Hello everyone
I have two Asterisk servers that I am trying to trunk together following this guide:
http://www.asteriskdocs.org/en/2nd_Edition/asterisk-book-html-chunk/connecting_two_asterisk.html
Our two servers are “pbx” and “lab”.
PBX is Asterisk certified/13.18-cert3
Lab is Asterisk 16.8.0-rc2
Relating to the guide, the “pbx” server mirrors “toronto” and the “lab” server mirrors “osaka”.
In our deployment the pbx server has a Digium card installed. We are trying to create a bidirectional SIP trunk from the PSTN <-> pbx <-> lab.
Calls flow as expected from the lab outbound to the PSTN. When a call is placed inbound on the PBX to the Lab we receive a 403 forbidden. Note digest username=“s” in the Authorization line of the SDP. We can’t figure out why the PBX side is sending “s” as the username.
It seems the inbound identity is being attempted instead of the peer specified in the Dial() as evidence by the phrasing of the error:
Failed to authenticate device sip:mynumber@pbxIP;tag=as37a8e715
In the reverse case we see the correct username line supplied as we’d expect from the documentation.
The username should be the one in the register => peer:secret@host/username
Notice that at the end of the registration line we tag on a forward slash and the username of the remote Asterisk box? What this does is tell the remote Asterisk box what digest name to use when it wants to set up a call. If you forget to add this, then when the far end tries to send you a call, you’ll see the following at your Asterisk CLI:
[Apr 22 18:52:32] WARNING[23631]: chan_sip.c:8117 check_auth: username mismatch,
have <toronto>, digest has <s>
The linked document is one of the only hits for the mentioned error.
What have we tried?
-
Changing types of the SIP objects from peers to friends
-
Supplying an auth= line in the [authorization] section.
-
Supplying an auth= line in the pbx peer sip.conf
– sip reload informs us the auth= line expects: Format for authentication entry is user[:secret]@realm at line 2313
– Supplying an authentication like lab:welcome@pbxIp doesn’t change the digest username -
Supplying an “authuser” in the register line like register => pbx:welcome:lab@labIp
– This says the password is incorrect when trying to REGISTER. A step backwards. -
Supplying to and from users in the SIP dial line like Dial(SIP/lab!lab)
– We can alter the to user but it doesn’t change the Digest username sent
– Attempting to set both to and from users sends the user as “touser!fromuser” -
Restarting both servers to ensure this is not a transient issue
SDP received by the lab when a PSTN device is calling in:
<--- SIP read from UDP:pbxIP:5060 --->
INVITE sip:pbx@labIP:5060 SIP/2.0
Via: SIP/2.0/UDP pbxIP:5060;branch=z9hG4bK22e5995c
Max-Forwards: 70
From: <sip:mynumber@pbxIP>;tag=as37a8e715
To: <sip:pbx@labIP:5060>
Contact: <sip:mynumber@pbxIP:5060>
Call-ID: 5180138466ba6c2175efe2c451baa59e@pbxIP:5060
CSeq: 103 INVITE
User-Agent: Asterisk PBX certified/13.18-cert3
Authorization: Digest username="s", realm="asterisk", algorithm=MD5, uri="sip:pbx@labIP:5060", nonce="1e7de242", response="c93c0bec20e759520466e7924daba28d"
Date: Tue, 15 Jun 2021 17:47:01 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 299
v=0
o=root 1249447765 1249447766 IN IP4 pbxIP
s=Asterisk PBX certified/13.18-cert3
c=IN IP4 pbxIP
t=0 0
m=audio 17768 RTP/AVP 0 8 3 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:3 GSM/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=maxptime:150
a=sendrecv
<------------->
--- (15 headers 13 lines) ---
Sending to pbxIP:5060 (no NAT)
Using INVITE request as basis request - 5180138466ba6c2175efe2c451baa59e@pbxIP:5060
Found peer 'pbx' for 'mynumber' from pbxIP:5060
[Jun 15 14:47:01] WARNING[38026][C-000000cd]: chan_sip.c:17405 check_auth: username mismatch, have <pbx>, digest has <s>
[Jun 15 14:47:01] NOTICE[38026][C-000000cd]: chan_sip.c:26626 handle_request_invite: Failed to authenticate device <sip:mynumber@pbxIP>;tag=as37a8e715
<--- Reliably Transmitting (no NAT) to pbxIP:5060 --->
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP pbxIP:5060;branch=z9hG4bK22e5995c;received=pbxIP
From: <sip:mynumber@pbxIP>;tag=as37a8e715
To: <sip:pbx@labIP:5060>;tag=as4591fe2e
Call-ID: 5180138466ba6c2175efe2c451baa59e@pbxIP:5060
CSeq: 103 INVITE
Server: company Cloud Interface Engine
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Length: 0
<------------>
Scheduling destruction of SIP dialog '5180138466ba6c2175efe2c451baa59e@pbxIP:5060' in 32000 ms (Method: INVITE)
<--- SIP read from UDP:pbxIP:5060 --->
ACK sip:pbx@labIP:5060 SIP/2.0
Via: SIP/2.0/UDP pbxIP:5060;branch=z9hG4bK22e5995c
Max-Forwards: 70
From: <sip:mynumber@pbxIP>;tag=as37a8e715
To: <sip:pbx@labIP:5060>;tag=as4591fe2e
Contact: <sip:mynumber@pbxIP:5060>
Call-ID: 5180138466ba6c2175efe2c451baa59e@pbxIP:5060
CSeq: 103 ACK
User-Agent: Asterisk PBX certified/13.18-cert3
Content-Length: 0
<------------->
--- (10 headers 0 lines) ---
== PBX sip.conf ==
[general]
register => pbx:welcome@labIP/lab
[lab]
type=friend
context=default
host=dynamic
secret=welcome
== PBX extensions.conf ==
exten => 4562,1,Answer()
same => n,Dial(SIP/lab,120)
== Lab sip.conf ==
[general]
register => lab:welcome@pbxIP/pbx
[pbx]
type=peer
host=dynamic
context=to-pstn-sip
secret=welcome
== Lab extensions.conf ==
[to-pstn-sip]
exten => _X.,1,NoOp(Entered extension to-pstn-sip)
same => n,Dial(SIP/pbx/${EXTEN})