Cisco Support Community
New Member

Nuisance H323 calls on SX20

Hi,

 

I'm having an issue with an SX20 device that keeps receiving nuisance h323 calls; no IP address is displayed and it just says "cisco". We have received over 100 of these calls. As a workaround I have blocked all h323 on the firewall and only allowed a few IPs of known addresses that we use.

I tried to look in the logs of the SX20 to see if I could find the IP that was making the spam calls so I could block it, but I couldn't find anything useful in there. Is there a better way around this, as now I need to manually add an IP on the firewall every time they want to dial someone new?

 

Thanks

Accepted Solutions

Hello!

 

Yes, I noticed that in VCS logs as well.

Before the common scans were on sip/5060/udp.

The same issue you might have when SIP is exposed to the public, especially the udp port, but there are also scans on tcp and at one point there will be TLS as well.

It's like spam, the spammers adapt.

For now I would say, as you did, put it behind a firewall and only allow sources you really want to have communication with (which might not be ideal or even possible) or use a call control, like VCS or CUCM+Expressway, up front.

If you have your firewall up front you could log the IP addresses which try to do h323 and sip connections, and you could try to block them. But it's also just playing hide and seek; there are no common IPs used for scanning and anyhow you do not know where they scan from, as often compromised systems are used for these scans.

Some firewalls have geo-ip features, so you could block continents / countries / areas which you are not communicating with.

Anyhow, consider using a call control and do admission control there.

 

Please rate this posting using the stars below.

 

Please remember to rate helpful responses and identify
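An added example, not part of the original posts: one way to act on the suggestion above of logging the addresses that attempt H.323 and SIP connections, and to surface the fixed call interval reported later in the thread. The iptables-LOG-style line format, the allowlist, the assumed year and all addresses (documentation ranges) are constructed for illustration.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Signalling ports discussed in the thread: H.323 call setup and SIP (UDP, TCP, TLS).
SIGNALLING = {("TCP", 1720): "h323", ("UDP", 5060): "sip",
              ("TCP", 5060): "sip", ("TCP", 5061): "sip-tls"}
ALLOWED = [ip_network("198.51.100.0/28")]  # assumption: known far-end sites
YEAR = "2014"  # assumption: syslog timestamps carry no year
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) .*?SRC=(\S+) .*?PROTO=(\w+) .*?DPT=(\d+)")

# Constructed sample firewall log (not taken from the thread).
SAMPLE_LOG = """\
Nov 12 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41234 DPT=1720
Nov 12 10:02:30 fw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=1720
Nov 12 10:05:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41240 DPT=1720
Nov 12 10:07:11 fw kernel: IN=eth0 SRC=203.0.113.99 DST=192.0.2.10 PROTO=UDP SPT=5070 DPT=5060
Nov 12 10:10:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41251 DPT=1720
Nov 12 10:11:00 fw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443
"""

def unknown_callers(log_text, allowed=ALLOWED):
    """Summarise signalling attempts from sources outside the allowlist."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, src, proto, dpt = m.groups()
        service = SIGNALLING.get((proto, int(dpt)))
        if service is None or any(ip_address(src) in net for net in allowed):
            continue  # not a signalling port, or a known partner
        entry = seen.setdefault(src, {"services": set(), "times": []})
        entry["services"].add(service)
        entry["times"].append(datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S"))
    report = {}
    for src, entry in seen.items():
        times = sorted(entry["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[src] = {"services": sorted(entry["services"]), "attempts": len(times),
                       "median_gap_s": median(gaps) if gaps else None}
    return report

if __name__ == "__main__":
    for src, info in unknown_callers(SAMPLE_LOG).items():
        print(src, info)
```

A source that keeps hitting the signalling port at a steady median gap is automated scanning rather than a misdialled call, which helps decide what is worth adding to a block list.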

This issue has been raised in a few threads already, suggest you see:

https://supportforums.cisco.com/discussion/12336591/sourceh323idcisco-incomingcalls

/jens

Please rate replies and mark question(s) as "answered" if applicable.
6 REPLIES

New Member

I raised a ticket with TAC and he suggested to put my endpoints in a private network, to see if I continue to receive spam calls. This doesn't solve my problem. I think the quality of Cisco's reply is starting to fall.

I noticed the spam calls are coming at a 5-minute interval. Easily can get 100 calls in a day for each endpoint.

 

The only solution is to put it behind a VCS.E?

New Member

Thanks guys, there is no VCS-E or CUCM available in this instance so I guess there's no other choice right now apart from blocking everything like we have done.  

 

It's a minor inconvenience to add new IPs to the allowed list but not that bad as they don't make too many video calls to new destinations.

 

 

New Member

Hi Guys,

Please view the below link for the solution and for an up-to-date IP black list:

http://www.videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/

Thanks,

Ali Ibraheem

New Member

Thanks Ali, hope we hear some news from the vendors about this soon.
