Connecting 2 Asterisk PBXs (pjsip.conf, sip.conf)

I used to have a handy link leading to great detail on configuration options for Asterisk PBX servers. It talked about star configuration (the one thing I remember) and other options to connect multiple servers. I can’t find it. :confused:

I had my PBX connected to a 2nd PBX. I’m running pjsip but the remote is still sip.conf. Right now, I’m still just trying to get them re-connected allowing calls in both directions.

My 1st questions are regarding authentication.

Can both servers authenticate (user, pw) to each-other?
I know how the standard SP outbound_auth works (and have that working with my SP).

If memory serves, the document I used as my reference stated:
PBX --outbound-auth--> PBX
PBX <--inbound-auth-- PBX
PBX <--peer auth--> PBX
But that document was prePJSIP and perhaps my memory is faulty.

My 1st question is just: are all-3 valid options?

And 2nd–is there a document that covers connecting PBXs and examples (hopefully with a sip.conf-pjsip.conf example, too)?

Thanks!


On Tuesday 29 April 2025 at 19:57:56, ThePowerTool via Asterisk Community wrote:

> I used to have a handy link leading to great detail on configuration
> options for Asterisk PBX servers. It talked about star configuration

Do you mean a star topology, where multiple servers are network interconnected
with each other, or something else?

> My 1st questions are regarding authentication.
>
> Can both servers authenticate (user, pw) to each-other?

Yes, but why bother? If they’re both your servers, just use IP
authentication.

Antony.

These clients are often infected by viruses or other malware and need to be
fixed. If not, the user at that client needs to be fixed…

  • Henrik Nordstrom, on Squid users’ mailing list

Star topology! That’s it! It explained things like 2-way auth and I am fairly certain I last saw it long before PJSIP.

Is there an example of 2-way auth, SIP<->PJSIP?
And is it as simple as just having “auth=” and “outbound_auth=” under “type=registration”?
If there was a sample config I’d probably be set. :slight_smile:

Servers authenticate clients, and Asterisk has both roles in your case.

For chan_sip, you can only have one authorisation name, for both client and server modes, but you set secret to the password when acting as a server, or as both, and remotesecret to the password when acting as a client only, or when it differs from secret.

For chan_pjsip, you point auth to the values when acting as server, and outbound_auth to those when acting as client. Both can point to the same settings.

I’m not aware of any document, but it is a trivial merger of the settings for connecting to a provider and those for connecting to a phone. Points to note, at least one end must have a static address, with no registration from the other end. Both being static is better. It is unlikely that you will want the insecure=invite hack with chan_sip, and that hasn’t really been needed since remotesecret was added.

Preferably there should be no registration. Only outbound_auth is relevant for registration. You will need auth and outbound_auth in the endpoint, in the circumstances described above.

I’m not sure if chan_sip actually checks the remote auth user; that might need some experimentation.

(Registration is not about security, it is about dealing with dynamic addresses.)

Thank you!

I’ve focused on going through things, step-by-step. I now have PBX-A successfully dialing PBX-B. The reverse, sadly, cannot be said. I’m pulling my hair out trying to understand how the “unauthorized” error is caused when PBX-B dials A.

Question (verification) #1: If I see “registered” (below) under registrations, that means PBX-A has successfully registered with PBX-B? Am I correct?

Question (verification) #2: If I see PBX-B under endpoints with an IP address (below), does that mean PBX-B has successfully registered with PBX-A?

Question #3: Below please find a cap of registration (PBX-B to A) and dial (auth) failure. Part of my confusion arises from the appearance of initial successful auth (from show reg. and endpts) followed by the dial auth fail. I would really like to understand what information I’m lacking in analyzing this (and, of course) why the call fails. As always, any help is sincerely appreciated!

I have both pjsip.conf and sip.conf to share upon request.

pjsip show registrations

 <Registration/ServerURI..............................>  <Auth..........>  <Status.......>
==========================================================================================

 PBX-B/sip:PBX-B-pubIPaddr:5060                        PBX-B_auth    Registered      
 flowroute/sip:us-east-va.sip.flowroute.com              flowroute_auth    Registered 


pjsip show endpoints
~snip~
 Endpoint:  PBX-B                                            Not in use    0 of inf 
    OutAuth:  PBX-B_auth/PBX-A
     InAuth:  PBX-B_in_auth/PBX-B
        Aor:  PBX-B                                          1
      Contact:  PBX-B/sip:s@x.x.x.x:5060         60413ee16b NonQual         nan   
      Contact:  PBX-B/sip:x.x.x.x:5060           e7e1ce683d NonQual         nan   
  Transport:  transport-udp-nat         udp      0      0  0.0.0.0:5060
   Identify:  PBX-B/PBX-B
        Match: x.x.x.x/32


REGISTRATION capture ------------------------------
 
<--- Received SIP request (437 bytes from UDP:PBX-B-pubIPaddr:5060 --->
REGISTER sip:PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK3ca59963
Max-Forwards: 70
From: <sip:PBX-B@PBX-A-pvtIPaddr:5060>;tag=as2d4bb17f
To: <sip:PBX-B@PBX-A-pvtIPaddr:5060>
Call-ID: 54b7114f7db708ff624f310a1774a0e3@127.0.0.1
CSeq: 102 REGISTER
Supported: replaces, timer
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Expires: 120
Contact: <sip:s@PBX-B-pubIPaddr:5060>
Content-Length: 0


<--- Transmitting SIP response (495 bytes) to UDP:PBX-B-pubIPaddr:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;rport=5060;received=PBX-B-pubIPaddr;branch=z9hG4bK3ca59963
Call-ID: 54b7114f7db708ff624f310a1774a0e3@127.0.0.1
From: <sip:PBX-B@PBX-A-pvtIPaddr>;tag=as2d4bb17f
To: <sip:PBX-B@PBX-A-pvtIPaddr>;tag=z9hG4bK3ca59963
CSeq: 102 REGISTER
WWW-Authenticate: Digest realm="asterisk",nonce="1746200686/3d59d22baa97795403d2a627d064b45b",opaque="5469bd491a2cfe16",algorithm=md5,qop="auth"
Server: Asterisk PBX 18.4.0
Content-Length:  0


<--- Received SIP request (707 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
REGISTER sip:PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK1384a993
Max-Forwards: 70
From: <sip:PBX-B@PBX-A-pvtIPaddr:5060>;tag=as2d4bb17f
To: <sip:PBX-B@PBX-A-pvtIPaddr:5060>
Call-ID: 54b7114f7db708ff624f310a1774a0e3@127.0.0.1
CSeq: 103 REGISTER
Supported: replaces, timer
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Authorization: Digest username="PBX-B", realm="asterisk", algorithm=MD5, uri="sip:PBX-A-IPaddr", nonce="1746200686/3d59d22baa97795403d2a627d064b45b", response="bcbef139fa399bac4805fd28cb0f3322", opaque="5469bd491a2cfe16", qop=auth, cnonce="1a1066bb", nc=00000001
Expires: 120
Contact: <sip:s@PBX-B-pubIPaddr:5060>
Content-Length: 0


<--- Transmitting SIP response (474 bytes) to UDP:PBX-B-pubIPaddr:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;rport=5060;received=PBX-B-pubIPaddr;branch=z9hG4bK1384a993
Call-ID: 54b7114f7db708ff624f310a1774a0e3@127.0.0.1
From: <sip:PBX-B@PBX-A-pvtIPaddr>;tag=as2d4bb17f
To: <sip:PBX-B@PBX-A-pvtIPaddr>;tag=z9hG4bK1384a993
CSeq: 103 REGISTER
Date: Fri, 02 May 2025 15:44:46 GMT
Contact: <sip:PBX-B-pubIPaddr:5060>
Contact: <sip:s@PBX-B-pubIPaddr:5060>;expires=119
Expires: 120
Server: Asterisk PBX 18.4.0
Content-Length:  0


<--- Transmitting SIP request (555 bytes) to UDP:PBX-B-pubIPaddr:5060 --->
REGISTER sip:PBX-B-pubIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-A-IPaddr:5060;rport;branch=z9hG4bKPjcf771f6a-83c3-4e8f-b961-841fa1963a99
From: <sip:PBX-A@PBX-A-IPaddr>;tag=53f85f52-d02c-4d79-aea6-188643687768
To: <sip:PBX-A@PBX-A-IPaddr>
Call-ID: 86e3dda5-ee5b-41c5-8b9d-cf7c3d357ad3
CSeq: 18084 REGISTER
Contact: <sip:s@PBX-A-IPaddr:5060>
Expires: 3600
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Max-Forwards: 70
User-Agent: Asterisk PBX 18.4.0
Content-Length:  0


<--- Received SIP response (613 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP PBX-A-pvtIPaddr:5060;branch=z9hG4bKPjcf771f6a-83c3-4e8f-b961-841fa1963a99;received=PBX-A-pvtIPaddr;rport=5060
From: <sip:PBX-A@PBX-A-pvtIPaddr:5060>;tag=53f85f52-d02c-4d79-aea6-188643687768
To: <sip:PBX-A@PBX-A-pvtIPaddr:5060>;tag=as6cbae675
Call-ID: 86e3dda5-ee5b-41c5-8b9d-cf7c3d357ad3
CSeq: 18084 REGISTER
Server: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="2a65984c"
Content-Length: 0


<--- Transmitting SIP request (723 bytes) to UDP:PBX-B-pubIPaddr:5060 --->
REGISTER sip:PBX-B-pubIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-A-IPaddr:5060;rport;branch=z9hG4bKPj94a1a2db-a63b-4237-839a-34a8b9175d0a
From: <sip:PBX-A@PBX-A-IPaddr>;tag=53f85f52-d02c-4d79-aea6-188643687768
To: <sip:PBX-A@PBX-A-IPaddr>
Call-ID: 86e3dda5-ee5b-41c5-8b9d-cf7c3d357ad3
CSeq: 18085 REGISTER
Contact: <sip:s@PBX-A-IPaddr:5060>
Expires: 3600
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Max-Forwards: 70
User-Agent: Asterisk PBX 18.4.0
Authorization: Digest username="PBX-A", realm="asterisk", nonce="2a65984c", uri="sip:PBX-B-pubIPaddr:5060", response="87b24d8333ab1880db4fb9f5b05ed1f3", algorithm=MD5
Content-Length:  0


<--- Received SIP response (628 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP PBX-A-pvtIPaddr:5060;branch=z9hG4bKPj94a1a2db-a63b-4237-839a-34a8b9175d0a;received=PBX-A-pvtIPaddr;rport=5060
From: <sip:PBX-A@PBX-A-pvtIPaddr:5060>;tag=53f85f52-d02c-4d79-aea6-188643687768
To: <sip:PBX-A@PBX-A-pvtIPaddr:5060>;tag=as6cbae675
Call-ID: 86e3dda5-ee5b-41c5-8b9d-cf7c3d357ad3
CSeq: 18085 REGISTER
Server: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Expires: 3600
Contact: <sip:s@PBX-A-pvtIPaddr:5060>;expires=3600
Date: Fri, 02 May 2025 15:44:42 GMT
Content-Length: 0

---------------------------------------------------------
---------------------------------------------------------
Dial from PBX-B to PBX-A ----------------------------------------------------
<--- Received SIP request (868 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
INVITE sip:PBX-A-ext@PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK4f949f55
Max-Forwards: 70
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr:5060>;tag=as01c94746
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr:5060>
Contact: <sip:PBX-B@PBX-B-pubIPaddr:5060>
Call-ID: 472162d236667e383d9f996d5181a8b9@PBX-B-pubIPaddr:5060
CSeq: 102 INVITE
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Date: Fri, 02 May 2025 15:46:49 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 257

v=0
o=root 269686395 269686395 IN IP4 PBX-B-pubIPaddr
s=Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
c=IN IP4 PBX-B-pubIPaddr
t=0 0
m=audio 13848 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=maxptime:150
a=sendrecv

<--- Transmitting SIP response (510 bytes) to UDP:PBX-B-pubIPaddr:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;rport=5060;received=PBX-B-pubIPaddr;branch=z9hG4bK4f949f55
Call-ID: 472162d236667e383d9f996d5181a8b9@PBX-B-pubIPaddr:5060
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr>;tag=as01c94746
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr>;tag=z9hG4bK4f949f55
CSeq: 102 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1746200809/8e4c756febf545ab46ffb6013a2ddd40",opaque="7a2f406759f302bc",algorithm=md5,qop="auth"
Server: Asterisk PBX 18.4.0
Content-Length:  0


<--- Received SIP request (435 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
ACK sip:PBX-A-ext@PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK4f949f55
Max-Forwards: 70
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr:5060>;tag=as01c94746
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr:5060>;tag=z9hG4bK4f949f55
Contact: <sip:PBX-B@PBX-B-pubIPaddr:5060>
Call-ID: 472162d236667e383d9f996d5181a8b9@PBX-B-pubIPaddr:5060
CSeq: 102 ACK
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Content-Length: 0


<--- Received SIP request (1146 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
INVITE sip:PBX-A-ext@PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK4c61a544
Max-Forwards: 70
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr:5060>;tag=as01c94746
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr:5060>
Contact: <sip:PBX-B@PBX-B-pubIPaddr:5060>
Call-ID: 472162d236667e383d9f996d5181a8b9@PBX-B-pubIPaddr:5060
CSeq: 103 INVITE
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Authorization: Digest username="PBX-A", realm="asterisk", algorithm=MD5, uri="sip:PBX-A-ext@PBX-A-IPaddr:5060", nonce="1746200809/8e4c756febf545ab46ffb6013a2ddd40", response="56b530541c4c5eceecc74b1efae4bf02", opaque="7a2f406759f302bc", qop=auth, cnonce="3f236d37", nc=00000001
Date: Fri, 02 May 2025 15:46:49 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 257

v=0
o=root 269686395 269686396 IN IP4 PBX-B-pubIPaddr
s=Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
c=IN IP4 PBX-B-pubIPaddr
t=0 0
m=audio 13848 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=maxptime:150
a=sendrecv

[May  2 11:46:49] NOTICE[170705]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '"PBX-B" <sip:PBX-B@PBX-B-pubIPaddr>' failed for 'PBX-B-pubIPaddr:5060' (callid: 472162d236667e383d9f996d5181a8b9@PBX-B-pubIPaddr:5060) - Failed to authenticate
<--- Transmitting SIP response (510 bytes) to UDP:PBX-B-pubIPaddr:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;rport=5060;received=PBX-B-pubIPaddr;branch=z9hG4bK4c61a544
Call-ID: 472162d236667e383d9f996d5181a8b9@PBX-B-pubIPaddr:5060
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr>;tag=as01c94746
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr>;tag=z9hG4bK4c61a544
CSeq: 103 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1746200809/8e4c756febf545ab46ffb6013a2ddd40",opaque="0d9f52793266fa11",algorithm=md5,qop="auth"
Server: Asterisk PBX 18.4.0
Content-Length:  0


<--- Received SIP request (435 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
ACK sip:PBX-A-ext@PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK4c61a544
Max-Forwards: 70
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr:5060>;tag=as01c94746
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr:5060>;tag=z9hG4bK4c61a544
Contact: <sip:PBX-B@PBX-B-pubIPaddr:5060>
Call-ID: 472162d236667e383d9f996d5181a8b9@PBX-B-pubIPaddr:5060
CSeq: 103 ACK
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Content-Length: 0


<--- Received SIP request (1146 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
INVITE sip:PBX-A-ext@PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK59cc978e
Max-Forwards: 70
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr:5060>;tag=as01c94746
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr:5060>
Contact: <sip:PBX-B@PBX-B-pubIPaddr:5060>
Call-ID: 472162d236667e383d9f996d5181a8b9@PBX-B-pubIPaddr:5060
CSeq: 104 INVITE
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Authorization: Digest username="PBX-A", realm="asterisk", algorithm=MD5, uri="sip:PBX-A-ext@PBX-A-IPaddr:5060", nonce="1746200809/8e4c756febf545ab46ffb6013a2ddd40", response="0cf8a15685860220b5e316a0e69d24d7", opaque="0d9f52793266fa11", qop=auth, cnonce="59e03c64", nc=00000002
Date: Fri, 02 May 2025 15:46:49 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 257

v=0
o=root 269686395 269686397 IN IP4 PBX-B-pubIPaddr
s=Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
c=IN IP4 PBX-B-pubIPaddr
t=0 0
m=audio 13848 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=maxptime:150
a=sendrecv

[May  2 11:46:49] NOTICE[170705]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '"PBX-B" <sip:PBX-B@PBX-B-pubIPaddr>' failed for 'PBX-B-pubIPaddr:5060' (callid: 472162d236667e383d9f996d5181a8b9@PBX-B-pubIPaddr:5060) - Failed to authenticate
<--- Transmitting SIP response (510 bytes) to UDP:PBX-B-pubIPaddr:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;rport=5060;received=PBX-B-pubIPaddr;branch=z9hG4bK59cc978e
Call-ID: 472162d236667e383d9f996d5181a8b9@PBX-B-pubIPaddr:5060
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr>;tag=as01c94746
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr>;tag=z9hG4bK59cc978e
CSeq: 104 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1746200809/8e4c756febf545ab46ffb6013a2ddd40",opaque="0642391d676725e2",algorithm=md5,qop="auth"
Server: Asterisk PBX 18.4.0
Content-Length:  0


<--- Received SIP request (435 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
ACK sip:PBX-A-ext@PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK59cc978e
Max-Forwards: 70
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr:5060>;tag=as01c94746
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr:5060>;tag=z9hG4bK59cc978e
Contact: <sip:PBX-B@PBX-B-pubIPaddr:5060>
Call-ID: 472162d236667e383d9f996d5181a8b9@PBX-B-pubIPaddr:5060
CSeq: 104 ACK
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Content-Length: 0


<--- Received SIP request (1146 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
INVITE sip:PBX-A-ext@PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK6ebfd54e
Max-Forwards: 70
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr:5060>;tag=as01c94746
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr:5060>
Contact: <sip:PBX-B@PBX-B-pubIPaddr:5060>
Call-ID: 472162d236667e383d9f996d5181a8b9@PBX-B-pubIPaddr:5060
CSeq: 105 INVITE
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Authorization: Digest username="PBX-A", realm="asterisk", algorithm=MD5, uri="sip:PBX-A-ext@PBX-A-IPaddr:5060", nonce="1746200809/8e4c756febf545ab46ffb6013a2ddd40", response="76d399c8c2b173a4c3390d11bb0203e2", opaque="0642391d676725e2", qop=auth, cnonce="770db6b3", nc=00000003
Date: Fri, 02 May 2025 15:46:49 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 257

v=0
o=root 269686395 269686398 IN IP4 PBX-B-pubIPaddr
s=Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
c=IN IP4 PBX-B-pubIPaddr
t=0 0
m=audio 13848 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=maxptime:150
a=sendrecv

[May  2 11:46:49] NOTICE[170705]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '"PBX-B" <sip:PBX-B@PBX-B-pubIPaddr>' failed for 'PBX-B-pubIPaddr:5060' (callid: 472162d236667e383d9f996d5181a8b9@PBX-B-pubIPaddr:5060) - Failed to authenticate
<--- Transmitting SIP response (510 bytes) to UDP:PBX-B-pubIPaddr:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;rport=5060;received=PBX-B-pubIPaddr;branch=z9hG4bK6ebfd54e
Call-ID: 472162d236667e383d9f996d5181a8b9@PBX-B-pubIPaddr:5060
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr>;tag=as01c94746
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr>;tag=z9hG4bK6ebfd54e
CSeq: 105 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1746200809/8e4c756febf545ab46ffb6013a2ddd40",opaque="219ec2566bce5914",algorithm=md5,qop="auth"
Server: Asterisk PBX 18.4.0
Content-Length:  0


<--- Received SIP request (435 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
ACK sip:PBX-A-ext@PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK6ebfd54e
Max-Forwards: 70
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr:5060>;tag=as01c94746
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr:5060>;tag=z9hG4bK6ebfd54e
Contact: <sip:PBX-B@PBX-B-pubIPaddr:5060>
Call-ID: 472162d236667e383d9f996d5181a8b9@PBX-B-pubIPaddr:5060
CSeq: 105 ACK
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Content-Length: 0
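
The INVITE captures above carry username="PBX-A" in the Authorization header, while "pjsip show endpoints" lists InAuth: PBX-B_in_auth/PBX-B. The following added example (not part of the original post and not Asterisk code) shows how a digest verifier tells a username mismatch from a password mismatch, for both the qop="auth" challenge sent by PBX-A and the qop-less challenge sent by PBX-B. The URI, nonce and secret are constructed sample values, and all function names are hypothetical.

```python
import hashlib
import hmac
import re

_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest(value):
    """Parse a WWW-Authenticate/Authorization 'Digest ...' value into a dict."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header: %r" % scheme)
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 MD5 response; without qop this is the RFC 2069 form."""
    ha1 = _md5("%s:%s:%s" % (user, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    if qop:
        return _md5(":".join([ha1, nonce, nc, cnonce, qop, ha2]))
    return _md5(":".join([ha1, nonce, ha2]))


def build_authorization(user, password, method, uri, challenge,
                        cnonce="c0ffee01", nc="00000001"):
    """Client side: answer a challenge in the same shape as the captured requests."""
    c = parse_digest(challenge)
    offered = [q.strip() for q in c.get("qop", "").split(",")]
    qop = "auth" if "auth" in offered else None
    resp = digest_response(user, c["realm"], password, method, uri,
                           c["nonce"], qop, nc, cnonce)
    parts = ['username="%s"' % user, 'realm="%s"' % c["realm"], "algorithm=MD5",
             'uri="%s"' % uri, 'nonce="%s"' % c["nonce"], 'response="%s"' % resp]
    if qop:
        parts += ["qop=auth", 'cnonce="%s"' % cnonce, "nc=%s" % nc]
    return "Digest " + ", ".join(parts)


def check_authorization(header, method, expected_user, expected_password):
    """Server side: report which part of the credentials fails, if any.

    Only the username and the response hash are checked here; nonce freshness
    and realm policy are left out of this example.
    """
    f = parse_digest(header)
    missing = [k for k in ("username", "realm", "uri", "nonce", "response") if k not in f]
    if missing:
        return "malformed: missing " + ",".join(missing)
    if f.get("algorithm", "MD5").upper() != "MD5":
        return "unsupported algorithm " + f["algorithm"]
    if f.get("qop") and not (f.get("nc") and f.get("cnonce")):
        return "malformed: qop without nc/cnonce"
    if f["username"] != expected_user:
        return "username mismatch: got %r, expected %r" % (f["username"], expected_user)
    want = digest_response(expected_user, f["realm"], expected_password, method,
                           f["uri"], f["nonce"], f.get("qop"), f.get("nc"), f.get("cnonce"))
    if not hmac.compare_digest(want, f["response"].lower()):
        return "password mismatch"
    return "ok"


# Constructed sample values (the capture's own addresses and secret are redacted).
URI = "sip:100@pbx-a.example.test:5060"
SECRET = "constructed-secret"
CHALLENGE_QOP = ('Digest realm="asterisk",nonce="1700000000/constructed",'
                 'opaque="0000000000000000",algorithm=md5,qop="auth"')
CHALLENGE_PLAIN = 'Digest algorithm=MD5, realm="asterisk", nonce="c0n57ruc"'


def demo():
    sent_as_a = build_authorization("PBX-A", SECRET, "INVITE", URI, CHALLENGE_QOP)
    sent_as_b = build_authorization("PBX-B", SECRET, "INVITE", URI, CHALLENGE_QOP)
    legacy = build_authorization("PBX-B", SECRET, "REGISTER", URI, CHALLENGE_PLAIN)
    return {
        "invite_as_PBX-A": check_authorization(sent_as_a, "INVITE", "PBX-B", SECRET),
        "invite_as_PBX-B": check_authorization(sent_as_b, "INVITE", "PBX-B", SECRET),
        "wrong_secret": check_authorization(sent_as_b, "INVITE", "PBX-B", "other"),
        "no_qop": check_authorization(legacy, "REGISTER", "PBX-B", SECRET),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```
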

Why are you using registration?

Not necessarily. It depends what you had set for Contact, and whether the list of contacts includes the full URI, not just IP address, that wasn’t specified as a contact.

You have two contacts, and at most one of them could have come from a registration. That’s probably the one that has s@. Only one will normally be used.

NB you seem to be registering both ways, which is never a sensible configuration. In your case I would not expect you to register either way.

Also your logs show PBX-B-pubIPaddr, but your configuration shows x.x.x.x. These should both be the same.

DHCP assigned addresses.
I have high hopes that will change but my current plan is to use user/pass and also white-list the DHCP addresses which are, thankfully, changed infrequently.

Should I remove registrations?

PBX-B sip.conf extract:

register => PBX-B:secret@PBX-A-pubIPaddr:5060
~snip
[PBX-A]
type=friend
user=PBX-B
username=PBX-B
secret=secret
port=5060
host=dynamic
insecure=port
context=internal
disallow=all
allow=ulaw

Does the, above, register line address your comment about the contact containing the full URI?

Sorry! I did a poor job.
x.x.x.x = PBX-B-pubIPaddr and is the correct 4 octets.

Thank you

DHCP addresses can be fixed.

For you to be able to do REGISTER, you need to know the server URI. You end up in a catch-22 if you don’t know it on any of the sides.

It looks as though you have both max-contacts and contact. You should have one or the other, and if you have the former, you shouldn’t be using REGISTER, from that side.

I’ve forgotten what chan_sip does when you don’t specify a contact user. It might use s, or it might not include a user. If the other side is Asterisk, that shouldn’t matter as Asterisk infers s, if there is no user part. However things will still be more straightforward if you completely throw away registration.

Hi,

I have removed REGISTRATION from my pjsip.conf, per your recommendation–thank you! I also had the “register” line removed from the remote PBX (PBX-B). Of course, both servers got assigned new IP addresses, today. Twice. That’s never happened, before.

Do I still need to address the contact/max-contacts issue as it seems that was specifically tied to REGISTRATION?

I can dial PBX-A → PBX-B.
PBX-B dialing PBX-A still fails on auth (log/debug details below). Given major changes to my pjsip.conf (PBX-A) I am including that, as well.

pjsip.conf(PBX-A):
[PBX-B]
type=endpoint
transport=transport-udp-nat
context=from-trunk
disallow=all
allow=ulaw
auth=PBX-B_in_auth
outbound_auth=PBX-B_auth
aors=PBX-B
;                   ;A few NAT relevant options that may come in handy.
force_rport=yes    ;It's a good idea to read the configuration help for each
direct_media=no    ;of these options.
;ice_support=yes

[PBX-B]
type=aor
max_contacts=2
contact=sip:PBX-B-pubIPaddr:5060

[PBX-B]
type=identify
endpoint=PBX-B
match=PBX-B-pubIPaddr/32

[PBX-B_in_auth]
type=auth
auth_type=userpass
password=secret
username=PBX-B

[PBX-B_auth]
type=auth
auth_type=userpass
password=secret
username=PBX-A
---------------------------------------------------
sip.conf(PBX-B):
[PBX-A]
type=friend
user=PBX-B
username=PBX-B
secret=secret
port=5060
host=dynamic
insecure=port
context=internal
disallow=all
allow=ulaw

[PBX-A_I]
type=friend
user=PBX-B
username=PBX-A
secret=secret
port=5060
host=PBX-A-pubIPaddr
insecure=port
context=internal
disallow=all
allow=ulaw
-------------------------------------------------------------

*CLI> pjsip show registrations

 <Registration/ServerURI..............................>  <Auth..........>  <Status.......>
==========================================================================================

 flowroute/sip:us-east-va.sip.flowroute.com              flowroute_auth    Registered

 Endpoint:  PBX-B                                            Not in use    0 of inf
    OutAuth:  PBX-B_auth/PBX-A
     InAuth:  PBX-B_in_auth/PBX-B
        Aor:  PBX-B                                          2
      Contact:  PBX-B/sip:PBX-B-pubIPaddr:5060           e7e1ce683d NonQual         nan
  Transport:  transport-udp-nat         udp      0      0  0.0.0.0:5060
   Identify:  PBX-B/PBX-B
        Match: PBX-B-pubIPaddr/32
------------------------------------------------------------------------
<--- Received SIP request (870 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
INVITE sip:PBX-A-ext@PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK14ffb7a9
Max-Forwards: 70
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr:5060>;tag=as1464fd14
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr:5060>
Contact: <sip:PBX-B@PBX-B-pubIPaddr:5060>
Call-ID: 74bfe29569c349a85a5a4d0b5a293286@PBX-B-pubIPaddr:5060
CSeq: 102 INVITE
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Date: Sat, 03 May 2025 15:16:48 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 259

v=0
o=root 2121647207 2121647207 IN IP4 PBX-B-pubIPaddr
s=Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
c=IN IP4 PBX-B-pubIPaddr
t=0 0
m=audio 13952 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=maxptime:150
a=sendrecv

<--- Transmitting SIP response (510 bytes) to UDP:PBX-B-pubIPaddr:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;rport=5060;received=PBX-B-pubIPaddr;branch=z9hG4bK14ffb7a9
Call-ID: 74bfe29569c349a85a5a4d0b5a293286@PBX-B-pubIPaddr:5060
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr>;tag=as1464fd14
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr>;tag=z9hG4bK14ffb7a9
CSeq: 102 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1746285408/aadc5ac95b61227fe72b503b63d319c2",opaque="0d629a041d5a4b93",algorithm=md5,qop="auth"
Server: Asterisk PBX 18.4.0
Content-Length:  0


<--- Received SIP request (435 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
ACK sip:PBX-A-ext@PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK14ffb7a9
Max-Forwards: 70
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr:5060>;tag=as1464fd14
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr:5060>;tag=z9hG4bK14ffb7a9
Contact: <sip:PBX-B@PBX-B-pubIPaddr:5060>
Call-ID: 74bfe29569c349a85a5a4d0b5a293286@PBX-B-pubIPaddr:5060
CSeq: 102 ACK
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Content-Length: 0


<--- Received SIP request (1148 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
INVITE sip:PBX-A-ext@PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK7fbf9e98
Max-Forwards: 70
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr:5060>;tag=as1464fd14
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr:5060>
Contact: <sip:PBX-B@PBX-B-pubIPaddr:5060>
Call-ID: 74bfe29569c349a85a5a4d0b5a293286@PBX-B-pubIPaddr:5060
CSeq: 103 INVITE
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Authorization: Digest username="PBX-A", realm="asterisk", algorithm=MD5, uri="sip:PBX-A-ext@PBX-A-pubIPaddr:5060", nonce="1746285408/aadc5ac95b61227fe72b503b63d319c2", response="b41b3fb5e17ff5076f765029cf479203", opaque="0d629a041d5a4b93", qop=auth, cnonce="6fbf6f24", nc=00000001
Date: Sat, 03 May 2025 15:16:48 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 259

v=0
o=root 2121647207 2121647208 IN IP4 PBX-B-pubIPaddr
s=Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
c=IN IP4 PBX-B-pubIPaddr
t=0 0
m=audio 13952 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=maxptime:150
a=sendrecv

[May  3 11:16:48] NOTICE[174880]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '"PBX-B" <sip:PBX-B@PBX-B-pubIPaddr>' failed for 'PBX-B-pubIPaddr:5060' (callid: 74bfe29569c349a85a5a4d0b5a293286@PBX-B-pubIPaddr:5060) - Failed to authenticate
<--- Transmitting SIP response (510 bytes) to UDP:PBX-B-pubIPaddr:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;rport=5060;received=PBX-B-pubIPaddr;branch=z9hG4bK7fbf9e98
Call-ID: 74bfe29569c349a85a5a4d0b5a293286@PBX-B-pubIPaddr:5060
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr>;tag=as1464fd14
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr>;tag=z9hG4bK7fbf9e98
CSeq: 103 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1746285408/aadc5ac95b61227fe72b503b63d319c2",opaque="78bb4e1873013dd9",algorithm=md5,qop="auth"
Server: Asterisk PBX 18.4.0
Content-Length:  0


<--- Received SIP request (435 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
ACK sip:PBX-A-ext@PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK7fbf9e98
Max-Forwards: 70
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr:5060>;tag=as1464fd14
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr:5060>;tag=z9hG4bK7fbf9e98
Contact: <sip:PBX-B@PBX-B-pubIPaddr:5060>
Call-ID: 74bfe29569c349a85a5a4d0b5a293286@PBX-B-pubIPaddr:5060
CSeq: 103 ACK
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Content-Length: 0


<--- Received SIP request (1148 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
INVITE sip:PBX-A-ext@PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK30adc543
Max-Forwards: 70
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr:5060>;tag=as1464fd14
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr:5060>
Contact: <sip:PBX-B@PBX-B-pubIPaddr:5060>
Call-ID: 74bfe29569c349a85a5a4d0b5a293286@PBX-B-pubIPaddr:5060
CSeq: 104 INVITE
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Authorization: Digest username="PBX-A", realm="asterisk", algorithm=MD5, uri="sip:PBX-A-ext@PBX-A-pubIPaddr:5060", nonce="1746285408/aadc5ac95b61227fe72b503b63d319c2", response="0ead510bb272806cbb91d397fa0a1201", opaque="78bb4e1873013dd9", qop=auth, cnonce="270ff3cd", nc=00000002
Date: Sat, 03 May 2025 15:16:48 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 259

v=0
o=root 2121647207 2121647209 IN IP4 PBX-B-pubIPaddr
s=Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
c=IN IP4 PBX-B-pubIPaddr
t=0 0
m=audio 13952 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=maxptime:150
a=sendrecv

[May  3 11:16:48] NOTICE[174880]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '"PBX-B" <sip:PBX-B@PBX-B-pubIPaddr>' failed for 'PBX-B-pubIPaddr:5060' (callid: 74bfe29569c349a85a5a4d0b5a293286@PBX-B-pubIPaddr:5060) - Failed to authenticate
<--- Transmitting SIP response (510 bytes) to UDP:PBX-B-pubIPaddr:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;rport=5060;received=PBX-B-pubIPaddr;branch=z9hG4bK30adc543
Call-ID: 74bfe29569c349a85a5a4d0b5a293286@PBX-B-pubIPaddr:5060
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr>;tag=as1464fd14
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr>;tag=z9hG4bK30adc543
CSeq: 104 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1746285408/aadc5ac95b61227fe72b503b63d319c2",opaque="11ca4df201a4700c",algorithm=md5,qop="auth"
Server: Asterisk PBX 18.4.0
Content-Length:  0


<--- Received SIP request (435 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
ACK sip:PBX-A-ext@PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK30adc543
Max-Forwards: 70
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr:5060>;tag=as1464fd14
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr:5060>;tag=z9hG4bK30adc543
Contact: <sip:PBX-B@PBX-B-pubIPaddr:5060>
Call-ID: 74bfe29569c349a85a5a4d0b5a293286@PBX-B-pubIPaddr:5060
CSeq: 104 ACK
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Content-Length: 0


<--- Received SIP request (1148 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
INVITE sip:PBX-A-ext@PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK2572f0e4
Max-Forwards: 70
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr:5060>;tag=as1464fd14
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr:5060>
Contact: <sip:PBX-B@PBX-B-pubIPaddr:5060>
Call-ID: 74bfe29569c349a85a5a4d0b5a293286@PBX-B-pubIPaddr:5060
CSeq: 105 INVITE
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Authorization: Digest username="PBX-A", realm="asterisk", algorithm=MD5, uri="sip:PBX-A-ext@PBX-A-pubIPaddr:5060", nonce="1746285408/aadc5ac95b61227fe72b503b63d319c2", response="e9ad941d165a1cc553f9937db40f9aa1", opaque="11ca4df201a4700c", qop=auth, cnonce="04047e28", nc=00000003
Date: Sat, 03 May 2025 15:16:48 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 259

v=0
o=root 2121647207 2121647210 IN IP4 PBX-B-pubIPaddr
s=Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
c=IN IP4 PBX-B-pubIPaddr
t=0 0
m=audio 13952 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=maxptime:150
a=sendrecv

[May  3 11:16:48] NOTICE[174880]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '"PBX-B" <sip:PBX-B@PBX-B-pubIPaddr>' failed for 'PBX-B-pubIPaddr:5060' (callid: 74bfe29569c349a85a5a4d0b5a293286@PBX-B-pubIPaddr:5060) - Failed to authenticate
<--- Transmitting SIP response (510 bytes) to UDP:PBX-B-pubIPaddr:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;rport=5060;received=PBX-B-pubIPaddr;branch=z9hG4bK2572f0e4
Call-ID: 74bfe29569c349a85a5a4d0b5a293286@PBX-B-pubIPaddr:5060
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr>;tag=as1464fd14
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr>;tag=z9hG4bK2572f0e4
CSeq: 105 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1746285408/aadc5ac95b61227fe72b503b63d319c2",opaque="21a7a97c3f6b0434",algorithm=md5,qop="auth"
Server: Asterisk PBX 18.4.0
Content-Length:  0


<--- Received SIP request (435 bytes) from UDP:PBX-B-pubIPaddr:5060 --->
ACK sip:PBX-A-ext@PBX-A-pvtIPaddr:5060 SIP/2.0
Via: SIP/2.0/UDP PBX-B-pubIPaddr:5060;branch=z9hG4bK2572f0e4
Max-Forwards: 70
From: "PBX-B" <sip:PBX-B@PBX-B-pubIPaddr:5060>;tag=as1464fd14
To: <sip:PBX-A-ext@PBX-A-pvtIPaddr:5060>;tag=z9hG4bK2572f0e4
Contact: <sip:PBX-B@PBX-B-pubIPaddr:5060>
Call-ID: 74bfe29569c349a85a5a4d0b5a293286@PBX-B-pubIPaddr:5060
CSeq: 105 ACK
User-Agent: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Content-Length: 0

You can remove max-contacts.

User DOESN’T exist! If it does, it will be the same as username, which is the obsolete form of default user, and, I believe, of no effect, here, even though the sample config suggests otherwise. To use anything other than from user, you probably want to use auth= (You are getting into areas of chan_sip with which I’m not familiar.)

Delete completely.

type=peer

See above. Moreover, in cases where you really need inbound and outbound, the settings should be the same for both.

If you need this, fix whatever is mangling the port numbers, instead.

It’s working!
It’s working!

  • Anakin Skywalker

Here are details plus I have, (hopefully) one or two, questions :slight_smile:

What I did and what happened:

  • maxcontacts removed
  • user= and username= removed
  • PBX-A deleted completely
  • PBX-A_i renamed to PBX-A–you didn’t specify the rename but I guessed renaming to match with extensions would be acceptable. If I’m wrong, please let me know!
  • type=friend changed to type=peer
  • insecure=port deleted

Getting it working: After following your recommendations, I watched the Verbose5 + Debug5 + pjsip log fail (PBX-B dialing A) via the CLI and noticed the Authorization digest was showing username=“PBX-A.”

I had the sip.conf PBX-A section modified with
defaultuser=PBX-B and everything started working. I tested PBX-A dialing B and PBX-B dialing A. All tests were successful. That leads to a surprise and my question:

So I had “Team B” send me the full sip.conf after everything started working. I was surprised to discover the PBX-B section (see updated sip.conf, below).

My first thought, given your comment on just using one “PBX-A” section was remove the PBX-B section of the sip.conf. Removing that section caused the following:
PBX-A dialing PBX-B - success
PBX-B dialing PBX-A - fail

I had the PBX-B section returned to the PBX-B sip.conf and everything worked, again.

So to ask my question:
When PBX-A dials (Dial(PJSIP/ext@PBX-B)), it uses username PBX-A.
When PBX-B dials (Dial(SIP/ext@PBX-A)), it now uses username (from defaultuser=) PBX-B.

Why didn’t adding “secret=differentsecret” to the PBX-B section align with my auth_in? Everything works but I have to use the same password when dialing, either way. I would expect PBX-B dialing PBX-A with username “PBX-B” would allow for a different password (via PBX-A auth-in)

Additional note: the sip.conf stated using type=peer only works for inbound calls. I discovered this during my research after being surprised by the sip.conf PBX-B section. I think it means with “peer” set there must be a separate “outbound” section. Details, below!

Thank you very much for your time!

PBX-B chan_sip sip.conf:

[PBX-A]
type=peer
;auth=PBX-A
defaultuser=PBX-A
secret=secret1
port=5060
host=PBX-A-pubIPaddr
context=internal
disallow=all
allow=ulaw

[PBX-B]
;port=5060
type=friend
host=dynamic
context=internal
secret=secret1
canreinvite=no
dtmfmode=rfc2833
qualify=yes
disallow=all
allow=ulaw

PBX-A pjsip.conf

[PBX-B]
type=endpoint
transport=transport-udp-nat
context=from-trunk
disallow=all
allow=ulaw
auth=PBX-B_in_auth
outbound_auth=PBX-B_auth
aors=PBX-B
;                   ;A few NAT relevant options that may come in handy.
force_rport=yes    ;It's a good idea to read the configuration help for each
direct_media=no    ;of these options.
;ice_support=yes

[PBX-B]
type=aor
;max_contacts=2
contact=sip:PBX-B-pubIPaddr:5060

[PBX-B]
type=identify
endpoint=PBX-B
match=PBX-B-pubIPaddr/32

[PBX-B_in_auth]
type=auth
auth_type=userpass
password=secret1
username=PBX-B
;username=PBX-A

[PBX-B_auth]
type=auth
auth_type=userpass
password=secret1
username=PBX-A
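
The 401 loop in the trace and the fix described in the post above (the digest carried username="PBX-A" while the inbound auth expects PBX-B) can be reproduced offline. This is an added example, not code from the thread or from Asterisk: a simplified model of an RFC 2617 MD5/qop=auth check, with hypothetical function names and a constructed URI and nonce.

```python
import hashlib
import re

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value for algorithm=MD5 with qop=auth."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_authorization(header: str) -> dict:
    """Split 'Authorization: Digest k="v", k=v, ...' into a dict of parameters."""
    _, _, params = header.partition("Digest ")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)
    return {k: v.strip('"') for k, v in pairs}

def diagnose(header: str, method: str, auth_username: str, auth_password: str) -> str:
    """Say why an inbound auth (username/password) accepts or rejects the request."""
    p = parse_authorization(header)
    if p.get("username") != auth_username:
        return (f"username mismatch: peer sent {p.get('username')!r}, "
                f"auth expects {auth_username!r}")
    expected = digest_response(p["username"], p["realm"], auth_password, method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"], p["qop"])
    if expected != p["response"]:
        return "password mismatch: response does not match the configured password"
    return "ok"

def build_header(user, realm, password, method, uri, nonce, nc, cnonce):
    """Constructed sample: the header a calling PBX would send for these credentials."""
    resp = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Authorization: Digest username="{user}", realm="{realm}", algorithm=MD5, '
            f'uri="{uri}", nonce="{nonce}", response="{resp}", qop=auth, '
            f'cnonce="{cnonce}", nc={nc}')

# Constructed values, not taken from the trace.
URI, NONCE = "sip:1000@pbx-a.example:5060", "constructed-nonce"
ARGS = ("asterisk", "secret1", "INVITE", URI, NONCE, "00000001", "abcd1234")
before = build_header("PBX-A", *ARGS)   # PBX-B still sending username PBX-A
after = build_header("PBX-B", *ARGS)    # after defaultuser was changed on PBX-B

if __name__ == "__main__":
    print(diagnose(before, "INVITE", "PBX-B", "secret1"))
    print(diagnose(after, "INVITE", "PBX-B", "secret1"))
    print(diagnose(after, "INVITE", "PBX-B", "differentsecret"))
```

Pasting a real Authorization line from `pjsip set logger on` output into `diagnose` with the values from the `type=auth` section separates a wrong username from a wrong password before either config is touched.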

Missed that one. You need to use secret for the incoming requests and remotesecret for the outgoing ones. secret sets both ways. remotesecret sets the one the remote side expects, overriding secret, in that direction.

Total curve-ball:

Testing, 1st change was simply to add the remotesecret.
PBX-A failed to dial PBX-B
Undid changes.
PBX-A failed to dial PBX-B

Found a strange problem:

<--- Reliably Transmitting (no NAT) to PBX-A-pubIPaddr:1024 --->
SIP/2.0 401 Unauthorized

The 1st clue is “no NAT” and when I look at the To: and From: headers:

From: <sip:PBX-A-callerid@192.168.xx.xx>;tag=1Iv6vFTLf
To: sip:PBX-B-ext@192.168.xx.xx

Note: “callerid” is the callerid rather than the extension. Previously, it was the extension.

Suddenly, the invite is coming from PBX-A’s private 192 IP address instead of the pubIPaddr.

What could cause that? I initially thought I corrupted my pjsip.conf. I restored from backup and redid the changes without success.

I can provide logs–I just don’t have access to the remote PBX at the moment.

I can’t find the definition of transport-udp-nat, which being wrong would cause this.

That would be my fault!
PBX-A pjsip.conf snippet:

[transport-udp-nat]
type=transport
protocol=udp
bind=0.0.0.0
local_net=192.168.1.0/24
external_media_address=PBX-A-extIPaddr
external_signaling_address=PBX-A-extIPaddr

Over-redacted. I can’t tell if the first xx is 1.

It is definitely a “1”.

Suddenly, miraculously, it’s working again.

As “Team B” is not there, that makes it a given they didn’t change sip.conf on PBX-B.

I have one thought:
Is it possible their session timeouts caused this if they are the default 30/180?

I’m not sure as I’d expect a contact failure rather than this strange auth failure but it will be the 1st thing I check when Team B returns :slight_smile: Please let me know if you have any thoughts.

PBX-A edge router session timeouts:

~]# sysctl net.netfilter.nf_conntrack_udp_timeout
net.netfilter.nf_conntrack_udp_timeout = 30
~]# sysctl net.netfilter.nf_conntrack_udp_timeout_stream
net.netfilter.nf_conntrack_udp_timeout_stream = 180

UDP timeouts updated.

Will keep an eye on servers and develop a preliminary trouble-shooting plan should this occur, again.

Resuming testing remotesecret, tomorrow.