Endless sip_inv.c errors

ablock · October 4, 2020, 4:48pm

Greetings all. FreePBX/Asterisk novice here. I recently installed FreePBX using the RasPBX distro. Got everything up and running with a SIP trunk and handful of PJSIP and legacy SIP devices (Grandstream wifi phones and Cisco 8841s respectively).

When I look at the logs, even when all devices are idle (or even fully disconnected), I see a constant stream of messages like the following:

[2020-10-04 09:42:33] SECURITY[2331] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2020-10-04T09:42:33.064-0700",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0xb4302228",LocalAddress="IPV4/TCP/127.0.0.1/5038",RemoteAddress="IPV4/TCP/127.0.0.1/59352",UsingPassword="0",SessionTV="2020-10-04T09:42:33.064-0700"
[2020-10-04 09:42:43] ERROR[2272] pjproject: 	     sip_inv.c .Error parsing/validating SDP body: Missing SDP rtpmap for dynamic payload type (PJMEDIA_SDP_EMISSINGRTPMAP)
[2020-10-04 09:42:55] ERROR[2272] pjproject: 	     sip_inv.c .Error parsing/validating SDP body: Missing SDP rtpmap for dynamic payload type (PJMEDIA_SDP_EMISSINGRTPMAP)
[2020-10-04 09:42:56] ERROR[2272] pjproject: 	     sip_inv.c .Error parsing/validating SDP body: Missing SDP rtpmap for dynamic payload type (PJMEDIA_SDP_EMISSINGRTPMAP)
[2020-10-04 09:42:59] ERROR[2272] pjproject: 	     sip_inv.c .Error parsing/validating SDP body: Missing SDP rtpmap for dynamic payload type (PJMEDIA_SDP_EMISSINGRTPMAP)

~~This occurs about once a minute. The LocalAddress is always 127.0.0.1/5038 while the remote address is also localhost but on a random port above 50000.~~ Edit: it appears the security warning is benign and unrelated to the SIP errors.

I don’t know that this is a material issue but it bothers me (in addition to clogging the logs), so if anyone has suggestions on how to rectify it I’d appreciate the insight.

Thanks!

sorvani · October 4, 2020, 4:57pm

Do not know anything about your problem, but you do not need SIP for “legacy” devices.

The device does not know or care what driver the PBX is using to provide SIP.

ablock · October 4, 2020, 4:59pm

@sorvani The Cisco devices need an Asterisk patch to add some Cisco-specific commands, as detailed at usecallmanager.nz. However, I had this same issue when using the unpatched Asterisk 16 distro included with RasPBX (which is managed by apt).

sorvani · October 4, 2020, 5:00pm

Of course.

ablock · October 4, 2020, 5:02pm

Note that the patch does not touch sip_inv.c or pjproject.

Thanks!

ablock · October 4, 2020, 5:06pm

So it seems that per this post:

The security warnings are expected, and probably unrelated to the sip_inv.c errors. Would still be great to figure those out.

lgaetz · October 4, 2020, 5:07pm

It’s conventional to disable SECURITY level logging to the Asterisk full log since it tends to be verbose. Unless you require it for intrusion detection (in which case it’s better to have a log file specifically for ID) you will find it easier to only enable when you need it.

https://wiki.freepbx.org/display/FPG/Asterisk+Logfile+Settings

ablock · October 4, 2020, 5:10pm

Thanks, @lgaetz. I understand that and do have a separate fail2ban log. It appears that the errors I am seeing are unrelated to the security warnings which I will remove from the main log.

ablock · October 4, 2020, 5:47pm

Okay, so this seems to be an attack. I turned on PJSIP history and waited for a couple of the errors to come through, then ran pjsip show history. The relevant rows in the table:

No.   Timestamp  (Dir) Address                  SIP Message                        
===== ========== ============================== ===================================
00000 1601832405 * <== 147.135.246.41:59894     INVITE sip:[email protected]:5060 SIP/2.0
00001 1601832405 * ==> 147.135.246.41:59894     SIP/2.0 400 Bad Request

That IP address in France and should not be connecting to my PBX.

The details for that invite entry are:

<--- History Entry 33 Received from 147.135.246.41:54753 at 1601832717 --->;
INVITE sip:[email protected]:5060 SIP/2.0
Via: SIP/2.0/UDP 0.0.0.0:54753;rport=54753;received=147.135.246.41;branch=z9hG4bK17052342956
Max-Forwards: 70
From: &lt;sip:[email protected]&gt;;tag=2029311865
To: &lt;sip:[email protected]&gt;
Call-ID: 1212621415-1894932257-351572944
CSeq: 1 INVITE
Contact: &lt;sip:[email protected]:54753&gt;
User-Agent: Cisco-SIPGateway
Content-Type: application/sdp
Content-Length: 203
Content-Type: application/sdp
Content-Length: 203
v=0
o=1001 16264 18299 IN IP4 0.0.0.0
s=Cisco-SIPGateway
c=IN IP4 0.0.0.0
t=0 0
m=audio 25282 RTP/AVP 100 6 0 8 3 18 5 101
a=rtpmap:0 pcmu/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-11

The requested extension is invalid so obviously the intent here is fishy.

Manually adding the offending IP to fail2ban slowed down the frequency of these errors, but running pjsip history shows that they are still happening. They don’t seem to generate a parseable error in the log (there is no IP address to pass to fail2ban), so I’m not sure how I can prevent these other than by whitelisting the trunk IPs.

sorvani · October 4, 2020, 6:00pm

If you were on the distro version, the built in firewall does that by default. All things are blocked and thunk IP’s are automatically whitelisted. Even so far as to using SRV records.

I would highly recommend implementing some kind of firewall. Fail2ban is not a firewall, it is reactive.

ablock · October 4, 2020, 8:35pm

Thanks @sorvani. I have a hardware firewall so will whitelist the SIP trunk provider IPs for 5060 and the RTP ports. I am also going to add deny/permit rules to all my extensions.

system · November 4, 2020, 8:35pm

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.