[SOLVED] Asterisk full log flooded with NOTICES for deleted extension. GXP2160/2130

Hi

I noticed that my full log for Asterisk is getting flooded with entries for extensions that were deleted a long time ago. They don’t appear in the FreePBX extensions list.

NOTICE[14928] chan_sip.c: Registration from ‘sip:[email protected]’ failed for ‘xx.xx.xx.xx:5060’ - Wrong password

Is there any way to find out why it’s showing these notices and how to remove those ghost extensions? The phones that were provisioned were factory reset as well, and all the ext deleted.

My guess is that you are allowing anonymous and/or guest inbound connections on port 5060

whois xx.xx.xx.xx ?

Anonymous is set to no in SIP settings. xx.xx.xx.xx is the static IP of the location that had the phones set up. Then all exts at that location were deleted from FreePBX and the phones factory reset. Somehow these entries still appear in the log.

However, you still have attempts

sip set debug ip xx.xx.xx.xx

and see . . .


Here’s the SIP debug of one entry:
https://pastebin.com/0PDnCzCx
xxx.xxx.xxx.xxx is the static IP at the location that had the phones (GXP2160) and extensions set up. The phones are still there but reset to factory defaults, so no account information is stored, and the extensions were deleted a while ago.

It appears that the phone never got reset. Possibly, the stale nonce is misleading and it did get reset but then got reprovisioned by EPM.

Power off phone, confirm that attempts stop. Be sure it’s gone from EPM. Power phone back on and factory reset it. Check that there are no further attempts.


I have no way of accessing the location physically, so I can’t power off the phones (no switch access either). I can only access their GUI, where I removed the reg settings, saved and factory reset. These were provisioned by hand and not EPM. I also checked a few tables in the Asterisk DB looking for instances of the extensions that are trying to register. They’re nowhere to be found.

I’m reasonably certain that the failing requests are coming from the phone – they contain:
User-agent: Grandstream GXP2160 1.0.7.25
and Asterisk (or an attacker) would have no way of knowing that.

Possibly, you have more than one ‘line’ (account) configured on the Grandstream and didn’t delete all of them.

If you log into the phone and look at the accounts, are they all blank?

Possibly, the phone you are resetting is not the one causing the trouble.

The REGISTER request contains the MAC address: 00:0B:82:97:BA:FF

With luck, you’ll have a record of which phone that is and will be able to access and reset it.

You can view the MAC address of the phone you are connected to in the GUI at Status -> Network Status.


OK, so I was able to access the UniFi switch, where I power cycled all the PoE ports, and after they all came back the NOTICE messages are gone from the log. Prior to that I went through each phone (11) and set account active to NO on each account (GXP2160 and GXP2130), even though only the first account was configured and then cleared. After that I power cycled the ports and the messages are now gone. It seems like even after the first account was set to NO, it somehow kept registering with no information filled. Extremely strange situation with Grandstream hardware. Thanks everyone for your help!
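An added example, not part of the original thread: a small script that tallies the `chan_sip.c` failed-registration NOTICE lines discussed above by source IP and SIP user, to help tell a device that still holds an old account from a source that is guessing at extensions. The sample log lines, IP addresses, hostname, label names and the `scan_threshold` value are constructed assumptions.

```python
import re
from collections import defaultdict

# chan_sip failure NOTICE: Registration from '<From>' failed for 'ip:port' - reason
FAIL_RE = re.compile(
    r"NOTICE\[\d+\].*?chan_sip\.c.*?Registration from ['‘](?P<frm>.*?)['’] "
    r"failed for ['‘](?P<peer>[^'’]+)['’] - (?P<reason>.+?)\s*$"
)
USER_RE = re.compile(r"sips?:(?P<user>[^@>;]+)@")

def parse_failures(lines):
    """Yield (user, source_ip, reason) for each failed-registration NOTICE."""
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        u = USER_RE.search(m.group("frm"))
        # Peer is 'ip:port'; rsplit keeps a bracketed IPv6 address intact.
        yield (u.group("user") if u else "?",
               m.group("peer").rsplit(":", 1)[0], m.group("reason"))

def summarize(lines, scan_threshold=5):
    """Per source IP: attempts per user, plus a rough label (assumed heuristic)."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for user, ip, _reason in parse_failures(lines):
        per_ip[ip][user] += 1
    report = {}
    for ip, users in per_ip.items():
        # Many distinct users from one source looks like guessing; one or two
        # users repeated looks like a device holding an old account.
        label = "scan-like" if len(users) >= scan_threshold else "stale-device-like"
        report[ip] = {"label": label, "attempts": sum(users.values()),
                      "users": dict(users)}
    return report

# Constructed sample lines (documentation IPs and an invalid hostname).
SAMPLE = [
    "[2020-01-01 10:00:0%d] NOTICE[14928] chan_sip.c: Registration from "
    "'<sip:201@pbx.example.invalid>' failed for '192.0.2.10:5060' - Wrong password" % i
    for i in range(4)
] + [
    "[2020-01-01 10:01:0%d] NOTICE[14930] chan_sip.c: Registration from "
    "'\"%d\" <sip:%d@pbx.example.invalid>' failed for '198.51.100.7:5071' "
    "- No matching peer found" % (i, 100 + i, 100 + i)
    for i in range(5)
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info["label"], info["attempts"], info["users"])
```

To use it on a real system, pass the lines of the Asterisk full log to `summarize()` in place of `SAMPLE`.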
