PJSIP Rewritng headers along with protocol

Hai Everyone,

I have an Asterisk box on centos 7.9 with Asterisk Version 16.20.0.

Am using SIP with TLS for my SIP User registration Also I have a SIP Proxy configured for user registration request forwarding towards my asterisk box.

Users who are registering in the Local network.
SIP Proxy have public Internet
And Asterisk Box also have Public Internet
From the USer machine, we have the connectivity to Proxy and From proxy to Asterisk as well. And my sip user will register with a softphone using UDP to Asterisk domain with the proxy address and my proxy send to asterisk with TLS. Here I have everything work perfectly with Chan_sip

Now I need to change that need chan_pjsip and try for registration - But the registration working and the calls are failing. But in SIP it was working fine.

I have a user config for a sip. conf

[123123]
username=123123
type=friend
secret=Asterisk@123123 note that this is NOT a secure password
host=dynamic
qualify=yes
context=from-pstn
dtmfmode=rfc2833
disallow=all
allow=alaw
transport=tls
encryption=yes

And the same user converts to pjsip and below is pjsip.conf
[123123]
username=123123

[123123]
type=aor
max_contacts=1
maximum_expiration=3600
default_expiration=120

[123123]
type=auth
username=123123
password=Asterisk@123123

[123123]
type=endpoint
context=from-pstn
dtmf_mode=rfc4733
disallow=all
allow=alaw
rtp_symmetric=yes
force_rport=yes
rewrite_contact=yes
rtp_timeout=60
direct_media=no
trust_id_inbound=no
send_rpid=yes
media_encryption=sdes
inband_progress=no
language=en
auth=123123
outbound_auth=123123
aors=123123

Here when my user registers with UDP and Proxy forward to Asterisk TLS.

1. When using pjsip with rewrite contact the IP is updated with Proxy IP instead of local and calls forwarding to Proxy but doing the forward it also rewrites context header protocol from UDP to TLS. Hence my calls start fail.

I need to rewrite the Contaxt here IP only instead of IP and protocol

Below is the sample log for pjsip which not working fine

<— Received SIP request (684 bytes) from TLS:10.10.10.15:45906 —>
REGISTER sip:10.10.10.10;transport=UDP SIP/2.0
Via: SIP/2.0/TLS 10.10.10.15:5061;branch=z9hG4bKe855.a0e258ca3de5139adf1781ce919e86a7.0
Via: SIP/2.0/UDP 10.4.6.119:63731;rport=63731;branch=z9hG4bK-524287-1—a6f797de0f863346
Max-Forwards: 69
To: sip:658906@10.10.10.10;transport=UDP
From: sip:658906@10.10.10.10;transport=UDP;tag=9d10e428
Call-ID: k4sHrL9AjlELoQ_U6d3mIQ…
CSeq: 1 REGISTER
Expires: 60
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
User-Agent: Z 5.5.9 v2.10.17.3
Allow-Events: presence, kpml, talk
Content-Length: 0
P-Hint: outbound

<— Transmitting SIP response (613 bytes) to TLS:10.10.10.15:45906 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 10.10.10.15:5061;rport=45906;received=10.10.10.15;branch=z9hG4bKe855.a0e258ca3de5139adf1781ce919e86a7.0
Via: SIP/2.0/UDP 10.4.6.119:63731;rport=63731;branch=z9hG4bK-524287-1—a6f797de0f863346
Call-ID: k4sHrL9AjlELoQ_U6d3mIQ…
From: sip:658906@10.10.10.10;tag=9d10e428
To: sip:658906@10.10.10.10;tag=z9hG4bKe855.a0e258ca3de5139adf1781ce919e86a7.0
CSeq: 1 REGISTER
WWW-Authenticate: Digest realm=“asterisk”,nonce=“1645773968/5a1e2515a15ae40c7f982d2cc372f1f1”,opaque=“73421f31588505a4”,algorithm=md5,qop=“auth”
Server: asterisk Telephony
Content-Length: 0

<— Received SIP request (976 bytes) from TLS:10.10.10.15:45906 —>
REGISTER sip:10.10.10.10;transport=UDP SIP/2.0
Via: SIP/2.0/TLS 10.10.10.15:5061;branch=z9hG4bKb855.dc9dc6093e30fd984f39801c2d2208ac.0
Via: SIP/2.0/UDP 10.4.6.119:63731;rport=63731;branch=z9hG4bK-524287-1—d77008763cf147af
Max-Forwards: 69
Contact: sip:658906@10.4.6.119:63731;rinstance=d0aef387ddba6ff0;transport=UDP
To: sip:658906@10.10.10.10;transport=UDP
From: sip:658906@10.10.10.10;transport=UDP;tag=9d10e428
Call-ID: k4sHrL9AjlELoQ_U6d3mIQ…
CSeq: 2 REGISTER
Expires: 60
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
User-Agent: Z 5.5.9 v2.10.17.3
Authorization: Digest username=“658906”,realm=“asterisk”,nonce=“1645773968/5a1e2515a15ae40c7f982d2cc372f1f1”,uri=“sip:10.10.10.10;transport=UDP”,response=“74ae03622bd7f37b16f1d39da0dd1b75”,cnonce=“f4b85192b0b3d5a91c7f0960f1d1d3a6”,nc=00000001,qop=auth,algorithm=md5,opaque=“73421f31588505a4”
Allow-Events: presence, kpml, talk
Content-Length: 0
P-Hint: outbound

-- Added contact 'sip:658906@10.10.10.15:45906;transport=TLS;rinstance=d0aef387ddba6ff0;x-ast-orig-host=10.4.6.119:63731' to AOR '658906' with expiration of 60 seconds

<— Transmitting SIP response (599 bytes) to TLS:10.10.10.15:45906 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.10.10.15:5061;rport=45906;received=10.10.10.15;branch=z9hG4bKb855.dc9dc6093e30fd984f39801c2d2208ac.0
Via: SIP/2.0/UDP 10.4.6.119:63731;rport=63731;branch=z9hG4bK-524287-1—d77008763cf147af
Call-ID: k4sHrL9AjlELoQ_U6d3mIQ…
From: sip:658906@10.10.10.10;tag=9d10e428
To: sip:658906@10.10.10.10;tag=z9hG4bKb855.dc9dc6093e30fd984f39801c2d2208ac.0
CSeq: 2 REGISTER
Date: Fri, 25 Feb 2022 07:26:08 GMT
Contact: sip:658906@10.4.6.119:63731**;transport=TLS**;rinstance=d0aef387ddba6ff0;expires=59
Expires: 60
Server: asterisk Telephony
Content-Length: 0

Sample log for SIP using - which is working

<— SIP read from TLS:10.10.10.15:47536 —>
REGISTER sip:10.10.10.10;transport=UDP SIP/2.0
Via: SIP/2.0/TLS 10.10.10.15:5061;branch=z9hG4bK78fe.05d270ab59ab920ff7f0a87c0190f69e.0
Via: SIP/2.0/UDP 10.4.6.119:63731;rport=63731;branch=z9hG4bK-524287-1—6161c8385bf65a62
Max-Forwards: 69
Contact: sip:658906@10.4.6.119:63731;rinstance=1dce818979687c41;transport=UDP
To: sip:658906@10.10.10.10;transport=UDP
From: sip:658906@10.10.10.10;transport=UDP;tag=fb43864c
Call-ID: 3R4eHBbQdwxlJV_3gdJI5A…
CSeq: 1 REGISTER
Expires: 60
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
User-Agent: Z 5.5.9 v2.10.17.3
Allow-Events: presence, kpml, talk
Content-Length: 0
P-Hint: outbound

<------------->
— (15 headers 0 lines) —
Sending to 10.10.10.15:47536 (NAT)
Sending to 10.10.10.15:47536 (NAT)

<— Transmitting (NAT) to 10.10.10.15:47536 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 10.10.10.15:5061;branch=z9hG4bK78fe.05d270ab59ab920ff7f0a87c0190f69e.0;received=10.10.10.15;rport=47536
Via: SIP/2.0/UDP 10.4.6.119:63731;rport=63731;branch=z9hG4bK-524287-1—6161c8385bf65a62
From: sip:658906@10.10.10.10;transport=UDP;tag=fb43864c
To: sip:658906@10.10.10.10;transport=UDP;tag=as11404aa6
Call-ID: 3R4eHBbQdwxlJV_3gdJI5A…
CSeq: 1 REGISTER
Server: Phonon Telephony
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm=“AWSPOC-1”, nonce=“03f0f566”
Content-Length: 0

<------------>
Scheduling destruction of SIP dialog ‘3R4eHBbQdwxlJV_3gdJI5A…’ in 32000 ms (Method: REGISTER)

<— SIP read from TLS:10.10.10.15:47536 —>
REGISTER sip:10.10.10.10;transport=UDP SIP/2.0
Via: SIP/2.0/TLS 10.10.10.15:5061;branch=z9hG4bK48fe.6b5f9894323411723b4bb16791edbb82.0
Via: SIP/2.0/UDP 10.4.6.119:63731;rport=63731;branch=z9hG4bK-524287-1—4216ee0f07b01a37
Max-Forwards: 69
Contact: sip:658906@10.4.6.119:63731;rinstance=1dce818979687c41;transport=UDP
To: sip:658906@10.10.10.10;transport=UDP
From: sip:658906@10.10.10.10;transport=UDP;tag=fb43864c
Call-ID: 3R4eHBbQdwxlJV_3gdJI5A…
CSeq: 2 REGISTER
Expires: 60
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
User-Agent: Z 5.5.9 v2.10.17.3
Authorization: Digest username=“658906”,realm=“AWSPOC-1”,nonce=“03f0f566”,uri=“sip:10.10.10.10;transport=UDP”,response=“f2f86257be9d891528d93784e913b68e”,algorithm=MD5
Allow-Events: presence, kpml, talk
Content-Length: 0
P-Hint: outbound

<------------->
— (16 headers 0 lines) —
Sending to 10.10.10.15:47536 (NAT)
– Registered SIP ‘658906’ at 10.10.10.15:47536

<— Transmitting (NAT) to 10.10.10.15:47536 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.10.10.15:5061;branch=z9hG4bK48fe.6b5f9894323411723b4bb16791edbb82.0;received=10.10.10.15;rport=47536
Via: SIP/2.0/UDP 10.4.6.119:63731;rport=63731;branch=z9hG4bK-524287-1—4216ee0f07b01a37
From: sip:658906@10.10.10.10;transport=UDP;tag=fb43864c
To: sip:658906@10.10.10.10;transport=UDP;tag=as11404aa6
Call-ID: 3R4eHBbQdwxlJV_3gdJI5A…
CSeq: 2 REGISTER
Server: Phonon Telephony
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Expires: 60
Contact: sip:658906@10.4.6.119:63731;rinstance=1dce818979687c41;transport=UDP;expires=60
Date: Fri, 25 Feb 2022 07:34:14 GMT
Content-Length: 0

<------------>
Scheduling destruction of SIP dialog ‘3R4eHBbQdwxlJV_3gdJI5A…’ in 32000 ms (Method: REGISTER)

is there an option where we can register pjsip with contact header of public IP without rewriting the protocol ?

There is currently no support for, what I believe you want, which is forced connection reuse without touching the protocol.

Is there a way - where we can achieve like the way sip work in pjsip

Like if you see the 200 OK against the register.

with SIP:
Contact: sip:123123@10.4.6.119:63731;transport=TLS;rinstance=d0aef387ddba6ff0;expires=59
with PJSIP:
Contact: sip:123123@10.4.6.119:63731;rinstance=1dce818979687c41;transport=UDP;expires=60

If i disable the rewrite_contact then am getting the expected contact here but then the peer is going unreachable in pjsip.

The only option is rewrite_contact to alter where traffic goes to the source IP address/port/transport. I’m still confused over what exactly you’re trying to achieve, because it feels like you’re doing things not as they’re supposed to be done within the SIP protocol and proxy, and were previously relying on chan_sip behavior to have it work.

But in this case - Asterisk should have responded back with UDP in the registration contact right ?

— Received SIP request (976 bytes) from TLS:10.10.10.15:45906 —>
REGISTER sip:10.10.10.10;transport=UDP SIP/2.0
Via: SIP/2.0/TLS 10.10.10.15:5061;branch=z9hG4bKb855.dc9dc6093e30fd984f39801c2d2208ac.0
Via: SIP/2.0/UDP 10.4.6.119:63731;rport=63731;branch=z9hG4bK-524287-1—d77008763cf147af
Max-Forwards: 69
Contact: sip:123123@10.4.6.119:63731;rinstance=d0aef387ddba6ff0;transport=UDP
To: sip:123123@10.10.10.10;transport=UDP
From: sip:123123@10.10.10.10;transport=UDP;tag=9d10e428
Call-ID: k4sHrL9AjlELoQ_U6d3mIQ…
CSeq: 2 REGISTER
Expires: 60
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
User-Agent: Z 5.5.9 v2.10.17.3
Authorization: Digest username=“123123”,realm=“asterisk”,nonce=“1645773968/5a1e2515a15ae40c7f982d2cc372f1f1”,uri=“sip:10.10.10.10;transport=UDP”,response=“74ae03622bd7f37b16f1d39da0dd1b75”,cnonce=“f4b85192b0b3d5a91c7f0960f1d1d3a6”,nc=00000001,qop=auth,algorithm=md5,opaque=“73421f31588505a4”
Allow-Events: presence, kpml, talk
Content-Length: 0
P-Hint: outbound

-- Added contact 'sip:123123@10.10.10.15:45906;transport=TLS;rinstance=d0aef387ddba6ff0;x-ast-orig-host=10.4.6.119:63731' to AOR '123123' with expiration of 60 seconds

<— Transmitting SIP response (599 bytes) to TLS:10.10.10.15:45906 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.10.10.15:5061;rport=45906;received=10.10.10.15;branch=z9hG4bKb855.dc9dc6093e30fd984f39801c2d2208ac.0
Via: SIP/2.0/UDP 10.4.6.119:63731;rport=63731;branch=z9hG4bK-524287-1—d77008763cf147af
Call-ID: k4sHrL9AjlELoQ_U6d3mIQ…
From: sip:123123@10.10.10.10;tag=9d10e428
To: sip:123123@10.10.10.10;tag=z9hG4bKb855.dc9dc6093e30fd984f39801c2d2208ac.0
CSeq: 2 REGISTER
Date: Fri, 25 Feb 2022 07:26:08 GMT
Contact: sip:123123@10.4.6.119:63731;transport=TLS;rinstance=d0aef387ddba6ff0;expires=59
Expires: 60
Server: asterisk Telephony
Content-Length: 0

Is rewrite_contact set to “yes” or “no” in that situation?

Yes.In this case rewrite_contact=yes

Then the Contact is rewritten to the source IP/port/transport, and so the Contact would be that.

Oh, you’re saying it shouldn’t be TLS on the 200 OK itself. Yes, that would be a bug. I’m not sure in practice how that would really impact you though.

The logic was likely written not for your specific usage where it’s a SIP proxy forwarding the REGISTER. In that case you normally don’t do rewrite_contact, but instead keep the Contact as-is and use Path to have requests go back via the proxy.

It’s impacting the service - because the SIP client is actually registering using UDP and SIP Proxy server handle based on the Protocol and forward the traffic. Due to this contact header issue sip proxy is unable to forward the calls to the SIP user.

But the same if you take in SIP in respond back properly with the same protocol which received and it does not modify the contact header.

You can file an issue[1]. There is no time frame on when or if it would get looked into.

[1] System Dashboard - Digium/Asterisk JIRA

I’m a little confused, but I don’t see a bug.

It appears to me that you have an inbound only proxy, whereas you actually want an inbound and outbound proxy. That might be a simple as configuring an outbound proxy in Asterisk.

rewrite_contact is intended as a work around for endpoints that are behind NAT, but insist on transmitting local addresses in Contact headers. It is not about retaining an inbound proxy in the signalling path.

Even Record Route doesn’t apply to REGISTER contacts. The Contact in a REGISTER should be usable without information about proxies.

@david551 We preserve the incoming Contact so we can place it in the response, that appears to be working however the transport is not preserved/restored so while the incoming Contact said UDP, on outbound we said TLS. That’s the bug.

How that actually impacts this setup I have no idea because it’s confusing and not using SIP things as is supposed to be done.

It is TLS, because the contact has been rewritten to refer to the immediate source of the request, which is the TLS connection from the proxy.

Yes, and no. Internally we store the rewritten Contact. When we send the response (or subsequent request) we restore the original Contact within the SIP message but use the rewritten Contact as the transport target.

I think I see what you are saying; it’s the funny nature of Contact in REGISTER; it is there to indicate which address was registered, not to be used for actual routing.

However, I still think the OP’s real problem is that they have failed to declare their proxy as an outbound proxy and are trying to work round that with rewrite contact, which is always a work round.

Yes, setting the outbound_proxy I think would do the job.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.