Inbound trunk pjsip authentication not working

We have 6 servers which are currently Asterisk 11 and these pass calls between themselves when required for conference calls for example which need to reside on the same server.

We are migrating to Asterisk 13 and I have configured pjsip. This works for calls from asterisk 13 to asterisk 11 but the other way around we get the following error on asterisk 13
res_pjsip/pjsip_distributor.c:666 log_failed_request: Request 'INVITE' from '<sip:gw@1.1.1.21>' failed for '1.1.1.21:5060' - Failed to authenticate

I have a type=identity set to match the IP addresses of the other servers and point them towards the ‘gateways’ endpoint. This endpoint has auth= defined and I have confirmed that the credentials are identical. I didn’t know if an ‘aors=’ line was needed so I tried it with and without and hence why only ‘gw1’ is there as that is the server I have been testing from.

It is probably something simple I am missing but I wasn’t able to find any examples as they all seem to be how to setup pjsip for an outbound trunk and none I could find for inbound.

Here is the config with the io’s and password removed

[intergateway_auth]
type=auth
auth_type=userpass
username=intergw
password=securepassword

; Test entry to permit incoming connections from all other gateways. Never used for outgoing connections.
[gateways]
type=endpoint
trust_id_inbound=yes
context=intergateway
disallow=all
allow=alaw
allow=ulaw
auth=intergateway_auth
aors=gw1

[gateways]
type=identify
endpoint=gateways
match=1.1.1.21
match=1.1.1.22
match=1.1.1.23
match=1.1.1.24
match=1.1.1.25
match=1.1.1.26
match=1.1.1.27

[gw1]
type=endpoint
send_rpid=yes
trust_id_outbound=yes
disallow=all
allow=alaw
allow=ulaw
outbound_auth=intergateway_auth
aors=gw1

[gw2]
type=endpoint
send_rpid=yes
trust_id_outbound=yes
disallow=all
allow=alaw
allow=ulaw
outbound_auth=intergateway_auth
aors=gw2

[gw3]
type=endpoint
send_rpid=yes
trust_id_outbound=yes
disallow=all
allow=alaw
allow=ulaw
outbound_auth=intergateway_auth
aors=gw3

[gw4]
type=endpoint
send_rpid=yes
trust_id_outbound=yes
disallow=all
allow=alaw
allow=ulaw
outbound_auth=intergateway_auth
aors=gw4

[gw5]
type=endpoint
send_rpid=yes
trust_id_outbound=yes
disallow=all
allow=alaw
allow=ulaw
outbound_auth=intergateway_auth
aors=gw5

[gw6]
type=endpoint
send_rpid=yes
trust_id_outbound=yes
disallow=all
allow=alaw
allow=ulaw
outbound_auth=intergateway_auth
aors=gw6

[gw7]
type=endpoint
send_rpid=yes
trust_id_outbound=yes
disallow=all
allow=alaw
allow=ulaw
outbound_auth=intergateway_auth
aors=gw7

[gw1]
type=aor
contact=sip:1.1.1.21:5060
qualify_frequency=15
qualify_timeout=2

[gw2]
type=aor
contact=sip:1.1.1.22:5060
qualify_frequency=15
qualify_timeout=2

[gw3]
type=aor
contact=sip:1.1.1.23:5060
qualify_frequency=15
qualify_timeout=2

[gw4]
type=aor
contact=sip:1.1.1.24:5060
qualify_frequency=15
qualify_timeout=2

[gw5]
type=aor
contact=sip:1.1.1.25:5060
qualify_frequency=15
qualify_timeout=2

[gw6]
type=aor
contact=sip:1.1.1.26:5060
qualify_frequency=15
qualify_timeout=2

[gw7]
type=aor
contact=sip:1.1.1.27:5060
qualify_frequency=15
qualify_timeout=2

I would suggest showing the configuration on the remote side, as well as the SIP traffic itself (pjsip set logger on).

You are using the same auth object for incoming and outgoing authentication. You should create an auth object for incoming use and another for outgoing use in case they have to be different for some reason.

Depending upon the Asterisk 13 version you are using you may be encountering this issue:
https://issues.asterisk.org/jira/browse/ASTERISK-26799

1 Like

Thank you for the replies. We are using version 13.27.0 so it should not be affected by that bug but I have split the inbound and outbound auth anyway.

Here is the corresponding configuration from asterisk 11. It works fine sending calls between the asterisk 11 boxes.

[gw7]
type=peer
sendrpid=yes
trustrpid=yes
context=intergateway
host=1.1.1.27
defaultuser=authuser
password=securepassword
;qualify=50
;qualifyfreq=15
disallow=all
allow=alaw
allow=ulaw

I turned on debugging when performing a test but I don’t really anything helpful there.

Jul 25 10:15:14] DEBUG[18714]: pjproject: <?>: 	        sip_endpoint.c Processing incoming message: Request msg INVITE/cseq=102 (rdata0x7ff5e8003b18)
[Jul 25 10:15:14] DEBUG[18714]: res_pjsip/pjsip_distributor.c:384 find_dialog: Could not find matching transaction for Request msg INVITE/cseq=102 (rdata0x7ff5e8003b18)
[Jul 25 10:15:14] DEBUG[18714]: res_pjsip/pjsip_distributor.c:462 ast_sip_get_distributor_serializer: Calculated serializer pjsip/distributor-00000039 to use for Request msg INVITE/cseq=102 (rdata0x7ff5e8003b18)
[Jul 25 10:15:14] DEBUG[21367]: pjproject: <?>: 	        sip_endpoint.c Distributing rdata to modules: Request msg INVITE/cseq=102 (rdata0x7ff5e800d778)
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_endpoint_identifier_ip.c:240 ip_identify_match_check: Source address 1.1.1.21:5060 matches identify 'gateways'
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_endpoint_identifier_ip.c:273 common_identify: Identify 'gateways' SIP message matched to endpoint gateways
[Jul 25 10:15:14] DEBUG[21367]: pjproject: <?>: 	              endpoint .Response msg 401/INVITE/cseq=102 (tdta0x7ff6500027f8) created
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_authenticator_digest.c:454 digest_check_auth: Using default realm 'asterisk' on incoming auth 'intergw_in'.
[Jul 25 10:15:14] DEBUG[21367]: pjproject: <?>: 	    tdta0x7ff6500027f8 .Destroying txdata Response msg 401/INVITE/cseq=102 (tdta0x7ff6500027f8)
[Jul 25 10:15:14] DEBUG[18714]: pjproject: <?>: 	        sip_endpoint.c Processing incoming message: Request msg ACK/cseq=102 (rdata0x7ff5e8002fd8)
[Jul 25 10:15:14] DEBUG[18714]: res_pjsip/pjsip_distributor.c:384 find_dialog: Could not find matching transaction for Request msg ACK/cseq=102 (rdata0x7ff5e8002fd8)
[Jul 25 10:15:14] DEBUG[18714]: res_pjsip/pjsip_distributor.c:462 ast_sip_get_distributor_serializer: Calculated serializer pjsip/distributor-00000039 to use for Request msg ACK/cseq=102 (rdata0x7ff5e8002fd8)
[Jul 25 10:15:14] DEBUG[18714]: pjproject: <?>: 	        sip_endpoint.c Processing incoming message: Request msg INVITE/cseq=103 (rdata0x7ff5e8002fd8)
[Jul 25 10:15:14] DEBUG[21367]: pjproject: <?>: 	        sip_endpoint.c Distributing rdata to modules: Request msg ACK/cseq=102 (rdata0x7ff5e800e788)
[Jul 25 10:15:14] DEBUG[18714]: res_pjsip/pjsip_distributor.c:384 find_dialog: Could not find matching transaction for Request msg INVITE/cseq=103 (rdata0x7ff5e8002fd8)
[Jul 25 10:15:14] DEBUG[18714]: res_pjsip/pjsip_distributor.c:462 ast_sip_get_distributor_serializer: Calculated serializer pjsip/distributor-00000039 to use for Request msg INVITE/cseq=103 (rdata0x7ff5e8002fd8)
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_endpoint_identifier_ip.c:240 ip_identify_match_check: Source address 1.1.1.21:5060 matches identify 'gateways'
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_endpoint_identifier_ip.c:273 common_identify: Identify 'gateways' SIP message matched to endpoint gateways
[Jul 25 10:15:14] DEBUG[21367]: pjproject: <?>: 	        sip_endpoint.c Distributing rdata to modules: Request msg INVITE/cseq=103 (rdata0x7ff5e80193f8)
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_endpoint_identifier_ip.c:240 ip_identify_match_check: Source address 1.1.1.21:5060 matches identify 'gateways'
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_endpoint_identifier_ip.c:273 common_identify: Identify 'gateways' SIP message matched to endpoint gateways
[Jul 25 10:15:14] DEBUG[21367]: pjproject: <?>: 	              endpoint .Response msg 401/INVITE/cseq=103 (tdta0x7ff650000f68) created
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_authenticator_digest.c:454 digest_check_auth: Using default realm 'asterisk' on incoming auth 'intergw_in'.
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_authenticator_digest.c:259 check_nonce: Calculated nonce 1564046114/255ffe705ebf868bc9fc1f25756741c4. Actual nonce is 1564046114/255ffe705ebf868bc9fc1f25756741c4
[Jul 25 10:15:14] NOTICE[21367]: res_pjsip/pjsip_distributor.c:666 log_failed_request: Request 'INVITE' from '<sip:03454752225@1.1.1.21>' failed for '1.1.1.21:5060' (callid: 17f6b4e14384a1f676639a7312506ddb@1.1.1.21:5060) - Failed to authenticate
[Jul 25 10:15:14] DEBUG[21367]: pjproject: <?>: 	    tdta0x7ff650000f68 .Destroying txdata Response msg 401/INVITE/cseq=103 (tdta0x7ff650000f68)
[Jul 25 10:15:14] DEBUG[18714]: pjproject: <?>: 	        sip_endpoint.c Processing incoming message: Request msg ACK/cseq=103 (rdata0x7ff5e800e788)
[Jul 25 10:15:14] DEBUG[18714]: res_pjsip/pjsip_distributor.c:384 find_dialog: Could not find matching transaction for Request msg ACK/cseq=103 (rdata0x7ff5e800e788)
[Jul 25 10:15:14] DEBUG[18714]: res_pjsip/pjsip_distributor.c:462 ast_sip_get_distributor_serializer: Calculated serializer pjsip/distributor-00000039 to use for Request msg ACK/cseq=103 (rdata0x7ff5e800e788)
[Jul 25 10:15:14] DEBUG[21367]: pjproject: <?>: 	        sip_endpoint.c Distributing rdata to modules: Request msg ACK/cseq=103 (rdata0x7ff5e80193f8)
[Jul 25 10:15:14] DEBUG[18714]: pjproject: <?>: 	        sip_endpoint.c Processing incoming message: Request msg INVITE/cseq=104 (rdata0x7ff5e800e788)
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_endpoint_identifier_ip.c:240 ip_identify_match_check: Source address 1.1.1.21:5060 matches identify 'gateways'
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_endpoint_identifier_ip.c:273 common_identify: Identify 'gateways' SIP message matched to endpoint gateways
[Jul 25 10:15:14] DEBUG[18714]: res_pjsip/pjsip_distributor.c:384 find_dialog: Could not find matching transaction for Request msg INVITE/cseq=104 (rdata0x7ff5e800e788)
[Jul 25 10:15:14] DEBUG[18714]: res_pjsip/pjsip_distributor.c:462 ast_sip_get_distributor_serializer: Calculated serializer pjsip/distributor-00000039 to use for Request msg INVITE/cseq=104 (rdata0x7ff5e800e788)
[Jul 25 10:15:14] DEBUG[21367]: pjproject: <?>: 	        sip_endpoint.c Distributing rdata to modules: Request msg INVITE/cseq=104 (rdata0x7ff5e80193f8)
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_endpoint_identifier_ip.c:240 ip_identify_match_check: Source address 1.1.1.21:5060 matches identify 'gateways'
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_endpoint_identifier_ip.c:273 common_identify: Identify 'gateways' SIP message matched to endpoint gateways
[Jul 25 10:15:14] DEBUG[21367]: pjproject: <?>: 	              endpoint .Response msg 401/INVITE/cseq=104 (tdta0x7ff650000f68) created
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_authenticator_digest.c:454 digest_check_auth: Using default realm 'asterisk' on incoming auth 'intergw_in'.
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_authenticator_digest.c:259 check_nonce: Calculated nonce 1564046114/255ffe705ebf868bc9fc1f25756741c4. Actual nonce is 1564046114/255ffe705ebf868bc9fc1f25756741c4
[Jul 25 10:15:14] NOTICE[21367]: res_pjsip/pjsip_distributor.c:666 log_failed_request: Request 'INVITE' from '<sip:03454752225@1.1.1.21>' failed for '1.1.1.21:5060' (callid: 17f6b4e14384a1f676639a7312506ddb@1.1.1.21:5060) - Failed to authenticate
[Jul 25 10:15:14] DEBUG[21367]: pjproject: <?>: 	    tdta0x7ff650000f68 .Destroying txdata Response msg 401/INVITE/cseq=104 (tdta0x7ff650000f68)
[Jul 25 10:15:14] DEBUG[18714]: pjproject: <?>: 	        sip_endpoint.c Processing incoming message: Request msg ACK/cseq=104 (rdata0x7ff5e800e788)
[Jul 25 10:15:14] DEBUG[18714]: res_pjsip/pjsip_distributor.c:384 find_dialog: Could not find matching transaction for Request msg ACK/cseq=104 (rdata0x7ff5e800e788)
[Jul 25 10:15:14] DEBUG[18714]: res_pjsip/pjsip_distributor.c:462 ast_sip_get_distributor_serializer: Calculated serializer pjsip/distributor-00000039 to use for Request msg ACK/cseq=104 (rdata0x7ff5e800e788)
[Jul 25 10:15:14] DEBUG[21367]: pjproject: <?>: 	        sip_endpoint.c Distributing rdata to modules: Request msg ACK/cseq=104 (rdata0x7ff5e80193f8)
[Jul 25 10:15:14] DEBUG[18714]: pjproject: <?>: 	        sip_endpoint.c Processing incoming message: Request msg INVITE/cseq=105 (rdata0x7ff5e800e788)
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_endpoint_identifier_ip.c:240 ip_identify_match_check: Source address 1.1.1.21:5060 matches identify 'gateways'
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_endpoint_identifier_ip.c:273 common_identify: Identify 'gateways' SIP message matched to endpoint gateways
[Jul 25 10:15:14] DEBUG[18714]: res_pjsip/pjsip_distributor.c:384 find_dialog: Could not find matching transaction for Request msg INVITE/cseq=105 (rdata0x7ff5e800e788)
[Jul 25 10:15:14] DEBUG[18714]: res_pjsip/pjsip_distributor.c:462 ast_sip_get_distributor_serializer: Calculated serializer pjsip/distributor-00000039 to use for Request msg INVITE/cseq=105 (rdata0x7ff5e800e788)
[Jul 25 10:15:14] DEBUG[21367]: pjproject: <?>: 	        sip_endpoint.c Distributing rdata to modules: Request msg INVITE/cseq=105 (rdata0x7ff5e80193f8)
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_endpoint_identifier_ip.c:240 ip_identify_match_check: Source address 1.1.1.21:5060 matches identify 'gateways'
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_endpoint_identifier_ip.c:273 common_identify: Identify 'gateways' SIP message matched to endpoint gateways
[Jul 25 10:15:14] DEBUG[21367]: pjproject: <?>: 	              endpoint .Response msg 401/INVITE/cseq=105 (tdta0x7ff650000f68) created
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_authenticator_digest.c:454 digest_check_auth: Using default realm 'asterisk' on incoming auth 'intergw_in'.
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_authenticator_digest.c:259 check_nonce: Calculated nonce 1564046114/255ffe705ebf868bc9fc1f25756741c4. Actual nonce is 1564046114/255ffe705ebf868bc9fc1f25756741c4
[Jul 25 10:15:14] NOTICE[21367]: res_pjsip/pjsip_distributor.c:666 log_failed_request: Request 'INVITE' from '<sip:03454752225@1.1.1.21>' failed for '1.1.1.21:5060' (callid: 17f6b4e14384a1f676639a7312506ddb@1.1.1.21:5060) - Failed to authenticate
[Jul 25 10:15:14] DEBUG[21367]: pjproject: <?>: 	    tdta0x7ff650000f68 .Destroying txdata Response msg 401/INVITE/cseq=105 (tdta0x7ff650000f68)
[Jul 25 10:15:14] DEBUG[18714]: pjproject: <?>: 	        sip_endpoint.c Processing incoming message: Request msg ACK/cseq=105 (rdata0x7ff5e800e788)
[Jul 25 10:15:14] DEBUG[18714]: res_pjsip/pjsip_distributor.c:384 find_dialog: Could not find matching transaction for Request msg ACK/cseq=105 (rdata0x7ff5e800e788)
[Jul 25 10:15:14] DEBUG[18714]: res_pjsip/pjsip_distributor.c:462 ast_sip_get_distributor_serializer: Calculated serializer pjsip/distributor-00000039 to use for Request msg ACK/cseq=105 (rdata0x7ff5e800e788)
[Jul 25 10:15:14] DEBUG[21367]: pjproject: <?>: 	        sip_endpoint.c Distributing rdata to modules: Request msg ACK/cseq=105 (rdata0x7ff5e80193f8)
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_endpoint_identifier_ip.c:240 ip_identify_match_check: Source address 1.1.1.21:5060 matches identify 'gateways'
[Jul 25 10:15:14] DEBUG[21367]: res_pjsip_endpoint_identifier_ip.c:273 common_identify: Identify 'gateways' SIP message matched to endpoint gateways

Here is the first INVITE with the authentication included and the reply send back.

*CLI> pjsip show history entry 3
<--- History Entry 3 Received from 1.1.1.21:5060 at 1564046114 --->
INVITE sip:conference@1.1.1.27 SIP/2.0
Via: SIP/2.0/UDP 1.1.1.21:5060;received=1.1.1.21;branch=z9hG4bK5f202436
Max-Forwards: 70
From: <sip:03454752225@1.1.1.21>;tag=as61d8e2c0
To: <sip:conference@1.1.1.27>
Contact: <sip:03454752225@1.1.1.21:5060>
Call-ID: 17f6b4e14384a1f676639a7312506ddb@1.1.1.21:5060
CSeq: 103 INVITE
User-Agent: Asterisk PBX 11.6-cert8
Authorization: Digest username="authuser", realm="asterisk", nonce="1564046114/255ffe705ebf868bc9fc1f25756741c4", uri="sip:conference@1.1.1.27", response="740d1bf4b058067fc9dae4193e4b8e55", algorithm=MD5, cnonce="459eeade", opaque="0f9781a902768258", qop=auth, nc=00000001
Date: Thu, 25 Jul 2019 09:15:14 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Remote-Party-ID: "03454752225" <sip:03454752225@1.1.1.21>;party=calling;privacy=off;screen=no
Content-Type: application/sdp
Content-Length: 290
Content-Type: application/sdp
Content-Length:   290

v=0
o=root 2002911273 2002911274 IN IP4 1.1.1.21
s=Asterisk PBX 11.6-cert8
c=IN IP4 1.1.1.21
t=0 0
m=audio 18444 RTP/AVP 8 0 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=silenceSupp:off - - - -
a=ptime:20
a=sendrecv

*CLI> pjsip show history entry 4
<--- History Entry 4 Sent to 1.1.1.21:5060 at 1564046114 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 1.1.1.21:5060;rport=5060;received=1.1.1.21;branch=z9hG4bK5f202436
Call-ID: 17f6b4e14384a1f676639a7312506ddb@1.1.1.21:5060
From: <sip:03454752225@1.1.1.21>;tag=as61d8e2c0
To: <sip:conference@1.1.1.27>;tag=z9hG4bK5f202436
CSeq: 103 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1564046114/255ffe705ebf868bc9fc1f25756741c4",opaque="08180708774e62fc",algorithm=md5,qop="auth"
Server: Asterisk PBX 13.27.0
Content-Length:  0

Finally the new pjsip configuration. The only other changes I made was to turn off qualify just to make the debug output cleaner.

type=auth
auth_type=userpass
username=authuser
password=securepassword

[intergw_out]
type=auth
auth_type=userpass
username=authuser
password=securepassword

; Test entry to permit incoming connections from all other gateways. Never used for outgoing connections.
[gateways]
type=endpoint
trust_id_inbound=yes
context=intergateway
disallow=all
allow=alaw
allow=ulaw
auth=intergw_in
aors=gw1

[gateways]
type=identify
endpoint=gateways
match=1.1.1.21
match=1.1.1.22
match=1.1.1.23
match=1.1.1.24
match=1.1.1.25
match=1.1.1.26
match=1.1.1.27

[gw1]
type=endpoint
send_rpid=yes
trust_id_outbound=yes
disallow=all
allow=alaw
allow=ulaw
outbound_auth=intergw_out
aors=gw1

[gw2]
type=endpoint
send_rpid=yes
trust_id_outbound=yes
disallow=all
allow=alaw
allow=ulaw
outbound_auth=intergw_out
aors=gw2

[gw3]
type=endpoint
send_rpid=yes
trust_id_outbound=yes
disallow=all
allow=alaw
allow=ulaw
outbound_auth=intergw_out
aors=gw3

[gw4]
type=endpoint
send_rpid=yes
trust_id_outbound=yes
disallow=all
allow=alaw
allow=ulaw
outbound_auth=intergw_out
aors=gw4

[gw5]
type=endpoint
send_rpid=yes
trust_id_outbound=yes
disallow=all
allow=alaw
allow=ulaw
outbound_auth=intergw_out
aors=gw5

[gw6]
type=endpoint
send_rpid=yes
trust_id_outbound=yes
disallow=all
allow=alaw
allow=ulaw
outbound_auth=intergw_out
aors=gw6

[gw7]
type=endpoint
send_rpid=yes
trust_id_outbound=yes
disallow=all
allow=alaw
allow=ulaw
outbound_auth=intergw_out
aors=gw7

[gw1]
type=aor
contact=sip:1.1.1.21:5060
;qualify_frequency=15
;qualify_timeout=2

[gw2]
type=aor
contact=sip:1.1.1.22:5060
;qualify_frequency=15
;qualify_timeout=2

[gw3]
type=aor
contact=sip:1.1.1.23:5060
;qualify_frequency=15
;qualify_timeout=2

[gw4]
type=aor
contact=sip:1.1.1.24:5060
;qualify_frequency=15
;qualify_timeout=2

[gw5]
type=aor
contact=sip:1.1.1.25:5060
;qualify_frequency=15
;qualify_timeout=2

[gw6]
type=aor
contact=sip:1.1.1.26:5060
;qualify_frequency=15
;qualify_timeout=2

[gw7]
type=aor
contact=sip:1.1.1.27:5060
;qualify_frequency=15
;qualify_timeout=2