6 Replies Latest reply on Feb 28, 2013 9:08 AM by david

    Sip user-registration

    seanm New Member

      I have a customer that called in stating they are intermittently unable to make calls.  I logged into their 908 and I see an error message that continuously scrolls in my session.  Below is the error message I am seeing.  I also noticed that there are 4 sip user extensions that have been created.  The customer claims they are going out the t1 0/3 interfce to a shoretel 220T1A.  I'm not very familiar with that product, but he claims he is going out of it analog and has no softphones connected on his side.  I deleted the 4 users that were created yesterday, but 4 different ones have created this morning.

       

      Error message

      2013.02.07 08:53:15 SIP.STACK ERROR  MSGBUILDER   SIP Pre-Parser Error (UDP) :

       

      Sip users

      EXTENSION  TYPE                           IP ADDRESS       PORT  PROT EXPIRES

      ---------- ------------------------------ ---------------- ----- ---- -------

      556624101  (Unknown)                      198.175.125.108  5063  UDP  2491

      556624102  (Unknown)                      198.175.125.108  5062  UDP  1879

      556624103  (Unknown)                      198.175.125.108  5061  UDP  553

      556624104  (Unknown)                      198.175.125.108  5060  UDP  1743

       

      Thank you,

      Sean

        • Re: Sip user-registration
          unified Past_Featured_Member

          It sounds like the system may have been hacked and someone created SIP extensions to make outbound calls.

          Can the system be logged into from the public internet?

          Are you using a strong user name and password?

           

          You may want to change the username and password and then delete the SIP users and see if the problem is fixed.

            • Re: Sip user-registration
              seanm New Member

              Are you referring to my 908e, or the customer's shoretel?  I have no access to their equipment, just our's.  Is there any way to prevent sip users from being created?

                • Re: Sip user-registration
                  unified Past_Featured_Member

                  I'm referring to the 908e.

                  • Re: Sip user-registration
                    david Employee

                    Seanm,

                     

                    Thanks for posting!  You may want to check the output of "debug sip stack messages" to see what device is sending SIP messages with errors and also see exactly what is attempting to register to the Adtran unit and when that is occurring.  You may want to check and see if "ip sip registrar" is configured, and if so, disable it with "no ip sip registrar".

                     

                    One last thing you may want to consider setting up is a SIP access class.  Below is an example.

                     

                    ip access-list standard My_SIP_Server

                      permit host 192.168.1.1

                    !

                    ip sip access-class My_SIP_Server in

                     

                    This configuration example ensures that only SIP traffic from 192.168.1.1 is allowed to reach the unit.  You would of course need to use the IP addresses of your SIP servers in the ACL.  Feel free to respond to this post if you have any questions.

                     

                    Thanks!

                    David

                • Re: Sip user-registration
                  david Employee

                  Seanm,

                   

                  I wanted to check back with you to see if you were still experiencing the problem.  If so, feel free to post any follow up questions you may have.  If not, feel free to mark any of the responses as correct or helpful.

                   

                  Thanks!

                  David

                  • Re: Sip user-registration
                    david Employee

                    Seanm,

                     

                    I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                     

                    Thanks,

                    David