SRX Services Gateway

H323 ALG breaks Videoconferencing.. in 10r2

‎01-25-2010 12:24 AM

Hi, had a nightmare upgrade from 9.5 to 10.0R2 on SRX650's..   The H323 Alg which is on by default breaks Video Conferencing.. It all worked fine in 9.5, but in 10, it's broken..

TAC suggested disabling the H323 Alg.. that fixed it, but then you have to ask what the point of having it there in the first place was.

14 REPLIES

Re: H323 ALG breaks Videoconferencing.. in 10r2

‎01-27-2010 06:01 AM

Were there any special rules that you had to apply to make h323  work after  turning off the ALG?  We are going to be doing h323 testing through our SRX running 10.0R2 today.

 

thanks!

Solution
Accepted by Automate (Trusted Expert)
‎08-26-2015 01:27 AM

Re: H323 ALG breaks Videoconferencing.. in 10r2

‎01-29-2010 02:01 AM

No, just disable it


Re: H323 ALG breaks Videoconferencing.. in 10r2

‎02-06-2010 09:53 PM

Hi,

 

I just ran into this issue as well with a client running "10.0R2.10".  I resolved the issue by disabling the alg (set security alg h323 disable).  Anyone have an ETA on the fix?

 

-John

John Judge
JNCIS-SEC, JNCIS-ENT,

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.

Re: H323 ALG breaks Videoconferencing.. in 10r2

‎02-06-2010 11:13 PM

Hi All,

 

I came across another issue related to a Lifesize Gatekeeper.  Basically, we were unable to see the return video even after disabling the h323 alg.  Opened a ticket with JTAC and will keep everyone posted.  If anyone has something to add, let me know.


Thanks.

 

John

John Judge
JNCIS-SEC, JNCIS-ENT,


Re: H323 ALG breaks Videoconferencing.. in 10r2

‎02-13-2010 12:15 AM

H.323 ALG is a new feature made available on the SRX650 platform beginning with 10.0. Some other SRX platforms supported H.323 earlier than 10.0, but for the SRX650 it was 10.0. That is probably why things were working fine before the upgrade. The problems seen by the ALG may be dependent on what H.323 application you are using. We generally support Avaya H.323 but may not support what you have, since there is an enormous amount of difference among H.323 vendors in terms of what H.323 features and protocols are used (H.323 is a very large suite of protocols and not one standard). Hence it may simply be that we are not yet supporting the H.323 application you have.

In any case, the fact that it was working for you without any ALG previously implies that you do not have any NAT or policy restrictions to prevent H.323 from working. Hence disabling the H.323 ALG is probably the right solution for you. But it would still be good to know what H.323 application you are using so that we can look into supporting that in the future if there is enough demand.

 

-Richard


Re: H323 ALG breaks Videoconferencing.. in 10r2

‎03-01-2010 10:05 AM

I had this same problem with SRX240 and 10.0R2.10. Our customer got a Tandberg video conferencing system and those devices couldn't register to call manager over the internet but could be managed and pinged. After disabling the h.323 alg they started to work. There's no NAT, two different Zones with an "application any" rule.


Re: H323 ALG breaks Videoconferencing.. in 10r2

‎04-18-2010 07:59 PM

mr_packethead wrote:

Hi, had a nightmare upgrade from 9.5 to 10.0R2 on SRX650's..   The H323 Alg which is on by default breaks Video Conferencing.. It all worked fine in 9.5, but in 10, it's broken..

TAC suggested disabling the H323 Alg.. that fixed it, but then you have to ask what the point of having it there in the first place was.


There are different H323 implementations in the market. We need to learn more about this application. Have you filed a PR for this case? It is better to have the packets captured from the customer side.


Re: H323 ALG breaks Videoconferencing.. in 10r2

‎08-10-2010 12:15 AM

Hi,

 

We had the same problem last week.

Random problems were occurring with the IP-phones.

Disabling the ALG h323 fixed the problem.

We use Ericsson Businessphone BP250 VoIp Phones through SRX 650 10.0R3

good luck ;-)

Kind regards,

Paul

-----
swissknife-IT'er

Re: H323 ALG breaks Videoconferencing.. in 10r2

‎10-11-2010 01:28 PM

I am currently implementing/configuring a Lifesize system.  I can make outgoing calls, and after finding this thread today I disabled the h323 alg which made it possible to share screen/content during a call (from my end after initiating the call, but the other end cannot share content/screen or it doesn't come through).  However, I am unable to receive incoming calls which is likely just an error in the config I'm hoping...

 

Would you be willing to share your config so I can compare to mine?

 

Thanks,

Chuck

 


firewall72 wrote:

Hi All,

 

I came across another issue related to a Lifesize Gatekeeper.  Basically, we were unable to see the return video even after disabling the h323 alg.  Opened a ticket with JTAC and will keep everyone posted.  If anyone has something to add, let me know.


Thanks.

 

John


 


Re: H323 ALG breaks Videoconferencing.. in 10r2

‎10-19-2010 04:55 PM

How's the H.323 ALG behaving in JunOS 10.2r3, for those that had issues? I am curious. And don't have a LifeSize system to test with.


Re: H323 ALG breaks Videoconferencing.. in 10r2

‎10-20-2010 02:26 AM

Junos 10.0R4.7

 

In this release, for a wan-link with no NAT and any/any/any rules,

you need to disable H323 for LifeSize,

and enable SIP for IP-phones.

 

Just FYI.


Re: H323 ALG breaks Videoconferencing.. in 10r2

‎04-15-2011 01:29 PM

We have Polycom here trying to connect to multiple endpoints in multiple networks through SRXs at the edge and have the same problem. We are running 10.2R3 on all of the SRXs. The only way we've made it limp along is to disable h.323 but that doesn't completely solve the problem. We still drop calls, content and sometimes can't even connect. We've done call tracerouting and proved that many of our issues are related to one way traffic.

 

What is the word from Juniper on this? This has been a known issue for a while and needs to be fixed ASAP. I'd even settle for a workaround that isn't "disable h.323 inspection" because that doesn't really work either. Many people have complained here and with just about every major VC system so this really rests on Juniper to address. Can we get some useful info please?

 

Lumber


Re: H323 ALG breaks Videoconferencing.. in 10r2

‎08-22-2011 12:53 PM
I have alg problems on srx cluster based on 10.4 r3. Is it a chance to jump to 10.4 r5.6?
Era

Re: H323 ALG breaks Videoconferencing.. in 10r2

‎08-23-2011 02:23 PM

Nearly all the big H323 implementations implement extensions that do not work with ALGs.

Almost all Tandberg documentation states to NOT use ANY kind of Application gateway with their products.

Also for future note:

- Many of the ALGs block by default and require you to configure them in some way to be used. Disable any you have not read the documentation for.

- Read the release notes when upgrading between releases... every .x release contains new features... NEW ALGs are always a possibility and firewalls block by default.
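
Added example, not part of the thread or any poster's code: a small Python check that compares ALG status snapshots taken before and after a Junos upgrade and lists ALGs that became enabled, which is the situation the thread describes for H.323 on 10.0. The snapshot text is constructed, and the `NAME : Enabled|Disabled` layout is an assumption about the output of `show security alg status`; the suggested command follows the `set security alg h323 disable` form quoted above.

```python
import re

# Constructed snapshots (not captured from a device). The layout is an
# assumed rendering of `show security alg status` output.
BEFORE_UPGRADE = """\
ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  SIP      : Enabled
"""
AFTER_UPGRADE = """\
ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  H323     : Enabled
  SIP      : Enabled
"""

# One ALG per line: a single-token name, a colon, then the state.
_LINE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*:\s*(Enabled|Disabled)\s*$", re.I)


def parse_alg_status(text):
    """Return {alg_name_lowercase: is_enabled} for every status line found."""
    status = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:  # header lines such as "ALG Status :" do not match
            status[m.group(1).lower()] = m.group(2).lower() == "enabled"
    return status


def newly_enabled(before, after):
    """ALGs enabled after the upgrade that were absent or disabled before."""
    return sorted(n for n, on in after.items() if on and not before.get(n, False))


def review(before_text, after_text, reviewed=()):
    """Return (alg, command) pairs for newly enabled ALGs nobody has reviewed.

    The command string mirrors the h323 form quoted in the thread; applying
    the same form to other ALG names is an assumption of this example.
    """
    before, after = parse_alg_status(before_text), parse_alg_status(after_text)
    skip = {r.lower() for r in reviewed}
    return [(n, f"set security alg {n} disable")
            for n in newly_enabled(before, after) if n not in skip]


if __name__ == "__main__":
    for alg, cmd in review(BEFORE_UPGRADE, AFTER_UPGRADE):
        print(f"{alg}: newly enabled after upgrade; review docs or apply: {cmd}")
```

Pass the ALGs whose documentation has already been read as `reviewed` so that only unexamined ones are reported.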