ShoreTel Switches Rebooting/Crashing/Stop Processing Calls Until Rebooted


Examples of the issue:

This may be due to the customer running port scans against the ShoreTel switches. The ShoreTel switches are not designed to be port scanned, and all ShoreTel devices should be exempt from any port scans being run.

To determine if the customer is running a port scan on ShoreTel devices:

  1. Telnet or SSH to the switch.

  2. From the menu, type gotoshell to get to the --> prompt.

  3. If this is a Virtual switch or VMB switch, enter trace_redirect 1 at the --> prompt to display the output.

  4. Log the output to a log file using PuTTY.

  5. Search the PuTTY log for the following output:

telnetd: telnet not enabled for address 0xac1b690e
stelshark: Command Rcvd = stop
stelshark: Stop
sshd_session_task(0x591b6a4) : enter
ssh_handle_key_exchange: Invalid session state : session->session_state=9
issuing a stelshark stop signal internally

If you see this output in the logs, then the customer is running a port scan.
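
The log search in step 5 can be scripted. The Python below is an added example, not ShoreTel tooling: it counts the indicator lines from the excerpt above in a saved PuTTY log and decodes the hex value in the telnetd line, assuming it is an IPv4 address written high octet first. The indicator names, function names, the two-indicator heuristic and the sample log are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Indicator lines from the article's log excerpt; the dictionary keys are
# names made up for this example.
INDICATORS = {
    "telnet_refused": re.compile(
        r"telnetd: telnet not enabled for address (0x[0-9a-fA-F]{1,8})\b"),
    "stelshark_stop": re.compile(r"stelshark: (?:Command Rcvd = stop|Stop)\b"),
    "ssh_session": re.compile(r"sshd_session_task\(0x[0-9a-fA-F]+\) : enter"),
    "ssh_bad_state": re.compile(
        r"ssh_handle_key_exchange: Invalid session state"),
}

# Constructed sample: the excerpt's lines plus one repeated telnetd line.
SAMPLE_LOG = """\
telnetd: telnet not enabled for address 0xac1b690e
stelshark: Command Rcvd = stop
stelshark: Stop
sshd_session_task(0x591b6a4) : enter
ssh_handle_key_exchange: Invalid session state : session->session_state=9
telnetd: telnet not enabled for address 0xac1b690e
"""

def hex_to_ipv4(value):
    """Assumption: the hex value is an IPv4 address, high octet first."""
    return str(ipaddress.IPv4Address(int(value, 16)))

def scan_log(lines):
    """Return (indicator counts, decoded telnetd addresses) for a log."""
    hits, addresses = Counter(), Counter()
    for line in lines:
        for name, pattern in INDICATORS.items():
            match = pattern.search(line)
            if match is None:
                continue
            hits[name] += 1
            if name == "telnet_refused":
                addresses[hex_to_ipv4(match.group(1))] += 1
    return hits, addresses

def scan_suspected(hits):
    """Example heuristic: refused telnet plus an aborted SSH key exchange."""
    return hits["telnet_refused"] > 0 and hits["ssh_bad_state"] > 0

if __name__ == "__main__":
    hits, addresses = scan_log(SAMPLE_LOG.splitlines())
    print(dict(hits), dict(addresses), scan_suspected(hits))
```

To run it against a real capture, pass the open PuTTY log file to scan_log in place of the sample lines. The decoded addresses can then be compared against the addresses seen in the packet capture.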

Correct the issue by excluding the ShoreTel devices from the scan and monitor. 

To further verify, you can run a packet capture to confirm there is a scan running. You will see multiple requests (most of the time telnet or SSH) originating from the same IP address. If you open the packets, you will see that every packet has a different port number; this is how you know they are scanning the switch.

ShoreTel Dates

Created Date 2017-01-16 - Modified Date 2017-01-16

Article: 000012720