ScreenOS Firewalls (NOT SRX)
Reply
Contributor
Clayton
Posts: 26
Registered: ‎01-06-2009
0

H.323 calls exceeding maximum limit: 16 (SSG5)

We're receiving this in our SSG5 Log: "H.323 calls exceeding maximum limit: 16"

 

Using "get session service h.323" returns only 23 sessions.

 

I understand base licence on SSG5 is 64 for for H.323 w/96 available with upgrade key, so i don't think we are exceeding the units abillity even with the base.

 

This is the versions in use: Harware 710(0) Firmware 6.1.0r4

 

What i can't figure out is why we're getting this entry in the log. "H.323 calls exceeding maximum limit: 16" and what does the 16 indicate ?

 

There are a mix of 23 Avaya 46xx and 16xx phones at this site connecting back to an Avaya 8500 media Server via a route based tunnel to an SSG140 at the home office.

 

I had the H.323 ALG turned on but we are going to try it again turned off tonight. All other traffic is fine but the phones either won't register or do sometimes. If the the call volume is more then a few calls, calls don't go through. Singe calls work fine.

 

Any Ideas ?

 

 

Trusted Expert Trusted Expert
Trusted Expert
WL
Posts: 790
Registered: ‎07-26-2008

Re: H.323 calls exceeding maximum limit: 16 (SSG5)

Hi

 

Actually by default the FWs configuration is the default call limit is 16 for a FW with the Base licence. This can be increased to 64 but we need a CLI cmd:

set envar max_h323_call_num=64

 

After this do a "save" but you will need a reboot in order for this to take effect.

 

The default and max limitations for this can usually be checked via:

 

ssg5-isdn-wlan-> get sys-cfg | i h323
default h323 call num number: 32
max h323 call num number: 96

 

The above is an illustration of a FW with the extended licence. Once the CLI setting has been configured, the max number of calls will be increased to what the max number handle.

 

Also, please note that h323 calls are all ALG intensive applications, increasing the number of calls the FW can handle may reduce the amount of resources available for other ALGs (eg if you are running more than 1 VOIP application or you are also running and using MSRPC ALG etc)

 

Hope this will help.

****pls click the button " Accept as Solution" if my post helped to solve your problem****
Contributor
Clayton
Posts: 26
Registered: ‎01-06-2009
0

Re: H.323 calls exceeding maximum limit: 16 (SSG5)

It was set that way, i checked it first as you sugested, we're actually trying it now, great timing. I entered the command anyway "just cuz". and this showed up in the log: Environment variable max_h323_call_num set to 64. so i think it's right.

 

Our phones are trying to register with the ayava server as I type this... we'll see what happens thanks ! 

Contributor
Clayton
Posts: 26
Registered: ‎01-06-2009
0

Re: H.323 calls exceeding maximum limit: 16 (SSG5)

We did disable the h.323 ALG our traffic is going over a tunnel so we figured no need. not sure if it's fixed but 26 323 sessions are up and we're making calls, no errors in the log so far. I will keep all posted.
Trusted Expert Trusted Expert
Trusted Expert
WL
Posts: 790
Registered: ‎07-26-2008
0

Re: H.323 calls exceeding maximum limit: 16 (SSG5)

You will need to reboot for the envar to take effect though? If ALG is disabled then the envar has no effect basically.. If you are using VPN, with the appropriate policies, I dont think that you will really need ALG as there is no natting involved

****pls click the button " Accept as Solution" if my post helped to solve your problem****
Contributor
Clayton
Posts: 26
Registered: ‎01-06-2009
0

Re: H.323 calls exceeding maximum limit: 16 (SSG5)

It said it was at 64 max, before I enetered the command you mensioned. I rebooted anyway.

 

Here is where we are at an d this is confirmed. With ALG H.323 on. the phones do not work, with it off on the ssg5 at the remote location all regular IP phones work but the phones that are members of a call center do not work unless we turn h323 ALG off on our SSG140 at the main office where the Avaya 8300 is.

 

ps. can the max calls be increased on the SSG140 above 128 with licencing?

Contributor
Clayton
Posts: 26
Registered: ‎01-06-2009
0

Re: H.323 calls exceeding maximum limit: 16 (SSG5)

To clarify we are using tunnels, route based but if ALG is on no worky... ?
Contributor
Clayton
Posts: 26
Registered: ‎01-06-2009
0

Re: H.323 calls exceeding maximum limit: 16 (SSG5)

Update:

 

We have been running fine with no problems at all since my last post last night. The morning calls have started coming in on the regular as well as the call center phones.

 

Still no problems as long as the H.323 ALG is turned off on SSG5 at the remote sight to get the regular Avaya 46xx phones working. To get the 1600 Avaya phones on the call centers working we needed to turn off the H.323 ALG on the SSG140 at the main office where the Avaya 8500 is located.

 

We have confirmed that turning H.323 ALG back on will instantly duplicate the problems encountered.

 

Note that we are not comining in on a NAT, all our traffic at this time traverses a route based tunnel between the SSG140 and the SSG5.

 

We have several other sights being converted from frame relay and I will update this thread if we find anything changes.

 

It seems this is definatley a problem with the Junipers implementation of there H.323 ALG and it's handling of Avaya's traffic.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.