InvalidPassword / Failed to authenticate device

cerien.jean · October 9, 2023, 7:59pm

Hello
Using Chan_sip (and cant move to pjsip), I have a strange situation.

Client sends an INVITE, with credentials, he gets a 401 Unauthorized, and sends back an invite with the credential and response field => and gets a 403 Forbidden - immediately after, he retries and the INVITE is accepted. Same 401, different nonce of course, and then 200OK - (no other message is sent between the two calls)
The security log says invalid password. I’ve recalculated the MD5 hashes for both calls, and they are correct.
So why would one fail, and not the other ?

Here is the SIP Traces (for the last register before the call and the INVITE)

proto:UDP 2023-10-09T16:26:36.976197Z  IPCALLER:65284 ---> IPAsteriskServer:5060

REGISTER sip:sip.mydomain.fr SIP/2.0
Via: SIP/2.0/UDP 192.168.0.250:5060;rport;branch=z9hG4bKdb70ff3402080936dd32f7e6d7ed0850
From: <sip:myuserid@sip.mydomain.fr>;tag=b48dd4bdb75490cf
To: <sip:myuserid@sip.mydomain.fr>
Call-ID: c0f76a5b1b29f30e6a67b4b166cc9d7b
CSeq: 469761476 REGISTER
Contact: <sip:myuserid@192.168.0.250:5060;transport=udp>
Expires: 3600
Max-Forwards: 70
User-Agent: IP Office 9.1.9.0 build 182
Supported: timer
Content-Length: 0


proto:UDP 2023-10-09T16:26:36.976537Z  IPAsteriskServer:5060 ---> IPCALLER:65284

SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.0.250:5060;branch=z9hG4bKdb70ff3402080936dd32f7e6d7ed0850;received=IPCALLER;rport=65284
From: <sip:myuserid@sip.mydomain.fr>;tag=b48dd4bdb75490cf
To: <sip:myuserid@sip.mydomain.fr>;tag=as1219befe
Call-ID: c0f76a5b1b29f30e6a67b4b166cc9d7b
CSeq: 469761476 REGISTER
Server: IPERServerVOIP
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="mydomain.fr", nonce="23df0a8b"
Content-Length: 0


proto:UDP 2023-10-09T16:26:37.045236Z  IPCALLER:65284 ---> IPAsteriskServer:5060

REGISTER sip:sip.mydomain.fr SIP/2.0
Via: SIP/2.0/UDP 192.168.0.250:5060;rport;branch=z9hG4bK95a39939a82ca38d5fddc7d2da9b5911
From: <sip:myuserid@sip.mydomain.fr>;tag=b48dd4bdb75490cf
To: <sip:myuserid@sip.mydomain.fr>
Call-ID: c0f76a5b1b29f30e6a67b4b166cc9d7b
CSeq: 469761477 REGISTER
Contact: <sip:myuserid@192.168.0.250:5060;transport=udp>
Expires: 3600
Authorization: Digest username="myuserid",realm="mydomain.fr",nonce="23df0a8b",response="b51c64cde3d829285f96b38e6cc15035",uri="sip:sip.mydomain.fr"
Max-Forwards: 70
User-Agent: IP Office 9.1.9.0 build 182
Supported: timer
Content-Length: 0


proto:UDP 2023-10-09T16:26:37.045926Z  IPAsteriskServer:5060 ---> IPCALLER:65284

SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.0.250:5060;branch=z9hG4bK95a39939a82ca38d5fddc7d2da9b5911;received=IPCALLER;rport=65284
From: <sip:myuserid@sip.mydomain.fr>;tag=b48dd4bdb75490cf
To: <sip:myuserid@sip.mydomain.fr>;tag=as1219befe
Call-ID: c0f76a5b1b29f30e6a67b4b166cc9d7b
CSeq: 469761477 REGISTER
Server: IPERServerVOIP
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Expires: 900
Contact: <sip:myuserid@192.168.0.250:5060;transport=udp>;expires=900
Date: Mon, 09 Oct 2023 16:26:37 GMT
Content-Length: 0




proto:UDP 2023-10-09T16:37:08.035297Z  IPCALLER:65284 ---> IPAsteriskServer:5060

INVITE sip:0696000000@sip.mydomain.fr. SIP/2.0
Via: SIP/2.0/UDP 192.168.0.250:5060;rport;branch=z9hG4bKee1775593a61cf44e89ba5157fd516ea
From: "Caller Name" <sip:402@sip.mydomain.fr>;tag=5255224433a7acc2
To: <sip:0696000000@sip.mydomain.fr.>
Call-ID: a532937b805268d163ae90ee41e49609
CSeq: 642928774 INVITE
Contact: "Caller Name" <sip:402@192.168.0.250:5060;transport=udp>
Max-Forwards: 70
Allow: INVITE,ACK,CANCEL,OPTIONS,BYE,INFO,REFER,NOTIFY,UPDATE
Supported: timer
User-Agent: IP Office 9.1.9.0 build 182
Content-Type: application/sdp
Content-Length: 221

v=0
o=UserA 1758480391 2792208143 IN IP4 192.168.0.250
s=Session SDP
c=IN IP4 192.168.0.250
t=0 0
m=audio 46750 RTP/AVP 8 4 18
a=rtpmap:8 PCMA/8000
a=rtpmap:4 G723/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no

proto:UDP 2023-10-09T16:37:08.035712Z  IPAsteriskServer:5060 ---> IPCALLER:65284

SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.0.250:5060;branch=z9hG4bKee1775593a61cf44e89ba5157fd516ea;received=IPCALLER;rport=65284
From: "Caller Name" <sip:402@sip.mydomain.fr>;tag=5255224433a7acc2
To: <sip:0696000000@sip.mydomain.fr.>;tag=as682a34d1
Call-ID: a532937b805268d163ae90ee41e49609
CSeq: 642928774 INVITE
Server: IPERServerVOIP
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="mydomain.fr", nonce="6b9cd38f"
Content-Length: 0


proto:UDP 2023-10-09T16:37:08.103265Z  IPCALLER:65284 ---> IPAsteriskServer:5060

ACK sip:0696000000@sip.mydomain.fr. SIP/2.0
Via: SIP/2.0/UDP 192.168.0.250:5060;rport;branch=z9hG4bKee1775593a61cf44e89ba5157fd516ea
From: "Caller Name" <sip:402@sip.mydomain.fr>;tag=5255224433a7acc2
To: <sip:0696000000@sip.mydomain.fr.>;tag=as682a34d1
Call-ID: a532937b805268d163ae90ee41e49609
CSeq: 642928774 ACK
Max-Forwards: 70
Allow: INVITE,ACK,CANCEL,OPTIONS,BYE,INFO,REFER,NOTIFY,UPDATE
User-Agent: IP Office 9.1.9.0 build 182
Content-Length: 0


proto:UDP 2023-10-09T16:37:08.107363Z  IPCALLER:65284 ---> IPAsteriskServer:5060

INVITE sip:0696000000@sip.mydomain.fr. SIP/2.0
Via: SIP/2.0/UDP 192.168.0.250:5060;rport;branch=z9hG4bKa9464f4e2a717a1a2fdf67a7c3668cc3
From: "Caller Name" <sip:402@sip.mydomain.fr>;tag=5255224433a7acc2
To: <sip:0696000000@sip.mydomain.fr.>
Call-ID: a532937b805268d163ae90ee41e49609
CSeq: 642928775 INVITE
Contact: "Caller Name" <sip:402@192.168.0.250:5060;transport=udp>
Max-Forwards: 70
Authorization: Digest username="myuserid",realm="mydomain.fr",nonce="6b9cd38f",response="d41f2b17cd363f52daf9444ae89ec22c",uri="sip:0696000000@sip.mydomain.fr."
Allow: INVITE,ACK,CANCEL,OPTIONS,BYE,INFO,REFER,NOTIFY,UPDATE
Supported: timer
User-Agent: IP Office 9.1.9.0 build 182
Content-Type: application/sdp
Content-Length: 221

v=0
o=UserA 1758480391 2792208143 IN IP4 192.168.0.250
s=Session SDP
c=IN IP4 192.168.0.250
t=0 0
m=audio 46750 RTP/AVP 8 4 18
a=rtpmap:8 PCMA/8000
a=rtpmap:4 G723/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no

proto:UDP 2023-10-09T16:37:08.107828Z  IPAsteriskServer:5060 ---> IPCALLER:65284

SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 192.168.0.250:5060;branch=z9hG4bKa9464f4e2a717a1a2fdf67a7c3668cc3;received=IPCALLER;rport=65284
From: "Caller Name" <sip:402@sip.mydomain.fr>;tag=5255224433a7acc2
To: <sip:0696000000@sip.mydomain.fr.>;tag=as682a34d1
Call-ID: a532937b805268d163ae90ee41e49609
CSeq: 642928775 INVITE
Server: IPERServerVOIP
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Length: 0


proto:UDP 2023-10-09T16:37:08.175205Z  IPCALLER:65284 ---> IPAsteriskServer:5060

ACK sip:0696000000@sip.mydomain.fr. SIP/2.0
Via: SIP/2.0/UDP 192.168.0.250:5060;rport;branch=z9hG4bKa9464f4e2a717a1a2fdf67a7c3668cc3
From: "Caller Name" <sip:402@sip.mydomain.fr>;tag=5255224433a7acc2
To: <sip:0696000000@sip.mydomain.fr.>;tag=as682a34d1
Call-ID: a532937b805268d163ae90ee41e49609
CSeq: 642928775 ACK
Max-Forwards: 70
Allow: INVITE,ACK,CANCEL,OPTIONS,BYE,INFO,REFER,NOTIFY,UPDATE
User-Agent: IP Office 9.1.9.0 build 182
Content-Length: 0

Peer definition:
[myuserid]
type=friend
defaultuser=myuserid
accountcode=myuserid
regexten=myuserid
amaflags=billing
secret=secretkey
nat=force_rport,comedia
dtmfmode=RFC2833
qualify=no
disallow=all
allow=g729
allow=gsm
host=dynamic
context=billing
insecure=port,invite
regseconds=0
cancallforward=yes
transport=udp

FrancoSmash · October 9, 2023, 8:39pm

Call-ID: c0f76a5b1b29f30e6a67b4b166cc9d7b

This is the cause of your issue. Are you the Trunk/ Carrier?

cerien.jean · October 9, 2023, 8:51pm

yes I am the carrier - what is the issue with the callid ?

FrancoSmash · October 9, 2023, 9:08pm

As you are service provider, you’re asking for authentication, hence your authentication ID / Call-ID is not being recognized.

cerien.jean · October 9, 2023, 9:20pm

I understand that - The callid is sent by the remote party and looks correct to me in both dialogs (register and invite) - credentials provided in the INVITE are correct (I’ve recalculated the md5 with the nonce). So I dont understand why asterisk is issuing a Invalid Password in the security log, and reject the call with a 403

david551 · October 9, 2023, 10:21pm

The callid is valid. There is no requirement for an “@”

cerien.jean · October 10, 2023, 11:59am

Thanks - the strange thing I see is that the actual username is correctly sent in the digest of the INVITE, yet asterisk security log report the To/URI in the accountID field of the log - when an Invite is accepted, the accountID in the security file is populated with the actual username (which seems to be correct)

To clarify, the client sends the register which is accepted. He can then send several INVITE with no problem. At some point in time, it stops working and the INVITE with the correct credentials gets a 403. A new REGISTER allows calls to be accepted again. The moment the INVITE are rejected are well within the timers negotiated,

jcolp · October 10, 2023, 12:01pm

You’ve configured it such that when registered it won’t be challenged for authentication on incoming INVITEs, due to the use of “insecure=port,invite”. If the registration is gone, then that wouldn’t occur, and it would challenge. Why auth fails in that case I don’t know.

cerien.jean · October 10, 2023, 12:19pm

Many thanks, that is exactly my issue - what is weird is that the INVITE is challenged, while well within the REGISTER expiry timer, and rejected while the credentials are correct.

How could I debug this further ?

jcolp · October 10, 2023, 12:31pm

I don’t know, that is the extent of my remaining chan_sip memory.

cerien.jean · October 10, 2023, 12:35pm

thanks anyway

david551 · October 10, 2023, 1:43pm

Putting insecure=port,invite in sip.conf is normally the result of cut and paste coding. The port part is generally just insecure, for UDP, and it is unusual to need insecure=invite for incoming registrations. I’m sure there are cases where it is necessary for those, but the decision to do this really should be documented in your system design, as it is an unusual requirement. Consider removing the insecure= line.

The main valid use for insecure=invite is with outgoing registration, to ITSPs, who don’t generally authenticate themselves to the customer. For many years now, a better solution for that is to use remotesecret, rather than secret, as I consider that that is more directly addressing the requirement.

cerien.jean · October 10, 2023, 2:00pm

I will try - the insecure=port is to accept invites when a router changes the port on the way

david551 · October 10, 2023, 2:22pm

Note I meant to say “unusual to need insecure=invite”.

If you have a valid reason for insecure=port, keep the port part.

cerien.jean · October 10, 2023, 2:52pm

I finally found the issue, another REGISTER arrives from a different IP, that supersedes the original REGISTER. Then INVITES from the first ip are rejected.

Thanks for the help !

system · November 9, 2023, 2:52pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Invalid password for a good password Asterisk SIP	2	173	August 11, 2023
Random invalid password Asterisk SIP	6	397	November 7, 2019
Chan_sip.c:26179 handle_request_invite: Failed to authenticate device Asterisk SIP	6	12309	June 7, 2017
Problem with authentication Asterisk Support	1	395	April 25, 2012
SIP - Failed to Authenticate Asterisk SIP	4	70	November 30, 2024

InvalidPassword / Failed to authenticate device

Related topics