Need a more practiced eye to look at this

I have an installation that is experiencing phantom calls from one phone to another. There are only a couple of phones making the calls. Looking in the call log of the phone itself, it does show the phone calling another phone for approx 20 seconds. If someone is in the same room as the calling phone, you will hear it go off hook and hear the call progress tones to the other phone and eventually the voicemail greeting, then it hangs up. The CDR report reflects that the phone did make the call. We have replaced the phone with the same model / maker of phone 3 times. I have requested pcap files for the IP address of the phone. Looking at them, they look normal with one exception. Instead of the IP of the phone system responding to the phone, the WAN IP is present. Here is an example of what I am trying to explain:

2023/02/20 13:58:20.511340 10.1.1.38:5060 → 10.1.96.60:5061
NOTIFY sip:[email protected]:5061 SIP/2.0
Via: SIP/2.0/UDP 65.70.71.90:5060;branch=z9hG4bK4c8fe5aa
Max-Forwards: 70
From: “Unknown” sip:[email protected];tag=as724bef40
To: sip:[email protected]:5061
Contact: sip:[email protected]:5060
Call-ID: [email protected]:5060
CSeq: 102 NOTIFY
User-Agent: NimbusVoice-14.0.16.11(13.38.2)
Event: message-summary
Content-Type: application/simple-message-summary
Content-Length: 86

Messages-Waiting: no
Message-Account: sip:*[email protected]
Voice-Message: 0/9 (0/0)

The phone system is at 10.1.1.38, the WAN is 65.70.71.xx, the phone is at 10.1.96.60. The network is a 21 network.

The network settings in Asterisk SIP settings are correct. I suspect a bad actor within the network but I have no idea how to find them.

What I would suggest is to configure your phones to disallow IP calling and to only accept calls originating from your SIP server. This is different depending on the type of phone.

https://wiki.freepbx.org/plugins/servlet/mobile?contentId=71271951#content/view/71271951

Also change ‘Allow SIP Guests’ and ‘Allow Anonymous Inbound SIP Calls’ under Settings → Asterisk SIP Settings to disabled.

Disabling guest access may require updating to chan_pjsip, if you are still using the legacy driver, as, for some providers, who can source calls from a wide range of addresses, it is the only practical way of handling incoming calls.

To the OP, please always say which channel driver (and FreePBX and Asterisk version) you are using.

The NOTIFY that you provided is unrelated to your issue. That is nothing more than Asterisk sending a voicemail/MWI notification to the phone.

Is the PBX local to the phones? Can you show the CDR entries of this rogue phone making calls?

Both turned off previous to this posting (Anonymous Inbound SIP Calls, and Allow SIP guests)

Using chan_sip drivers and FreePBX 14 with Asterisk 13. The phone is local to the phone system.
Here is one call (CDR)

Tue, 21 Feb 2023 1:18 CHAN_START Kaitlyn Johnson 2319 DEFAULT 2324 from-internal SIP/2319-00193556
Tue, 21 Feb 2023 1:18 CHAN_START Lisa Tennell 2324 DEFAULT s from-internal SIP/2324-00193557
Tue, 21 Feb 2023 1:19 HANGUP Lisa Tennell 2324 2324 DEFAULT 2324 from-internal AppDial SIP/2324-00193557
Tue, 21 Feb 2023 1:19 CHAN_END Lisa Tennell 2324 2324 DEFAULT 2324 from-internal AppDial SIP/2324-00193557
Tue, 21 Feb 2023 1:19 APP_START Kaitlyn Johnson 2319 2319 2324 DEFAULT s-NOANSWER macro-vm VoiceMail SIP/2319-00193556
Tue, 21 Feb 2023 1:19 ANSWER Kaitlyn Johnson 2319 2319 2324 DEFAULT s-NOANSWER macro-vm VoiceMail SIP/2319-00193556
Tue, 21 Feb 2023 1:19 APP_END Kaitlyn Johnson 2319 2319 2324 DEFAULT s-NOANSWER macro-vm VoiceMail SIP/2319-00193556
Tue, 21 Feb 2023 1:19 HANGUP Kaitlyn Johnson 2319 2319 2324 DEFAULT h ext-local SIP/2319-00193556
Tue, 21 Feb 2023 1:19 CHAN_END Kaitlyn Johnson 2319 2319 2324 DEFAULT h ext-local SIP/2319-00193556
Tue, 21 Feb 2023 1:19 LINKEDID_END Kaitlyn Johnson 2319 2319 2324 DEFAULT h ext-local SIP/2319-00193556

Related Call Detail Records

Call Date Recording System CallerID Outbound CallerID DID App Destination Disposition Duration Userfield Account CDR Table CDR Graph
Tue, 21 Feb 2023 1:18 1676963939.2432493 “Kaitlyn Johnson” <2319> Dial 2324 NO ANSWER 00:15
Tue, 21 Feb 2023 1:19 1676963939.2432493 “Kaitlyn Johnson” <2

Not part of the original issue but is bugging me. The server is on the local network to the phone, so why is it sending the WAN address instead of the local IP of the system? NAT on that extension is set to NO
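
Added example, not part of any post in this thread: one way to audit a text capture in the format pasted in the first post for the two things raised above, SIP requests reaching the phone from anything other than the PBX, and messages whose Via address differs from the packet's real source. The sample capture (including the 10.1.96.77 host and the `ext` user) and the function names `parse_capture` and `audit` are constructed for illustration.

```python
import re

# Packet header line as pasted in the first post: "<date> <time> src:port → dst:port"
HDR = re.compile(r"^(\S+ \S+) (\d+(?:\.\d+){3}):\d+ (?:→|->) (\d+(?:\.\d+){3}):\d+\s*$")
VIA = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^:;\s]+)", re.I)

def parse_capture(text):
    """Split a text capture into dicts: time, src, dst, start line, first Via host."""
    msgs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HDR.match(line)
        if m:
            cur = dict(zip(("time", "src", "dst"), m.groups()), start=None, via=None)
            msgs.append(cur)
        elif cur and line:
            if cur["start"] is None:
                cur["start"] = line          # request line or status line
            elif cur["via"] is None and (v := VIA.match(line)):
                cur["via"] = v.group(1)      # topmost Via = address the sender advertises
    return msgs

def audit(msgs, phone_ip, pbx_ip):
    """Return (time, src, method, reason) for requests worth a closer look."""
    findings = []
    for m in msgs:
        if not m["start"] or m["start"].startswith("SIP/2.0"):
            continue  # a status line means this is a response, not a request
        method = m["start"].split()[0]
        if m["dst"] == phone_ip and m["src"] != pbx_ip:
            findings.append((m["time"], m["src"], method, "request to phone not from PBX"))
        if m["via"] and m["via"] != m["src"]:
            findings.append((m["time"], m["src"], method, f"Via {m['via']} != source"))
    return findings

# Constructed sample: first message modelled on the NOTIFY in the first post,
# the other two invented to exercise the checks.
SAMPLE = """\
2023/02/20 13:58:20.511340 10.1.1.38:5060 → 10.1.96.60:5061
NOTIFY sip:ext@10.1.96.60:5061 SIP/2.0
Via: SIP/2.0/UDP 65.70.71.90:5060;branch=z9hG4bK4c8fe5aa

2023/02/20 13:58:20.530000 10.1.96.60:5061 → 10.1.1.38:5060
SIP/2.0 200 OK

2023/02/21 01:18:59.000000 10.1.96.77:5060 → 10.1.96.60:5061
INVITE sip:ext@10.1.96.60:5061 SIP/2.0
Via: SIP/2.0/UDP 10.1.96.77:5060;branch=z9hG4bKconstructed
"""
```

Calling `audit(parse_capture(SAMPLE), "10.1.96.60", "10.1.1.38")` returns two findings. The "request to phone not from PBX" kind is the one that matters when looking for another host on the LAN; the Via kind only reports which address the sender advertised.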
