A number of external callers cannot connect. Is this related to "blocked UAs"?

Discussion in '3CX Phone System - General' started by Colddevil, Oct 7, 2016.

Thread Status:
Not open for further replies.
  1. Colddevil

    Joined:
    Jun 14, 2016
    Messages:
    13
    Likes Received:
    0
    For the most part, my 3CX installation has been going very well. However, I am getting complaints from some of our customers that they are unable to connect to our number. I have not been able to replicate the scenario on my own devices, but I am told it simply does not connect to anything--I've requested more detailed information on the behaviour, so I can add it here when I get it.

    I have been watching the logs, and the thing that is giving me a whole lot of confusion is these constant "User Agent-VaxSIPUserAgent/3.1 from <my gateway internal IP> because it is on blocked UAs List".

    I know some of the numbers that are unable to connect; however, I cannot find them in the logs at all. What does the above message/warning mean exactly? Is there a way I can find out what exactly it is blocking? I can't find much information on this at all.

    I don't have anything on my blacklist besides adding an "Allow" action for IPs on my internal network.

    This is just a snippet of code where these things pop up.
    Code:
    07-Oct-2016 09:58:50.147   PBX has dropped a message with 'User-Agent: VaxSIPUserAgent/3.1' from IP <INTERNAL GATEWAY IP> because it is on blocked UAs list
    07-Oct-2016 09:58:39.235   Currently active calls - 2: [4205,4207]
    07-Oct-2016 09:58:22.321   PBX has dropped a message with 'User-Agent: VaxSIPUserAgent/3.1' from IP <INTERNAL GATEWAY IP> because it is on blocked UAs list
    07-Oct-2016 09:58:09.089   Currently active calls - 2: [4205,4207]
    07-Oct-2016 09:57:37.078   Currently active calls - 2: [4205,4207]
    07-Oct-2016 09:57:34.711   PBX has dropped a message with 'User-Agent: VaxSIPUserAgent/3.1' from IP <INTERNAL GATEWAY IP> because it is on blocked UAs list
    07-Oct-2016 09:57:32.504   [CM503007]: Call(C:4207): Line:10003>>14145072282 has joined, contact <sip:<MAIN NUMBER>@10.1.240.9:5060>
    07-Oct-2016 09:57:32.503   [CM503007]: Call(C:4207): Extn:114 has joined, contact <sip:114@<INTERNAL GATEWAY IP>88:5060>
    07-Oct-2016 09:57:32.502   L:4207.2[Line:10003>><EXTERNAL NUMBER>] has joined to L:4207.1[Extn]
    07-Oct-2016 09:57:32.502   NAT/ALG check:L:4207.2[Line:10003>><EXTERNAL NUMBER>] RESPONSE 200 on 'INVITE' - basic check passed. No information for extended checks
    
    Does anybody know if this would be related to some customers (external numbers) reporting that they cannot connect to our phone number? If these VaxSIPUserAgent/3.1 blocked UA messages are unrelated, is there any way to find out what is causing the drops?

    Thanks for reading.
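
Added example, not part of the original thread and not 3CX code: a small parser for the "blocked UAs list" drop lines quoted above that groups drops by User-Agent and source IP. The sample log is constructed (10.1.240.1 is the address quoted later in the thread, 203.0.113.7 is a documentation address), and the function name and the reading that an RFC 1918 source means the gateway rewrote the sender's address are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Message format taken from the log lines quoted in the thread.
DROP_RE = re.compile(
    r"^\s*(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"PBX has dropped a message with 'User-Agent: (?P<ua>[^']*)' "
    r"from IP (?P<ip>\S+) because it is on blocked UAs list"
)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the same layout as the thread's log excerpt.
SAMPLE_LOG = """\
07-Oct-2016 09:58:50.147   PBX has dropped a message with 'User-Agent: VaxSIPUserAgent/3.1' from IP 10.1.240.1 because it is on blocked UAs list
07-Oct-2016 09:58:39.235   Currently active calls - 2: [4205,4207]
07-Oct-2016 09:58:22.321   PBX has dropped a message with 'User-Agent: VaxSIPUserAgent/3.1' from IP 10.1.240.1 because it is on blocked UAs list
07-Oct-2016 09:57:34.711   PBX has dropped a message with 'User-Agent: VaxSIPUserAgent/3.1' from IP 203.0.113.7 because it is on blocked UAs list
"""

def summarize_drops(log_text):
    """Group blocked-UA drops by (User-Agent, source IP) with count and time range."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = DROP_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            groups[(m["ua"], m["ip"])].append(ts)
    report = []
    for (ua, ip), stamps in sorted(groups.items()):
        try:
            addr = ip_address(ip)
            internal = any(addr in net for net in RFC1918)
        except ValueError:
            internal = None  # redacted or malformed address in the log
        report.append({"ua": ua, "ip": ip, "count": len(stamps),
                       "first": min(stamps), "last": max(stamps),
                       "source_is_internal": internal})
    return report

if __name__ == "__main__":
    for row in summarize_drops(SAMPLE_LOG):
        # Assumption: an RFC 1918 source means the original sender is only in the gateway log.
        note = "internal source, check gateway log" if row["source_is_internal"] else "external source"
        print(row["count"], row["ua"], row["ip"], row["first"], row["last"], note)
```

The first and last timestamps of each group give the window to search in the gateway or firewall log when the PBX only records the gateway's own address.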
     
  2. ian.watts

    ian.watts Active Member

    Joined:
    Apr 8, 2011
    Messages:
    532
    Likes Received:
    0
    Not likely.

    I believe the UAs which get blocked are known spammy/hacky user agents.
    It would be akin to crafting your web host to block the "Googlebot" User-Agent (though robots.txt would work fine..).

    Thus.. I don't think vaxsipuseragent is something in play for you. It certainly isn't the 3CX user agent.. you may want to capture some info from incoming INVITEs from your SIP trunk provider to verify what theirs is.. or contact them.
    Again.. not likely. Possible.
     
  3. Colddevil

    Joined:
    Jun 14, 2016
    Messages:
    13
    Likes Received:
    0
    I think you're right about the blocked UA's. I was watching the traffic on the gateway, and there appears to be a handful of IPs I've never seen that are trying to connect over port 5060. Checking blacklists I've found that other people have complained about them in the past.

    The following message makes it appear as if it is 3CX that has a blocked UAs list. These packets wouldn't be passing through the TWC SBC.
    "PBX has dropped a message with User-Agent:VaxSIPUserAgent from IP 10.1.240.1 because it is on blocked UAs list".

    I think I'll need to be able to duplicate the scenario of somebody not being able to connect in order to properly try to diagnose it. If it's on the green side of this sketch I should be able to fix it. If it's on the right, nope. About 95% of the time everything works fine--but I was hoping that something like a blacklist that the person inadvertently ended up on was the cause of the drops.
    [​IMG]
     
  4. ian.watts

    ian.watts Active Member

    Joined:
    Apr 8, 2011
    Messages:
    532
    Likes Received:
    0
    I'm at a loss.. based on your diagram, are you expecting VOIP to be delegated with that SBC alone for your trunk/provider? If so, shouldn't your firewall just be outright blocking all SIP, then? And, if that's done, you shouldn't see any more requests coming in from the left.

    I have been leveraging the tunnel more.. limiting inbound SIP to my trunk provider(s), but leaving RTP and the tunnel pretty much open (have considered ARIN-only addresses for those..). Seems that solid connections or even 4G on a smartphone seems to hold up at this point. Haven't set to encrypt.. not quite that paranoid yet.
     
  5. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,375
    Likes Received:
    231
    The only reason that you'd be getting any hack attempts (from the left side) is if you have port 5060 open (forwarded to the 3CX server). You'd only have to do that if you had another VoIP provider, or used any remote extensions. If you find that any internal IPs show as being blocked from time to time (I found that on occasion with some ATAs, failed registration), you can always white-list them.
     
  6. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    2,978
    Likes Received:
    183
    I read in the OP question that he has his internal network on the ALLOW blacklist (basically Whitelisted).
    I was once told that this is a bad idea...

    I don't think this has to do with calls not getting thru - but found it interesting.

    I would get the TWC and see if they have any logs that show those "blocked" calls... and what the reply from their system or your 3cx was.
     
  7. anjanavj

    Joined:
    Jun 28, 2016
    Messages:
    7
    Likes Received:
    0
    Thanks a lot!
     
  8. lneblett

    lneblett Well-Known Member

    Joined:
    Sep 7, 2010
    Messages:
    2,061
    Likes Received:
    56
    I do not believe that the attempted hacks on the system have anything to do with clients not being able to reach you.

    I am a little confused as I see the email address in use indicates India; yet the service "TWC" would normally indicate a cable company SIP provider called "Time Warner Cable" in the US (will be known as Spectrum going forward). They sell single call path SIP trunks, so I guess the first question is how many trunks have you purchased and how many simultaneous calls can your PBX handle (which version and edition)? TWC provides a user portal by which you can manage the trunks so as to accommodate or limit various features. They also usually include some number of DIDs as a package. You may need to review what is actually on the TWC account and how it is set up. It could be as simple as your customers using a DID that has not been adequately set up within 3CX or a limit on the trunks.

    It is somewhat problematic to solve a sporadic problem when no real details are known, so the best bet is to start at the beginning and ensure the setup is correct. If you know the callerID of any of the customers and can get a date and approximate time, you could run reports to see if they show up or use the 3CX Log Viewer utility as it may provide more detail.
    http://www.3cx.com/blog/docs/3cx-log-viewer/

    If none of the above reveals anything, then a call to TWC may be in order, but they too will need some details in order to do a search. I have used TWC in the past without any issues.
     