Tuesday, August 3, 2010

Problems in MGCP registration through Checkpoint

We are setting up a new CUCM7 environment which will be shared by various divisions of the Company. As such the Server environment is in a DMZ. We are trying to place the Gateways inside the firewalls (on the same networks as the phones) and have created a rule to allow all traffic bi-directionally between the Gateways, our Publisher and 2 Subscribers. For some reason we cannot get the gateways to register via MGCP. We do not see any traffic being blocked in the firewall log, and have placed a sniffer on the segment of the gateway and servers. The Sniffer trace on the server side shows an MGCP request initiated by the gateway to each of the subscribers, as well as a response from the servers. On the Client side, we cannot see the response.

As a test we have placed a gateway in the same network as the servers, we can place a call from a phone registered to that gateway from inside our network, and can hear voice initiated from that phone, but cannot receive voice from the far end phone. It seems like there is a problem with UDP, but where?

We are using NGX R65. It turns out that even though I did not turn Smart Defense on, the Checkpoint was scanning the MGCP packets, and stopping them (without logging). We have turned on smart defense and turned off service scanning for all IPT traffic. We created custom objects for the MGCP (SIP, and SCCP) services and are no longer using the predefined objects. The CM environment is working beautifully.

The ports you'll want to make sure are open:

nicmatth-sip#sh ip nbar port | i mgcp
port-map mgcp udp 2427 2727
port-map mgcp tcp 2427 2428 2727

As well as UDP 16384 - 32767.

The MGCP registration ports will be one of the above. Check 'debug mgcp packet' for any 5xx messages to see if it's just failing without any correlation to the firewall.

Make sure that the top line of 'show ccm' matches what you have in CCM. Don't forget the domain name!

If you still have audio problems, use the 'mgcp bind media source interface x/x' and make sure that the IP phone subnet has reachability to that subnet.
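
The two-sided sniffer comparison from the problem description and the 5xx check above can be combined into one correlation by MGCP transaction ID. This is an added example, not code from the original sources: the capture lines are constructed, the names `index` and `correlate` are hypothetical, and it assumes the input holds only gateway-originated commands and their replies.

```python
import re

# First line of an MGCP command: verb, transaction id, endpoint, version.
CMD = re.compile(r"^([A-Za-z]{4})\s+(\d+)\s+\S+\s+MGCP\s+\S+")
# First line of an MGCP response: 3-digit code, transaction id.
RSP = re.compile(r"^(\d{3})\s+(\d+)")

# Constructed sample captures (first line of each MGCP message).
# Assumption: only gateway-originated commands and their replies are present.
SERVER_SIDE = [
    "RSIP 101 *@gw1.example.com MGCP 0.1", "200 101 OK",
    "RSIP 102 *@gw1.example.com MGCP 0.1", "200 102 OK",
    "NTFY 103 aaln/1@gw1.example.com MGCP 0.1", "510 103 Protocol error",
]
GATEWAY_SIDE = [
    "RSIP 101 *@gw1.example.com MGCP 0.1",
    "RSIP 102 *@gw1.example.com MGCP 0.1",
    "NTFY 103 aaln/1@gw1.example.com MGCP 0.1", "510 103 Protocol error",
    "RSIP 104 *@gw1.example.com MGCP 0.1",
]

def index(lines):
    """Return ({txid: verb}, {txid: code}) for one capture point."""
    cmds, rsps = {}, {}
    for line in lines:
        if m := CMD.match(line):
            cmds[int(m.group(2))] = m.group(1).upper()
        elif m := RSP.match(line):
            rsps[int(m.group(2))] = int(m.group(1))
    return cmds, rsps

def correlate(server_side, gateway_side):
    """Classify each command the gateway sent by where its transaction died."""
    s_cmds, s_rsps = index(server_side)
    g_cmds, g_rsps = index(gateway_side)
    report = {}
    for txid, verb in sorted(g_cmds.items()):
        if txid not in s_cmds:
            verdict = "command lost before server"
        elif txid not in s_rsps:
            verdict = "server did not answer"
        elif txid not in g_rsps:
            verdict = "response lost between server and gateway"
        elif 500 <= s_rsps[txid] <= 599:
            verdict = "5xx from server, not a path problem"
        else:
            verdict = "ok"
        report[txid] = (verb, verdict)
    return report
```

A verdict of "response lost between server and gateway" with nothing in the firewall log matches the silent drop described above; a 5xx verdict points at the gateway or CCM configuration instead.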

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that is relevant to the topic from different sources on the web. The sources might include any online discussion boards, forums, websites and others.

