Inbound calls rejected

Note: IP addresses, phone numbers and account IDs are masked.

When trying to call inbound, sometimes we get this error:

chan_sip.c:26125 handle_request_invite: Failed to authenticate device "Company B.V." <sip:0031543000000@domain.com:5080>;tag=as4a58d8cb

The call will be rejected and Asterisk hangs up. When I do a “sip reload” or “core reload”, inbound calls will be accepted for a while but will eventually be rejected again. Our provider says they get a 403 response from our Asterisk server.

The error in AMI is:

Asterisk event: { event: 'InvalidPassword',
  privilege: 'security,all',
  sequencenumber: '111045',
  file: 'manager.c',
  line: '1695',
  func: 'manager_default_msg_cb',
  eventtv: '2016-08-30T08:25:25.891+0000',
  severity: 'Error',
  service: 'SIP',
  eventversion: '2',
  accountid: '31543000000',
  sessionid: '0x7fe75800d9b8',
  localaddress: 'IPV4/UDP/134.100.100.100/5060',
  remoteaddress: 'IPV4/UDP/91.100.100.100/5060',
  challenge: '',
  receivedchallenge: '',
  receivedhash: '' }

We are not using fail2ban. We thought this was a NAT problem, so we turned down the firewall, but even then it fails.

Can anyone help please?

What is your configuration? It’s possible that they may be using a few different IPs, and calls start coming from one which does not match and chan_sip then challenges for authentication.

Thank you for your reply. This is the sip.conf configuration:

[general]
udpbindaddr=0.0.0.0
port=5060
srvlookup=yes
tcpenable=yes
tcpbindaddr=0.0.0.0
callcounter=yes
alwaysauthreject=yes
realm=XXX.XXX.XXX.XXX
register=>XXXXX:XXXXX@XXXXXX.com
maxexpiry=18000
minexpiry=60
nat=force_rport,comedia
directmedia=no
context=inbound
alwaysauthreject=no
insecure=port,invite
type=friend
allowguest=yes

[MottoVoip]
type=friend
defaultuser=XXXXXX
fromuser=XXXXXX
secret=XXXXXX
nat=force_rport,comedia
context=inbound
dtmfmode=rfc2833
insecure=port,invite
diallow=all
allow=ulaw
allow=alaw
host=XXXXXX.com
fromdomain=XXXXXX.com


; SIP phone templates
[Reseller](!)
type=peer
host=dynamic
secret=XXXXXXXXXXXXX
nat=force_rport,comedia
disallow=all
allow=alaw
allow=ulaw
canreinvite=no
dtmfmode=auto
port=5060


; SIP Phones
[1000-XXXXXXXXXXXXX](Reseller)
secret=XXXXXXXXXXXXX

[1001-XXXXXXXXXXXXX](Reseller)
secret=XXXXXXXXXXXXX

As you have masked out the hostname I am unable to tell you if this is the case or not. You can check yourself by resolving the hostname manually and seeing if it has multiple ‘A’ records. If it does then only one would be used. If the call comes in from another one then it would not match and be rejected.

If the company is using an SRV record, that may also suffice.

I resolved the hostname and the result was that there were two IP addresses. So I changed the configuration to:

[general]
udpbindaddr=0.0.0.0
port=5060
srvlookup=yes
tcpenable=yes
tcpbindaddr=0.0.0.0
callcounter=yes
alwaysauthreject=yes
realm=XXX.XXX.XXX.XXX
register=>XXXXX:XXXXX@XXXXXX.com
maxexpiry=18000
minexpiry=60
nat=force_rport,comedia
directmedia=no
context=inbound
alwaysauthreject=no
insecure=port,invite
type=friend
allowguest=yes

[MottoVoip](!)
type=friend
defaultuser=XXXXXX
fromuser=XXXXXX
secret=XXXXXX
nat=force_rport,comedia
context=inbound
dtmfmode=rfc2833
insecure=port,invite
diallow=all
allow=ulaw
allow=alaw
host=XXXXXX.com
fromdomain=XXXXXX.com


[MottoVoip-A](MottoVoip)
host=XXX.XXX.XXX.XXX
fromdomain=XXX.XXX.XXX.XXX


[MottoVoip-B](MottoVoip)
host=XXX.XXX.XXX.XXX
fromdomain=XXX.XXX.XXX.XXX


; SIP phone templates
[Reseller](!)
type=peer
host=dynamic
secret=XXXXXXXXXXXXX
nat=force_rport,comedia
disallow=all
allow=alaw
allow=ulaw
canreinvite=no
dtmfmode=auto
port=5060


; SIP Phones
[1000-XXXXXXXXXXXXX](Reseller)
secret=XXXXXXXXXXXXX

[1001-XXXXXXXXXXXXX](Reseller)
secret=XXXXXXXXXXXXX

Now it seems to be working. Thank you all very much.

I see this happen all the time. chan_sip resolves and uses the first returned DNS IP on registration, so if the provider uses multiple IP addresses it’s a crap shoot on each call and each registration, and the SIP trunk provider does not care whether your PBX can deal with it or not. You need to create a separate trunk config for each IP or use chan_pjsip, which resolves all returned IPs from the DNS name.
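
The check suggested in the replies can be scripted. The following is an added example, not code from the thread or from Asterisk: it parses a sip.conf (including `(template)` inheritance as used above) and lists provider addresses that have no peer with that literal `host=`. The hostname `sip.provider.example`, the 192.0.2.x addresses and all function names are constructed for illustration.

```python
import re
import socket

SECTION = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?")

def peer_hosts(sip_conf_text):
    """Map each concrete sip.conf section to its host=, inherited from (template) if unset."""
    sections, current = {}, None
    for raw in sip_conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip ; comments
        header = SECTION.match(line)
        key, _, value = line.partition("=")
        if header:
            opts = [o.strip() for o in (header.group(2) or "").split(",")]
            # Templates are defined before use, so a parent's host is already known.
            inherited = [sections[o]["host"] for o in opts if o in sections]
            current = {"template": "!" in opts,
                       "host": next(filter(None, reversed(inherited)), None)}
            sections[header.group(1)] = current
        elif current is not None and key.strip() == "host":
            current["host"] = value.strip()
    return {name: sec["host"] for name, sec in sections.items()
            if not sec["template"] and name != "general"}

def resolve_a_records(hostname):
    """All IPv4 addresses the system resolver returns for hostname (needs network)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})

def uncovered_ips(sip_conf_text, provider_ips):
    """Provider IPs with no peer whose host= is that literal address.
    A host=<hostname> peer is not counted: per the thread, chan_sip uses
    only one of the addresses the name resolves to."""
    configured = set(peer_hosts(sip_conf_text).values())
    return sorted(set(provider_ips) - configured)

# Constructed sample data: RFC 5737 documentation addresses, made-up hostname.
PROVIDER_IPS = ["192.0.2.10", "192.0.2.11"]
SINGLE_PEER = "[general]\ncontext=inbound\n[MottoVoip]\nhost=sip.provider.example\n"
PER_IP_PEERS = """[MottoVoip](!)
type=friend
host=sip.provider.example
[MottoVoip-A](MottoVoip)
host=192.0.2.10
[MottoVoip-B](MottoVoip)
host=192.0.2.11
"""
```

On a live system, pass `resolve_a_records("<provider hostname>")` as `provider_ips` and rerun the check whenever the provider changes its DNS records.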