403 Unauthorized

I am upgrading my BSD box (which Asterisk runs on), and ran into this problem. All SIP calls get a 403 response from the Asterisk server.

The SIP conversation between the client (C) and the Asterisk server (S) goes like this:

C->S: Invite
S->C: 401 Unauthorized
C->S: ACK
C->S: Invite with Digest Authorization
S->C: 403 Forbidden
C->S: ACK

It puzzled me. All the configuration files are the same as they were before the upgrade of my BSD box. I don’t remember what version of Asterisk I was running before the upgrade. But now (after upgrading my OS) I have tried both Asterisk 1.8 and 11 (with the same configuration files), and they both gave the same 403.

My current guess is that it must be some simple setting I forgot to do. Could anyone here point me in the right direction or tell me how I can find the log to trace what triggered the 403? Your help is very much appreciated.

Hi

I am not sure, but you can check the allowed IPs in the sip.conf configuration.
I got the same issue. I did "permit = X.X.X.X/X.X.X.X"; the X’s here are the range of IP addresses you need to register.
Reload SIP after the configuration.

Thanks for the idea, Monk.

I have just tried to set both lines (I tested by calling from one extension to another) with “permit=0.0.0.0/0.0.0.0”. I still got the same SIP exchange.

I can see the setting has already taken effect at “sip show peers”, as both extensions now have an “A” under “ACL”. It was not there before. By the way, both extensions are registered fine with Asterisk. So it has got to be another simple setting I need to fix.

Any more ideas? Thanks a lot.

By the way, I have captured the register exchanges between my extension (C) and the Asterisk server (S). It went well.

C->S: REGISTER
S->C: 401 Unauthorized
C->S: REGISTER with DIGEST Authentication
S->C: 200 OK (to C REGISTER)
S->C: OPTIONS
C->S: 200 OK (to S OPTIONS)
S->C: NOTIFY
C->S: 200 OK (to S NOTIFY)

So at least we know the DIGEST authentication works alright. The client registration works alright. It is only the call INVITE that somehow does not work.

Any way to do a closer trace or log? Thanks.

I have managed to solve the problem. The simple answer is that there is no RTP module loaded. For some reason, Asterisk on this version of BSD is built without RTP, so the module has to be loaded (to be specified in modules.conf). Here are more details on how I figured it out, and hopefully they will help others with similar problems later.

The first thing is to get to the log. That seems obvious, but it puzzled me for some time. Somehow just “asterisk -rvvvvvv” won’t show me any error message at all. “sip set debug on” gives me the SIP trace I posted earlier, but it did not tell me why it is responding with 403. After some reading I figured out that the level of detail in the log is not just controlled by the verbose level, but also by a configuration file (logger.conf). Changing a line to “console => notice,warning,error,debug” will show me the debug info on the console. I think there is a command-line option to do that too.

Once there, I reconnected with “-rvvvvvv”, repeated the dialing process, and I got a “No RTP engine was found” message. Aha, that is the problem! “module show” gives me the modules that are loaded, verifying no RTP. In my module directory (/usr/local/lib/asterisk/modules on BSD), there are two RTP modules (res_rtp_asterisk.so and res_rtp_multicast.so). I hand-loaded it with “module load res_rtp_asterisk.so”, and repeated the test. It works!

In my setting, to conserve resources I specify the exact modules to be loaded in my modules.conf instead of using “autoload = yes”. It worked before, but for some reason this version does not have RTP built in, and hence the trouble.

Hope it helps. Thanks.
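The check described in the post above, as an added example that is not part of the original thread: a small Python script that reads a modules.conf and reports whether res_rtp_asterisk.so would be loaded. The sample configuration is constructed, and the script assumes that a missing "autoload" line means autoload is off and that "noload" takes precedence over "load"; it does not check that the module file exists on disk.

```python
import re

RTP_ENGINE = "res_rtp_asterisk.so"  # module the poster loaded by hand

def parse_modules_conf(text):
    """Return (autoload, loaded, blocked) for the [modules] section."""
    # Assumption: autoload is treated as off unless explicitly enabled.
    autoload, loaded, blocked, section = False, set(), set(), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if not line:
            continue
        head = re.fullmatch(r"\[([^\]]+)\]", line)
        if head:
            section = head.group(1).strip().lower()
            continue
        item = re.fullmatch(r"(\w+)\s*=>?\s*(\S+)", line)
        if section != "modules" or not item:
            continue
        key, value = item.group(1).lower(), item.group(2)
        if key == "autoload":
            autoload = value.lower() in ("yes", "true", "y", "t", "on", "1")
        elif key in ("load", "preload", "require"):
            loaded.add(value)
        elif key == "noload":
            blocked.add(value)
    return autoload, loaded, blocked

def rtp_engine_status(text, engine=RTP_ENGINE):
    """Classify how (or whether) the RTP engine module gets loaded."""
    autoload, loaded, blocked = parse_modules_conf(text)
    if engine in blocked:   # assumption: noload wins over load/autoload
        return "blocked"
    if engine in loaded:
        return "explicit"
    return "autoload" if autoload else "missing"

# Constructed sample: explicit module list that omits the RTP engine.
BROKEN = """
[modules]
autoload = no
load => chan_sip.so        ; constructed module list
load => pbx_config.so
"""
FIXED = BROKEN + "load => res_rtp_asterisk.so\n"

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, rtp_engine_status(conf))
```

A result of "missing" or "blocked" corresponds to the “No RTP engine was found” condition described in the post.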

Hi
Sharing the solution always helps.

One thing to note here: if you are expecting heavy traffic on your server, then to boost performance you should comment out the notice and warning levels and keep only the error setting in logger.conf (when in production).