What Runs on Port 2517

Port 2517 is registered with IANA for H.323 Annex E Call Control Signalling Transport, service name call-sig-trans. It operates on both TCP and UDP, though UDP is its purpose.[1]

If you see traffic on this port, you're looking at a video conferencing or VoIP system using H.323 — likely enterprise equipment from Cisco, Polycom, or a similar vendor that predates the SIP era.

The Problem Annex E Solved

H.323 is the ITU-T's protocol suite for multimedia communications over IP networks — voice calls, video conferences, the whole stack. The main H.323 call signaling lives on port 1720 (TCP). That works, but TCP has a cost: each call needs its own connection. In a large call center or conference bridge handling thousands of simultaneous calls, maintaining that many TCP connections gets expensive.

Annex E's answer was simple: use UDP instead. Run all call signaling through a single UDP channel and multiplex it. Fewer connections, higher throughput, better performance at scale. Port 2517 is where that multiplexed UDP signaling lives.[2]

The catch is that UDP doesn't guarantee delivery. So Annex E added its own reliability layer on top — acknowledgments, retransmissions, the usual. It rebuilt TCP's reliability in userspace, which is either clever or a warning sign depending on your perspective.

Why You Probably Don't Know This Port

H.323 is fading. It was the dominant VoIP and video conferencing protocol through the early 2000s — if your company used Polycom conference rooms or Cisco IP phones, H.323 was running underneath. Then SIP arrived, simpler and more flexible, and the industry gradually moved on.

H.323 still exists in legacy enterprise equipment, in some international telecom infrastructure, and in ISDN gateways that need to talk to modern networks. But new deployments almost universally choose SIP. Port 2517's traffic, where it appears at all, is usually a sign of older equipment that hasn't been replaced yet.

The Registered Port Range

Port 2517 sits in the registered ports range (1024–49151). IANA maintains this registry so that port numbers don't collide — if a protocol is registered, other services know not to use that number. Port 2517 was registered by the ITU-T (the International Telecommunication Union's standardization branch) in 2013, formalizing what H.323 implementations had been doing for years.[1]

The registered range requires IANA approval but doesn't require the operating system to restrict access the way well-known ports (0–1023) do. Any process can bind to port 2517 without elevated privileges.

What to Do If You See It

If port 2517 shows up in your network traffic or firewall logs:

  • You're almost certainly looking at H.323 video conferencing or VoIP equipment
  • Check if you have legacy conference room systems, ISDN gateways, or older Cisco/Polycom/Tandberg endpoints on your network
  • If you don't expect H.323, treat unexpected traffic on this port with suspicion

To check what's listening on your local machine:

Linux/macOS:

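# Linux (iproute2): -u is needed because Annex E signalling is UDP; -t alone lists only TCP listeners
ss -tulnp | grep 2517
# or, on Linux and macOS
lsof -i :2517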

Windows:

netstat -ano | findstr :2517
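
A plain grep for 2517 also matches port 25170 or a process whose PID happens to be 2517. The following is an added example, not part of the original page: it filters `ss -H -tulnp` output on the exact local port and covers both TCP and UDP. The function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: exact-port listener check for H.323 Annex E (port 2517).
# Live use on Linux:  ss -H -tulnp | listeners_on_port 2517
PORT=2517

# Reads `ss -H -tulnp` lines on stdin. Columns with -H (no header):
#   1 Netid  2 State  3 Recv-Q  4 Send-Q  5 Local Address:Port  6 Peer  7 Process
# Prints "netid local-address process" for sockets bound to exactly port $1.
listeners_on_port() {
    awk -v port="$1" '
        {
            addr = $5
            # The port is whatever follows the last colon, which also
            # handles IPv6 forms such as [::]:2517 and wildcard *:2517.
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            proc = (NF >= 7) ? $7 : "-"   # process column is empty without root
            print $1, addr, proc
        }'
}

# Constructed sample input (not captured from a real host). The second
# line is a decoy: port 25170 and pid=2517 both fool a plain grep.
sample_ss_output() {
    cat <<'EOF'
udp UNCONN 0 0 0.0.0.0:2517 0.0.0.0:* users:(("h323gw",pid=811,fd=7))
tcp LISTEN 0 128 0.0.0.0:25170 0.0.0.0:* users:(("app",pid=2517,fd=3))
tcp LISTEN 0 128 [::]:1720 [::]:* users:(("h323gw",pid=811,fd=6))
udp UNCONN 0 0 [::]:2517 [::]:* users:(("h323gw",pid=811,fd=8))
EOF
}

# Demo on the sample: reports the two UDP sockets and skips the decoy.
sample_ss_output | listeners_on_port "$PORT"
```
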
