Error :407 \ > proxy authentication required xlite

JamesK · June 1, 2009, 3:23am

I know the issue is with asterisk. I get this error when xlite tries to log in behind nat/firewall and it shows up in the sip debug window. When I delete the secret=password in the sip.conf settings for the xlite soft phone account, the phone can ring the polycom phone just fine otherwise, it generates 407 proxy auth errors.

Nat=yes
externip is set to asterisk ip
insecure=very
contactpermit=192.168.10.0/255.255.255.0
all firewall 5060,10000-20000,4569 udp ports open

So this is some kind of authentication issue. Have yet to resolve totally.

david55 · June 1, 2009, 10:56am

Status 407 is not an error; it is simply a challenge for the authentication credentials. The phone should simply retry with the appropriate user id and password.

If it is not responding at all, that is a problem with the phone. If it is responding but eventually gives up, I think we need to see the full sip set debug trace.

JamesK · June 1, 2009, 2:12pm

I am passing this xlite sip registration outside the firewall to the public isp network and back into my network to test the outside capabilities of my sip connection when I will be on the road.

[199]
; Turn off silence suppression in X-Lite (“Transmit Silence”=YES)!
; Note that Xlite sends NAT keep-alive packets, so qualify=yes is not needed
type=friend
username=199
secret=199
context=internal
regexten=199 ; When they register, create extension 1234
port=5060
callerid= <199>
host=dynamic ; This device needs to register
nat=yes ; X-Lite is behind a NAT router
qualify=no
canreinvite=no
reinvite=no ; Typically set to NO if behind NAT
disallow=all
allow=gsm ; GSM consumes far less bandwidth than ulaw
allow=ulaw
mailbox=199@default ; Subscribe to status of multiple mailboxes

I have register with domain checked simply, it will not register. The sip registration does not show up in the cli. cannot make calls. Now, if it is not checked, the default display in xlite will show registered. If no password is included both on xlite and secret, I can make calls from xlite to polycom.

<------------->
— (12 headers 12 lines) —
Ignoring this INVITE request
Retransmitting #2 (NAT) to 192.168.10.1:20984:
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 192.168.10.50:20984;branch=z9hG4bK-d8754z-8f14197c7f5dc840-1—d8754z-;received =192.168.10.1;rport=20984
From: "199"sip:199@24.81.xxx.xx;tag=6a3cee10
To: "200"sip:200@24.81.xxx.xx;tag=as2581a041
Call-ID: NWE3YzJhYjkzODc5MTdiZjI4NTZlOWE4ZDY0YTkyNDk.
CSeq: 1 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Proxy-Authenticate: Digest algorithm=MD5, realm=“asterisk”, nonce="0039ed9b"
Content-Length: 0

Really destroying SIP dialog ‘2585b57a02edef7660902ab533d7e29a@127.0.0.1’ Method: REGISTER
denver*CLI>
<— SIP read from 192.168.10.1:20984 —>
INVITE sip:200@24.81.xxx.xx SIP/2.0
Via: SIP/2.0/UDP 192.168.10.50:20984;branch=z9hG4bK-d8754z-8f14197c7f5dc840-1—d8754z-;rport
Max-Forwards: 70
Contact: sip:199@192.168.10.50:20984
To: "200"sip:200@24.81.xxx.xx
From: "199"sip:199@24.xxx.xxx.xx;tag=6a3cee10
Call-ID: NWE3YzJhYjkzODc5MTdiZjI4NTZlOWE4ZDY0YTkyNDk.
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: X-Lite release 1103d stamp 53117
Content-Length: 318

v=0
o=- 6 2 IN IP4 192.168.10.50
s=CounterPath X-Lite 3.0
c=IN IP4 192.168.10.50
t=0 0
m=audio 11834 RTP/AVP 107 0 8 101
a=alt:1 2 : 8rZDdhzU khzLaqxe 169.254.87.33 11834
a=alt:2 1 : CQfNj0GZ 8xo+4PsL 192.168.10.50 11834
a=fmtp:101 0-15
a=rtpmap:107 BV32/16000
a=rtpmap:101 telephone-event/8000
a=sendrecv

david55 · June 1, 2009, 2:24pm

Looks to me as though the SIP responses are not reaching the phone, or not being recognized by it.

The phone is failing to see the Asterisk’s replies, so doesn’t know that it needs to send a password, but simply times out and retransmits the invite.

With authentication off, I’d expect the call to still fail before fully connected, but the called party would still ring, as no successful response from Asterisk is required for that.

The Contact header with the internal address should not be happening if you have pure NAT.

JamesK · June 1, 2009, 2:41pm

David,

Thanks for getting back so quick.

Using xlite and my settings are

display name:199
username:199
auth:199
domain:24.81.xxx.xx

Register with domain: not checked
domain proxy not checked but if it is, I use proxy and my external ip address.The call goes through…just that its not registered with asterisk.

all other tabs left default

What is left to check? Scratching my head on this.

david55 · June 1, 2009, 2:46pm

You need to find out what is adding:

to the inbound INVITE and either make sure that it does its job, or fix it. As I said, this is not behaving like pure NAT. Either the phone has been configured with this address, or there is something trying to act as a SIP proxy.

JamesK · June 1, 2009, 3:29pm

I was using the xlite to call my phone though the firewall.

Basically:

xlite -> firwewall out > firewall in > asterisk box > polycom phone.

I had to read your reply again.

I find it kind of odd that it would show it as 199@192.168.10.50.

.50 is the polycom phones IP address and 199 is the xlite registration. Strange!

The Polycom sip phone registration is 200

I am getting this error in cli when doing a reload. Dont know if it has anything to do with it.

[Jun 1 08:38:40] WARNING[3354]: chan_sip.c:17203 add_realm_authentication: Format for authentication entry is user[:secret]@realm at line 728

david55 · June 1, 2009, 3:36pm

What do you have on the X-Lite’s topology tab?

Transitting two sets of NAT is beginning to get quite tricky!

JamesK · June 1, 2009, 3:48pm

discover global address and discover server.

At one time, had xlite for field work. working but stopped using it. I always leave these settings default.

BTW, just let you know…this is a newer dell server with iptables but I have iptables off. It will have to be configured properly or will block registrations.

My polycom phone registers just fine though it.

JamesK · June 1, 2009, 3:53pm

just tried registering locally and still will not register.

JamesK · June 1, 2009, 4:50pm

Using express talk with same settings.

This is my output of cli

Connected to Asterisk 1.4.24.1 currently running on denver (pid = 3692)
Verbosity is at least 3
– Registered SIP ‘199’ at 192.168.10.50 port 5070
[Jun 1 09:42:57] WARNING[3717]: chan_sip.c:13261 handle_response: Remote host can’t match request NOTIFY to call '7218dd4f3a96f8b077398af408e7f8af@192.168.10.3 '. Giving up.
denver*CLI> sip show peers
Name/username Host Dyn Nat ACL Port Status

sipura 201/201 192.168.10.45 D 5060 OK (9 ms)
polycom 200/200 192.168.10.48 D N 5060 OK (51 ms)
express talk 199/199 192.168.10.50 D N 5070 Unmonitored

david55 · June 1, 2009, 4:59pm

I thought you said …50 was the polycom!

Your original problem is for incoming call setup, not register.

You still haven’t explained why the X-Lite invite has a contact header for a local address, when you said it was in a completely different network. …50 would have to be a SIP proxy associated with the firewall for this to work with the X-Lite external.

JamesK · June 1, 2009, 5:23pm

Sorry, it was in the past. DHCP assigned polycom as .48 address.

.50 is this xpwindows with xlite client and .45 is sipura.

So dont know about the failed setup issue. seems to work fine with the other soft phone client.

david55 · June 1, 2009, 5:29pm

Looks like the X-Lite is transmitting an untranslated local address in its contact header.

JamesK · June 1, 2009, 5:59pm

I am getting the same responce with express talk when going outside the firewall.

<------------->
— (10 headers 0 lines) —
Really destroying SIP dialog ‘439e4d50161eee481658adcc3bc6b3f5@192.168.10.3’ Method: OPTIONS
Retransmitting #3 (NAT) to 192.168.10.1:5060:
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 169.254.87.33:5060;branch=z9hG4bK613800;received=192.168.10.1;rport=5060
From: “199” sip:199@24.81.161.79;tag=1626
To: sip:200@24.81.xxx.xx;tag=as194d0bc1
Call-ID: 1243874676-3800-PROACTIVE-NE@169.254.87.33
CSeq: 360 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Proxy-Authenticate: Digest algorithm=MD5, realm=“asterisk”, nonce="5523c137"
Content-Length: 0

Retransmitting #4 (NAT) to 192.168.10.1:5060:
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 169.254.87.33:5060;branch=z9hG4bK613800;received=192.168.10.1;rport=5060
From: “199” sip:199@24.81.161.79;tag=1626
To: sip:200@24.81.161.79;tag=as194d0bc1
Call-ID: 1243874676-3800-PROACTIVE-NE@169.254.87.33
CSeq: 360 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Proxy-Authenticate: Digest algorithm=MD5, realm=“asterisk”, nonce="5523c137"
Content-Length: 0

I wonder if my iptables, nat or what ever in my new dell/asteriask box may have something to do with this?

BTw, whats with this address? Call-ID: 1243874676-3800-PROACTIVE-NE@169.254.87.33

Is this DHCP? I am not in the same network as this address. Everything is 192.168…

david55 · June 1, 2009, 6:04pm

The call ID only has to be unique, although one would expect the address to reflect the caller’s idea of their own address.

What’s 192.168.10.1?

You didn’t include an invite, so I can’t see what contact header was used.

JamesK · June 1, 2009, 6:44pm

You can email me if you like, then do a phone call if you wish. My email is glyfx3d at shaw dot ca