Originate command - forbidden from anonymous

Hi,

I have an Asterisk 11.0.1 running on a VM. When I try to originate a call from the CLI or a Java application I get the following error:

Received response: “Forbidden” from '“Anonymous” sip:username@anonymous.invalid;

The command I am using on the CLI is originate sip/troncodovono/<phone_number> extension

My sip.conf is as follows:

[code][general]
externip=<public_ip>
localnet=10.0.0.0/255.0.0.0
bindport=5060
bindaddr=0.0.0.0
srvlookup=yes
sendrpid=yes
trustrpid=no

[troncodovono]
type=peer
username=
secret=
domain=vono.net.br
fromuser=substractum
fromdomain=vono.net.br
host=vono.net.br
insecure=invite,port
qualify=no
port=5060
nat=no
disallow=all
allow=ulaw
dtmfmode=rfc2833
context=recebe_vono
reinvite=no
canreinvite=no
[/code]

Enabling sip debug I get:

[code] == Using SIP RTP CoS mark 5
Audio is at 17670
Adding codec 100003 (ulaw) to SDP
Adding non-codec 0x1 (telephone-event) to SDP
Reliably Transmitting (no NAT) to <public_ip>:5060:
INVITE sip:<phone_number>@vono.net.br:5060 SIP/2.0
Via: SIP/2.0/UDP 201.22.86.160:5060;branch=z9hG4bK759831c2
Max-Forwards: 70
From: “Anonymous” <sip:@anonymous.invalid>;tag=as0387b755
To: <sip:<phone_number>@vono.net.br:5060>
Contact: <sip:@201.22.86.160:5060>
Call-ID: 563d86d3076ae7907965c55617394371@vono.net.br
CSeq: 102 INVITE
User-Agent: Asterisk PBX 11.0.1
Date: Thu, 27 Dec 2012 12:07:01 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 235

v=0
o=root 207473238 207473238 IN IP4 201.22.86.160
s=Asterisk PBX 11.0.1
c=IN IP4 201.22.86.160
t=0 0
m=audio 17670 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv


<— SIP read from UDP:<public_ip>:5060 —>
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 201.22.86.160:5060;branch=z9hG4bK759831c2
From: “Anonymous” <sip:@anonymous.invalid>;tag=as0387b755
To: <sip:<phone_number>@vono.net.br:5060>
Call-ID: 563d86d3076ae7907965c55617394371@vono.net.br
CSeq: 102 INVITE

<------------->
— (6 headers 0 lines) —

<— SIP read from UDP:<public_ip>:5060 —>
SIP/2.0 403 Forbidden - Wrong domain or Username format
Via: SIP/2.0/UDP 201.22.86.160:5060;branch=z9hG4bK759831c2
From: “Anonymous” <sip:@anonymous.invalid>;tag=as0387b755
To: <sip:<phone_number>@vono.net.br:5060>;tag=f8f2ab2c1295e90ed7dbb499b30f44b2.682c
Call-ID: 563d86d3076ae7907965c55617394371@vono.net.br
CSeq: 102 INVITE
Server: Plataforma Vono
Content-Length: 0

<------------->
— (8 headers 0 lines) —
Transmitting (no NAT) to <public_ip>:5060:
ACK sip:<phone_number>@vono.net.br:5060 SIP/2.0
Via: SIP/2.0/UDP 201.22.86.160:5060;branch=z9hG4bK759831c2
Max-Forwards: 70
From: “Anonymous” <sip:@anonymous.invalid>;tag=as0387b755
To: <sip:<phone_number>@vono.net.br:5060>;tag=f8f2ab2c1295e90ed7dbb499b30f44b2.682c
Contact: <sip:@201.22.86.160:5060>
Call-ID: 563d86d3076ae7907965c55617394371@vono.net.br
CSeq: 102 ACK
User-Agent: Asterisk PBX 11.0.1
Content-Length: 0


[Dec 27 10:07:01] WARNING[1490][C-00000000]: chan_sip.c:22376 handle_response_invite: Received response: “Forbidden” from '“Anonymous” <sip:@anonymous.invalid>;tag=as0387b755’
Scheduling destruction of SIP dialog ‘563d86d3076ae7907965c55617394371@vono.net.br’ in 32000 ms (Method: INVITE)
Really destroying SIP dialog ‘563d86d3076ae7907965c55617394371@vono.net.br’ Method: INVITE[/code]

Can anybody help?

Thanks

The <public_ip> as the source or destination of the packet should actually be the IP of the ITSP. If it is not, something is seriously broken. The trace is behaving as though externip was set to 201.22.86.160.

What you have as anonymous.invalid should be vono.net.br. If it is not, something is again seriously wrong.

What you have as should be substractum, and there should definitely be no <>.

As all of the above are either public knowledge or in your configuration, there is no reason why you should have obfuscated them.

I think you may have exposed a bug where a “presentation not allowed” status, possibly combined with the use of RPID, has resulted in the wrong handling of the From header, and, in particular, not enough weight being given to fromuser and fromdomain, but you need to check your obfuscation very carefully before submitting a bug report, and avoid using <> in the obfuscation. You will also need to run with debugging set to at least 5 and capture the output (which probably means enabling it in logger.conf, and using a log file, not the CLI).

There is no “reinvite” option and “canreinvite” should be “directmedia”, although the old name may still be accepted.

“username” is deprecated, but fromuser should take precedence.

Only use insecure=invite,port if insecure=invite doesn’t work.

I tried what was suggested, but no luck.

My sip.conf is now this:

[code][general]
externip=201.22.86.160
localnet=10.0.0.0/255.0.0.0
bindport=5060
bindaddr=0.0.0.0

[troncodovono]
type=peer
;username=substractum
secret=passwd
domain=vono.net.br
fromuser=substractum
fromdomain=vono.net.br
host=vono.net.br
insecure=invite,port
qualify=no
port=5060
nat=no
disallow=all
allow=ulaw
dtmfmode=rfc2833
context=recebe_vono
;reinvite=no
canreinvite=directedia
[/code]

And after setting the debug level to 5 I get this:

[code]Using SIP RTP CoS mark 5
Audio is at 19108
Adding codec 100003 (ulaw) to SDP
Adding non-codec 0x1 (telephone-event) to SDP
Reliably Transmitting (no NAT) to 201.86.87.35:5060:
INVITE sip:my_phone@vono.net.br:5060 SIP/2.0
Via: SIP/2.0/UDP 201.22.86.160:5060;branch=z9hG4bK6bc6abf8
Max-Forwards: 70
From: “Anonymous” sip:substractum@anonymous.invalid;tag=as5233ebdc
To: sip:my_phone@vono.net.br:5060
Contact: sip:substractum@201.22.86.160:5060
Call-ID: 119b268e6141d1526ed5271665221ad7@vono.net.br
CSeq: 102 INVITE
User-Agent: Asterisk PBX 11.0.1
Date: Thu, 27 Dec 2012 13:37:58 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 237

v=0
o=root 1540506762 1540506762 IN IP4 201.22.86.160
s=Asterisk PBX 11.0.1
c=IN IP4 201.22.86.160
t=0 0
m=audio 19108 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv


<— SIP read from UDP:201.86.87.35:5060 —>
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 201.22.86.160:5060;branch=z9hG4bK6bc6abf8
From: “Anonymous” sip:substractum@anonymous.invalid;tag=as5233ebdc
To: sip:my_phone@vono.net.br:5060
Call-ID: 119b268e6141d1526ed5271665221ad7@vono.net.br
CSeq: 102 INVITE

<------------->
— (6 headers 0 lines) —

<— SIP read from UDP:201.86.87.35:5060 —>
SIP/2.0 403 Forbidden - Wrong domain or Username format
Via: SIP/2.0/UDP 201.22.86.160:5060;branch=z9hG4bK6bc6abf8
From: “Anonymous” sip:substractum@anonymous.invalid;tag=as5233ebdc
To: sip:my_phone@vono.net.br:5060;tag=f8f2ab2c1295e90ed7dbb499b30f44b2.9fe1
Call-ID: 119b268e6141d1526ed5271665221ad7@vono.net.br
CSeq: 102 INVITE
Server: Plataforma Vono
Content-Length: 0

<------------->
— (8 headers 0 lines) —
Transmitting (no NAT) to 201.86.87.35:5060:
ACK sip:my_phone@vono.net.br:5060 SIP/2.0
Via: SIP/2.0/UDP 201.22.86.160:5060;branch=z9hG4bK6bc6abf8
Max-Forwards: 70
From: “Anonymous” sip:substractum@anonymous.invalid;tag=as5233ebdc
To: sip:my_phone@vono.net.br:5060;tag=f8f2ab2c1295e90ed7dbb499b30f44b2.9fe1
Contact: sip:substractum@201.22.86.160:5060
Call-ID: 119b268e6141d1526ed5271665221ad7@vono.net.br
CSeq: 102 ACK
User-Agent: Asterisk PBX 11.0.1
Content-Length: 0


[Dec 27 11:37:58] WARNING[2782][C-00000001]: chan_sip.c:22376 handle_response_invite: Received response: “Forbidden” from ‘“Anonymous” sip:substractum@anonymous.invalid;tag=as5233ebdc’
Scheduling destruction of SIP dialog '119b268e6141d1526ed5271665221ad7@vono.net.br’ in 32000 ms (Method: INVITE)
Really destroying SIP dialog '119b268e6141d1526ed5271665221ad7@vono.net.br’ Method: INVITE[/code]

fromuser is now working, but the “presentation not allowed” status is still overriding the from domain. I think that is a bug, but it probably doesn’t affect that many people as most ITSPs probably don’t check the domain part. The easiest to use ones rely on the IP address, and don’t check the user, either. The main advantage of matching on From (type=user in Asterisk terms - but on the other side of the trunk) is that you can use multiple single user accounts, rather than a single business account.

You may be able to get round it by forcing presentation allowed in the dialplan, or by turning off RPID (so you can’t pass caller ID at all).

However, I think you should report this as a bug.
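Added example, not part of the original thread: a small Python check that compares the From header of an outgoing INVITE in a SIP debug trace with the peer's fromuser and fromdomain, which is the comparison made by hand in the reply above. The sample config and trace are constructed from values shown in the thread, and the function names are illustrative.

```python
import re

# Constructed sample: the relevant peer settings as posted in the thread.
SIP_CONF = """\
[troncodovono]
type=peer
fromuser=substractum
fromdomain=vono.net.br
"""

# Constructed trace excerpt modelled on the second debug capture.
TRACE = """\
INVITE sip:my_phone@vono.net.br:5060 SIP/2.0
From: "Anonymous" <sip:substractum@anonymous.invalid>;tag=as5233ebdc
To: <sip:my_phone@vono.net.br:5060>
"""

def peer_settings(conf_text, peer):
    """Return the key/value pairs of one [peer] section; ';' starts a comment."""
    settings, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
        elif current == peer and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

# Captures the (possibly empty) user part and the host of the From URI.
FROM_RE = re.compile(r"^From:.*?sips?:(?:([^@>;\s]*)@)?([^>;:\s]+)", re.I | re.M)

def check_from(trace, settings):
    """List mismatches between the first From header and fromuser/fromdomain."""
    m = FROM_RE.search(trace)
    if not m:
        return ["no From header found"]
    user, domain = m.group(1) or "", m.group(2).lower()
    want_user, want_domain = settings.get("fromuser", ""), settings.get("fromdomain", "")
    problems = []
    if user != want_user:
        problems.append(f"user '{user}' does not match fromuser '{want_user}'")
    if domain != want_domain.lower():
        problems.append(f"domain '{domain}' does not match fromdomain '{want_domain}'")
    if domain == "anonymous.invalid":
        problems.append("From URI is anonymised (presentation restricted)")
    return problems
```

Running `check_from(TRACE, peer_settings(SIP_CONF, "troncodovono"))` on the constructed trace reports the domain mismatch and the anonymised URI while accepting the user part, matching the state described in the reply.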

Just to register it here… I tried the options you suggested and it did not work. I will open a bug report.

Please include a link to this thread in the report.

Also note that you should concentrate on the failure to honour fromdomain, although I think that fromuser should override defaultuser.

Just to add… I tried installing Asterisk 1.8.19.0 and the same problem happens…

In Asterisk 1.6.0.1 it works.

With the bug tracker, you must release the issue once you have finished providing requested feedback. If you just leave it, it will get overlooked for a long time.

The issue tracker reference for this issue is: issues.asterisk.org/jira/browse/ASTERISK-20841

I’m currently using Asterisk 1.8.11, and I’m having this issue. It looks like this bug is still open. issues.asterisk.org/jira/browse … t-tabpanel
As issue 20841. I really need to do originates, but my SIP provider is responding with 403 forbidden because the user is anonymous. There is a patch that was once published by a user named Dmitry Panov, but then removed. I’d love to have that patch. Has this been patched in a subsequent Asterisk release? If not, where can I find that patch?

The patch cannot be used in official versions because its author did not provide the proper legal releases for its inclusion in Asterisk.

Incidentally, I think you will find that most business oriented ITSPs do not require fromdomain setting, and, therefore, are not affected by this problem.