401 Unauthorized when receiving calls from providers

ghanou895 · September 22, 2021, 2:53pm

Hello,
I’m new to Asterisk and SIP telephony in general, trying to build a web Softphone,
I setup asterisk and added my WebRTC endpoints, so that I can make Local calls between them.

Now I just got a provider SIP account (Username/Password and server address…), My account works fine in other Softphones.

When I try to call to receive calls, I can see that mys server is receiving the INVITE request from the provider but then it returns a 401 Unauthorized Tried many solutions but nothing seems to work, since I’m new to the domain so I’m not sure how can I fix this

Here is the Log

<--- Received SIP request (1282 bytes) from UDP:196.41.228.32:5060 --->
INVITE sip:213982420090@192.168.1.18:5060 SIP/2.0
Via: SIP/2.0/UDP 196.41.228.32:5060;branch=z9hG4bK-524287-1---5db72d61b26cbcb56f87d93ea811d67b;rport
Via: SIP/2.0/UDP 196.41.228.115:5071;rport=5071;branch=z9hG4bK-ahbc4rmu3votu6zn
Max-Forwards: 69
Record-Route: <sip:196.41.228.32;lr;ep;pinhole=UDP:41.111.136.198:65476>
Contact: sip:196.41.228.115:5071
To: <sip:213982420090@196.41.228.32>
From: <sip:0556382997@196.41.228.32>;tag=UQJ44NLV6G2A3XRAM4RQ____.o
Call-ID: 3a64c388a15dac2@196.41.228.244~2o
CSeq: 450 INVITE
Expires: 300
Allow: INVITE, ACK, BYE, CANCEL, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS, UPDATE
Content-Disposition: session
Content-Type: application/sdp
User-Agent: PortaSIP
P-Asserted-Identity: <sip:0556382997@196.41.228.32>
Remote-Party-ID: <sip:0556382997@196.41.228.32>;party=calling
cisco-GUID: 3468086570-3909692268-1066052068-1066052068
h323-conf-id: 3468086570-3909692268-1066052068-1066052068
Content-Length: 310

v=0
o=PortaSIP 3299437597378171192 1 IN IP4 196.41.228.115
s=-
t=0 0
m=audio 60438 RTP/AVP 18 3 8 0 4 101
c=IN IP4 196.41.228.115
a=rtpmap:18 G729/8000/1
a=rtpmap:3 GSM/8000/1
a=rtpmap:8 PCMA/8000/1
a=rtpmap:0 PCMU/8000/1
a=rtpmap:4 G723/8000/1
a=rtpmap:101 telephone-event/8000/1
a=fmtp:101 0-15

<--- Transmitting SIP response (733 bytes) to UDP:196.41.228.32:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 196.41.228.32:5060;rport=5060;received=196.41.228.32;branch=z9hG4bK-524287-1---5db72d61b26cbcb56f87d93ea811d67b
Via: SIP/2.0/UDP 196.41.228.115:5071;rport=5071;branch=z9hG4bK-ahbc4rmu3votu6zn
Record-Route: <sip:196.41.228.32;lr;ep;pinhole=UDP:41.111.136.198:65476>
Call-ID: 3a64c388a15dac2@196.41.228.244~2o
From: <sip:0556382997@196.41.228.32>;tag=UQJ44NLV6G2A3XRAM4RQ____.o
To: <sip:213982420090@196.41.228.32>;tag=z9hG4bK-524287-1---5db72d61b26cbcb56f87d93ea811d67b
CSeq: 450 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1632322393/9bd16c297da55a8e6d03c87f5ad657d0",opaque="195c9a35060ce674",algorithm=md5,qop="auth"
Server: Asterisk PBX 18.4.0
Content-Length:  0


<--- Received SIP request (597 bytes) from UDP:196.41.228.32:5060 --->
ACK sip:213982420090@192.168.1.18:5060 SIP/2.0
Via: SIP/2.0/UDP 196.41.228.32:5060;branch=z9hG4bK-524287-1---5db72d61b26cbcb56f87d93ea811d67b;rport
Via: SIP/2.0/UDP 196.41.228.115:5071;rport=5071;branch=z9hG4bK-ahbc4rmu3votu6zn
Max-Forwards: 69
To: <sip:213982420090@196.41.228.32>;tag=z9hG4bK-524287-1---5db72d61b26cbcb56f87d93ea811d67b
From: <sip:0556382997@196.41.228.32>;tag=UQJ44NLV6G2A3XRAM4RQ____.o
Call-ID: 3a64c388a15dac2@196.41.228.244~2o
CSeq: 450 ACK
Allow: INVITE, ACK, BYE, CANCEL, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
User-Agent: PortaSIP
Content-Length: 0

Thanks in advance.

jcolp · September 22, 2021, 2:54pm

You’d need to show the actual configuration you are using.

david551 · September 22, 2021, 3:04pm

In particular, for chan_pjsip, which you should be using, you should only specify outbound authentication and for chan_sip, which you should be moving away from, you should use remotesecret, rather than secret (although you will see an older method, insecure=invite, in most examples on the internet, but those examples usually have lots of bad practice).

In general, service providers expect you to take them on trust, even though they will ask you to prove who you are.

ghanou895 · September 22, 2021, 3:12pm

Here is my config

pjsip.conf

;============================================
[transport-wss]
type=transport
protocol=wss
bind=0.0.0.0

[webrtc_client_1]
type=aor
max_contacts=2
remove_existing=yes

  
[webrtc_client_1]
type=auth
auth_type=userpass
username=webrtc_client_1
password=****
 
[webrtc_client_1]
type=endpoint
aors=webrtc_client_1
auth=webrtc_client_1
outbound_auth=icosnet
dtls_auto_generate_cert=yes
webrtc=yes
; Setting webrtc=yes is a shortcut for setting the following options:
; use_avpf=yes
; media_encryption=dtls
; dtls_verify=fingerprint
; dtls_setup=actpass
; ice_support=yes
; media_use_received_transport=yes
; rtcp_mux=yes
context=default
disallow=all
allow=opus,ulaw
direct_media=no


;==========================================  registration   ======================================================================

[transport-udp-nat]
type=transport
protocol=udp
bind=0.0.0.0

 
[icosnet]
type=registration
transport=transport-udp-nat
outbound_auth=icosnet
server_uri=sip:196.41.228.32
client_uri=sip:213982420090@196.41.228.32
contact_user=213982420090
retry_interval=60
 
[icosnet]
type=auth
auth_type=userpass
password=*********
username=213982420090

 
[icosnet]
type=aor
max_contacts=2
contact=sip:213982420090@196.41.228.32
 
[icosnet]
type=identify
endpoint=webrtc_client_1
match=196.41.228.32

here is the extensions.conf file

[default]
include => local-extensions
exten => 5098,1,Dial(PJSIP/webrtc_client_1,30)

exten => 213982420090,1,Dial(PJSIP/webrtc_client_1,30)

david551 · September 22, 2021, 3:20pm

You don’t have an endpoint [see Joshua’s response for why you are being challenged].

Incidentally, naming a transport as udp-nat, when it has no NAT settings, is confusing.

ghanou895 · September 22, 2021, 3:27pm

As I said, I’m a newbie to the domain tried setting up NAT, but I don’t really know how to do so,
I thought that if there is a network problem then I won’t receive any request,

david551 · September 22, 2021, 3:32pm

Wrong NAT settings will generally cause calls to break some time into the call, e.g. you might have no or one way audio, and the call might drop at 30 seconds, when retransmissions of response or ACK time out.

ghanou895 · September 22, 2021, 3:37pm

Got you, any suggestion on what I’m doing wrong here; as you said you have no endpoint, I didn’t understand what you mean, since my endpoint is configured and logged in from the softphone.

jcolp · September 22, 2021, 3:48pm

In PJSIP an endpoint section defines the configuration to use when talking to something remote (like an ITSP). You don’t have one for the ITSP, you have an identify section which says to use the configuration of a WebRTC client for talking to your ITSP, and it also says to challenge them for authentication. That’s probably not what is needed. The wiki has an example for an ITSP endpoint[1].

[1] res_pjsip Configuration Examples - Asterisk Project - Asterisk Project Wiki

ghanou895 · September 23, 2021, 7:54am

I got you, that was the issue, I needed an endpoint for the ITSP, the case is to close.

system · October 23, 2021, 7:55am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Asterisk returns 401 for correctly authenticated extensions when calling Asterisk SIP	7	1017	October 24, 2018
200 OK not coming after 401 Asterisk SIP	3	366	August 14, 2020
401 UnAuthorized Asterisk Support	4	233	July 23, 2007
Authentication behavior on incoming calls Asterisk SIP	9	51	September 11, 2024
Status code 401 unauthorized Asterisk Support	1	321	June 27, 2013

401 Unauthorized when receiving calls from providers

Related topics