Firewall troubleshooting
This topic provides firewall troubleshooting tips and guidance. It includes a summary of the recommended configuration, along with information regarding the following issues:
- General — check firewall ports configuration
- Content sharing unreliable with firewall default UDP session timeout value
- Poly/Polycom endpoints cannot receive presentation due to keep-alive issues
- Unreliable Content Sharing on an unregistered H.323 endpoint
General — check firewall ports configuration
Check that you have configured your firewall rules as shown here.
Content sharing unreliable with firewall default UDP session timeout value
It has been observed in several Enterprise network environments that purpose-built video endpoint systems from Cisco Systems and Poly registered to the Pexip Service may experience unreliable content sharing behavior. This behavior may include an inability to receive or initiate content share soon after the video call is connected, either to a video bridge or in a point-to-point call. In many cases the content share capability is initially found to behave as expected, but then changes to the unreliable state within a short period of time. A list of compatible Cisco Systems and Poly endpoint models which can be registered to the Pexip Service can be found here.
The common element in these Enterprise network environments may be the presence of a Palo Alto Networks Firewall. After working alongside Palo Alto Networks Technical Support, the problem was traced to a requirement to increase the value of the UDP session timeout setting on the Palo Alto Networks Firewall. Video endpoints registered to the Pexip Service use SIP (Session Initiation Protocol) as the signaling protocol, and the content share channel is negotiated via SIP BFCP (Binary Floor Control Protocol), which is UDP-based. It was observed that the two-way BFCP communications between the video endpoint and the Pexip Service were being closed prematurely when the default UDP session timer of 30 seconds is used.
Pexip's recommendations when Palo Alto Networks or SonicWall firewalls are present are:
- Ensure that the firewall can accommodate all the traffic types and port ranges to/from the IP address spaces shown here.
- Increase the UDP session timeout from the default 30 second value to 600 seconds for UDP port range 10000-65535.
- Disable the "Application Filtering" setting on the Firewall, which may be called SIP-ALG.
For firewalls from other vendors we recommend that you:
- Increase the UDP session timeout to 180 seconds for UDP port range 10000-65535.
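As an added diagnostic example (not part of the Pexip article), the script below takes per-packet flow records and reports which UDP flows in the 10000-65535 range contain an idle gap long enough for a firewall to expire the session, comparing the 30 second default against the 180 and 600 second values recommended above. The addresses, ports and timings in the sample are constructed; a real check would feed it timestamps from a packet capture or the firewall's session log.

```python
# Added example, not from the Pexip article: find UDP media/control flows
# whose inter-packet silence meets or exceeds a firewall UDP session timeout.
from collections import defaultdict

MEDIA_PORTS = range(10000, 65536)   # UDP port range named in the article

def max_idle_gap(timestamps):
    """Largest silence (seconds) between consecutive packets of one flow."""
    ts = sorted(timestamps)
    return max((b - a for a, b in zip(ts, ts[1:])), default=0.0)

def flows_at_risk(packets, udp_timeout):
    """packets: iterable of (time_s, src, sport, dst, dport, proto).
    Returns {flow_key: max_idle_gap} for UDP flows to the media port range
    whose idle gap reaches udp_timeout, i.e. the firewall would expire the
    session and later packets of that flow would be dropped."""
    by_flow = defaultdict(list)
    for t, src, sport, dst, dport, proto in packets:
        if proto != "udp" or dport not in MEDIA_PORTS:
            continue
        by_flow[(src, sport, dst, dport)].append(t)
    return {k: g for k, v in by_flow.items()
            if (g := max_idle_gap(v)) >= udp_timeout}

# Constructed sample (hypothetical addresses): a sparse, bursty BFCP control
# channel next to a continuous RTP audio stream on the same endpoint.
SAMPLE = [
    (0.0,  "10.1.2.3", 40100, "203.0.113.10", 12000, "udp"),  # BFCP setup
    (2.0,  "10.1.2.3", 40100, "203.0.113.10", 12000, "udp"),
    (47.0, "10.1.2.3", 40100, "203.0.113.10", 12000, "udp"),  # after 45 s idle
    (48.5, "10.1.2.3", 40100, "203.0.113.10", 12000, "udp"),
] + [(i * 0.02, "10.1.2.3", 40102, "203.0.113.10", 12002, "udp")
     for i in range(2500)]                                    # RTP every 20 ms

if __name__ == "__main__":
    for timeout in (30, 180, 600):
        risky = flows_at_risk(SAMPLE, timeout)
        print(f"timeout={timeout:>3}s  flows at risk: {len(risky)}  {risky}")
```

With the sample data only the BFCP flow is flagged, and only at the 30 second default; the continuous RTP stream never idles long enough to matter.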
Poly/Polycom endpoints cannot receive presentation due to keep-alive issues
Poly/Polycom endpoints sometimes cannot receive presentation content if another participant in the call presents first, due to SIP keep-alive issues.
For more information see Poly/Polycom endpoints are unable to receive presentation.
Unreliable Content Sharing on an unregistered H.323 endpoint
Unreliable content sharing behavior has been observed in some enterprise network environments on purpose-built video endpoint systems, using the H.323 signaling protocol, that are not registered to any gatekeeper.
This behavior may include an inability to receive or initiate content share soon after the video call is connected, either to a VMR or in a point-to-point call.
Symptoms: the affected endpoint never receives content, even after it starts and stops its own content stream (a technique intended to open a firewall pinhole, specifically NAT hole punching).
Solution: change the Palo Alto firewall rules and the endpoint configuration as follows:
- On the Palo Alto Firewall: add a rule allowing H.323, H.225, and H.245 traffic, and the UDP ports 10000-65535 (outbound direction for the established connections).
- On the video endpoints: disable the media static ports.