Polycom videoconf and Fortigate issue

Another day, another problem to solve in a network engineer's day.

So today we have a customer with a FortiGate running 6.2.2 and a videoconferencing app (Polycom RealPresence Desktop) installed on a plain PC. This PC is reachable from the Internet through a VIP, and an IPv4 policy does SNAT for its outbound traffic.
Not sure why, but you have to create an inbound IPv4 policy to allow traffic to reach the VIP.

Inbound IPv4 rule from Outside to DMZ zone
IPv4 rule from DMZ to Outside

Issue:
When making a video call, call signaling works but inbound RTP is blocked somewhere, so the inbound packet counter is not increasing.

Troubleshooting:
– Wireshark on the end PC shows that there are no inbound RTP packets
– Running diag debug flow:

id=20085 trace_id=19766 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-6ac1d22e, reply direction"
id=20085 trace_id=19766 func=__ip_session_run_tuple line=3255 msg="DNAT 213.16.Z.Z:9379->10.1.X.X:3246"
id=20085 trace_id=19766 func=__ip_session_run_tuple line=3292 msg="run helper-h245(dir=reply)"
id=20085 trace_id=19767 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=6, 216.230.X.X:52501->213.16.Z.Z:9379) from wan2. flag [.], seq 30550497, ack 733914851, win 350"

The session was already created before, but these packets mention an H.245 helper. After some research, I found a lot of forum posts about these "enhancements".
Anyway, after disabling it, the videoconference was working.

Default configuration:
config system session-helper
    edit 1
        set name pptp
        set port 1723
        set protocol 6
    next
    edit 2
        set name h323
        set port 1720
        set protocol 6
    next
    edit 3
        set name ras
        set port 1719
        set protocol 17
    next

How to remove (the "end" commits the change):
config system session-helper
delete 2
end
Trace after disabling the session helper:
id=20085 trace_id=19786 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-6ac2fc62, reply direction"
id=20085 trace_id=19786 func=__ip_session_run_tuple line=3255 msg="DNAT 213.16.Z.Z:63663->10.1.60.5:3247"
id=20085 trace_id=19787 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=6, 216.230.X.X:1720->213.16.Z.Z:63663) from wan2. flag [.], seq 276066792, ack 2820814858, win 216"

Source : https://kb.fortinet.com/kb/documentLink.do?externalID=FD45735

Author: Kévin SAS

I am Kévin SAS and live in France. I am an engineer in network and security. I worked for a lot of customers in these domains: Wireless, LAN, Datacenter, VoIP with several brands like Cisco, HPE, Aruba, Palo Alto amongst others. Previously working for a service provider. I currently work for an integrator, which gives me lots of opportunities to learn. This blog stores some technical notes I wanted to share.
