Welcome to ISAserver.org


Gatekeeper: registration problems

Gatekeeper: registration problems - 5.Apr.2002 11:07:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi,

I have some weird problems when internal Netmeeting clients try to register at the H.323 Gatekeeper service on ISA.

When the Netmeeting client is a SecureNAT client the registration is working as expected. The RAS (Registration/Admission/Status) protocol uses UDP port 1719. During the registration process the client starts up a listener on UDP port X (X being the initial port used by the client to connect to the H.323 RAS service). After a certain time, determined by the Registration expiration time (H.323 Advanced properties), the H.323 RAS service contacts the Netmeeting client on UDP port X to check if the client is still alive.

However, when the Netmeeting client is a Firewall client, the registration process doesn't work stably. On Netmeeting startup the client shows a 'Gatekeeper Connect Timed Out' error message. The weird thing is that on ISA the client shows up in the Active clients list. Trying a logon to the gatekeeper on the client does not clear the problem. Now, after going to the Advanced Calling Options on the client and changing the state of the 'Log on using my account name' checkbox, the registration succeeds. I can log on and log off as much as I like during this session. Closing Netmeeting and starting it up again... exactly the same problem. Why ?!?!

Moreover, we see some unexpected entries in the Firewall log (UDP BIND). So, it seems that the H.323 RAS protocol is redirected by the firewall client to the ISA server instead of going directly. In my opinion that shouldn't happen because the Gatekeeper is the ISA internal interface, and this is contained in the LAT.

BTW --- next week I will try to take some traces in order to better understand the problem.

Am I missing something? [Confused]

Thanks,
Stefaan

[ April 06, 2002, 12:23 PM: Message edited by: spouseele ]
Post #: 1
RE: Gatekeeper: registration problems - 6.Apr.2002 3:31:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

Does this happen on clients that are configured as both Firewall and SecureNAT clients, or clients that are configured as Firewall clients only?

I would be very interested in the trace!

Thanks!

Tom

(in reply to spouseele)
Post #: 2
RE: Gatekeeper: registration problems - 6.Apr.2002 3:53:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

yes, the clients are Firewall *and* SecureNAT clients, because the internal network is a switched layer-3 network. [Smile]

During testing I took a Sniffer trace and saw that the packet layout for the H.323 RAS protocol was completely different between a SecureNAT and a Firewall client. In fact, the Sniffer did not even recognize the protocol as H.323 RAS in the case of a Firewall client. However, I was so stupid as not to save the traces. [Mad]

I suspect that the problem occurs when the client tries to install the listener for the H.323 RAS 'keep alive'. That could explain why the Gatekeeper thinks the client is registered and the client doesn't. Maybe it also explains the firewall UDP BIND entries.

Cheers,
Stefaan

(in reply to spouseele)
Post #: 3
RE: Gatekeeper: registration problems - 8.Apr.2002 4:02:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

I have solved the problem by changing the Firewall client properties to always resolve DNS names locally (add entry [Common Configuration] with parameter NameResolution=L). I followed the article http://www.isaserver.org/authors/harrison/tutoials/isa-clients-part3.htm.

I got this idea because I saw in the traces and the Firewall log a lot of unneeded DNS requests for local addresses by the Firewall client, although the LDT was correctly set. So, I think it is one of the mysteries of ISA why this has such an effect on the behaviour of the H.323 RAS in Netmeeting. [Eek!]

Note: the problem can be simulated by removing the 'NameResolution' parameter from the Firewall client properties.

BTW --- I send you the traces by email.

Cheers,
Stefaan

(in reply to spouseele)
Post #: 4
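
The check discussed in this thread (UDP BIND entries in the Firewall log for a destination that is inside the LAT) can be automated. The following is an added example, not part of the original posts or of ISA Server: the LAT ranges, the addresses, and the five-field record layout are constructed for illustration and are not ISA's actual log format.

```python
import ipaddress
from collections import Counter

# Constructed LAT (Local Address Table) ranges; assumption, not from the thread.
LAT_RANGES = [("10.0.0.0", "10.0.255.255")]

# Constructed, simplified records: client_ip operation transport dest_ip dest_port
SAMPLE_LOG = """\
10.0.1.20 BIND UDP 10.0.0.1 1719
10.0.1.21 CONNECT TCP 203.0.113.10 80
10.0.1.20 BIND UDP 10.0.0.1 1719
10.0.1.22 BIND UDP 198.51.100.7 5060
this line is truncated
"""

def load_lat(ranges):
    """Turn (first, last) address pairs into comparable integer ranges."""
    return [(int(ipaddress.ip_address(a)), int(ipaddress.ip_address(b)))
            for a, b in ranges]

def in_lat(ip, lat):
    """True when ip falls inside any LAT range."""
    n = int(ipaddress.ip_address(ip))
    return any(lo <= n <= hi for lo, hi in lat)

def parse_record(line):
    """Parse one simplified record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    client, op, transport, dest, port = parts
    try:
        ipaddress.ip_address(client)
        ipaddress.ip_address(dest)
        return client, op.upper(), transport.upper(), dest, int(port)
    except ValueError:
        return None

def lat_udp_binds(log_text, lat):
    """Count UDP BIND records whose destination is a LAT address.

    Such records mean the Firewall client remoted traffic to the ISA server
    that should have gone directly to the local destination.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        client, op, transport, dest, port = rec
        if op == "BIND" and transport == "UDP" and in_lat(dest, lat):
            hits[(client, dest, port)] += 1
    return dict(hits)
```
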
