Remote Extension(SIP) softphone works, aastra not register

OK, I’ve been working on this problem for a few days.

The asterisk server (running FreePBX) is behind a firewall with the following ports routed:
5060 TCP & UDP
UDP:
3000
6060
10000
14200-14219
16420-16439

I thought only 5060 and a range of higher ports for RTP needed to be forwarded, but have opened the rest based on various things I’ve read in various forums.

The softphone (x-lite 3.0) registers with no problem, and can make inbound/outbound/internal calls.

The hardphone - an aastra 9133i - does not work.

We configured the phone with the obvious settings (name, auth, secret, proxy, registrar) - and nothing worked. We set the NAT to the remote office’s router’s IP, and then it could make limited outbound calls, but still not register with the server (by limited, I mean we tried a few things, depending on what was done it could either dial out, or call VoIP phones, or dial PSTN phones, but was never registering as a peer of the phone).

Before we bought the phone - the softphone worked just fine, we had multiple softphones registering with the server and operating as extensions of the pbx without a problem.

When I ran a debug, when the phone tried to register with the server it gave a 403 bad password error.

The only similar problem I’ve seen on any forum that was resolved was this one:
forums.digium.com/viewtopic.php? … n+register

but I don’t see how the dhtp would affect the difference in the hardphone and softphone …

Thanks for any direction you can point me in.

To update, here is the logfile.

I have intentionally replaced some IP addresses with .x.x.x

The extension is extension 711

It still can not register with the SIP phone.


Sep 3 17:31:15 VERBOSE[3158] logger.c: Transmitting (NAT) to 71.x.x.x:51745:
SIP/2.0 403 Forbidden (Bad auth)
Via: SIP/2.0/UDP 71.x.x.x:5060;branch=z9hG4bK8efbc11a3;received=71.x.x.x
From: 711 ;tag=5f9c8d5e707a967
To: 711 ;tag=as6d0ae6d9
Call-ID: 56a4acd85fa339664c7d5c108cc05b9b@71.x.x.x
CSeq: 1840537048 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Content-Length: 0


Sep 3 17:31:15 NOTICE[3158] chan_sip.c: Registration from '711 ' failed for '71.x.x.x' - Wrong password
Sep 3 17:31:15 VERBOSE[3158] logger.c: Scheduling destruction of call '56a4acd85fa339664c7d5c108cc05b9b@71.x.x.x' in 15000 ms
Sep 3 17:31:15 DEBUG[3158] chan_sip.c: SIP message could not be handled, bad request: 56a4acd85fa339664c7d5c108cc05b9b@71.x.x.x
Sep 3 17:31:30 DEBUG[3158] chan_sip.c: Auto destroying call '56a4acd85fa339664c7d5c108cc05b9b@71.x.x.x
Sep 3 17:31:30 VERBOSE[3158] logger.c: Destroying call '56a4acd85fa339664c7d5c108cc05b9b@71.x.x.x
Sep 3 17:32:12 DEBUG[3207] manager.c: Manager received command 'Command'
Sep 3 18:00:12 DEBUG[3207] manager.c: Manager received command 'Command'
Sep 3 18:01:15 VERBOSE[3158] logger.c:
<-- SIP read from 71.x.x.x:51745:
REGISTER sip:192.168.1.140:5060 SIP/2.0
Via: SIP/2.0/UDP 71.x.x.x:5060;branch=z9hG4bKc8272c596
Max-Forwards: 70
Content-Length: 0
To: 711
From: 711 ;tag=5f9c8d5e707a967
Call-ID: 56a4acd85fa339664c7d5c108cc05b9b@71.x.x.x
CSeq: 1840537049 REGISTER
Contact: 711 ;expires=300
Allow-Events: talk,hold,conference
Allow:NOTIFY,REFER,OPTIONS,INVITE,ACK,CANCEL,BYE,INFO
Expires: 300
Authorization:Digest response="3e2d5749ef435f6359f8cb67fa8116f6",username="711",realm="asterisk",nonce="050766c0",algorithm=MD5,uri="sip:192.168.1.140:5060"
User-Agent: Aastra 9133i/1.4.2.3000 Brcm Callctrl/1.5.1.0 MxSF/v3.2.8.45

Sep 3 18:01:15 VERBOSE[3158] logger.c: --- (14 headers 0 lines) ---
Sep 3 18:01:15 DEBUG[3158] acl.c: ##### Testing 71.x.x.x with 192.168.1.0
Sep 3 18:01:15 DEBUG[3158] chan_sip.c: Target address 71.x.x.x is not local, substituting externip
Sep 3 18:01:15 VERBOSE[3158] logger.c: Using latest REGISTER request as basis request
Sep 3 18:01:15 VERBOSE[3158] logger.c: Sending to 71.x.x.x : 5060 (NAT)
Sep 3 18:01:15 VERBOSE[3158] logger.c: Transmitting (NAT) to 71.x.x.x:51745:
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 71.x.x.x:5060;branch=z9hG4bKc8272c596;received=71.x.x.x
From: 711 ;tag=5f9c8d5e707a967
To: 711
Call-ID: 56a4acd85fa339664c7d5c108cc05b9b@71.x.x.x
CSeq: 1840537049 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Contact:
Content-Length: 0


Sep 3 18:01:15 VERBOSE[3158] logger.c: Transmitting (NAT) to 71.x.x.x:51745:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 71.x.x.x:5060;branch=z9hG4bKc8272c596;received=71.x.x.x
From: 711 ;tag=5f9c8d5e707a967
To: 711 ;tag=as00d21192
Call-ID: 56a4acd85fa339664c7d5c108cc05b9b@71.x.x.x
CSeq: 1840537049 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="5761e4b4"
Content-Length: 0


Sep 3 18:01:15 VERBOSE[3158] logger.c: Scheduling destruction of call '56a4acd85fa339664c7d5c108cc05b9b@71.x.x.x' in 15000 ms
Sep 3 18:01:15 VERBOSE[3158] logger.c:
<-- SIP read from 71.x.x.x:51745:
REGISTER sip:192.168.1.140:5060 SIP/2.0
Via: SIP/2.0/UDP 71.x.x.x:5060;branch=z9hG4bK622be4119
Max-Forwards: 70
Content-Length: 0
To: 711
From: 711 ;tag=5f9c8d5e707a967
Call-ID: 56a4acd85fa339664c7d5c108cc05b9b@71.x.x.x
CSeq: 1840537050 REGISTER
Contact: 711 ;expires=300
Allow-Events: talk,hold,conference
Allow:NOTIFY,REFER,OPTIONS,INVITE,ACK,CANCEL,BYE,INFO
Expires: 300
Authorization:Digest response="6adae960aabee814d4d4696e4aed9e7e",username="711",realm="asterisk",nonce="5761e4b4",algorithm=MD5,uri="sip:192.168.1.140:5060"
User-Agent: Aastra 9133i/1.4.2.3000 Brcm Callctrl/1.5.1.0 MxSF/v3.2.8.45

Sep 3 18:01:15 VERBOSE[3158] logger.c: --- (14 headers 0 lines) ---
Sep 3 18:01:15 VERBOSE[3158] logger.c: Using latest REGISTER request as basis request
Sep 3 18:01:15 VERBOSE[3158] logger.c: Sending to 71.x.x.x : 5060 (NAT)
Sep 3 18:01:15 VERBOSE[3158] logger.c: Transmitting (NAT) to 71.x.x.x:51745:
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 71.x.x.x:5060;branch=z9hG4bK622be4119;received=71.x.x.x
From: 711 ;tag=5f9c8d5e707a967
To: 711
Call-ID: 56a4acd85fa339664c7d5c108cc05b9b@71.x.x.x
CSeq: 1840537050 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Contact:
Content-Length: 0


Sep 3 18:01:15 VERBOSE[3158] logger.c: Transmitting (NAT) to 71.x.x.x:51745:
SIP/2.0 403 Forbidden (Bad auth)
Via: SIP/2.0/UDP 71.x.x.x:5060;branch=z9hG4bK622be4119;received=71.x.x.x
From: 711 ;tag=5f9c8d5e707a967
To: 711 ;tag=as00d21192
Call-ID: 56a4acd85fa339664c7d5c108cc05b9b@71.x.x.x
CSeq: 1840537050 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Content-Length: 0

And for my sip_nat.conf file …

nat=yes
externip=219.x.x.x
externrefresh=5
localnet=192.168.1.0/255.255.255.0
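
An added example, not part of the original posts: a 401 challenge followed by a 403 on the fresh nonce means the server's digest calculation disagreed with the phone's. The sketch below recomputes the RFC 2617 response (the no-qop form seen in the log) from a secret you supply, so the inputs can be compared offline; `check_secret`, `expected_response` and `parse_digest` are hypothetical helper names, and the header is copied from the second REGISTER above.

```python
import hashlib
import re

# Authorization value from the second REGISTER in the log above.
CAPTURED = ('Digest response="6adae960aabee814d4d4696e4aed9e7e",username="711",'
            'realm="asterisk",nonce="5761e4b4",algorithm=MD5,'
            'uri="sip:192.168.1.140:5060"')

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(header):
    """Split a Digest Authorization/WWW-Authenticate value into a dict."""
    # Pasted logs often carry curly quotes; normalise them before parsing.
    header = header.translate({0x201C: '"', 0x201D: '"'})
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', params)
    return {key.lower(): (quoted or bare) for key, quoted, bare in pairs}

def expected_response(username, realm, secret, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{secret}")  # same value md5secret would hold
    ha2 = _md5(f"{method}:{uri}")               # the URI is part of the hash
    return _md5(f"{ha1}:{nonce}:{ha2}")

def check_secret(header, secret, method="REGISTER", server_realm="asterisk"):
    """Return the reasons a server would reject; an empty list means a match."""
    f = parse_digest(header)
    if f.get("qop"):
        return ["qop present; this check covers the no-qop form only"]
    problems = []
    if f.get("realm") != server_realm:
        problems.append(f"realm {f.get('realm')!r} != server realm {server_realm!r}")
    want = expected_response(f["username"], f["realm"], secret,
                             method, f["uri"], f["nonce"])
    if want != f.get("response", "").lower():
        problems.append("response does not match this secret")
    return problems

if __name__ == "__main__":
    # "constructed-secret" is a placeholder; use the secret from sip.conf.
    print(check_secret(CAPTURED, "constructed-secret"))
```

An empty list for the configured secret would point away from the password itself; a mismatch means the phone hashed a different username, realm, secret or URI than the server expects.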

Ok I had the same damn problem and I think I fixed it by forwarding port 28260 from the remote side back to the phone IP address.

Seems like this is the port for monitoring the call, during a sip debug I noticed the send back request to port 28260 so I forwarded the port on the other end and now the phone registers.

Next step… see if I can make calls

Thanks for the suggestion.

Right now there are no ports forwarded on the remote side - a softphone on both IAX2 and SIP worked fine from that remote office, as did connecting directly with a service provider (Vitelity) - so I was operating under the assumption no remote ports needed to be forwarded back to the phone - so thanks for the idea!

I’m guessing from your comment that the sip debug showed 28260 was being used for monitoring - and I’ll try and figure out if that is a static port or dynamically signaled through port 5060 or something else.

I have now installed a second computer with a different version of asterisk (so now I have 1.2. and 1.4. running to do some testing) and I got the same 403 forbidden error from a registration request from another remote phone at a different location - this phone also had IAX2 protocol which was registering but possibly not functioning as well (the testing ended before I could be sure the outbound calling was not working, as the person at the other end may not have been using the proper outbound dialing sequence).

Thanks for the suggestion! More troubleshooting to be done!

Well I was wrong

And you’re correct about the watcher port

Still have the same problem


<--- Transmitting (NAT) to XX.XXX.XXX.XXX:28260 --->
SIP/2.0 403 Forbidden (Bad auth)
Via: SIP/2.0/UDP XXX.XXX.XXX.XXX:5060;branch=z9hG4bKd182f135c9f75bf7;received=xxx.xxx.xxx.xxx
From: "109" <sip:109@10.120.239.254>;tag=bf91070154a55a6c
To: <sip:109@10.120.239.254>;tag=as03791abe
Call-ID: c5eb3832fe81410f@192.168.253.108
CSeq: 10003 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Content-Length: 0


<------------>
[Sep 11 17:35:46] NOTICE[5461]: chan_sip.c:15075 handle_request_register: Registration from '<sip:109@10.120.239.254>' failed for 'XXX.XXX.XXX.XXX' - Wrong password
Scheduling destruction of SIP dialog 'c5eb3832fe81410f@192.168.253.108' in 32000 ms (Method: REGISTER)
pbx*CLI> sip set debug off

Strangely enough, it seems as though the password never reaches the box; even if I leave the password in the phone configuration and remove the secret line from sip.conf the phone will register.

I’ve tried using an md5secret as well with no success

I’ve tried spoofing the header message as it comes into the box, no success

I put the phone outside the firewall no success

With the phone still outside the firewall I put the asterisk box wide open as well, still no success.

I tried also changing the realm of the extension, no success

I can however make calls and everything without registering the phone
(thanks to insecure=very) but that really doesn’t help my purpose.

I’m gonna read some more into this, let me know if you figure anything out and I’ll do the same for you.

Good luck!

If anyone is following along, here is a good place to start:
fridu.org/content/view/29/55/

This, however, doesn’t help me too much … unless there is something in my extensions that isn’t jiving correctly.

We got a phone that can use both SIP and the IAX2 protocol, with stun server support, and we get the same error.

The IAX2 protocol I have not spent much time on, but where the softphone works, the hardphone does not work (it’s not the ports - and I did read somewhere that IAX2 requires TCP 4569 for some reason). The IAX2 registers and receives calls with no problem, I haven’t tried to configure outbound calls yet (I’d have to make another trunk to test with outside lines).

I also realized that we were using codecs that were not installed (type “show translation” from the asterisk server) - but this seems to have affected nothing, because we were not forcing g729.

I did notice something changed when I set the dtmfmode to rfc2833 instead of inband on one extension (which was configured like that to work with our old service provider).

So, any ideas?