Asterisk 18 PJSIP response Unauthorized 401 in a INVITE for a registered trunk

I have an Asterisk 18 PJSIP that response Unauthorized 401 in a INVITE for a registered trunk when receive calls.

Here is the settings:

[6430517999]
type=endpoint
transport=transport-udp
context=incoming
disallow=all
allow=ulaw,alaw
outbound_auth=6430517999
outbound_proxy=sip:187.50.251.28\;lr
from_domain=metapabx.vivo.net.br
aors=6430517999

[6430517999]
type=aor
contact=sip:6430517999@metapabx.vivo.net.br:5060
outbound_proxy=sip:187.50.251.28\;lr

[6430517999]
type=identify
match=187.50.251.28
endpoint=6430517999

[6430517999]
type=registration
client_uri=sip:<login>@metapabx.vivo.net.br
server_uri=sip:metapabx.vivo.net.br
outbound_auth=6430517999
outbound_proxy=sip:187.50.251.28\;lr
retry_interval=60
contact_user=6430517999

[6430517999]
type=auth
auth_type=userpass
username=6430517999
password=password

The trunk is registered, but when it receives calls return 401 “Unauthorized” as bellow:

    -- Contact 100940102/sip:100940102@179.253.236.81:36813;x-ast-orig-host=10.20.30.4:5066 is now Unreachable.  RTT: 0.000 msec
<--- Received SIP request (1007 bytes) from UDP:187.50.251.28:5060 --->
INVITE sip:6430517999@53.67.67.45:5060 SIP/2.0
Via: SIP/2.0/UDP 187.50.251.28:5060;branch=z9hG4bK+0f4f2effab344b09e6994efe6e1c9c3e1+sip+4+affb3393
From: <sip:19999901569@metapabx.vivo.net.br>;tag=187.50.251.28+4+1e453818+77260d8f
To: <sip:6430517999@metapabx.vivo.net.br>
CSeq: 1056043366 INVITE
Expires: 180
Content-Length: 173
Call-Info: <sip:187.50.251.28:5060>;method="NOTIFY;Event=telephone-event;Duration=2000"
Supported: resource-priority,siprec
Contact: <sip:bc09e2ebe56528149443df48b9545573@187.50.251.28:5060>
Content-Type: application/sdp
Allow-Events: message-summary,refer,dialog,line-seize,presence,call-info,as-feature-event,calling-name,ua-profile
Call-ID: 0gQAAC8WAAACBAAALxYAADwFnoyIm9FMzuTXazy9x1kCi4rC76KM3a5xa3Mg/Uww@187.50.251.28
Max-Forwards: 59
Accept: application/sdp, application/dtmf-relay

v=0
o=- 78681103284218 78681103284218 IN IP4 187.50.251.28
s=-
c=IN IP4 187.50.251.28
t=0 0
m=audio 22570 RTP/AVP 8 101
a=rtpmap:101 telephone-event/8000
a=ptime:20

<--- Transmitting SIP response (647 bytes) to UDP:187.50.251.28:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 187.50.251.28:5060;rport=5060;received=187.50.251.28;branch=z9hG4bK+0f4f2effab344b09e6994efe6e1c9c3e1+sip+4+affb3393
Call-ID: 0gQAAC8WAAACBAAALxYAADwFnoyIm9FMzuTXazy9x1kCi4rC76KM3a5xa3Mg/Uww@187.50.251.28
From: <sip:19999901569@metapabx.vivo.net.br>;tag=187.50.251.28+4+1e453818+77260d8f
To: <sip:6430517999@metapabx.vivo.net.br>;tag=z9hG4bK+0f4f2effab344b09e6994efe6e1c9c3e1+sip+4+affb3393
CSeq: 1056043366 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1713493301/04374a3e70b4096eb242776aa9184f8d",opaque="70954d2c55512c9c",algorithm=MD5,qop="auth"
Server: Ligmee
Content-Length:  0


<--- Received SIP request (484 bytes) from UDP:187.50.251.28:5060 --->
ACK sip:6430517999@53.67.67.45:5060 SIP/2.0
Via: SIP/2.0/UDP 187.50.251.28:5060;branch=z9hG4bK+0f4f2effab344b09e6994efe6e1c9c3e1+sip+4+affb3393
From: <sip:19999901569@metapabx.vivo.net.br>;tag=187.50.251.28+4+1e453818+77260d8f
To: <sip:6430517999@metapabx.vivo.net.br>;tag=z9hG4bK+0f4f2effab344b09e6994efe6e1c9c3e1+sip+4+affb3393
CSeq: 1056043366 ACK
Content-Length: 0
Call-ID: 0gQAAC8WAAACBAAALxYAADwFnoyIm9FMzuTXazy9x1kCi4rC76KM3a5xa3Mg/Uww@187.50.251.28
Max-Forwards: 59

Can anyone helps?

Add this IP address to your identify section as well: 187.50.251.28, and then try again.

@ambiorixg12 I changed, same issue.

The difference is that before the Asterisk is logging in console the message bellow, actually doesn’t do that anymore, but I can see the 401 with debug mode.

[Apr 19 10:01:08] NOTICE[741877]: res_pjsip/pjsip_distributor.c:673 log_failed_request: Request ‘INVITE’ from ‘sip:19999901569@metapabx.vivo.net.br’ failed for ‘187.50.251.28:5060’ (callid: 0gQAAC8WAAACBAAALxYAALuIIlkwDU+ztlpjWzKKg26NuHVxmSdh5MuQqFGGHInj@187.50.251.28) - No matching endpoint found

I was comparing this scenario with other trunk we have that works well.

The unique difference is the “To” field another trunks request arrived with our IP “53.67.67.45” and in this scenario the invite arrive as “metapabx.vivo.net.br”. Is it possible ignore the validation on this step, or change the domain to server IP?

To: sip:6430517999@metapabx.vivo.net.br

These other trunks doesnt require authentication.

Asterisk doesn’t use the To header except for registrations (and then it only, normally, uses the user part), or when explicitly read by user code.

Also, this is not a validation problem. It has failed to identify the endpoint, and, until you identify an endpoint, you cannot validate it.

For some reason, your type=identify section appears to be failing. Are you trying to use a minimal set of modules? You may have failed to load the module that matches by IP address.

Well, One point, I am using realtime…

And we have others trunks working perfectly, the difference is these others doesn’t use auths.

The error is failed to identify, not authentication error. Also the only authentication settings you have, in the information you have provided here, are outbound ones, and this is an inbound call.

The reason you are getting a 401 is so that an attacker cannot tell the difference between an unknown caller and a known one with the wrong password. chan_sip had an always_auth_reject one, that caused this behaviour, rather than a more explicit rejection reason, although there would still be rejections, unless you allowed guest callers. I’m not sure if chan_pjsip has an option; it may always send 401 to callers who don’t match anything.

It is sending authentication required when it really means you are not a permitted caller.

@david551 It doesn’t have a toggle for it, it always behaves this way.

This issue was solved, I was filling the field auth of the section endpoint, that was not sending in my settings in the post (It happens because in my tests I changed the params many times).

Thank you to all.

Now I have an issue to make calls, but I will open another topic, if necessary.