(warning) INVITE on internal profile by a LAN phone (polycom), for other extensions..

Status
Not open for further replies.
P

pbxcom

New Member
Sep 15, 2021
13
0
1
Hi,

No call or any other activity triggers it, it just happens hourly.
The offending IP (10.0.0.59) is in my LAN, its a polycom phone (firmware 5.8).
It issues an "INVITE" every hour to other extensions and that causes Fusion/FS to warn that this is not normal.

The polycom itself uses extension 100, the other two extensions (101 and 102) are set as BLFs/Soft Line keys on the phone (auto provisioned with Fusion). As can be seen the logs appear almost exactly every hour.

2021-11-10 01:40:58.858574 98.73% [WARNING] sofia_reg.c:1861 SIP auth challenge (INVITE) on sofia profile 'internal' for [101@pbx.lan] from ip 10.0.0.59 2021-11-10 01:40:58.858574 98.73% [WARNING] sofia_reg.c:1861 SIP auth challenge (INVITE) on sofia profile 'internal' for [102@pbx.lan] from ip 10.0.0.59 2021-11-10 00:41:26.878856 98.77% [WARNING] sofia_reg.c:1861 SIP auth challenge (INVITE) on sofia profile 'internal' for [101@pbx.lan] from ip 10.0.0.59 2021-11-10 00:41:26.878856 98.77% [WARNING] sofia_reg.c:1861 SIP auth challenge (INVITE) on sofia profile 'internal' for [102@pbx.lan] from ip 10.0.0.59 2021-11-09 23:41:55.898653 98.80% [WARNING] sofia_reg.c:1861 SIP auth challenge (INVITE) on sofia profile 'internal' for [101@pbx.lan] from ip 10.0.0.59 2021-11-09 23:41:55.398984 98.90% [WARNING] sofia_reg.c:1861 SIP auth challenge (INVITE) on sofia profile 'internal' for [102@pbx.lan] from ip 10.0.0.59 2021-11-09 22:42:23.918562 98.60% [WARNING] sofia_reg.c:1861 SIP auth challenge (INVITE) on sofia profile 'internal' for [101@pbx.lan] from ip 10.0.0.59 2021-11-09 22:42:23.418662 98.63% [WARNING] sofia_reg.c:1861 SIP auth challenge (INVITE) on sofia profile 'internal' for [102@pbx.lan] from ip 10.0.0.59 2021-11-09 21:42:51.918895 98.77% [WARNING] sofia_reg.c:1861 SIP auth challenge (INVITE) on sofia profile 'internal' for [101@pbx.lan] from ip 10.0.0.59 2021-11-09 21:42:51.418750 98.80% [WARNING] sofia_reg.c:1861 SIP auth challenge (INVITE) on sofia profile 'internal' for [102@pbx.lan] from ip 10.0.0.59 2021-11-09 20:43:19.938705 98.33% [WARNING] sofia_reg.c:1861 SIP auth challenge (INVITE) on sofia profile 'internal' for [101@pbx.lan] from ip 10.0.0.59 2021-11-09 20:43:19.438517 98.50% [WARNING] sofia_reg.c:1861 SIP auth challenge (INVITE) on sofia profile 'internal' for [102@pbx.lan] from ip 10.0.0.59

I tried looking at "Presence" features in the phone but they are disabled.. And as mentioned phone was factory reset and provisioned with Fusion.
This trial setup has only 3 phones (1 physical and 2 softphones).. if this was a real installation the log would be full of spam. Any insights on what causes this is much appreciated.

Cheers
 
Last edited:
DigitalDaz

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,045
566
113
I have never seen anything like this, can you try capturing it with sngrep and maybe that will give a little more detail.
 
P

pbxcom

New Member
Sep 15, 2021
13
0
1
DigitalDaz said:
I have never seen anything like this, can you try capturing it with sngrep and maybe that will give a little more detail.
Click to expand...
@DigitalDaz

Here is the sngrep (matched the exact same time from the Fusion log):

2021/11/9 14:26:33.416658 10.0.0.59:5060 -> 10.0.0.58:5060 SUBSCRIBE sip:101@10.0.0.58:5060 SIP/2.0 Via: SIP/2.0/UDP 10.0.0.59;branch=z9hG4bKc832804b4FB0B6EA From: "K" <sip:100@pbx.lan>;tag=A18A00E3-ED5D3862 To: <sip:101@pbx.lan>;tag=0cQ88rIFk2B7 CSeq: 36 SUBSCRIBE Call-ID: 8b96186806bbfb5bbbcd803885738c37 Contact: <sip:100@10.0.0.59> Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,INFO,MESSAGE,SUBSCRIBE,NOTIFY,PRACK,UPDATE,REFER Event: dialog User-Agent: PolycomVVX-VVX_600-UA/5.8.5.1256 Accept-Language: en Accept: application/dialog-info+xml Proxy-Authorization: Digest username="100", realm="pbx.lan", nonce="bee79609-4845-41ac-bdba-6003a26716d9", qop=auth, cnonce="alS7zAGeLdiuDGr", nc=000000 , uri="sip:101@10.0.0.58:5060", response="0d11be88128dab70c4e3bad43d916476", algorithm=MD5 Max-Forwards: 70 Expires: 3600 Content-Length: 0

And response:

2021/11/9 14:27:05.420600 10.0.0.58:5060 -> 10.0.0.59:5060 SIP/2.0 407 Proxy Authentication Required Via: SIP/2.0/UDP 10.0.0.59;branch=z9hG4bK3939fb399A0A48B0;rport=5060 From: "K" <sip:100@pbx.lan>;tag=A18A00E3-ED5D3862 To: <sip:101@pbx.lan>;tag=0cQ88rIFk2B7 Call-ID: 8b96186806bbfb5bbbcd803885738c37 CSeq: 37 SUBSCRIBE User-Agent: FreeSWITCH Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE Supported: timer, path, replaces Allow-Events: talk, hold, conference, presence, as-feature-event, dialog, line-seize, call-info, sla, include-session-description, presence.winfo, messa -summary, refer Proxy-Authenticate: Digest realm="pbx.lan", nonce="a481e89a-65bd-49b2-b5f4-e1aff9a8411a", algorithm=MD5, qop="auth" Content-Length: 0

The above (time 14:27) is what triggers the warning in the log, but if we look at the sequence:

digitaldaz.png

Do you think the polycom is trying different (possibly non-standard) Presence/BLF mechanisms? Does it look fishy/nefarious in any way?

Thanks
 
DigitalDaz

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,045
566
113
They are subscribes, there is no problem with that, they are just presence

I think its only recently subscribes have started authing. FS is wrongly reporting it as an invite, I think I have seen this before.
 
  • Like
Reactions: pbxcom
P

pbxcom

New Member
Sep 15, 2021
13
0
1
DigitalDaz said:
They are subscribes, there is no problem with that, they are just presence

I think its only recently subscribes have started authing. FS is wrongly reporting it as an invite, I think I have seen this before.
Click to expand...
Thanks for the info.
 
Status
Not open for further replies.
Top Bottom