Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  Problem with Video Conference using NAT over FW SSG520

    Posted 06-05-2013 09:40

    Hi all,

    I'm facing a problem with the Video Conference (VC) service. [ VC -- Switch Access -- Switch Core -- Firewall SSG520 --> Internet]

    In the Office zone, I connect the VC equipment to the switch (including the MCU and HXD of Polycom), and I separate the VC equipment into a dedicated VLAN. Then I make a static NAT (MIP) on the SSG520 firewall.

    When we call VC to the far site with a public IP, it's OK. But after 01 month we had the problem: the far site sees my site but my site cannot see the far site. I reset the firewall and it was OK again. But over time (01 week, 02 weeks), it happened again and I have to reset the firewall.

    I checked the system before resetting and could not find anything abnormal on the SSG520 (CPU, memory, sessions...).

    Do you have any suggestions to fix this?

    Thanks and best regards

    Khanh Dang



  • 2.  RE: Problem with Video Conference using NAT over FW SSG520

    Posted 06-05-2013 09:43

    I also tried connecting the core switch to a new Cisco 2911 router and made static NAT on that router; it was OK for a long time. So I guess the problem is NAT on the SSG520 firewall.

     

    Thanks



  • 3.  RE: Problem with Video Conference using NAT over FW SSG520
    Best Answer

    Posted 06-05-2013 10:46

    Hello,

    I hope you are doing great,

    Would you mind giving us the logs from your Polycom devices? In my experience, Polycom has some control messages that do not behave the way the RFC describes.

    Most of the time, problems like this are caused because the ALG is not able to allocate the correct ports or modify the information in the payload as required.

    Always keep in mind that you have a couple of ways to fix this.

    Please go to your Polycom device's web page; there, go to admin configuration, then to network, and then to network IP.

    At the bottom you will find a part that says Security server:

    Here you can fix the problem in a couple of different ways.

    You can use fixed ports for the RTP streams, which means that you can allow only those ports and create static translations (from my point of view this will be one of the best things you can do).

    Then you will have the option to enable firewall traversal H.460, but you first need to confirm whether the SSG supports this. To be honest I don't think it does, since I reviewed the ALG features and have not found anything about that; I would probably avoid using this one.

    Then you have the NAT configuration, where you will have deactivate-auto-manual; I'd rather use manual and put the public IP address that you have in there.

    Then there is the last option that says it's NAT compatible with H.323; I don't think you should mark this.

    As you know, H.323 is an umbrella protocol, so it is not required that the device support all the sub-features.

    My recommendation would be:

    1. Use static ports.

    2. Use manual NAT.

    3. Create static NAT translations (with other networking vendors I have seen that if you are matching the NAT based on ports it will not properly handle the ALG).

    Also, you can provide the logs from the Polycom device and I can try to tell you what happened.

    To retrieve this information you can follow this procedure:

    You can go to Diagnostics - System registry - Download Files, and download everything.

    I hope this information will be helpful, and if you need anything else please let me know.

     

    Regards,

     

    Luis Sandi
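
Added example, not part of the original thread or of any poster's reply: a small Python check for the failure described in the answer above, where the inside address stays embedded in the H.323 signaling payload because nothing (ALG or the endpoint's manual NAT setting) rewrote it, and where announced ports fall outside the fixed range the firewall permits. Assumptions: the addresses, the port range 3230-3235 and the payload bytes are constructed sample values, and the payload is simplified to the 4-byte IPv4 address followed by a 2-byte port that H.225/H.245 transport addresses carry.

```python
import ipaddress
import struct

INSIDE_IP = "10.10.20.5"     # constructed: endpoint address behind the MIP
PUBLIC_IP = "203.0.113.10"   # constructed: MIP public address
FIXED_PORTS = (3230, 3235)   # constructed: fixed range set on the endpoint

# Constructed payload: filler bytes around two embedded address+port pairs.
SAMPLE = (b"\x08\x91\x4a\x00"
          + ipaddress.IPv4Address(INSIDE_IP).packed + struct.pack("!H", 3230)
          + b"\x00\x11"
          + ipaddress.IPv4Address(INSIDE_IP).packed + struct.pack("!H", 49152)
          + b"\x01")

def find_embedded_addresses(payload: bytes, ip: str):
    """Return [(offset, port)] wherever ip appears as 4 raw bytes + 2-byte port."""
    needle = ipaddress.IPv4Address(ip).packed
    hits, start = [], 0
    while (i := payload.find(needle, start)) != -1:
        if i + 6 <= len(payload):
            (port,) = struct.unpack_from("!H", payload, i + 4)
            hits.append((i, port))
        start = i + 1
    return hits

def ports_outside_range(hits, low: int, high: int):
    """Announced ports that a policy permitting only low..high would drop."""
    return [port for _, port in hits if not low <= port <= high]

def rewrite_addresses(payload: bytes, inside_ip: str, public_ip: str) -> bytes:
    """The rewrite a 1:1 static NAT needs in the payload: swap the IP, keep the port."""
    out = bytearray(payload)
    public = ipaddress.IPv4Address(public_ip).packed
    for offset, _ in find_embedded_addresses(payload, inside_ip):
        out[offset:offset + 4] = public
    return bytes(out)

if __name__ == "__main__":
    hits = find_embedded_addresses(SAMPLE, INSIDE_IP)
    print("inside address still in payload at:", hits)
    print("ports outside fixed range:", ports_outside_range(hits, *FIXED_PORTS))
    fixed = rewrite_addresses(SAMPLE, INSIDE_IP, PUBLIC_IP)
    print("after rewrite:", find_embedded_addresses(fixed, INSIDE_IP))
```

Run against bytes exported from a capture taken on the outside of the firewall, any hit for the inside address means the far end is being told to send media to an address it cannot reach.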



  • 4.  RE: Problem with Video Conference using NAT over FW SSG520

    Posted 06-06-2013 08:32

    Hi Luis,

     

    Thanks for your recommendation. I'm going to check the Polycom log and may need your help. Also, the ALG on the SSG520 firewall doesn't have an option to enable firewall traversal H.460.

     

    Regards

    Khanh Dang



  • 5.  RE: Problem with Video Conference using NAT over FW SSG520

    Posted 06-17-2013 08:03

    Hello,

     

    I hope you are doing great,

     

    I would like to confirm if the information I provided you helped and if there is anything else I can do for you.

     

    Regards,

     

    Luis Sandi