Inbound SIP calls - fake auth rejection


I’m trying to set up an inbound SIP trunk on SAIL 3.1.1-22 which uses Asterisk 1.8 but am getting the following error:

[NOTICE[3408] chan_sip.c: Sending fake auth rejection for device sip:07*********@;tag=6976142C-24DA

Here are the Peer config settings I’ve got set for the Trunk:

type=peer
host=newsip.[sip provider].net
qualify=3000
canreinvite=no
username=
fromuser=
secret=
insecure=port,invite
allowguest=yes
context=from-sip-external
disallow=all
allow=g729
allow=alaw
allow=ulaw

Any ideas?

It’s a notice, not an error.

The source IP doesn’t match the domain name.

Sorry, I don’t understand… do you mean the IP address on the incoming call doesn’t match the host domain set in the trunk config?

Yes (although Asterisk doesn’t distinguish between “trunks” and “extensions”).

But I’ve had different IP addresses on different incoming call attempts so how would I get around this problem?

Multiple sip.conf sections.

:confused: I either don’t get what you’re saying, or maybe I’m not making the issue clear…

I have an old version of SAIL which uses Asterisk 1.4 and this SIP trunk works just fine with the host=[our SIP provider]

I’m upgrading to a new version of SAIL which uses Asterisk 1.8. The interface for SAIL has changed quite a lot, and obviously there will be differences with Asterisk too. Incoming calls are failing with the notice posted in the OP.

david55 - It sounds like you want me to add either a host entry or an IP address of the host into the sip.conf file. Shouldn’t this information be specific to the SIP trunk rather than the main sip.conf? Also, if the calls are coming in on different IP addresses then how can I predict what they’re going to be?

Asterisk doesn’t have SIP trunks. I presume these are a construct created by S.A.I.L.

Ok… the problem was I needed allowguest=yes in the SAIL specific sark_customer_sip_header.conf file (this would be sip.conf for other Asterisk based PBXs I think). Not sure how secure this is so I need to do more research, but it works at least.

I wondered about suggesting that.

As you will not be authenticating the ITSP, you will receive lots of toll fraud attempts. These will definitely pollute your logs, but you had better make very sure that there is no way that the context can be tricked into making outgoing calls, or you should restrict your firewall to only allow 5060 from the ITSP’s address range.

Although a bit of a hassle, multiple SIP peer entries will mean that you can do the source address screening in Asterisk itself.

David is correct in the case that your provider’s core topology means:

  • outgoing calls are sent to only one server
  • incoming calls are initiated from multiple servers (IP addresses)

When an incoming call reaches Asterisk, Asterisk takes the IP address that is in the SIP headers and starts matching sip.conf entries (SIP peers). If the IP address in the SIP header matches any IP address of the SIP peers, the call is processed in the DialPlan. If not, the call is rejected.

allowguest=yes is usually a very bad idea if you don’t know EXACTLY what you are doing.
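
The "multiple sip.conf sections" approach suggested in the thread, shown beside the allowguest=yes workaround. This is an added example, not configuration from any poster or from SAIL; the section names, the template and the 192.0.2.x addresses are constructed placeholders, and it assumes the provider can tell you which addresses its inbound calls come from.

```ini
; sip.conf (on SAIL the [general] part lives in sark_customer_sip_header.conf)
; Addresses are constructed placeholders from the RFC 5737 documentation range.

; --- Workaround from the thread: accepts INVITEs from any host ---
;[general]
;allowguest=yes

; --- Screened alternative: no guests, one peer per provider source address ---
[general]
allowguest=no            ; unmatched callers are challenged instead of admitted
alwaysauthreject=yes     ; same rejection for unknown and known user names

; Template holding the settings shared by every inbound peer.
; (!) marks a section as a template; it is not itself a peer.
[itsp-in](!)
type=peer
insecure=port,invite     ; match on source IP only, do not challenge INVITEs
context=from-sip-external
directmedia=no           ; Asterisk 1.8 name for canreinvite=no
qualify=3000
disallow=all
allow=alaw
allow=ulaw

; One section per address the provider sends calls from.
; An INVITE whose source IP equals host= is matched to that peer
; and handed to the context above; any other source is rejected.
[itsp-in-1](itsp-in)
host=192.0.2.10          ; placeholder: provider media/signalling server 1

[itsp-in-2](itsp-in)
host=192.0.2.11          ; placeholder: provider server 2

[itsp-in-3](itsp-in)
host=192.0.2.12          ; placeholder: provider server 3

; The existing peer used for outgoing calls (host=newsip.[sip provider].net)
; stays as it is; the sections above only cover inbound source addresses.
```

After `sip reload`, `sip show peers` should list each inbound section, and a call from an unlisted address should again produce the "fake auth rejection" notice rather than reaching the dialplan.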