The video phone call didn't work after the Eudemon1000E-X6 was deployed

Publication Date:  2013-07-31
Issue Description
Previously, the customer used iptables as the firewall deployed in the headquarters and in the branch. They then replaced the headquarters iptables with a Huawei Eudemon1000E-X6 firewall. Other features worked well, but there was a problem when making a video phone call.
The topology is as follows.

During the video phone call, the customer in the branch could see the video picture and hear the sound from the headquarters, but the customer in the headquarters could neither see any video picture nor hear any voice from the branch.
Alarm Information
None
Handling Process
1. Check the packet filter policy between the trust zone and the untrust zone; only an outbound-direction policy exists:
policy interzone trust untrust outbound
 policy 11
  action permit
  policy session traffic statistic enable
  policy source address-set serv_videoconf

Here the IP address of the video phone in the headquarters is a member of the address set serv_videoconf. From the configuration we can see that there is no packet filter policy in the inbound direction between the trust zone and the untrust zone.
2. Check the NAT policy between the trust zone and the untrust zone; again, only an outbound-direction policy exists:
nat-policy interzone trust untrust outbound
 policy 17
  action source-nat
  policy source address-set serv_videoconf
  address-group ip4

3. Display the firewall session table:
Current Total Sessions : 5
  udp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:02:00  Left: 00:01:56
  Interface: GigabitEthernet0/0/3  NextHop: 200.1.xxx.xxx  MAC: 00-xx-e6-4d-9e-40
  <--packets:0 bytes:0   -->packets:12 bytes:720
  192.168.1.30:55532[200.1.xxx.xxx:2048]-->186.92.xxx.xxx:2356

  udp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:02:00  Left: 00:01:59
  Interface: GigabitEthernet0/0/3  NextHop: 200.1.xxx.xxx  MAC: 00-xx-e6-4d-9e-40
  <--packets:0 bytes:0   -->packets:217 bytes:43400
  192.168.1.30:55546[200.1.xxx.xxx:2048]-->186.92.xxx.xxx:2350

  udp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:02:00  Left: 00:01:59
  Interface: GigabitEthernet0/0/3  NextHop: 200.1.xxx.xxx  MAC: 00-xx-e6-4d-9e-40
  <--packets:0 bytes:0   -->packets:438 bytes:422695
  192.168.1.30:55540[200.1.xxx.xxx:2048]-->186.92.xxx.xxx:2352

We can see that there are no packets in the untrust -> trust direction: every session shows traffic leaving (-->) but the return counter (<--) is zero.
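Spotting this pattern by eye is easy with three sessions and tedious with hundreds. The following Python script is an added example (not part of the original case note and not a Huawei tool): it parses session table output of the form shown above and flags one-way sessions, those whose <-- packet counter is zero while the --> counter is non-zero. The embedded sample output is constructed from the table above with the masked addresses replaced by RFC 5737 documentation addresses, plus one bidirectional TCP session on port 1720 added for contrast; it goes slightly beyond the case by also naming the zone pair whose return path needs checking.

```python
"""Flag one-way sessions in Huawei Eudemon/USG 'display firewall session table'
output.  Added example for this case note, not Huawei code.  The sample below is
constructed: it mirrors the case's session table with documentation addresses
(RFC 5737) standing in for the masked ones, plus one two-way TCP session."""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_SESSION_TABLE = """\
Current Total Sessions : 3
  udp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:02:00  Left: 00:01:56
  Interface: GigabitEthernet0/0/3  NextHop: 203.0.113.1  MAC: 00-00-e6-4d-9e-40
  <--packets:0 bytes:0   -->packets:12 bytes:720
  192.168.1.30:55532[203.0.113.2:2048]-->198.51.100.10:2356

  udp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:02:00  Left: 00:01:59
  Interface: GigabitEthernet0/0/3  NextHop: 203.0.113.1  MAC: 00-00-e6-4d-9e-40
  <--packets:0 bytes:0   -->packets:217 bytes:43400
  192.168.1.30:55546[203.0.113.2:2048]-->198.51.100.10:2350

  tcp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:20:00  Left: 00:19:40
  Interface: GigabitEthernet0/0/3  NextHop: 203.0.113.1  MAC: 00-00-e6-4d-9e-40
  <--packets:40 bytes:3200   -->packets:38 bytes:2900
  192.168.1.30:51000[203.0.113.2:2049]-->198.51.100.10:1720
"""

ZONE_RE = re.compile(r"Zone:\s*(\w+)\s*-->\s*(\w+)")
COUNTERS_RE = re.compile(r"<--packets:(\d+)\s+bytes:(\d+)\s+-->packets:(\d+)\s+bytes:(\d+)")
# "src:port[nat-src:port]-->dst:port"; the NAT part is absent when no source NAT applies.
FLOW_RE = re.compile(r"^\s*([\d.]+:\d+)(?:\[([\d.]+:\d+)\])?-->([\d.]+:\d+)\s*$", re.M)


@dataclass
class Session:
    proto: str
    src_zone: str
    dst_zone: str
    src: str                 # original source ip:port
    nat_src: Optional[str]   # translated source after source NAT, if any
    dst: str
    fwd_packets: int         # packets in the initiating direction (-->)
    rev_packets: int         # packets in the reply direction (<--)

    @property
    def one_way(self) -> bool:
        # Traffic left but nothing came back: either the peer is silent or the
        # reply is dropped on the way in (no inbound policy, no ASPF pinhole).
        return self.fwd_packets > 0 and self.rev_packets == 0


def parse_session_table(text: str) -> List[Session]:
    """Split the output into per-session records and extract the fields we need."""
    body = re.sub(r"^\s*Current Total Sessions.*\n", "", text)
    sessions: List[Session] = []
    for block in re.split(r"\n\s*\n", body.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        proto = lines[0].split()[0]           # first token of the first line: udp/tcp/...
        zm, cm, fm = ZONE_RE.search(block), COUNTERS_RE.search(block), FLOW_RE.search(block)
        if not (zm and cm and fm):
            continue                          # not a session record in the expected layout
        sessions.append(Session(
            proto=proto, src_zone=zm.group(1), dst_zone=zm.group(2),
            src=fm.group(1), nat_src=fm.group(2), dst=fm.group(3),
            fwd_packets=int(cm.group(3)), rev_packets=int(cm.group(1)),
        ))
    return sessions


def one_way_sessions(text: str) -> List[Session]:
    return [s for s in parse_session_table(text) if s.one_way]


def report(sessions: List[Session]) -> List[str]:
    """One finding per one-way session, naming the return-direction zone pair to inspect."""
    return [
        f"ONE-WAY {s.proto} {s.src} -> {s.dst}: {s.fwd_packets} pkts out, 0 back; "
        f"check {s.dst_zone}->{s.src_zone} policy/NAT and ASPF for {s.src_zone}/{s.dst_zone}"
        for s in sessions if s.one_way
    ]


if __name__ == "__main__":
    for line in report(parse_session_table(SAMPLE_SESSION_TABLE)):
        print(line)
```

Run against a saved copy of the real output, the script reports the two UDP media sessions and stays silent on the TCP session, which is exactly the split the case describes: signalling (or whatever the outbound policy permits) gets through, the dynamically negotiated media ports do not.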
4. Check the ASPF configuration; the following is shown:
firewall interzone trust untrust
detect ftp

The video phone call is set up with H.323, and H.323 is a multi-channel protocol: the call-signalling channel negotiates the UDP ports of the media channels dynamically, so a static policy cannot anticipate them. It is therefore necessary to configure detect h323 between the trust zone and the untrust zone, so that ASPF inspects the signalling and opens the negotiated media channels in the return direction:
firewall interzone trust untrust
detect ftp
detect h323

After that, the video phone call worked all right.
Root Cause
1. The packet filter policy denies the video phone traffic in the inbound direction.
2. There is no corresponding NAT policy.
3. There is no ASPF configuration, that is, no "detect h323".
Suggestions
1. When replacing iptables with a Huawei firewall, some configuration that the service needs has no counterpart in the original iptables configuration; therefore we need to analyze the service and add the additional configuration required to make sure the service works correctly.
2. When a multi-channel protocol service passes through the Eudemon firewall, the corresponding ASPF command must be configured.

END