Phantom Phone Ringing

I have an odd problem with phantom ringing on Polycom 550 phones. What’s been happening is that a particular phone will start ringing, showing a random (usually 4 digit) CID. The call never goes to voice mail and answering only stops the ringing - there’s no connection. Just the one phone is affected at the time but it has happened to four different phones over the last 12 months.

Here’s the peculiar part… The PBX is hosted remotely and is locked down by IP (the PBX can only talk to the provider and this office), the phones are behind NAT and there are NO forwards. Changing the internal static IP address of the phone stops the ringing.

There is no record of these phantom calls in any of the log files on the PBX. If they were originating from the PBX, changing the IP would have no effect.

My guess is that it’s coming from something else in the office. I did read a post outlining a similar problem and they blamed their Netgear router (which is what this office has). That would be an easy enough solution, but I’d rather know why.

I guess I’ll have to trace packets but was curious to see if anyone else had experienced this.

There are random invites getting through your router to your phone(s) from the internet. One easy way to deal with this is to configure your phone not to use the default SIP port 5060. This does not require any PBX config changes.

1 Like

There’s an option in some Polycom phones to restrict the IP and port negotiated during registration. If you turn on this option the phone should ignore packets not matching the IP and port established during registration.

1 Like

Random invites getting through to the phones that are behind NAT and there are no forwarded ports?

Don’t take this the wrong way, but yeah, that’s what he said.

I understand that you think it can’t be happening, but it’s really about the only way this can happen, and it’s not like we haven’t seen it a couple dozen times.

You can run a tcpdump on the network where the phones are to see where the phantom invites are actually coming from.

1 Like

Seriously, as @lgaetz said don’t use port 5060 , secondary suggestion , don’t use Netgear Routers unless they are very expensive, and you know how to exactly program them, The domestic ones are , well, . . . . .


No more prosafe netgears for our clients. Ubiquiti edge router lite or pfsense only here. We had the exact same issues.


I appreciate the responses and will heed the advice. As I had stated, I’ve seen other posts with similar issues where they’ve blamed Netgear routers. I will, however, pursue this with a bit of packet sniffing since I’d like to be sure I’m not missing anything (ie, hacked PC, rouge copier, etc.). God knows we need to protect ourselves from enemies foreign and domestic.

Thanks again everyone.


turn off IP calling on the phones. That will fix it.

1 Like

If the phones were on the WAN side, I would agree… but having UDP INVITE packets floating around inside the LAN makes me a bit nervous.


the phones are behind a NAT but the SIP port is exposed to the open Internet which means you can receive IP to IP calls i.e. phantom calls. It’s a known issue and changing the SIP port 5060 to something else would fix this but the better solution imho is to turn off IP calling on the phones.

Not sure what ‘exposed’ means… There are no forwards that allow incoming connections to the LAN… the phones initiates the registration to the external PBX.

Sorry dude, but i couldn’t resist. . .

A rouge copier no less :wink:

1 Like

Just humor me. Access the phone configs and turn off IP to IP calling or whatever equivalent command exists with Polycom phones.

We see this a lot and trying to explain the fact that the outbound connection to the provider opens a NAT hole that can be exploited back in can be hard.
Assuming you have a SIP trunks or they are remote phones to a head office then you just need to block SIP TCP/UDP traffic for port 5060 on your firewall allowing just your SIP provider through.Most providers worth their salt will have a range of fixed IPs for you to use in the firewall rules.

We were called into one client recently that had a brand new Cisco ASA 5508-X which was exhibiting this behaviour. That is not a cheap firewall by any means. My point being is there are a lot of people putting voip in without being forearmed about the dangers of ‘the Internet’ and proper security.

We have seen the same behavior with a home users remote phone. We have determined also that the calls are coming in thru the users firewall as described.

When the phone communicates to the outside the cheap firewall is opening 5060 to the outside and allowing any traffic back in rather than limiting the traffic to only from the single destination.

1 Like

check the router to see is upnp is turned on and if yes turn it off