RelianceNet

Polycom cannot connect out of network

We just put in an HDX 8000 at one of our remote sites that is protected by a Fortigate 110C firewall.  

The Internal IP of the HDX is 192.168.100.180 which is on the default VLAN of our Procurve 5412zl.  We created a Virtual IP on the Fortigate that maps an available External IP to the HDX.

Currently all traffic (ANY -> ANY) from the Internal IP of the HDX is allowed
Outgoing rule has NAT box checked.
Currently all traffic (ANY -> ANY) from WAN -> Virtual IP is allowed

We also have a Riverbed Steelhead 1050 in place in an In-Path configuration.  It is a WAN optimizer.

We can connect calls across our VPN to our home site using Internal IPs of the Video Conferencing units but all outgoing calls seem to stop at the firewall.

Head scratcher, please help!

Thanks,
Brian

RelianceNet

ASKER

Here is the Polycom configuration:

[Screenshots: Picture-17.png, Picture-18.png, Picture-19.png, Picture-20.png]

Rules on firewall:

[Screenshots: Picture-22.png, Picture-23.png]

H.323 connection fails with this message:

Failed Attempt; "Your call could not be completed because the call was routed through an intermediate network that does not service the far site. Contact your network administrator for assistance.; Rolling Over."
Traceroutes run from the Polycom stop at the firewall
ASKER CERTIFIED SOLUTION
The--Captain
This solution is only available to members.
Do you have a gatekeeper? If not, set to Off. You set to Auto yet without specifying the GK address.

If you set the NAT Configuration --> Public WAN Address to: Auto, does it also show 66.208.21.63?

The Fortigate is not H.460 compliant, nor should the NAT Traversal have been enabled.

The trick is basically to use the fixed ports OR the NAT Traversal, not both.

Hi, I have a somewhat similar issue.

BO LAN  --> FortiGate 111c <---- VPN Tunnel ---> Fortigate 310B ---> HO LAN -> CS1000 (Gatekeeper)

I have a BCM 50 in BO LAN and Nortel CS1000 in HO LAN. The VPN is up and I can ping both sides. But when trying to call other end extensions, voice is not getting through; the BCM is registering with the gatekeeper successfully. I am not a voice guy but think this has something to do with the way the Fortigate handles the H.323 traffic... any help really appreciated.

Sincerely
SK
@principiamangement

I had a similar solution, although this is not my account. We recently attempted to move from a Juniper SSG that has a remote IPsec tunnel coming back to HQ. The firewall was replaced with a Fortigate 60C, and there is also an Avaya phone system behind it. Most sites are on a private network, although that's not an option at this location.

I was able to have a few phones register, although I was having some issues with all of the phones registering. When the users would pick up I just got dead air. There are no ALG options in this firewall but there is a command for session-helper which has some proxy type options for h323 and ras.

I tried removing the 2 services, but it didn't seem to help. I am still looking into a solution to this though. There is also a diag command: "diag sys h323 ...."

Hope this may lead you in a direction of some help.