H.323 IOS Configuration And Packet Analysis

Published by Keyboard Banger on


Let’s examine the packets between two H.323 nodes. The network setting is as follows:

x5002 — Mongi Shop router — PSTN router — x4001 and x4002.

Dial peer configuration

h323--2016-03-06 19_10_41

h323--2016-03-06 19_10_35

The signaling protocol for these dial peers is left to the default value, which is H.323. Actually, when you do a “show dial-peer voice 4000” for example, you’ll see “cisco” as the protocol:

h323--2016-03-06 19_15_22

It’s not a new protocol. This is just the Cisco version of H.323.

In the rest of the article, user at x5002 calls user at x4001.

H.323 Fast Connect: Call Setup And Teardown

In the H.323 Fast Connect mode, the media channel capabilities are negotiated in the same TCP session as the H.225 call establishment. So we have only one TCP session, over which there will be a Call Setup message and Open Logical Channel exchange messages.

First, the originating gateway sends a TCP Open request on port 1720, which is the H.323 default port on which a gateway listens for incoming H323 Call Setup messages. If the TCP Three-way handshake is made successfully, we can proceed to H.225 operations.

h323-2016-02-28 16_33_47

We use the filter h225 to see H225 messages in Wireshark. The originating gateway sends a H225 Call Setup message that contains also a Open Logical Channel OLC packet. The terminating gateway replies with Call Proceeding that also contains an Open Logical Channel packet. This demonstrates that H.323 is operating in Fast Connect mode. This is the default operation mode for H.323 on Cisco voice gateways.

h323-2016-02-28 16_20_59

The terminating gateway replies with the Call Alerting message, which is translated into a ringback tone.

Once the called party phone is off hook, the terminating gateway sends a Connect message. At this point, RTP packets are exchanged.

h323-2016-02-28 16_40_06

The user at x4002 ended the commmunication fist. So the terminating gateway is the one who sends the releaseComplete message first.

h323-2016-02-28 16_42_19

The originating gateway replies with a releaseComplete message:

h323-2016-02-28 16_43_55

To examine H.323 statistics on a voice gateway: show h323 gateway. Initially the counters were null on both voice gateways. Then, we made the call and here is how the counters went:

On the originating gateway:

h323-2016-02-28 16_46_31

H.323 counters on the Originating gateway

On the terminating gateway:

h323-2016-02-28 16_46_39

H.323 counters on the Terminating gateway

H.323 Slow Start: Call Setup and Teardown

I’m going to change the H.323 operating mode on one voice gateway to slow start, and leave the default on the other gateway:

h323-2016-02-28 16_57_53

One TCP session is negotiated first. This is for the H.225 session:

h323-2016-02-28 16_58_56

After sending Call Setup and Call Proceeding messages, a second TCP session is negotiated; this is the transport channel for the H.245 Terminal Capabilities negotiation.

h323-2016-02-28 17_00_35

Then comes the H.245 signaling where we have :

  • Terminal Capabilities packet exchange
  • Master/Slave determination
  • Open Logical Channel

h323-2016-02-28 17_04_18

Once H.245 signaling is agreed, both gateways are ready for the Connect message. Once the called party phone is hooked off, RTP streams are exchanged.

h323-2016-02-28 17_06_29

Like in H.323 Fast Connect, when a phone is hooked on, its attached gateway sends a releaseComplete. This triggers a TCP FIN message to the other party, to signal the end of the TCP session (remember the second TCP session established for H.245 signaling).

h323-2016-02-28 17_09_49

And the other gateway follows with a releaseComplete too, and a TCP FIN segment to end the H.245 TCP session

h323-2016-02-28 17_14_51

 H.323 Source Interface

The command that sets a source interface for H.323 traffic is “h323-gateway voip bind srcaddr …”. However, unlike what it is said in the Cisco CIPT1 Foundation Learning Guide, this command does not set all H.323 traffic to be sourced from the specified interface. And I tried that in Wireshark.

On my PSTN router, I set the H323 interface to the loopback interface:

h323-2016-02-28 20_35_54

I then make a call from an attached phone (x4001) to the other phone extension x5002.

What I notice is: when a call is initiated from the attached phone, the source IP address of H.225 signaling and H.245 signaling is the egress interface and NOT the loopback interface. The loopback interface is only used for RTP traffic:

h323-2016-02-28 20_32_33

Although the “h323-gateway voip bind srcaddr” command is set under the loopback interface, the H.323 traffic goes on and off the WAN interface. The loopback address is only used for RTP.

However, when the call is initiated from the other gateway (the one not with the H323 interface binding command),  the loopback interface is indeed used for both signaling and media streams.

Notice below that Call Setup, CallProceeding, Alerting, Notify and Connect use the WAN IP addresses and not the H323 bound interface. I still don’t know why but I may need to figure it out.

h323-2016-02-28 20_41_25




Categories: CCNP Collaboration

Keyboard Banger

Keyboard Banger is a network engineer from Africa. He has been working in network support and administration since 2008. He started writing study notes about certification exams and technology topics a couple of years ago. When he's not writing articles, he can be found wandering on technical forums.


Leave a Reply

Your email address will not be published. Required fields are marked *