04-06-2012 02:12 PM - edited 03-21-2019 05:37 AM
We had a customer yesterday who stopped receiving incoming calls.
The issue was fixed by a reboot, and unfortunately I did not keep a copy of the logs.
However, what seemed to be happening is that incoming SIP INVITEs were getting a "182 Queued" message back instead of "180 Ringing" as expected, so when you called you did not hear any ringback, and the call never went through... even though it was "connected".
Anyone have any insight into how this could happen or what that particular status code means?
Thanks.
Message was edited by: Daniel Placek
07-19-2012 08:56 AM
Update:
We have found an interesting CDR record that shows up right before the system locks up and stops accepting calls.
Below are 2 screenshots from the last 2 times it happened.
An incoming call with unknown CLID/CNAM comes in... following that the system accepts no further calls.
-------------------------
07-20-2012 09:26 AM
Mystery solved.
It appears to be a security problem on our SIP provider's end. We did a long-running packet capture in between the UC320 and the provider IAD.
Immediately preceding this issue we found:
INVITE sip:9011441212790843@64.179.x.x, with session description
INVITE sip:8011441212790841@64.179.x.x, with session description
INVITE sip:1#011441212790840@64.179.x.x, with session description
There were many calls in a row like this -- it appears to be attempted toll fraud.
The UC320 appears to accept the first 12 calls, then spits back "182 Queued" to all the rest that come in.
Because we had the AA set up to "Return to Main Menu" on timeout (instead of endcall) and the person sending these bogus requests was not sending "BYE"s, the calls got hung, and any further calls got "Queued".
We are going to work with the provider on this... but it sure would be really nice if you could set up a UC320 to reject any calls to DIDs not defined in the incoming dial plan.
Thanks for all of your assistance.
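An added example, not part of the original post and not Cisco code: a small Python check over capture summary lines in the format quoted above, flagging INVITEs to numbers outside the incoming dial plan and calls that were never ended with a BYE. The DID list, Call-IDs, addresses, dialed numbers and alert threshold are constructed assumptions.

```python
import re

# Assumption: DIDs defined in the incoming dial plan (constructed numbers).
ALLOWED_DIDS = {"4145550100", "4145550101"}

# Captures the user part of the Request-URI from an INVITE summary/request line.
INVITE_RE = re.compile(r"^INVITE\s+sips?:([^@\s;]+)@")

# Constructed sample: (Call-ID, summary line) pairs in the style of the capture above.
SAMPLE = [
    ("a1", "INVITE sip:4145550100@192.0.2.10, with session description"),
    ("a1", "BYE sip:4145550100@192.0.2.10"),
    ("b1", "INVITE sip:9011440000000001@192.0.2.10, with session description"),
    ("b2", "INVITE sip:8011440000000002@192.0.2.10, with session description"),
    ("b3", "INVITE sip:1#011440000000003@192.0.2.10, with session description"),
    ("c1", "INVITE sip:4145550101@192.0.2.10, with session description"),
]

def review_capture(events, allowed=ALLOWED_DIDS, burst=3):
    """Return INVITEs to unknown DIDs and unknown-DID calls still open (no BYE/CANCEL)."""
    open_calls = {}   # Call-ID -> dialed user, for calls not yet torn down
    unknown = []      # (Call-ID, user) for first INVITEs outside the dial plan
    for call_id, line in events:
        m = INVITE_RE.match(line)
        if m:
            if call_id not in open_calls:      # ignore re-INVITEs in the same call
                user = m.group(1)
                open_calls[call_id] = user
                if user not in allowed:
                    unknown.append((call_id, user))
        elif line.startswith(("BYE ", "CANCEL ")):
            open_calls.pop(call_id, None)      # call was torn down normally
    hung = [cid for cid, user in open_calls.items() if user not in allowed]
    # Alert when enough unknown-DID calls are left hanging to threaten call capacity.
    return {"unknown_did_invites": unknown, "hung_unknown_calls": hung,
            "alert": len(hung) >= burst}

if __name__ == "__main__":
    print(review_capture(SAMPLE))
```

The `burst` threshold is a tuning value; on a system that stops answering after a fixed number of stuck calls, set it well below that number.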
07-23-2012 01:32 PM
Daniel,
Thank you for the update on this outstanding item.
One question, was the source IP address of the inbound calls from your SIP provider? The UC320W does block inbound calls from IP addresses that are not registered via the configured SIP trunk. (There are some corner cases where we generated some PMFs to allow inbound calls on multiple IPs).
Thanks again for your update.
Randy
07-25-2012 06:15 AM
Yes they were sourced from the provider -- that's why I identified it as a provider security problem.
It is SIP delivered over a T1 with QOS; they have an AdTran IAD on site as an SBC... it clearly has some access list problems.
Dan