I have a customer that called in stating they are intermittently unable to make calls. I logged into their 908 and I see an error message that continuously scrolls in my session. Below is the error message I am seeing. I also noticed that there are 4 sip user extensions that have been created. The customer claims they are going out the t1 0/3 interface to a shoretel 220T1A. I'm not very familiar with that product, but he claims he is going out of it analog and has no softphones connected on his side. I deleted the 4 users that were created yesterday, but 4 different ones have been created this morning.
Error message
2013.02.07 08:53:15 SIP.STACK ERROR MSGBUILDER SIP Pre-Parser Error (UDP) :
Sip users
EXTENSION  TYPE                           IP ADDRESS       PORT  PROT EXPIRES
---------- ------------------------------ ---------------- ----- ---- -------
556624101  (Unknown)                      198.175.125.108  5063  UDP  2491
556624102  (Unknown)                      198.175.125.108  5062  UDP  1879
556624103  (Unknown)                      198.175.125.108  5061  UDP  553
556624104  (Unknown)                      198.175.125.108  5060  UDP  1743
Thank you,
Sean
Seanm,
Thanks for posting! You may want to check the output of "debug sip stack messages" to see what device is sending SIP messages with errors and also see exactly what is attempting to register to the Adtran unit and when that is occurring. You may want to check and see if "ip sip registrar" is configured, and if so, disable it with "no ip sip registrar".
One last thing you may want to consider setting up is a SIP access class. Below is an example.
ip access-list standard My_SIP_Server
permit host 192.168.1.1
!
ip sip access-class My_SIP_Server in
This configuration example ensures that only SIP traffic from 192.168.1.1 is allowed to reach the unit. You would of course need to use the IP addresses of your SIP servers in the ACL. Feel free to respond to this post if you have any questions.
Thanks!
David
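An added example, not part of the original thread and not Adtran tooling: a Python check that reads the "permit host" entries from the ACL in the reply above and the SIP user table from the question, then lists registrations whose source address the ACL would not permit. The function names are hypothetical, and only the "permit host" form shown in the post is parsed.

```python
import ipaddress
import re

# ACL in the form shown in the reply above (192.168.1.1 is the post's example address).
ACL_TEXT = """\
ip access-list standard My_SIP_Server
 permit host 192.168.1.1
!
ip sip access-class My_SIP_Server in
"""

# SIP user table as pasted in the question.
REGISTRATIONS = """\
EXTENSION  TYPE                           IP ADDRESS       PORT  PROT EXPIRES
---------- ------------------------------ ---------------- ----- ---- -------
556624101  (Unknown)                      198.175.125.108  5063  UDP  2491
556624102  (Unknown)                      198.175.125.108  5062  UDP  1879
556624103  (Unknown)                      198.175.125.108  5061  UDP  553
556624104  (Unknown)                      198.175.125.108  5060  UDP  1743
"""

# Data rows start with a numeric extension; header and separator rows do not match.
ROW = re.compile(
    r"^(?P<ext>\d+)\s+(?P<type>.+?)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<port>\d+)\s+(?P<prot>\w+)\s+(?P<expires>\d+)\s*$"
)

def permitted_hosts(acl_text):
    """Return the addresses named by 'permit host A.B.C.D' lines."""
    hosts = set()
    for line in acl_text.splitlines():
        words = line.split()
        if len(words) == 3 and words[:2] == ["permit", "host"]:
            hosts.add(ipaddress.ip_address(words[2]))
    return hosts

def parse_registrations(table_text):
    """Return one dict per registration row in the table."""
    return [m.groupdict() for m in map(ROW.match, table_text.splitlines()) if m]

def unexpected_registrations(table_text, acl_text):
    """Map each source IP outside the ACL to the extensions registered from it."""
    allowed = permitted_hosts(acl_text)
    by_source = {}
    for row in parse_registrations(table_text):
        if ipaddress.ip_address(row["ip"]) not in allowed:
            by_source.setdefault(row["ip"], []).append(row["ext"])
    return by_source

if __name__ == "__main__":
    for ip, exts in unexpected_registrations(REGISTRATIONS, ACL_TEXT).items():
        print(f"{ip}: {len(exts)} registration(s) outside the ACL: {', '.join(exts)}")
```

Grouping by source address shows whether the unexpected extensions come from a single host, which is the case for the four entries in the question.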
It sounds like the system may have been hacked and someone created SIP extensions to make outbound calls.
Can the system be logged into from the public internet?
Are you using a strong user name and password?
You may want to change the username and password and then delete the SIP users and see if the problem is fixed.
Are you referring to my 908e, or the customer's shoretel? I have no access to their equipment, just ours. Is there any way to prevent sip users from being created?
I'm referring to the 908e.
Seanm,
I wanted to check back with you to see if you were still experiencing the problem. If so, feel free to post any follow-up questions you may have. If not, feel free to mark any of the responses as correct or helpful.
Thanks!
David
Seanm,
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
David