Random invalid password

Hi
Occasionally, one client trying to make a call received a 403 to his invite. This is with chan_sip.

Client register first with credential
He places some calls, INVITE, 401, INVITE with cred, OK

However, sometimes, instead of a OK (100, 180, 200 ok), Asterisk sends 403 Forbidden - the security log show SecurityEvent=“InvalidPassword”. I’ve recalculated the MD5 response, and it is correct.

Only issue there is the AccountID logged is the user part of the R-URI of the invite while successful INVITEs have the username - Authorization string is absolutely correct (username, nonce, response) - and INVITEs are identical

Any ideas as to what could be happening ?

I am running an old asterisk, 11.21 and chan_sip, but unfortunately, not really possible to upgrade.

Thanks

Would be good post a SIP trace of both INVITE , also as you already know in case it is a bug you will need to fix it yourself in case you can’t upgrade your Asterisk version,

Here the SIP exchange that fails - I understand that if this is a bug, I’m doomed ! However, I’d think its more a stupid thing configurable !
The client is an IPBX behind a nat, the asterisk server is not natted. I would not expect this to be the issue

  INVITE sip:0123456789@sip.serveur.ip SIP/2.0..Via: SIP/2.0/UDP 192.168.1.8:5060;branch=z9hG4bK1918071680-103862275..Route: <sip:sip.serveur.ip:5060;lr>..Max-Forwards: 26..Allow:
   INVITE,BYE,CANCEL,ACK,INFO,PRACK,OPTIONS,SUBSCRIBE,NOTIFY,REFER,REGISTER,UPDATE..From: "DISPLAYNAME" <sip:6306@192.168.1.8>;tag=0_1918071680-103862276..To: <sip:0123456789@194.3.152
  .245>..Call-ID: 1918071680-103862274..CSeq: 1 INVITE..Contact: "DISPLAYNAME" <sip:6306@192.168.1.8:5060;transport=udp>..Content-Type: application/sdp..P-Asserted-Identity: "DISPLAYNAME
  " <sip:6306@192.168.1.8>..Supported: replaces..Content-Length: 203....v=0..o=- 5983 5983 IN IP4 192.168.1.104..s=-..c=IN IP4 192.168.1.104..t=0 0..m=audio 50188 RTP/AVP 18 101..a=r
  tpmap:18 G729/8000..a=fmtp:18 annexb=no..a=rtpmap:101 telephone-event/8000..a=fmtp:101 0-15..                                                                                       
#
U sip.serveur.ip:5060 -> client.public.ip:21612 #2
  SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP 192.168.1.8:5060;branch=z9hG4bK1918071680-103862275;received=client.public.ip;rport=21612..From: "DISPLAYNAME" <sip:6306@192.168.1.8>;tag=0_1918
  071680-103862276..To: <sip:0123456789@sip.serveur.ip>;tag=as617fa46b..Call-ID: 1918071680-103862274..CSeq: 1 INVITE..Server: IPERServer..Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, RE
  FER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE..Supported: replaces, timer..WWW-Authenticate: Digest algorithm=MD5, realm="myrealm.com", nonce="7895ff86"..Content-Length: 0.... 
#
U client.public.ip:21612 -> sip.serveur.ip:5060 #3
  ACK sip:0123456789@sip.serveur.ip SIP/2.0..Via: SIP/2.0/UDP 192.168.1.8:5060;branch=z9hG4bK1918071680-103862275..Route: <sip:sip.serveur.ip:5060;lr>..Max-Forwards: 70..From: "V.
  THENENE" <sip:6306@192.168.1.8>;tag=0_1918071680-103862276..To: <sip:0123456789@sip.serveur.ip>;tag=as617fa46b..Call-ID: 1918071680-103862274..CSeq: 1 ACK..Contact: "DISPLAYNAME" <sip
  :6306@192.168.1.8:5060;transport=udp>..Content-Length: 0....                                                                                                                        
#
U client.public.ip:21612 -> sip.serveur.ip:5060 #4
  INVITE sip:0123456789@sip.serveur.ip SIP/2.0..Via: SIP/2.0/UDP 192.168.1.8:5060;branch=z9hG4bK1918141680-103862278..Route: <sip:sip.serveur.ip:5060;lr>..Max-Forwards: 26..Author
  ization: Digest username="999999USERCODE",realm="myrealm.com",nonce="7895ff86",uri="sip:0123456789@sip.serveur.ip",response="f34d288a4f7499716704c21ea868d428",algorithm=MD5..All
  ow: INVITE,BYE,CANCEL,ACK,INFO,PRACK,OPTIONS,SUBSCRIBE,NOTIFY,REFER,REGISTER,UPDATE..From: "DISPLAYNAME" <sip:6306@192.168.1.8>;tag=0_1918071680-103862276..To: <sip:0123456789@194.3.
  152.245>..Call-ID: 1918071680-103862274..CSeq: 3 INVITE..Contact: "DISPLAYNAME" <sip:6306@192.168.1.8:5060;transport=udp>..P-Asserted-Identity: "DISPLAYNAME" <sip:6306@192.168.1.8>..Su
  pported: replaces..Content-Type: application/sdp..Content-Length: 203....v=0..o=- 5983 5983 IN IP4 192.168.1.104..s=-..c=IN IP4 192.168.1.104..t=0 0..m=audio 50188 RTP/AVP 18 101..
  a=rtpmap:18 G729/8000..a=fmtp:18 annexb=no..a=rtpmap:101 telephone-event/8000..a=fmtp:101 0-15..                                                                                    
#
U sip.serveur.ip:5060 -> client.public.ip:21612 #5
  SIP/2.0 403 Forbidden..Via: SIP/2.0/UDP 192.168.1.8:5060;branch=z9hG4bK1918141680-103862278;received=client.public.ip;rport=21612..From: "DISPLAYNAME" <sip:6306@192.168.1.8>;tag=0_1918071
  680-103862276..To: <sip:0123456789@sip.serveur.ip>;tag=as617fa46b..Call-ID: 1918071680-103862274..CSeq: 3 INVITE..Server: IPERServer..Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
  , SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE..Supported: replaces, timer..Content-Length: 0....                                                                                      
#

it is hard to read your logs as you posted it but auth looks OK as far as you re sending correct auth details

Sorry - let me know of any other format / method more appropiate.

I’ve actually recalculated the response MD5 and it is correct - the only thing that seems off, is that the error message in security indicated Accountid=0123456789 and not the username from authorization.

I’m looking in the code where the InvalidPassword message is being produced, but couldnt find anything usefull so far

J.

  • AccountID - The Service account associated with the security event notification.

I think It should be the same username

https://wiki.asterisk.org/wiki/display/AST/Asterisk+13+ManagerEvent_ChallengeSent