This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chris_W23
Participant
‎2017-10-23 09:29 AM

VOIP over site to site VPN not working

Good day,

I am trying to implement VOIP over H323  at a branch office that is connected to my main office via a site to site VPN. The branch office is an 1100 series appliance (77.20.30) while the main office is an open server running Gaia 77.30.

The site to site VPN seems to work fine, but the VOIP phone is not connecting properly to the server in the main office and the phone cannot make or take calls. My tracker logs show H323_RAS_ONLY traffic being encrypted and decrypted between the gateways with no errors. I did read in the Checkpoint VOIP documentation that you cannot make calls with H323_RAS_ONLY, which seems to match the problem I am having.

The VPN is in simplified mode and has the "accept all encrypted traffic" option set. 

I am wondering how I can get the gateway to treat the H323 traffic as H323 or H323_RAS? I assume its because the H323_RAS_ONLY is used due to the "match any" option on that service, and the accept all traffic option treats everything as an ANY rule?

Is there a way around this? Do I have to take off the accept all encrypted traffic option and create individual rules in the rulebase?

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2017-10-23 01:56 PM

You should be able to uncheck the "Match Any" for H323_RAS_ONLY service.

0 Kudos
Chris_W23
Participant
‎2017-10-24 09:03 AM
In response to PhoneBoy

Hi Dameon,

I unchecked the "Match Any" as you suggested, and I am still having issues. The logs are showing it as H323_RAS now at least.

I noticed this morning when doing an "fw ctl zdebug drop" that H323 (TCP 1720) packets are being dropped outbound at the remote site, with the error "dropped by vpn_encrypt_chain reason: no reason"

Do you have any ideas why that could be? Its kind of a vague error message.

Thanks!

0 Kudos
PhoneBoy
Admin
Admin
‎2017-10-24 11:44 AM
In response to Chris_W23

This may require troubleshooting by the TAC...

Contact Support | Check Point Software 

0 Kudos
Hugo_vd_Kooij
MVP Gold
MVP Gold
‎2017-10-28 11:36 AM

Getting VOIP to work requires a good schematic of the VOIP traffic and the exact details about which version is in use. Wether or not Check Point can handle you H323 traffic correctly is version and implementation dependent.

VOIP is definitly a reason to make sure you  have the Latest HFA on the units. R77.20.30 is not the latest versions I think there are some VOIP related fixes in higher versions. I think we are about R77.20.61 at the moment. And I strongly recommand to use update everything before you proceed further troubleshooting.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events