Showing results for 
Search instead for 
Did you mean: 
Walkthrough Wednesdays

Ghost 911 - Verified


This is a strange case, any and all insight would be appreciated!  We're trying to get TAC to engage but they don't believe this situation is occurring.

The facts:

-1 office 10 different phones in this location on different floors (out of 30+ locations over 2000 phones) experiences ghost 911 calls.  (We've looked at the cm logs, phone console logs, packet capture, all show the phone dialing the digits 9911 (no extra digits)).  All phone lines are centralized, no lines in each office.

-The packet capture also shows no other communication to the phone (except for the call manager keepalives).  So its unlikely they are being remote controlled.

-The initial packet comes from the phones ip address to initiate the call.

-The phone which makes the call is random, and rarely is the same phone twice.

-One phone is located in a locked room with door badge reader, the logs were reviewed and no access was made to the room.

-Occurrences happen once a week up to 3-4 times per week.

-The call lasts less than a second, a human could not possible initiate the call and end the call in that timeframe

-No other phone call is made to or from the phone prior to the 911 call during that day

What could cause this to happen, any possible miss configuration in routing somewhere?  Bug?

Your help is greatly appreciated!

Abhay Singh Reyal

I would suggest you to collect detailed CM traces of 5 minutes before and after the time of event , find below link helpful.

If that is not possible then collect the traces by scheduling them, find below link

Once you collect the traces, provide Calling Number, Called Number and Exact Time Stamp. 



Abhay Singh Reyal
The Only Way To Do Great Work Is To Love What You Do. If You Haven’t Found It Yet, Keep Looking. Don’t Settle


Thanks for the response, we have uploaded the trace, packet capture and phone console logs to the case for several of the Ghost occurrences.  Our TAC engineer has reviewed and states that the logs are all showing the phone making the call.  Our problem is this is physically impossible.  One of the phones was locked in a room, with no access.  Another phone was right next to an admin, who looked over as she received a CER text and saw nobody there.

Thanks again,

Jaime Valencia
Hall of Fame Cisco Employee

I'd probably try to isolate this to the device/FW in first place, try a few different FW releases on that device. If it still happens, and you have a spare phone handy, try switching the physical device for another one with the same config and line, and see if it occurs again.

If it doesn't happen, delete the new device and the "faulty" device from your cluster, and then configure it again, and see if the problem happens again.



if this helps, please rate


Great suggestions!

We have swapped firmware on devices that have had this occur

-Started with SCCP45.9-3-1ES27S move to SCCP45.9-4-2ES25S per TAC  <- Problem has recurred on new version

We have deleted and recreated a phone <-Problem has recurred after recreation

We have replaced the physical phone in one instance <- Problem occurred again on new phone

All phones that experienced this have been rebooted also.

Content for Community-Ad

Spotlight Awards 2021