Mysterious Calls on a Sangoma S500

Hello everyone,

I need some help understanding what is going on.

This is a remote phone.
Extension number = 6406
Phone LAN IP = 192.168.10.101 (Subnet 192.168.10.0/24)
The phone is behind a TP Link router. There’s no ports forwarded etc.
The PBX is at another location behind a SonicWall.
The phone was provisioned and is registered over WAN (locked down).
No issued until yesterday.

Yesterday, the phone got a call from 6406 (it’s own extension) at 3:40 AM, tried answering, call got disconnected. Checked CDR, no details at all. I brushed it off…

Today at 5:42 AM same thing happened, answered, but this time the phone froze, couldn’t hangup, had to unplug the power…

I looked again in CDR and in Asterisk logs, Zero information there.

So I downloaded the System Log File from the actual phone. and I see the following:

[01-31 05:42:14 50:a1:6d] SIP: SDP IP 192.168.1.83, Port 25282, Interval 2, codec 0, audio 0, direct 3
[01-31 05:42:14 50:a1:6d] SIP: ActionUrlPro active_url sip:[email protected]:5060
[01-31 05:42:14 50:a1:6d] SIP: ActionUrlPro local_uri sip:[email protected]:5060
[01-31 05:42:14 50:a1:6d] SIP: ActionUrlPro remote_uri sip:[email protected]:5060

[01-31 05:42:21 50:a1:6d] SIP: SDP IP 192.168.1.83, Port 25282, Interval 2, codec 0, audio 0, direct 3
[01-31 05:42:21 50:a1:6d] SIP: ActionUrlPro active_url sip:[email protected]:5060
[01-31 05:42:21 50:a1:6d] SIP: ActionUrlPro local_uri sip:[email protected]:5060
[01-31 05:42:21 50:a1:6d] SIP: ActionUrlPro remote_uri sip:[email protected]:5060

[01-31 05:42:24 50:a1:6d] SIP: SDP IP 192.168.1.83, Port 25282, Interval 2, codec 0, audio 0, direct 3
[01-31 05:42:24 50:a1:6d] SIP: ActionUrlPro active_url sip:[email protected]:5060
[01-31 05:42:24 50:a1:6d] SIP: ActionUrlPro local_uri sip:[email protected]:5060
[01-31 05:42:24 50:a1:6d] SIP: ActionUrlPro remote_uri sip:[email protected]:5060

[01-31 05:42:26 50:a1:6d] SIP: SDP IP 192.168.1.83, Port 25282, Interval 2, codec 0, audio 0, direct 3
[01-31 05:42:26 50:a1:6d] SIP: ActionUrlPro active_url sip:[email protected]:5060
[01-31 05:42:26 50:a1:6d] SIP: ActionUrlPro local_uri sip:[email protected]:5060
[01-31 05:42:26 50:a1:6d] SIP: ActionUrlPro remote_uri sip:[email protected]:5060

See full log: https://pastebin.freepbx.org/view/26d09f91

SDP IP 192.168.1.83 – What is that IP address?

Can anyone explain what is going on?

Thanks

I found this post which might be the reason behind this.

I see on the phone:

image

So I believe that the below in EPM basefile management has to be set to 1

image

A few questions

  1. How come that isn’t the default?
  2. If the above is the case here, wouldn’t it be sip:[email protected]:5060 rather than the phone LAN IP?
  3. I ran an nmap scan against the WAN IP it does did not return 5060 as open.

Thanks

  1. Randomizing the SIP port can cause issues with NAT if something happens internally with the phone such as it rebooting or getting a DHCP lease refreshed. Which can then lead to the NAT rule for port 8108 be no good because it’s now 8103 and the NAT hasn’t cleared or refreshed.

  2. Who is to say they didn’t hit sip:[email protected]:wan.port and your NAT translated it to sip:[email protected]:5060? This isn’t giving you actual SIP packets that would show Via headers on how the call was routed.

  3. Again, nothing is saying that 5060 UDP is open at the firewall. They could be hitting some random port and the NAT is doing the rest.

1 Like

Also want to point out that while I don’t use Sangoma phones, this is pretty common setting for phones that use this style of firmware, etc. That is the HTTP/GET interfacing for remote actions of the phone and using the web servlet app in the phone do HTTP based requests. So this very will could not even be a SIP based request but an HTTP API based request to the phone.

1 Like

Thanks for taking the time to explain this. :pray:

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.