403 Forbidden on Outbound INVITE

My SIP provider is BSNL Wings and I can’t find a way to place an outbound call. I get a 403 Forbidden error each time.

I used Dial(SIP/wings/${EXTEN}) to initiate the outgoing call. But I can’t succeed.

The service provider’s customer support isn’t any helpful as they have no clue about any of this. If any of you have integrated Wings with Asterisk or knows why I encounter a 403 error, please explain it to me and guide me on how to solve.

Could it be because I’m calling a mobile number but in debug, it says 94966XXXXX@some-ip-here? If that’s the problem, how do I remove the @ip part?

Please guide.
Thanking you in advance.

You should be using PJSIP for new installations.

The problem is that you have no IP part! You should normally include the sip.conf section name (pjsip.conf endpoint section name) in dialstring. You can include the provider’s domain name in the dialstring directly, but would not normally do so, and would normally need to include authentication data.

I am surprised you are getting 403, though. I would expect a log message about an all numeric destination, and a different status code. I’m wondering if you have configured the provider as an outbound proxy, as that is the only way I can see for the call ever to get out of Asterisk at all.

As provider denied or not helpful, I think you can try by looking capturing packets and checking 403 refusing causes.

According to ietf document it could know about refusing causes.

10.4.4 403 Forbidden The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

https://tools.ietf.org/html/rfc2616#section-10.4.4

I actually tried migrating to PJSIP. But then, I can only hear audio on one side on internal calls. Outbound registration did work, but I was neither able to place calls nor receive. I wrote a new PJSIP.conf from scratch and tried setting direct media to no and force rport to yes but to no avail.

I actually do have the section name, it was a typo in the original post. Sorry for that.
I still can’t place outbound calls. Inbound works smooth.

There are no causes mentioned, just a 403 Forbidden error.

<------------->
--- (7 headers 0 lines) ---

<--- SIP read from UDP:218.248.233.142:80 --->
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 13.127.140.40:5060;branch=z9hG4bK635002b4;rport
Call-ID: 5847ca2827b5b25c1f421ba10be1836b@kl.voip.ims.bsnl.in
From: <sip:+919188990155@kl.voip.ims.bsnl.in>;tag=as75ea8420
To: <sip:9496683053@218.248.233.142>;tag=sbc0511p33wokxk
CSeq: 102 INVITE
Content-Length: 0

<------------->

Also, I tried to dial like Dial(SIP/wings/${EXTEN}@some.ip.here), this is what I found while debugging:

To: sip:9496683053%4013.127.140.4@218.248.233.142

It better by capturing packet (tcpdump) and open with wireshark.

Going back to the IP part. That is the one part that you cannot remove in any SIP system, as it is mandatory in SIP URIs.

More generally, you need to provide the complete transaction for the INVITE, not just the final status. Even then, specific knowledge about the ITSP may be needed.

Audio is at 10160
Adding codec gsm to SDP
Adding codec ulaw to SDP
Adding codec alaw to SDP
Adding non-codec 0x1 (telephone-event) to SDP
Reliably Transmitting (NAT) to 218.248.233.142:80:
INVITE sip:9496683053@kl.voip.ims.bsnl.in SIP/2.0
Via: SIP/2.0/UDP 13.127.140.40:5060;branch=z9hG4bK1377eea3;rport
Max-Forwards: 70
From: sip:+919188990155@kl.voip.ims.bsnl.in;tag=as425d1849
To: sip:9496683053@kl.voip.ims.bsnl.in
Contact: sip:+919188990155@13.127.140.40:5060
Call-ID: 616c913e7928a2c4698a42157d293695@kl.voip.ims.bsnl.in
CSeq: 102 INVITE
User-Agent: Asterisk PBX 16.2.1~dfsg-2ubuntu1
Date: Tue, 30 Jun 2020 05:12:52 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces
Content-Type: application/sdp
Content-Length: 314

v=0
o=root 1926227073 1926227073 IN IP4 13.127.140.40
s=Asterisk PBX 16.2.1~dfsg-2ubuntu1
c=IN IP4 13.127.140.40
t=0 0
m=audio 10160 RTP/AVP 3 0 8 101
a=rtpmap:3 GSM/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv


-- Called SIP/wings/9496683053

<— SIP read from UDP:218.248.233.142:80 —>
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 13.127.140.40:5060;branch=z9hG4bK1377eea3;rport=5060
Call-ID: 616c913e7928a2c4698a42157d293695@kl.voip.ims.bsnl.in
From: sip:+919188990155@kl.voip.ims.bsnl.in;tag=as425d1849
To: sip:9496683053@kl.voip.ims.bsnl.in
CSeq: 102 INVITE
Content-Length: 0

<------------->
— (7 headers 0 lines) —

<— SIP read from UDP:218.248.233.142:80 —>
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 13.127.140.40:5060;branch=z9hG4bK1377eea3;rport
Call-ID: 616c913e7928a2c4698a42157d293695@kl.voip.ims.bsnl.in
From: sip:+919188990155@kl.voip.ims.bsnl.in;tag=as425d1849
To: sip:9496683053@kl.voip.ims.bsnl.in;tag=sbc05079i1393hp
CSeq: 102 INVITE
Content-Length: 0

<------------->
— (7 headers 0 lines) —
Transmitting (NAT) to 218.248.233.142:80:
ACK sip:9496683053@kl.voip.ims.bsnl.in SIP/2.0
Via: SIP/2.0/UDP 13.127.140.40:5060;branch=z9hG4bK1377eea3;rport
Max-Forwards: 70
From: sip:+919188990155@kl.voip.ims.bsnl.in;tag=as425d1849
To: sip:9496683053@kl.voip.ims.bsnl.in;tag=sbc05079i1393hp
Contact: sip:+919188990155@13.127.140.40:5060
Call-ID: 616c913e7928a2c4698a42157d293695@kl.voip.ims.bsnl.in
CSeq: 102 ACK
User-Agent: Asterisk PBX 16.2.1~dfsg-2ubuntu1
Content-Length: 0


This is the complete log. I can’t figure out anything from this. Could you please help me out?

As you haven’t been challenged for authentication, it seems likely that your request doesn’t identify you a a known customer.

But then I have successfully registered and am able to get incoming calls as well. So, my auth details isn’t the problem. Could it be something at the provider’s side?

I suppose they could be authenticating on IP only for the INVITEs. In which case, I would note that you use + in some URIs, but not in others.

There are always elements from both sides when you get a 403. You get it because you have breached some policy of the provider.

I really appreciate your quick response. You have been a great help.

<------------->
— (7 headers 0 lines) —

<— SIP read from UDP:218.248.233.142:80 —>
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 13.127.140.40:5060;branch=z9hG4bK78ff6371;rport
Call-ID: 148583680eec0db366bc720a46738c7a@kl.voip.ims.bsnl.in
From: sip:+919188990155@kl.voip.ims.bsnl.in;tag=as34691776
To: sip:+918974862888@kl.voip.ims.bsnl.in;tag=sbc05041rjxr8z0
CSeq: 102 INVITE
Content-Length: 0

<------------->

I did try adding + to it, but same 403 Forbidden error. I will try once again talking to my service provider.

I migrated to PJSIP, but now I can hear only one side audio on internal calls and I can neither place outgoing calls nor receive incoming calls from my service provider, although PJSIP says SIP registration happened successfully. What could be the reason?

One way audio is usually due to misconfiguration of firewalls or NAT.

There is insufficient information to speculate on the lack of incoming calls.

I have used sip_to_pjsip converter and haven’t changed anything in the file. Just made sure things were okay and ran the script after disabling chan_sip module.

NAT/Firewall config are all the same from SIP config. Audio was fine while in SIP as well but in PJSIP, it fails.

My second softphone is on the laptop which uses my mobile hotspot and the first softphone on the same phone. Could that be a problem?

And regarding the incoming calls. Nothing happens in the CLI, no logs nothing.

When I try to call, it just gets disconnected without even ringing for a minute.

Is the Contact header in the REGISTER request correct (domain name)?

Is the address in the Via headers correct?

Yes, the domain is correct.
What is a Via header?

https://tools.ietf.org/html/rfc3261#section-20.42

It is a mandatory header in all requests, so you could not have answered my question about the Contact header properly without seeing it.

My problem is with the provider, because two of my calls connected today and then from the 3rd one I got 403 Forbidden error again. Thank you for the help!