Screen OS

last person joined: 7 months ago 

This is a legacy community with limited Juniper monitoring.
  • 1.  SSG 520 Dropping VC call after an hour

    Posted 07-02-2012 05:34

    Hi Guys,

     

    We have two juniper firewalls, ssg520 and ssg140, at two of our offices. The ssg520 is on ScreenOS 6.1.0r5.0 while the ssg140 is on 6.2.0r4.0. Each time we make VC call, it times out precisely an hour and we have to re-establish the call again. I created custom services similar to H323 with timeout of 180 minutes and that didn't solve the problem. I also the "application to IGNORE" on the custom policy and that didn't help either.

     

    I had a go in disabling the ALG for H323 but didn't not have the chance to test the VC as all VOIP calls were dropped.

     

    Kindly help urgently as the business is on my tail 🙂

     

    Thanks.



  • 2.  RE: SSG 520 Dropping VC call after an hour

    Posted 07-03-2012 07:18

    See output of "get alg h323" ... In there there's a default timeout configured (incoming-table timeout).

     

    Use "set alg h323 incoming-table timeout <value>" to increase it. See if it helps.



  • 3.  RE: SSG 520 Dropping VC call after an hour

    Posted 07-04-2012 01:23

    Hi,

     

    Do you know if the call gets disconnected even when the traffic is flowing over the session?

    In that case it wont be a timeout but rather the session been torn down.

    Can you check if there is anything on the VOIP setup which can cause this.

    I have seen issues where VOIP is supposed to send keepalives or re-register with the server and if this fails the session is lost.

     

    Regards.

    Hardeep



  • 4.  RE: SSG 520 Dropping VC call after an hour

    Posted 07-12-2012 03:57
      |   view attached

    I disabled the alg for h323 and the vc still drops after an hour. Please see the attached document of out setup.

     

    Thanks

    Attachment(s)

    pdf
    VC Timeout.pdf   139 KB 1 version


  • 5.  RE: SSG 520 Dropping VC call after an hour

    Posted 07-15-2012 23:58

    Hi,

     

    Do you know if the call re-negotiates the data port after an hour?

    Try to look for services related to call that may timeout after an hour.

     

    Example:

    Registration messge

    Call data flow session (meaning that the session renegotiates a new set of UDP ports to exchange data)

     

    Regards.

    Hardeep



  • 6.  RE: SSG 520 Dropping VC call after an hour
    Best Answer

    Posted 07-17-2012 04:18

    Hi All,

     

    Thanks for all your efforts. The issue was with our carrier. Our carrier placed transparent firewalls on their core for the two sites concerned and the timeout setting for H323 was precisely an hour. This was changed and the problem has disappeared. Hurray! Smiley Very Happy