SIP/2.0 401 Unauthorized Inbound Calls

Asterisk Asterisk SIP
1

Hello Everyone,

     I'm getting a weird 401 unauthorized on my system after rebooting it. I receive the 401 unauthorized on inbound calls only and outbound calls flow with no issues. In front of my asterisk system is a SBC. If I let the system sit for a few hours, inbound calls flow through with no issues. I'm running version 13.12.2.

Prior to the reboot, an invite is sent from the SBC to the PBX and the PBX returns a 100 trying and then a 200 OK SDP so forth.

After the reboot, an invite is sent from the SBC to the PBX and the PBX returns a 401 unauthorized.

Trunk settings:

Outgoing:
host=SBC private IP
port=5080
type=peer
qualify=yes
insecure=very
context=from-trunk

Incoming:
host=SBC private IP
port=5080
type=peer
qualify=yes
keepalive=30
insecure=invite
dtmfmode=rfc2833
context=from-trunk
disallow=all
allow=ulaw

Capture with sip debug on:
CID is the caller id from the person calling in
BTN is the DID the caller is calling in on
Sip Trunk provider is the domain name of the trunk provider (sip.provider.com)
This is for an inbound call

<--- SIP read from UDP:SBCPrivateIP:5080 --->

OPTIONS sip:PBXPrivateIP SIP/2.0
Via: SIP/2.0/UDP SBCPrivateIP:5080;branch=z9hG4bKcJvLkaOl;rport
From: sip:SBCPrivateIP:5080;tag=7b0c630c18276abb8d6f912484d91e9a
To: sip:PBXPrivateIP
CSeq: 40385 OPTIONS
Call-ID: 2F81F158-58F62AE50002D4DD-E9455700
Max-Forwards: 0
Content-Length: 0

<------------->
— (8 headers 0 lines) —
Sending to SBCPrivateIP:5080 (NAT)
Looking for s in from-sip-external (domain PBXPrivateIP)

<— Transmitting (NAT) to SBCPrivateIP:5080 —>
SIP/2.0 200 OK
Via: SIP/2.0/UDP SBCPrivateIP:5080;branch=z9hG4bKcJvLkaOl;received=SBCPrivateIP;rport=5080
From: sip:SBCPrivateIP:5080;tag=7b0c630c18276abb8d6f912484d91e9a
To: sip:PBXPrivateIP;tag=as17e14a1b
Call-ID: 2F81F158-58F62AE50002D4DD-E9455700
CSeq: 40385 OPTIONS
Server: FPBX-13.0.190.7(13.12.2)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Contact: sip:PBXPrivateIP:5060
Accept: application/sdp
Content-Length: 0

<------------>
Scheduling destruction of SIP dialog ‘2F81F158-58F62AE50002D4DD-E9455700’ in 32000 ms (Method: OPTIONS)

<— SIP read from UDP:SBCPrivateIP:5080 —>
INVITE sip: BTN @ SBCPublicIP:5060 SIP/2.0
Via: SIP/2.0/UDP SBCPrivateIP:5080;branch=z9hG4bK0X~O3ad7;rport
From: “CID” <sip:CID@ SipTrunkProvider >;tag=446A39EC-58F62AE80000061F-E59DF700
To: <sip: BTN @ SBCPublicIP:5060>
CSeq: 10 INVITE
Call-ID: 1AC8B9F0-58F62AE800000625-E59DF700
Max-Forwards: 66
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,MESSAGE,INFO,UPDATE,NOTIFY
k: timer,path,replaces
u: talk,hold,conference,refer
Privacy: none
Content-Disposition: session
X-Tags: CCSi,Open
P-Asserted-Identity: " CID "<sip: CID @ SipTrunkProvider >
Content-Type: application/sdp
Content-Length: 240
Contact: sip:446A39EC-58F62AE80000061F-E59DF700@SBCPrivateIP:5080;transport=udp

v=0
o=- 1492505369 1492505370 IN IP4 SBCPrivateIP
s=-
c=IN IP4 SBCPrivateIP
t=0 0
m=audio 12710 RTP/AVP 0 9 101
a=rtpmap:0 PCMU/8000
a=rtpmap:9 G722/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=sendrecv
a=ptime:20
<------------->
— (17 headers 12 lines) —
Sending to SBCPrivateIP:5080 (NAT)
Sending to SBCPrivateIP:5080 (NAT)
Using INVITE request as basis request - 1AC8B9F0-58F62AE800000625-E59DF700
Found peer ‘321’ for ’ CID ’ from SBCPrivateIP:5080

<— Reliably Transmitting (NAT) to SBCPrivateIP:5080 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP SBCPrivateIP:5080;branch=z9hG4bK0X~O3ad7;received=SBCPrivateIP;rport=5080
From: " CID " <sip: CID @ SipTrunkProvider >;tag=446A39EC-58F62AE80000061F-E59DF700
To: <sip: BTN @SBCPublicIP:5060>;tag=as3a66670b
Call-ID: 1AC8B9F0-58F62AE800000625-E59DF700
CSeq: 10 INVITE
Server: FPBX-13.0.190.7(13.12.2)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm=“asterisk”, nonce="1bd3f7ce"
Content-Length: 0

<------------>
Scheduling destruction of SIP dialog ‘1AC8B9F0-58F62AE800000625-E59DF700’ in 6400 ms (Method: INVITE)

<— SIP read from UDP: SBCPrivateIP:5080 —>
ACK sip:BTN@SBCPublicIP:5060 SIP/2.0
Via: SIP/2.0/UDP SBCPrivateIP:5080;branch=z9hG4bK0X~O3ad7;rport
From: “CID” sip:CID@SipTrunkProvider;tag=446A39EC-58F62AE80000061F-E59DF700
To: sip:BTN@SBCPublicIP:5060;tag=as3a66670b
Call-ID: 1AC8B9F0-58F62AE800000625-E59DF700
CSeq: 10 ACK
Content-Length: 0

<------------->
— (7 headers 0 lines) —
Really destroying SIP dialog ‘6CF8CFD7-58F62AC70002D4D9-E9455700’ Method: OPTIONS
Really destroying SIP dialog ‘1AC8B9F0-58F62AE800000625-E59DF700’ Method: ACK

2

Unless you mark the log as preformatted text, it isn’t going to be much use! (Why did we have to change to a forum that was so badly broken in this way - no-one realises they need to do this).

However, in the mean time, please note that very is deprecated and that the options, including secure, that affect incoming calls must be specified on all sip.conf entries that match the same address, as Asterisk could well use your outgoing entry for incoming calls; having them different is not useful.

I think there are two possibilities here, either very has been removed, rather than just deprecated, and the reconfiguration has affected which of incoming and outgoing matches first for incoming calls, or the source address is not the one you have configured and you are using alwayauthreject.

The 401 is the result of authentication not being disabled, which would mean that insecure=invite had not been honoured.

3

Took a look and made some adjustments and no luck. What’s even weirder is I have the same trunk settings on my backup PBX and calls flow in with no issues at all. Once I reboot the SBC, no issues. Maybe a SBC issue?