Hello Alexey. Thanks for your reply. Actually it was all working perfectly before changing version and the idea of changing the advanced settings in H323 to none was something we tried because it has helped in the past to solve VoIP issues, although it did not this time. About trying with Endpoint Connect, the deal here is the customer specifically acquired SNX licenses because they have hundreds of users in the field requiring remote access to services, and installing a VPN software client on each laptop had become a nightmare. Suggesting to go back to such scenario won't be acceptable for them.
Any further suggestions will be very appreciated.

Regards

On Wed, Jul 20, 2011 at 2:38 AM, Alexey Baltacov <[email protected]> wrote:

> Hello Sergio,
> I never seen such problem but...
> As I know in latest CP versions the worst thing can be done in order
> to stop voice traffic is changing advanced proto settings to "none".
> Usually things can help is configuring voice "by the book", with my
> experience with SIP - it working in 85% of cases.
> I mean configuring voice domain and etc...
> One more thing you can try for test - install Endpoint Connect R75.10
> and test with it. Generally it is using the same 443 in order to
> connect, just different client and more options for configuration.
> Alexey
>
> On Wed, Jul 20, 2011 at 2:04 AM, Sergio Alvarez <[email protected]> wrote:
> > Hello.
> >
> > This customer of ours has an active/standby SPLAT cluster with SNX enabled
> > (bear in mind there is no Connectra involved here), everything worked
> > perfectly until a migration from R70.20 to R75 was done and since then, SNX
> > users getting connected to the cluster can access all services they used to
> > with the exception of a VoIP service (H323), they can even ping to the
> > server related but the application just won't work. No config changes had
> > been done since it was working ok.
> >
> > Logs show a few drops of H323 traffic from an Office Mode IP, assigned to a
> > test user, the drops show no rule related and the info says: "dst scheme:
> > NA; dst methods: SSL; route status: Failed to enforce VPN policy (8)" I
> > looked for that message and found something similar related with an
> > encryption problem not related with this scenario.
> >
> > Did a zdebug to find out what was dropped and found a few extra messages
> > like the ones below:
> >
> > ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 X.X.X.X:34524 -> Y.Y.Y.Y:1720 dropped by vpn_drop_and_log Reason: Failed to enforce VPN policy (8);
> >
> > ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 Y.Y.Y.Y:1720 -> X.X.X.X:22944 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
> >
> > Where X.X.X.X is the Office Mode IP assigned to the user and Y.Y.Y.Y is the
> > IP of the VoIP server.
> >
> > We could not find anything about those either. A case is opened already with
> > CP support but no answers have been received and the situation is becoming
> > more critical as time goes by.
> >
> > It was already checked the rule allowing the traffic is specific on H323 on
> > the "service" section and also to change to "none" the advanced properties
> > of the H323 service object, but with no luck.
> >
> > Has anybody seen something like this before?
> >
> > Any help will be very appreciated.
> >
> > --
> > Sergio Alvarez
> > CISSP | CCSE+
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
>
> --
> Sincerely,
>
> Alexey Baltacov
> [email protected] | Tel: +972-504989954
>
> Scanned by Check Point Total Security Gateway.

--
Sergio Alvarez
CISSP | CCSE+
