Asterisk 11.22.0: False "Digest username" in Re-INVITE after session-timer expiry with "auth"

Hello,

We have a problem regarding Re-INVITEs in combination with the sip.conf option “auth” and the standard session-timer option.
The provider's session-timer is 900 seconds on inbound calls. So every 900 seconds Asterisk sends a Re-INVITE to the provider, but with false credentials.

The peer in the sip.conf looks like this:

[+497216806xxx]
type=friend
defaultuser=+497216806xxx
secret=PASSWORD
context=Line-incoming
host=tel.t-online.de
dtmfmode=rfc2833
auth=AUTHUSER@t-online.de:PASSWORD@tel.t-online.de
canreinvite=no
disallow=all
allow=alaw
insecure=port,invite
fromdomain=tel.t-online.de
port=5060
qualify=no
outboundproxy=tel.t-online.de
disableexternip=no
transport=udp
encryption=no
discard_remote_hold_retrieval=yes

Here is the call flow of the Re-INVITE after session timer expired:

INVITE sip:sgc_c@217.0.23.4;transport=udp SIP/2.0
Via: SIP/2.0/UDP 192.168.0.97:5060;branch=z9hG4bK04181367
Route: <sip:217.0.23.4;transport=udp;lr>
Max-Forwards: 70
From: <sip:+497216806xxx@tel.t-online.de;user=phone>;tag=as437924be
To: <sip:+49721151xxx@ims.colt.net;user=phone>;tag=h7g4Esbg_p65542t1468846063m825089c72124823s1_1608339498-1953559433
Contact: <sip:6806xxx@192.168.0.97:5060>
Call-ID: p65542t1468846063m825089c72124823s2
CSeq: 102 INVITE
User-Agent: STARFACE PBX
Session-Expires: 1800;refresher=uac
Min-SE: 90
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
X-asterisk-Info: SIP re-invite (Session-Timers)
Content-Type: application/sdp
Content-Length: 228


ACK sip:sgc_c@217.0.23.4;transport=udp SIP/2.0
Via: SIP/2.0/UDP 192.168.0.97:5060;branch=z9hG4bK04181367
Route: <sip:217.0.23.4;transport=udp;lr>
Max-Forwards: 70
From: <sip:+497216806xxx@tel.t-online.de;user=phone>;tag=as437924be
To: <sip:+49721151xxx@ims.colt.net;user=phone>;tag=h7g4Esbg_p65542t1468846063m825089c72124823s1_1608339498-1953559433
Contact: <sip:6806xxx@192.168.0.97:5060>
Call-ID: p65542t1468846063m825089c72124823s2
CSeq: 102 ACK
User-Agent: STARFACE PBX
Content-Length: 0


INVITE sip:sgc_c@217.0.23.4;transport=udp SIP/2.0
Via: SIP/2.0/UDP 192.168.0.97:5060;branch=z9hG4bK45141d17
Route: <sip:217.0.23.4;transport=udp;lr>
Max-Forwards: 70
From: <sip:+497216806xxx@tel.t-online.de;user=phone>;tag=as437924be
To: <sip:+49721151xxx@ims.colt.net;user=phone>;tag=h7g4Esbg_p65542t1468846063m825089c72124823s1_1608339498-1953559433
Contact: <sip:6806xxx@192.168.0.97:5060>
Call-ID: p65542t1468846063m825089c72124823s2
CSeq: 103 INVITE
User-Agent: STARFACE PBX
Session-Expires: 1800;refresher=uac
Min-SE: 90
Proxy-Authorization: Digest username="07216806xxx", realm="tel.t-online.de", algorithm=MD5,     uri="sip:192.168.0.97", nonce="E9F6CCC889D38C57000000008FC36E0B", response="fd89d92fac1b23627352882275906a54", qop=auth, cnonce="2ed7590d", nc=00000001
Date: Mon, 18 Jul 2016 13:02:54 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 228


SIP/2.0 403 Forbidden 02035030B
Via: SIP/2.0/UDP 192.168.0.97:5060;received=91.19.9.146;branch=z9hG4bK45141d17
To: <sip:+49721151xxx@ims.colt.net;user=phone>;tag=h7g4Esbg_p65542t1468846063m825089c72124823s1_1608339498-1953559433
From: <sip:+497216806xxx@tel.t-online.de;user=phone>;tag=as437924be
Call-ID: p65542t1468846063m825089c72124823s2
CSeq: 103 INVITE
Content-Length: 0

As you can see, the “Digest username” in Proxy-Authorization is the username in sip.conf and not the auth:

Proxy-Authorization: Digest username="07216806xxx", realm="tel.t-online.de", algorithm=MD5, uri="sip:192.168.0.97", nonce="E9F6CCC889D38C57000000008FC36E0B", response="fd89d92fac1b23627352882275906a54", qop=auth, cnonce="2ed7590d", nc=00000001

In the INVITE in outbound calls, the Proxy-Authorization would look like this:

Proxy-Authorization: Digest username="AUTHUSER@t-online.de", realm="tel.t-online.de", algorithm=MD5, uri="sip:192.168.0.97", nonce="E9F6CCC889D38C57000000008FC36E0B", response="fd89d92fac1b23627352882275906a54", qop=auth, cnonce="2ed7590d", nc=00000001

Is this a bug or is there an error in sip.conf?

Our workaround is to set the option session-timer=refuse, but that doesn’t seem to be the right solution.

Thanks.

Best regards,
Norman

Has anyone experienced the same problem and can provide a solution?
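To check a capture for the mismatch described in the post, the following added example (not part of the original post and not Asterisk code) compares the Digest username in each Authorization or Proxy-Authorization header with the user from the peer's `auth=` value for the same realm. The function names are hypothetical, the sample requests are constructed from the headers quoted above, and splitting the `auth=` value at the last `@` is an assumption made so that the user part may itself contain `@`.

```python
import re

# Constructed sample requests: header values taken from the post, the rest trimmed.
REINVITE = (
    "INVITE sip:sgc_c@217.0.23.4;transport=udp SIP/2.0\r\n"
    "CSeq: 103 INVITE\r\n"
    'Proxy-Authorization: Digest username="07216806xxx", realm="tel.t-online.de", '
    'algorithm=MD5, uri="sip:192.168.0.97", qop=auth, nc=00000001\r\n\r\n'
)
OUTBOUND = REINVITE.replace("07216806xxx", "AUTHUSER@t-online.de")

_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')
_AUTH_HEADERS = ("authorization", "proxy-authorization")


def parse_auth_entry(value):
    """Return (user, realm) from a sip.conf auth= value 'user:secret@realm'.

    The secret is discarded on purpose so it never reaches logs or reports.
    """
    creds, at, realm = value.rpartition("@")   # realm follows the LAST '@'
    user, colon, _secret = creds.partition(":")
    if not at or not colon or not user or not realm:
        raise ValueError("expected user:secret@realm")
    return user, realm


def parse_digest(header_value):
    """Parse the parameters of a Digest credentials header into a dict."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(rest)}


def check_request(raw_request, auth_entries):
    """Return (realm, sent_username, expected_username) for every mismatch."""
    expected = {realm: user for user, realm in auth_entries}
    findings = []
    for line in raw_request.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() not in _AUTH_HEADERS:
            continue
        digest = parse_digest(value)
        realm, sent = digest.get("realm"), digest.get("username")
        if realm in expected and sent != expected[realm]:
            findings.append((realm, sent, expected[realm]))
    return findings
```
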