SIP/2.0 401 Unathorized

Asterisk Asterisk Support
1

I am experiencing a problem with a Cisco 7960 with SIP Ver. 8(12) firmware. I have double and triple checked Auth Names and Passwords! I am able to connect to the AsteriskNow server from “the outside world” with x-lite soft phones. I am having no problems with the 7960s that are on the same subnet as the * box but the 7960 that is connected from a public IP (NAT’d from behind a Cisco Router) is making me crazy! The * box is also behind a Cisco Router. * is statically NAT’d and I have an ACL that is allowing ALL traffic from the 7960’s public IP.

Router logs do not indicate any blocked packets (to or from the IP concerned).

I find it a little strange that the SIP debugs even “know” the private IP address of the phone.

Here is the “snippet” of my debug: ANY HELP OR SUGGESTIONS APRECIATED!

Brian

<— SIP read from UDP:69.51.111.90:50348 —>
REGISTER sip:10.1.3.11 SIP/2.0
Via: SIP/2.0/UDP 192.168.51.100:5060;branch=z9hG4bK02424f65
From: sip:7539@10.1.3.11;tag=0015c69f11c300024027a08a-3be65a59
To: sip:7539@10.1.3.11
Call-ID: 0015c69f-11c30002-483193cc-16ae5d88@192.168.51.100
Max-Forwards: 70
Date: Sun, 17 Oct 2010 06:09:56 GMT
CSeq: 101 REGISTER
User-Agent: Cisco-CP7960G/8.0
Contact: sip:7539@192.168.51.100:5060;transport=udp;+sip.instance=“urn:uuid:00000000-0000-0000-0000-0015c69f11c3”;+u.sip!model.ccm.cisco.com="7"
Content-Length: 0
Expires: 3600

<------------->
— (12 headers 0 lines) —
Sending to 192.168.51.100 : 5060 (no NAT)
<— Transmitting (NAT) to 69.51.111.90:50348 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.51.100:5060;branch=z9hG4bK02424f65;received=69.51.111.90
From: sip:7539@10.1.3.11;tag=0015c69f11c300024027a08a-3be65a59
To: sip:7539@10.1.3.11;tag=as2287ae84
Call-ID: 0015c69f-11c30002-483193cc-16ae5d88@192.168.51.100
CSeq: 101 REGISTER
Server: Asterisk PBX 1.6.2.11
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm=“asterisk”, nonce="2bdaa291"
Content-Length: 0

<------------>
Scheduling destruction of SIP dialog ‘0015c69f-11c30002-483193cc-16ae5d88@192.168.51.100’ in 32000 ms (Method: REGISTER)

2

Can you post sip.conf? Also try adding nat=yes to the peer definition in sip.conf

3

Thanks for the response Root52!
I have tried nat = yes, nat = no and nat = never in the sip.conf file, as well as in the users.conf file.
I should also note that I tried adding “voip_control_port: 5060” to the SIPDefault.cnf on my TFTP server.

I am using the "Auto generated sip.conf file, so I striped out all of the line which we commented out.
(I left several – I did try editing and un-commenting these to no avail)

The Phone that is giving me the grief is a Cisco 7960 - its extention is 7539 - its NAT’d public address is 69.51.111.90 - its private IP is 192.168.51.100 - I have an ACL on the router between the Asterisk Box that allows ALL traffice between 69.51.111.90 and 69.51.81.220 (the * box).

Extensions 7541 - 7544 are “x-lite” soft phones – they are external to my network and seem to be working fine!

I have also included the SIP(mac).cnf file contents for this phone, from my tftp server at the bottom of this post.

;!
;! Automatically generated configuration file
;! Filename: sip.conf (/etc/asterisk/sip.conf)
;! Generator: Manager
;! Creation Date: Sat Oct 16 10:36:30 2010

[general]
context = default ; Default context for incoming calls

allowoverlap = no ; Disable overlap dialing support. (Default is yes)

udpbindaddr = 0.0.0.0 ; IP address to bind UDP listen socket to (0.0.0.0 binds to all)

tcpenable = no ; Enable server for incoming TCP connections (default is no)
tcpbindaddr = 0.0.0.0 ; IP address for TCP server to bind to (0.0.0.0 binds to all interfaces)

srvlookup = yes ; Enable DNS SRV lookups on outbound calls
subscribecontext = device-hints
subscribecontext = device-hints
subscribecontext = device-hints
subscribecontext = device-hints
subscribecontext = device-hints
subscribecontext = device-hints
subscribecontext = device-hints
subscribecontext = device-hints
subscribecontext = device-hints

;----------------------------------------- NAT SUPPORT ------------------------

;localnet = 10.1.0.0/255.255.248.0 ; Also RFC1918

;externip = 69.51.81.220:5060 ; use this address and port.
subscribecontext = device-hints
subscribecontext = device-hints
subscribecontext = device-hints
subscribecontext = device-hints
subscribecontext = device-hints

[6001]
type = friend
host = dynamic
dtmfmode = auto
nat = no
username = 6001
secret = mysecretpassword
context = from-sip
canreinvite = no
callerid = "Brian2"
mailbox = 6001@default
[7536]
type = friend
host = dynamic
dtmfmode = auto
nat = no
username = 7536
secret = mysecretpassword
context = from-sip
canreinvite = no
callerid = "Brian Chernish"
mailbox = 7536@default
[7537]
type = friend
host = dynamic
dtmfmode = auto
nat = no
username = 7537
secret = mysecretpassword
context = from-sip
canreinvite = no
callerid = "Brian Chernish"
mailbox = 7537@default
[7538]
type = friend
host = dynamic
dtmfmode = auto
nat = no
username = 7538
secret = mysecretpassword
context = from-sip
canreinvite = no
callerid = "Brian"
mailbox = 7538@default
[7539]
type = friend
host = dynamic
dtmfmode = auto
nat = yes
username = 7539
secret = mysecretpassword
context = from-sip
canreinvite = no
callerid = "Brian"
mailbox = 7539@default

[7541]
type = friend
host = dynamic
dtmfmode = auto
nat = yes
username = 7541
secret = mysecretpassword
context = from-sip
canreinvite = no
callerid = "BDCSoftphone"
mailbox = 7541@default
[7542]
type = friend
host = dynamic
dtmfmode = auto
nat = yes
username = 7542
secret = mysecretpassword
context = from-sip
canreinvite = no
callerid = "Bob"
mailbox = 7542@default
[7543]
type = friend
host = dynamic
dtmfmode = auto
nat = yes
username = 7543
secret = mysecretpassword
context = from-sip
canreinvite = yes
callerid = "Softphone2"
mailbox = 7543@default
[7544]
type = friend
host = dynamic
dtmfmode = auto
nat = yes
username = 7544
secret = mysecretpassword
context = from-sip
canreinvite = no
callerid = "Softphone3"
mailbox = 7544@default

###########################################
SIP(mac).conf
###########################################

image_version: P0S3-8-12-00
line1_name: 7539
line1_authname: "7539"
line1_shortname: “406-541-7539” ; displayed on the phones softkey
line1_password: "mysecretpassword"
line1_displayname: “Brian2”; the caller id
proxy1_port: 5060
proxy1_address: 69.51.81.220

Phone Label (Text desired to be displayed in upper right corner)

phone_label: "EMRCC " ; add a space at the end, looks neater
phone_password: “cisco” ; Limited to 31 characters (Default - cisco)
user_info: none
telnet_level: 2
logo_url: “http://www.chernish.ca/images/caduceus.bmp

4

Some Cisco phones don’t support NAT.