I am seeing this "SIP stack timer retransmit" every now and then in the log. Also I see this suspicious ip address that when I googled showed the following details:
184.108.40.206 --> Avast
220.127.116.11 --> Some ip in France described as in abuseipdb.com
I restricted both the ip with a subnet on my firewall but I still see these in the adtran logs. Any help is really appreciated.
Your firewall probably doesn't apply it to the "self" context, so it blocks traffic through the device but not to the device. Firewalling these attackers individually doesn't scale very well.
Create a standard access-list sip-access. include in it the IPs of the external SIP servers of your provider(s) as well as any internal subnets with SIP phones
Apply it to the SIP process.
ip access-list standard sip-access
permit 192.168.2.0 0.0.0.255 ! internal phone subnet
permit host 192.0.2.33 ! Provider's SIP server
sip access-class ip "sip-access" in