a wan-link with no NAT and any/any/any rules,

you need to disable H323 for LifeSize,

and enable SIP for IP-phones.

 

Just FYI.

New User
Posts: 1
Registered: ‎04-15-2011
0 Kudos

Re: H323 ALG breaks Videoconferencing.. in 10r2

We have Polycom here trying to connect to multiple endpoints in multiple networks through SRXs at the edge and have the same problem. We are running 10.2R3 on all of the SRXs. The only way we've made it limp along is to disable h.323 but that doesn't completely solve the problem. We still drop calls, content and sometimes can't even connect. We've done call tracerouting and proved that many of our issues are related to one way traffic.

 

What is the word from Juniper on this? This has been a known issue for a while and needs to be fixed ASAP. I'd even settle for a workaround that isn't "disable h.323 inspection" because that doesn't really work either. Many people have complained here and with just about every major VC system so this really rests on Juniper to address. Can we get some useful info please?

 

Lumber

Era
Contributor
Posts: 63
Registered: ‎04-06-2009
0 Kudos

Re: H323 ALG breaks Videoconferencing.. in 10r2

I have ALG problems on an SRX cluster based on 10.4 r3. Is it a chance to jump to 10.4 r5.6?
Era
Trusted Contributor
Posts: 330
Registered: ‎01-08-2010
0 Kudos

Re: H323 ALG breaks Videoconferencing.. in 10r2

Nearly all the big H323 implementations implement extensions that do not work with ALGs.

 

Almost all Tandberg documentation states to NOT use ANY kind of Application gateway with their products.

 

Also for future note:

 

- Many of the ALGs block by default and require you to configure them in some way to be used. Disable any you have not read the documentation for.

- Read the release notes when upgrading between releases... every .x release contains new features... NEW ALGs are always a possibility and firewalls block by default.
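
Added example (not part of the thread and not Juniper code): one way to catch the failure mode described above, an ALG that appears enabled after an upgrade, is to compare saved `show security alg status` output from before and after. The sample text is constructed, and the "NAME : Enabled|Disabled" layout and the `reviewed` set are assumptions.

```python
import re

# Constructed samples, not captured from a device. Assumed layout: one
# "NAME : Enabled|Disabled" line per ALG, as `show security alg status` prints.
BEFORE_UPGRADE = """\
ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  SIP      : Enabled
  TFTP     : Enabled
"""
AFTER_UPGRADE = """\
ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  H323     : Enabled
  SIP      : Enabled
  TFTP     : Enabled
"""

ALG_LINE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*:\s*(Enabled|Disabled)\s*$", re.I)


def parse_alg_status(text):
    """Map ALG name -> True if enabled; header and unrelated lines are skipped."""
    status = {}
    for line in text.splitlines():
        m = ALG_LINE.match(line)
        if m:
            status[m.group(1).upper()] = m.group(2).lower() == "enabled"
    return status


def review_upgrade(before, after, reviewed):
    """List (alg, reason) for every ALG that is enabled after the upgrade and
    is new, was previously disabled, or is not in the reviewed set."""
    old, new = parse_alg_status(before), parse_alg_status(after)
    findings = []
    for name in sorted(n for n, enabled in new.items() if enabled):
        if name not in old:
            findings.append((name, "new in this release and enabled"))
        elif not old[name]:
            findings.append((name, "was disabled before the upgrade"))
        elif name not in reviewed:
            findings.append((name, "enabled but documentation not reviewed"))
    return findings


if __name__ == "__main__":
    for alg, reason in review_upgrade(BEFORE_UPGRADE, AFTER_UPGRADE, {"DNS", "FTP", "SIP"}):
        print(f"{alg}: {reason}")
```

Each flagged ALG is then either reviewed against its documentation or turned off, as the thread did with `set security alg h323 disable`.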