Match against multiple IP address in PJSIP?

Hi,

Is there a way to match incoming calls to more than one ip adress for the same endpoint?
My provider sometimes changes it’s IP in the from user field and I need to allow another ip address for my endpoint.

I have the following identity in pjsip.conf:

[MY_PROVIDER]
type = identify
endpoint = MY_PROVIDER
match = XXX.XX.XXX.100

In the sample file it seems like you can have many IP addresses but I cannot find an example of how to do it.
sample file from pjsip.conf.sample

; MODULE PROVIDING BELOW SECTION(S): res_pjsip_endpoint_identifier_ip
;==========================IDENTIFY SECTION OPTIONS=========================
;[identify]
; SYNOPSIS: Identifies endpoints via source IP address
;endpoint= ; Name of Endpoint (default: “”)
;match= ; IP addresses or networks to match against (default: “”)
;type= ; Must be of type identify (default: “”)

You add multiple “match” lines or specify a network (172.16.0.0/255.255.0.0).

That’s what I did at first and it is not working…

[MY_PROVIDER]
type = identify
endpoint = MY_PROVIDER
match = XXX.XX.XXX.100
match = XXX.XX.XXX.101

It is only working if I have one match line.
I’m using version 13.6 by the way

Is anything output on the CLI when it is read in and configured? What does the console log show with debug on when a call comes in? (You may need to be running a newer version for those log messages to be present)

No error from the cli:

dti-asterisk*CLI> module reload res_pjsip
Module ‘res_pjsip’ reloaded successfully.
[Sep 22 13:24:26] – Reloading module ‘res_pjsip.so’ (Basic SIP resource)
[Sep 22 13:24:25] NOTICE[28695]: sorcery.c:1376 sorcery_object_load: Type ‘transport’ is not reloadable, maintaining previous values
[Sep 22 13:24:25] NOTICE[28695]: sorcery.c:1376 sorcery_object_load: Type ‘system’ is not reloadable, maintaining previous values

If I do a wireshark capture, I can see Asterisk giving a 401 to my provider.
The source ip address is my first IP match (.100) and the from user field has my second match line (.101).
My provider is sometime doing sip analysis that’s why I get a different IP address in the from userfield.

I’d suggest providing the debug and log like I mentioned so we can see what is up.

I will. Let me get back to you.

My identity:

[4188954758]
type = identify
endpoint = 4188954758
match = XXX.XXX.XXX.100
match = XXX.XXX.XXX.101

My pjsip debug log:

[Sep 22 15:11:38] VERBOSE[2170] res_pjsip_logger.c: <— Received SIP request (1161 bytes) from UDP:XXX.XXX.XXX.100:5060 —>
INVITE sip:4188954758@XXX.XXX.XXX.3X:5060;transport=udp SIP/2.0
Record-Route: sip:XXX.XXX.XXX.100;r2=on;lr;ftag=XXX.XXX.XXX.101+1+4e8901+567cceb4
Record-Route: sip:206.80.250.20;r2=on;lr;ftag=XXX.XXX.XXX.101+1+4e8901+567cceb4
Via: SIP/2.0/UDP XXX.XXX.XXX.100:5060;branch=z9hG4bKb29c.826ca7d.0
Via: SIP/2.0/UDP XXX.XXX.XXX.101:5060;received=XXX.XXX.XXX.101;rport=5060;branch=z9hG4bK-e345dc63f3c3a037ed0d345e63f33f921-XXX.XXX.XXX.101-1
Allow-Events: message-summary, refer, dialog, line-seize, presence, call-info, as-feature-event
Call-ID: 6C68CB43@XXX.XXX.XXX.101
From: “CARL FORTIN” sip:4185482457@XXX.XXX.XXX.101:5060;transport=udp;tag=XXX.XXX.XXX.101+1+4e8901+567cceb4
To: sip:4188954758@XXX.XXX.XXX.3X
CSeq: 838561269 INVITE
Expires: 180
Organization: MetaSwitch
Supported: resource-priority, 100rel
Content-Length: 199
Content-Type: application/sdp
Max-Forwards: 69
Contact: “CARL FORTIN” sip:4185482457@XXX.XXX.XXX.101:5060;transport=udp

v=0
o=- 1397649074 1397649074 IN IP4 206.80.250.11
s=-
c=IN IP4 206.80.250.102
t=0 0
m=audio 25386 RTP/AVP 18 0 101
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv
a=nortpproxy:yes

[Sep 22 15:11:38] VERBOSE[23910] res_pjsip_logger.c: <— Transmitting SIP response (848 bytes) to UDP:XXX.XXX.XXX.100:5060 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP XXX.XXX.XXX.100:5060;rport=5060;received=XXX.XXX.XXX.100;branch=z9hG4bKb29c.826ca7d.0
Via: SIP/2.0/UDP XXX.XXX.XXX.101:5060;rport=5060;received=XXX.XXX.XXX.101;branch=z9hG4bK-e345dc63f3c3a037ed0d345e63f33f921-XXX.XXX.XXX.101-1
Record-Route: sip:XXX.XXX.XXX.100;lr;r2=on;ftag=XXX.XXX.XXX.101+1+4e8901+567cceb4
Record-Route: sip:206.80.250.20;lr;r2=on;ftag=XXX.XXX.XXX.101+1+4e8901+567cceb4
Call-ID: 6C68CB43@XXX.XXX.XXX.101
From: “CARL FORTIN” sip:4185482457@XXX.XXX.XXX.101;tag=XXX.XXX.XXX.101+1+4e8901+567cceb4
To: sip:4188954758@XXX.XXX.XXX.3X;tag=z9hG4bKb29c.826ca7d.0
CSeq: 838561269 INVITE
WWW-Authenticate: Digest realm=“tor.trk.tprm.ca”,nonce=“1474571498/e08b63ee901e1d79c9039dacc9eb73cd”,opaque=“5cb5ce7a5ebdb9f7”,algorithm=md5,qop="auth"
Server: Asterisk PBX 13.6.0
Content-Length: 0

[Sep 22 15:11:38] VERBOSE[2170] res_pjsip_logger.c: <— Received SIP request (428 bytes) from UDP:XXX.XXX.XXX.100:5060 —>
ACK sip:4188954758@XXX.XXX.XXX.3X:5060;transport=udp SIP/2.0
Via: SIP/2.0/UDP XXX.XXX.XXX.100:5060;branch=z9hG4bKb29c.826ca7d.0
From: “CARL FORTIN” sip:4185482457@XXX.XXX.XXX.101;tag=XXX.XXX.XXX.101+1+4e8901+567cceb4
Call-ID: 6C68CB43@XXX.XXX.XXX.101
To: sip:4188954758@XXX.XXX.XXX.3X;tag=z9hG4bKb29c.826ca7d.0
CSeq: 838561269 ACK
Max-Forwards: 70
User-Agent: OpenSIPS (1.11.5-notls (x86_64/linux))
Content-Length: 0

You’ll need to turn on debug by enabling it to go to the console in logger.conf and executing “core set debug 9”. This will give more information.

I just did and unfortunately I do not seem to get anything more… I get nothing from the console when the problematic incoming call is coming.It does not even get into the dialplan.
All I get is sip trace from setting pjsip logger on.
Do you want still want me to give it to you?

If debug is going to the console (did you alter it and not run logger reload) then you’ll definitely notice. There will be debug log statements.

And I assume you have the res_pjsip_endpoint_identifier_ip module loaded?

Yes:

dti-asterisk*CLI> module show like res_pjsip_endpoint_identifier_ip
Module Description Use Count Status Support Level
res_pjsip_endpoint_identifier_ip.so PJSIP IP endpoint identifier 0 Running core
1 modules loaded

I do have this in my debug log

[Sep 22 16:06:07] DEBUG[6405] res_pjsip_endpoint_identifier_ip.c: Source address XXX.XXX.XXX.100:5060 does not match identify ‘4188954758’
[Sep 22 16:06:07] DEBUG[6405] res_pjsip_endpoint_identifier_ip.c: ‘XXX.XXX.XXX.100:5060’ did not match any identify section rules

The IP address in my match line is right but will only work if I remove the XXX.XXX.XXX.100 and I only have XXX.XXX.XXX.101 left.

I don’t understand how it could work if it was 101… as that obviously would not match.

Well, it matches the IP address in the fromuser sip field.

That module doesn’t look at that, unless you’ve modified it. It only looks at the actual source IP address.

Hum, so if the address in the from field does not matter and it’s really looking at the source ip address, why does it work when I put it in the match line? I’m clueless.

I don’t know with the information you’ve provided. You can also use “pjsip show identifies” to see what was read in from the configuration.