PJSIP inbound trunk issues with IP authentication

Inbound calls from Vitelity fail with the following errors: “no matching endpoint found”, “Failed to authenticate”.

[Jun 24 17:14:08] NOTICE[15881]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '"<<my cell>>" <sip:<<my cell>>@<<vitelity public ip>>>' failed for '<<vitelity public ip>>:5060' (callid: 23a5ce3640d560e27ce7cf2c6339f1f8@10.44.109.39:5060) - No matching endpoint found
[Jun 24 17:14:08] NOTICE[15881]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '"<<my cell>>" <sip:<<my cell>>@<<vitelity public ip>>>' failed for '<<vitelity public ip>>:5060' (callid: 23a5ce3640d560e27ce7cf2c6339f1f8@10.44.109.39:5060) - No matching endpoint found
[Jun 24 17:14:08] NOTICE[15881]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '"<<my cell>>" <sip:<<my cell>>@<<vitelity public ip>>>' failed for '<<vitelity public ip>>:5060' (callid: 23a5ce3640d560e27ce7cf2c6339f1f8@10.44.109.39:5060) - Failed to authenticate

My pjsip.conf

[vitel-inbound]
type=identify
endpoint=vitel-inbound
match=<<vitelity public ip2>>
match=<<vitelity public ip>>

[vitel-inbound]
type=endpoint
context=vitel-inbound
disallow=all
allow=ulaw
allow=alaw
allow=gsm
transport=udp-transport-nat
rewrite_contact=yes
from_domain=<<vitelity public ip>>
direct_media=no
dtmf_mode=auto

pjsip logger output

<--- Transmitting SIP response (550 bytes) to UDP:<<vitelity public ip>>:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP <<vitelity public ip>>:5060;rport=5060;received=<<vitelity public ip>>;branch=z9hG4bK5shokl206g6uaf9k7pl0.1
Call-ID: 632701844e1fc26719777e1228b68ed4@10.44.109.17:5060
From: "<<my cell>>" <sip:<<my cell>>@<<vitelity public ip>>>;tag=as0bf54330
To: <sip:<<did on my pbx>>@<<aws public ip>>;tag=z9hG4bK5shokl206g6uaf9k7pl0.1
CSeq: 103 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1656078882/23a114898764389e99c2fe51fc772bf5",opaque="42f5e43e7e66e565",algorithm=MD5,qop="auth"
Server: Asterisk PBX GIT-18-801317ae05
Content-Length:  0


<--- Received SIP request (366 bytes) from UDP:64.2.142.90:5060 --->
ACK sip:<<did on my pbx>>@<<aws public ip>>:5060 SIP/2.0
Via: SIP/2.0/UDP 64.2.142.90:5060;branch=z9hG4bK5shokl206g6uaf9k7pl0.1
CSeq: 103 ACK
Max-Forwards: 68
To: <sip:<<did on my pbx>>@<<aws public ip>>>;tag=z9hG4bK5shokl206g6uaf9k7pl0.1
From: "<<my cell>>" <sip:<<my cell>>@<<vitelity public ip>>>;tag=as0bf54330
Call-ID: 632701844e1fc26719777e1228b68ed4@10.44.109.17:5060
Content-Length: 0


<--- Received SIP request (1247 bytes) from UDP:<<vitelity public ip>>:5060 --->
INVITE sip:<<did on my pbx>>@<<aws public ip>>:5060 SIP/2.0
Via: SIP/2.0/UDP <<vitelity public ip>>:5060;branch=z9hG4bKa46alt006grhaenr1e10.1
Max-Forwards: 68
To: <sip:<<did on my pbx>>@<<aws public ip>>>
From: "<<my cell>>" <sip:<<my cell>>@<<vitelity public ip>>>;tag=as0bf54330
Contact: <sip:<<my cell>>@<<vitelity public ip>>:5060;transport=udp>
Call-ID: 632701844e1fc26719777e1228b68ed4@10.44.109.17:5060
CSeq: 104 INVITE
User-Agent: packetrino
Authorization: Digest username="pt", realm="asterisk", algorithm=MD5, uri="sip:pt@10.44.108.197:5060", nonce="1656078882/23a114898764389e99c2fe51fc772bf5", response="eebac428596606e53f58bce5dbe16a29", opaque="42f5e43e7e66e565", qop=auth, cnonce="4c8d2cce", nc=00000002
Date: Fri, 24 Jun 2022 13:54:42 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces
X-OutboundProxy: <<aws public ip>>
Content-Type: application/sdp
Content-Length: 343

v=0
o=root 1763224748 1763224750 IN IP4 <<vitelity public ip>>
s=Asterisk PBX 16.8.0
c=IN IP4 <<vitelity public ip>>
t=0 0
m=audio 34266 RTP/AVP 0 8 3 18 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:3 GSM/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

[Jun 24 13:54:42] NOTICE[15220]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '"<<my cell>>" <sip:<<my cell>>@<<vitelity public ip>>>' failed for '<<vitelity public ip>>:5060' (callid: 632701844e1fc26719777e1228b68ed4@10.44.109.17:5060) - No matching endpoint found
[Jun 24 13:54:42] NOTICE[15220]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '"<<my cell>>" <sip:<<my cell>>@<<vitelity public ip>>>' failed for '<<vitelity public ip>>:5060' (callid: 632701844e1fc26719777e1228b68ed4@10.44.109.17:5060) - Failed to authenticate

Vitelity support sent me this from their end, showing failed authentication (401):

[56, 09:59:40:031785, 401 Unauthorized, 596 bytes, <<aws public ip>>, <<vitelity public ip>>, 5060, 5060]
Summary:
Response Code: 401
Response Reason: Unauthorized
Call-ID: 60dfd91804a4ac6d34d267523c80d0da@10.44.109.85:5060
From: "<<my cell>>" sip:<<my cell>>@<<vitelity public ip>>>;tag=as22e2e87a
To: sip:<<did on my pbx>>@<<aws public ip>>>;tag=z9hG4bKvg57v70020nh8tgjcqu0.1
CSeq: 102 INVITE

Any advice much appreciated.
Ronald

401 is not failed authentication; it is a request to authenticate, giving the method and random challenge. The problem here is that no authentication is needed, so none should have been requested. Somewhat strangely, Vitelity have actually tried to authenticate, which means they think they know a password to use.

I don’t understand why you have redacted addresses which I assume have to be in the public domain.

Did you reload or restart Asterisk after changing the configuration? Were there any errors or warnings when loading the configuration during startup?

Is res_pjsip_endpoint_identifier_ip.so loaded? What does “pjsip show identifiers” say?

Why do you have rewrite contact set when it appears to be correct already?

Yes, I’ve reloaded the pjsip config after each change. I’ve also gracefully restarted the core, either method didn’t yield any results (yet).

res_pjsip_endpoint_identifier_ip is loaded and running.

Here is the output from pjsip show endpoints

 Endpoint:  esc116                                               Not in use    0 of inf
     InAuth:  esc116/116
        Aor:  esc116                                             1
      Contact:  esc116/sip:esc116@104.254.xxx.xxx:57186;x-a 4fabd520e0 Avail        12.883
  Transport:  transport-udp-nat         udp      0      0  0.0.0.0:5060

 Endpoint:  esc200                                               Not in use    0 of inf
     InAuth:  esc200/200
        Aor:  esc200                                             1
      Contact:  esc200/sip:esc200@104.254.xxx.xxx:57384;x-a d48823b96b Avail        13.545
  Transport:  transport-udp-nat         udp      0      0  0.0.0.0:5060

 Endpoint:  vitel-inbound                                        Unavailable   0 of inf
   Identify:  vitel-inbound/vitel-inbound
        Match: <<vitelity-public-ip2>>
        Match: <<vitelity-public-ip>>

 Endpoint:  vitel-outbound                                       Unavailable   0 of inf
   Identify:  vitel-outbound/vitel-outbound
        Match: <<vitelity-public-ip3>>

I set rewrite contact to see if it made a difference. I’ve seen endpoints (VoIP phones) attempt to re-register and fail with max contacts set to 1.

We’ve been using chan_sip for over a decade without issues, now that we are working to implement s/s we want to move to pjsip. Trying to get the best most efficient configuration.

Right now this system is set up for testing; once it works we’re going to port our first PBX onto it.

The public IPs are redacted for security’s sake. Security through obscurity. If it helps solve the problem I would have no issues decloaking them.

Thanks again for your help. Unfortunately Vitelity does not provide customer support for PJSIP…

You didn’t mention the outbound one. You probably don’t need it, and if it is really outbound, it doesn’t need an identify section, but it does need a contact.

All I can suggest is to turn up the debugging and see if that gives any clues.

From the debug log I get this:

[Jun 27 13:16:42] DEBUG[24120] res_pjsip_endpoint_identifier_user.c: Attempting identify by From username '<<my cell>>' domain '<<vitelity_public_ip>>'
[Jun 27 13:16:42] DEBUG[24120] res_pjsip_endpoint_identifier_user.c: Endpoint not found for From username '<<my cell>>' domain '<<vitelity_public_ip>>'

This occurs twice, before it tries (and fails) on a different username:

[Jun 27 13:16:42] DEBUG[24120] res_pjsip_endpoint_identifier_user.c: Attempting identify by Authorization username 'pt' realm 'asterisk'
[Jun 27 13:16:42] DEBUG[24120] res_pjsip_endpoint_identifier_user.c: Endpoint not found for Authentication username 'pt' realm 'asterisk'

Additionally, this is in the debug log also, which is really strange, because that IP is exactly what is in the match of the identify record.

[Jun 27 13:16:42] DEBUG[24120] res_pjsip_endpoint_identifier_ip.c: Source address <<vitelity_public_ip>>:5060 does not match identify 'vitel-inbound'

For completeness, here is the incoming SIP request from Vitelity and the pjsip reg for vitel-inbound:

[vitel-inbound]
type=identify
endpoint=vitel-inbound
match=<<vitel_public_ip>>

[vitel-inbound]
type=endpoint
context=vitel-inbound
disallow=all
allow=ulaw
allow=alaw
allow=gsm
transport=udp-transport-nat
from_domain=<<vitel-public_ip>>
direct_media=no
dtmf_mode=auto


<--- Received SIP request (1245 bytes) from UDP:<<vitelity_public_ip:5060 --->
INVITE sip:757702xxxx@<<aws_public_ip>>:5060 SIP/2.0
Via: SIP/2.0/UDP <<vitelity_public_ip>>:5060;branch=z9hG4bKlnmf6f00bodl49p4l0h0.1
Max-Forwards: 68
To: <sip:757702xxxx@<<aws_public_ip>>>
From: "5714518683" <sip:<<my cell>>@<<vitelity_public_ip>>>;tag=as3944783f
Contact: <sip:<<my cell>>@<<vitelity_public_ip>>;transport=udp>
Call-ID: 15681b6d03b416e96de8f519334a56f9@10.44.109.76:5060
CSeq: 104 INVITE
User-Agent: packetrino
Authorization: Digest username="pt", realm="asterisk", algorithm=MD5, uri="sip:pt@10.44.108.197:5060", nonce="1656335802/e4dc12eecc1f97b844c3160094c303ac", response="fb58501c652c77ae86068b10ee61d98a", opaque="05cc59f16e0d1c5c", qop=auth, cnonce="1d742a58", nc=00000002
Date: Mon, 27 Jun 2022 13:16:42 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces
X-OutboundProxy: <<aws_public_ip>>
Content-Type: application/sdp
Content-Length: 341

v=0
o=root 229858234 229858236 IN IP4 <<vitelity_public_ip>>
s=Asterisk PBX 16.8.0
c=IN IP4 <<vitelity_public_ip>>
t=0 0
m=audio 31970 RTP/AVP 0 8 3 18 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:3 GSM/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

SOLVED

Retyped the match field in the vitel-inbound identify record, reloaded the pjsip config, and it works now.

While I don’t believe there was a space behind the original match IP address, I cannot be certain.

Thanks, everyone, for thinking along with me in solving this issue.
Ronald
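An added example, not part of any post in this thread: a small check for the failure described above, where a `match=` value looks identical to the source address yet the identify section does not match. It reads the raw values of `type=identify` sections, names any character that is not printable ASCII, and tests a source address against each value exactly as typed. The sample config and addresses are constructed, and whether Asterisk itself trims such characters is not established in the thread.

```python
import ipaddress
import unicodedata

# Constructed sample (documentation addresses, not values from the thread).
# The second match ends in U+00A0; the third hides U+200B before the last digit.
SAMPLE_CONF = (
    "[vitel-inbound]\ntype=identify\nendpoint=vitel-inbound\n"
    "match=203.0.113.10\n"
    "match=203.0.113.20\u00a0\n"
    "match=198.51.100.\u200b7\n"
)

def parse_sections(conf_text):
    """Return [(section_name, [(key, raw_value), ...])]; values are left untrimmed."""
    sections = []
    for line in conf_text.split("\n"):
        body = line.split(";", 1)[0]              # drop ';' comments
        if body.lstrip().startswith("["):
            sections.append((body.strip()[1:].split("]")[0], []))
        elif "=" in body and sections:
            key, value = body.split("=", 1)
            sections[-1][1].append((key.strip(), value))
    return sections

def hidden_chars(value):
    """Name every character that is not printable ASCII, plus edge spaces/tabs."""
    found = [f"U+{ord(c):04X} {unicodedata.name(c, 'CONTROL')}"
             for c in value if c not in " \t" and not 0x21 <= ord(c) <= 0x7E]
    if value != value.strip(" \t"):
        found.append("leading/trailing space or tab")
    return found

def source_matches(value, source_ip):
    """True only if value, exactly as typed, parses as an IP/CIDR containing source_ip."""
    try:
        return ipaddress.ip_address(source_ip) in ipaddress.ip_network(value, strict=False)
    except ValueError:                            # hostnames and damaged values land here
        return False

def audit(conf_text, source_ip):
    """Return (section, raw_value, findings, matches) for each match= in identify sections."""
    rows = []
    for name, options in parse_sections(conf_text):
        if any(k == "type" and v.strip() == "identify" for k, v in options):
            rows += [(name, v, hidden_chars(v), source_matches(v, source_ip))
                     for k, v in options if k == "match"]
    return rows

if __name__ == "__main__":
    for name, value, findings, ok in audit(SAMPLE_CONF, "203.0.113.20"):
        print(f"[{name}] match={value!r} matches_source={ok} findings={findings}")
```

Printing the value with `repr` is the useful part: the damaged entries show their escape sequences instead of rendering like the clean address.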
