SIP/2.0 403 Proxy auth uri does not match SIP "to" uri

Asterisk Asterisk SIP
1

To header from log:
To: sip:+919X99XXXXXX@sip.example.com

Proxy-Authorization header from log:
Proxy-Authorization: Digest username=“my-username”, realm=“my.realm”, nonce=“6e6f88792f787e6a”, uri="sip:+919X99XXXXXX@sip.example.com;transport=tls", response=“9d611cc3a6e16be4de8eaf933b7ad596”, algorithm=MD5, cnonce=“6b316364748e49ad8c9677dbd91ebf3c”, opaque=“3a7426c25f482831”, qop=auth, nc=00000001

Later in log I can see below error:
SIP/2.0 403 Proxy auth uri does not match SIP “to” uri

Is there a way to add ;transport=tls in To header?

2

You haven’t provided enough information. There are two channel drivers, you haven’t specified which one. You haven’t provided configuration. You’ve provided only partial SIP trace.

3

I am using PJSIP

4

i was facing the same error

my pjsip conf

[meta_sip]
type=endpoint
transport=transport-tls
context=from-meta
disallow=all
allow=ulaw,alaw
outbound_auth=meta_auth
aors=meta_aor
direct_media=no
rtp_symmetric=yes
force_rport=yes
rewrite_contact=yes

from_domain=emaple.example.com
from_user=+91123456789
contact_user=asterisk
send_pai=yes
send_rpid=yes

[meta_aor]
type=aor
contact=sip:wa.meta.vc

[meta_auth]
type=auth
auth_type=userpass
username=
password=

[outbound-to-meta]
exten => _+X.,1,NoOp(Outbound call to Meta SIP)
same => n,Dial(PJSIP/${EXTEN}@meta_sip;transport=tls)
same => n,Hangup()

5

@jcolp Have a look at config by @depak
I think at Meta end they have very strict auth.

6

Please don’t tag me. If I have anything to add, then I’ll respond. I’ll also say that a full trace hasn’t been provided from either of you.

7

sorry for that

Here i’ll add the full trace @jcolp ,Me using pjsip.conf

– Transmitting SIP request (1025 bytes) to TLS:x.x.x.x:5061 —>
INVITE sip:+x@wa.meta.vc;transport=tls SIP/2.0
Via: SIP/2.0/TLS x.x.x.x:5061;rport;branch=z9hG4bKPj8fc7c188-188a-4492-93de-2cbeb47cbfc5;alias
From: sip:+x@x.x.com;tag=1de5c28f-a3cf-4dbb-b68b-2c036c8c9dbc
To: sip:+x@wa.meta.vc
Contact: sip:+x@x.x.x.x:5061;transport=TLS
Call-ID: ff411fec-bac9-4b2e-871a-6e20f80fd3bc
CSeq: 2653 INVITE
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REFER, MESSAGE, INFO
Supported: 100rel, timer, replaces, norefersub, histinfo
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: Asterisk PBX 20.6.0~dfsg+~cs6.13.40431414-2build5
Content-Type: application/sdp
Content-Length: 261

v=0
o=- 1822455207 1822455207 IN IP4 xx.xx.xxx.xx
s=Asterisk
c=IN IP4 xx.xx.xxx.xx
t=0 0
m=audio 10632 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:140
a=sendrecv

[Aug 20 18:22:29] ERROR[2890247]: pjproject: <?>: tlsc0x72f3780a2088 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
[Aug 20 18:22:29] NOTICE[2890247]: res_pjsip/pjsip_transport_events.c:179 verify_log_result: Transport ‘transport-tls’ to remote ‘wa.meta.vc’ - The server identity does not match to any identities specified in the certificate
<— Received SIP response (711 bytes) from TLS:57.144.211.157:5061 —>
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/TLS xx.xx.xxx.xx:5061;rport=24922;received=2803:6080:c978:72aa:f68:dd51:400:0;branch=z9hG4bKPj8fc7c188-188a-4492-93de-2cbeb47cbfc5;alias
Call-ID: ff411fec-bac9-4b2e-871a-6e20f80fd3bc
From: sip:+x@x.x.com;tag=1de5c28f-a3cf-4dbb-b68b-2c036c8c9dbc
To: sip:+x@wa.meta.vc;tag=z9hG4bKPj8fc7c188-188a-4492-93de-2cbeb47cbfc5
CSeq: 2653 INVITE
Proxy-Authenticate: Digest realm=“wa.meta.vc”,nonce=“712380e716617c2e”,opaque=“2af89ebc1e235441”,algorithm=SHA-256,qop=“auth”
Proxy-Authenticate: Digest realm=“wa.meta.vc”,nonce=“1187fa0e72decb2e”,opaque=“72cff445605dc3a5”,algorithm=MD5,qop=“auth”
Content-Length: 0

<— Transmitting SIP request (502 bytes) to TLS:57.144.211.157:5061 —>
ACK sip:+91xxxxxxxxxx@wa.meta.vc;transport=tls SIP/2.0
Via: SIP/2.0/TLS xx.xx.xxx.xx:5061;rport;branch=z9hG4bKPj8fc7c188-188a-4492-93de-2cbeb47cbfc5;alias
From: sip:+91xxxxxxxxxx@x.x.com;tag=1de5c28f-a3cf-4dbb-b68b-2c036c8c9dbc
To: sip:+91xxxxxxxxxx@wa.meta.vc;tag=z9hG4bKPj8fc7c188-188a-4492-93de-2cbeb47cbfc5
Call-ID: ff411fec-bac9-4b2e-871a-6e20f80fd3bc
CSeq: 2653 ACK
Max-Forwards: 70
User-Agent: Asterisk PBX 20.6.0~dfsg+~cs6.13.40431414-2build5
Content-Length: 0

<— Transmitting SIP request (1665 bytes) to TLS:57.144.211.157:5061 —>
INVITE sip:+91xxxxxxxxxx@wa.meta.vc;transport=tls SIP/2.0
Via: SIP/2.0/TLS xx.xx.xxx.xx:5061;rport;branch=z9hG4bKPj6a7b5df4-e714-4806-9b75-94fcc9c4ce20;alias
From: sip:+91xxxxxxxxxx@x.x.com;tag=1de5c28f-a3cf-4dbb-b68b-2c036c8c9dbc
To: sip:+91xxxxxxxxxx@wa.meta.vc
Contact: sip:+91xxxxxxxxxx@xx.xx.xxx.xx:5061;transport=TLS
Call-ID: ff411fec-bac9-4b2e-871a-6e20f80fd3bc
CSeq: 2654 INVITE
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REFER, MESSAGE, INFO
Supported: 100rel, timer, replaces, norefersub, histinfo
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: Asterisk PBX 20.6.0~dfsg+~cs6.13.40431414-2build5
Proxy-Authorization: Digest username=“91xxxxxxxxxx”, realm=“wa.meta.vc”, nonce=“712380e716617c2e”, uri=“sip:+91xxxxxxxxxx@wa.meta.vc;transport=tls”, response=“0e9b1ed460def65088cb0860bcd19fc51f3cf9b25f187303ab9389a1e729cf8a”, algorithm=SHA-256, cnonce=“fb464fe7a22945c791d4946f90f95014”, opaque=“2af89ebc1e235441”, qop=auth, nc=00000001
Proxy-Authorization: Digest username=“91xxxxxxxxxx”, realm=“wa.meta.vc”, nonce=“1187fa0e72decb2e”, uri=“sip:+91xxxxxxxxxx@wa.meta.vc;transport=tls”, response=“3c898e9bf0628b4043d0a4626dce5c83”, algorithm=MD5, cnonce=“fb464fe7a22945c791d4946f90f95014”, opaque=“72cff445605dc3a5”, qop=auth, nc=00000001
Content-Type: application/sdp
Content-Length: 261

v=0
o=- 1822455207 1822455207 IN IP4 xx.xx.xxx.xx
s=Asterisk
c=IN IP4 xx.xx.xxx.xx
t=0 0
m=audio 10632 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:140
a=sendrecv

<— Received SIP response (388 bytes) from TLS:57.144.211.157:5061 —>
SIP/2.0 100 Trying
Via: SIP/2.0/TLS xx.xx.xxx.xx:5061;rport=24922;received=2803:6080:c978:72aa:f68:dd51:400:0;branch=z9hG4bKPj6a7b5df4-e714-4806-9b75-94fcc9c4ce20;alias
Call-ID: ff411fec-bac9-4b2e-871a-6e20f80fd3bc
From: sip:+91xxxxxxxxxx@x.x.com;tag=1de5c28f-a3cf-4dbb-b68b-2c036c8c9dbc
To: sip:+91xxxxxxxxxx@wa.meta.vc
CSeq: 2654 INVITE
Content-Length: 0

<— Received SIP response (753 bytes) from TLS:57.144.211.157:5061 —>
SIP/2.0 180 Ringing
Via: SIP/2.0/TLS xx.xx.xxx.xx:5061;rport=24922;received=2803:6080:c978:72aa:f68:dd51:400:0;branch=z9hG4bKPj6a7b5df4-e714-4806-9b75-94fcc9c4ce20;alias
Record-Route: sip:onevc-sip-proxy.fbinfra.net:8191;transport=tls;lr
Record-Route: sip:wa.meta.vc;transport=tls;lr
Call-ID: ff411fec-bac9-4b2e-871a-6e20f80fd3bc
From: sip:+91xxxxxxxxxx@x.x.com;tag=1de5c28f-a3cf-4dbb-b68b-2c036c8c9dbc
To: sip:+91xxxxxxxxxx@wa.meta.vc;tag=2724dab8-cd78-49d3-921e-05ad4deee1cd
CSeq: 2654 INVITE
Contact: sip:+91xxxxxxxxxx@wa.meta.vc;transport=tls;ob;X-FB-Sip-Smc-Tier=collaboration.sip_gateway.sip.prod;isfocus
Allow: INVITE, ACK, BYE, CANCEL, NOTIFY, OPTIONS
X-FB-External-Domain: wa.meta.vc
Content-Length: 0

-- PJSIP/meta_sip-00000032 is ringing

<— Transmitting SIP response (544 bytes) to WSS:14.194.165.174:59698 —>
SIP/2.0 180 Ringing
Via: SIP/2.0/WSS 7vnqtg49krpv.invalid;rport=59698;received=14.194.165.174;branch=z9hG4bK9657267
Call-ID: 052pml5uvs9p1rascg6l
From: sip:7003@x.x.com;tag=vf2vjf32nn
To: sip:+91xxxxxxxxxx@wa.meta.vc;tag=61805fd2-4694-474a-b864-2177211794ff
CSeq: 2 INVITE
Server: Asterisk PBX 20.6.0~dfsg+~cs6.13.40431414-2build5
Contact: sip:10.160.0.54:8089;transport=ws
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REFER, MESSAGE, INFO
Content-Length: 0

<— Received SIP response (739 bytes) from TLS:57.144.211.157:5061 —>
SIP/2.0 403 Proxy auth uri does not match SIP “to” uri
Via: SIP/2.0/TLS xx.xx.xxx.xx:5061;rport=24922;received=2803:6080:c978:72aa:f68:dd51:400:0;branch=z9hG4bKPj6a7b5df4-e714-4806-9b75-94fcc9c4ce20;alias
Record-Route: sip:onevc-sip-proxy.fbinfra.net:8191;transport=tls;lr
Record-Route: sip:wa.meta.vc;transport=tls;lr
Call-ID: ff411fec-bac9-4b2e-871a-6e20f80fd3bc
From: sip:+91xxxxxxxxxx@x.x.com;tag=1de5c28f-a3cf-4dbb-b68b-2c036c8c9dbc
To: sip:+91xxxxxxxxxx@wa.meta.vc;tag=2724dab8-cd78-49d3-921e-05ad4deee1cd
CSeq: 2654 INVITE
Allow: INVITE, ACK, BYE, CANCEL, NOTIFY, OPTIONS
X-FB-External-Domain: wa.meta.vc
Warning: 399 wa.meta.vc “Proxy auth uri does not match SIP “to” uri”
Content-Length: 0

<— Transmitting SIP request (493 bytes) to TLS:57.144.211.157:5061 —>
ACK sip:+91xxxxxxxxxx@wa.meta.vc;transport=tls SIP/2.0
Via: SIP/2.0/TLS xx.xx.xxx.xx:5061;rport;branch=z9hG4bKPj6a7b5df4-e714-4806-9b75-94fcc9c4ce20;alias
From: sip:+91xxxxxxxxxx@x.x.com;tag=1de5c28f-a3cf-4dbb-b68b-2c036c8c9dbc
To: sip:+91xxxxxxxxxx@wa.meta.vc;tag=2724dab8-cd78-49d3-921e-05ad4deee1cd
Call-ID: ff411fec-bac9-4b2e-871a-6e20f80fd3bc
CSeq: 2654 ACK
Max-Forwards: 70
User-Agent: Asterisk PBX 20.6.0~dfsg+~cs6.13.40431414-2build5
Content-Length: 0

== Everyone is busy/congested at this time (1:0/0/1)
– Executing [+91xxxxxxxxxx@outbound-to-meta:3] Hangup(“PJSIP/7003-00000031”, “”) in new stack
== Spawn extension (outbound-to-meta, +91xxxxxxxxxx, 3) exited non-zero on ‘PJSIP/7003-00000031’
<— Transmitting SIP response (524 bytes) to WSS:14.194.165.174:59698 —>
SIP/2.0 403 Forbidden
Via: SIP/2.0/WSS 7vnqtg49krpv.invalid;rport=59698;received=14.194.165.174;branch=z9hG4bK9657267
Call-ID: 052pml5uvs9p1rascg6l
From: sip:x@x.x.com;tag=vf2vjf32nn
To: sip:+91xxxxxxxxxx@wa.meta.vc;tag=61805fd2-4694-474a-b864-2177211794ff
CSeq: 2 INVITE
Server: Asterisk PBX 20.6.0~dfsg+~cs6.13.40431414-2build5
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REFER, MESSAGE, INFO
Reason: Q.850;cause=21
Content-Length: 0

Help me out and why proxy auth header is sending twice is that causing the issue

8

Here is the full trace of the problem: They are trying to initiate a call to a WhatsApp number. Meta responds with a 407 challenge, but the response is invalid because the URI is different.

INVITE sip:+558166666666@wa.meta.vc SIP/2.0
Via: SIP/2.0/TLS 35.35.35.35:5061;rport;branch=z9hG4bKPj0e6ab609-b7e8-49bf-88dd-0494e09fbd55;alias
From: <sip:+551155555555@mysipserver.com>;tag=e4722df8-361a-4976-95ff-a95cc54bbd10
To: <sip:+558166666666@wa.meta.vc>
Contact: <sip:asterisk@35.35.35.35:5061;transport=TLS>
Call-ID: 65ac17c0-83b3-4013-b247-8ca5071ed179
CSeq: 24878 INVITE
Allow: OPTIONS, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INFO, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub, histinfo
Session-Expires: 1800
Min-SE: 90
P-Asserted-Identity: <sip:+551155555555@mysipserver.com>
Remote-Party-ID: <sip:+551155555555@mysipserver.com>;party=calling;privacy=off;screen=no
Max-Forwards: 70
User-Agent: FPBX-17.0.19.28(20.9.3)
Content-Type: application/sdp
Content-Length:   414

v=0
o=- 755279159 755279159 IN IP4 35.35.35.35
s=Asterisk
c=IN IP4 35.35.35.35
t=0 0
m=audio 17370 RTP/SAVP 107 101 103
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:p2Ummr717q5rYVGJQIezmUe6XYTLktZVr3FlCN0B
a=rtpmap:107 opus/48000/2
a=fmtp:107 useinbandfec=1
a=rtpmap:101 telephone-event/48000
a=fmtp:101 0-16
a=rtpmap:103 telephone-event/8000
a=fmtp:103 0-16
a=ptime:20
a=maxptime:20
a=sendrecv

<--- Received SIP response (716 bytes) from TLS:157.240.222.209:5061 --->
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/TLS 35.35.35.35:5061;rport=38896;received=2803:6081:713c:96d6:215a:454d:400:0;branch=z9hG4bKPj0e6ab609-b7e8-49bf-88dd-0494e09fbd55;alias
Call-ID: 65ac17c0-83b3-4013-b247-8ca5071ed179
From: <sip:+551155555555@mysipserver.com>;tag=e4722df8-361a-4976-95ff-a95cc54bbd10
To: <sip:+558166666666@wa.meta.vc>;tag=z9hG4bKPj0e6ab609-b7e8-49bf-88dd-0494e09fbd55
CSeq: 24878 INVITE
Proxy-Authenticate: Digest realm="wa.meta.vc",nonce="7bc2fbe97cea19a8",opaque="57e5869f0cc01da3",algorithm=SHA-256,qop="auth"
Proxy-Authenticate: Digest realm="wa.meta.vc",nonce="51cae3ff0e371f17",opaque="73b7ec296db0d256",algorithm=MD5,qop="auth"
Content-Length:  0


<--- Transmitting SIP request (466 bytes) to TLS:157.240.222.209:5061 --->
ACK sip:+558166666666@wa.meta.vc SIP/2.0
Via: SIP/2.0/TLS 35.35.35.35:5061;rport;branch=z9hG4bKPj0e6ab609-b7e8-49bf-88dd-0494e09fbd55;alias
From: <sip:+551155555555@mysipserver.com>;tag=e4722df8-361a-4976-95ff-a95cc54bbd10
To: <sip:+558166666666@wa.meta.vc>;tag=z9hG4bKPj0e6ab609-b7e8-49bf-88dd-0494e09fbd55
Call-ID: 65ac17c0-83b3-4013-b247-8ca5071ed179
CSeq: 24878 ACK
Max-Forwards: 70
User-Agent: FPBX-17.0.19.28(20.9.3)
Content-Length:  0

<--- Transmitting SIP request (1919 bytes) to TLS:157.240.222.209:5061 --->
INVITE sip:+558166666666@wa.meta.vc SIP/2.0
Via: SIP/2.0/TLS 35.35.35.35:5061;rport;branch=z9hG4bKPj354ffa88-24aa-4f34-b466-e53987fce918;alias
From: <sip:+551155555555@mysipserver.com>;tag=e4722df8-361a-4976-95ff-a95cc54bbd10
To: <sip:+558166666666@wa.meta.vc>
Contact: <sip:asterisk@35.35.35.35:5061;transport=TLS>
Call-ID: 65ac17c0-83b3-4013-b247-8ca5071ed179
CSeq: 24879 INVITE
Allow: OPTIONS, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INFO, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub, histinfo
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: FPBX-17.0.19.28(20.9.3)
Proxy-Authorization: Digest username="551155555555", realm="wa.meta.vc", nonce="7bc2fbe97cea19a8", uri="sip:+558166666666@wa.meta.vc", response="220eeb623555ddab53b3243665e955ef7022d5af3a67faabca8e8539f9aa246e", algorithm=SHA-256, cnonce="bae27b359d904f6a80267e37c5c52566", opaque="57e5869f0cc01da3", qop=auth, nc=00000001
Proxy-Authorization: Digest username="551155555555", realm="wa.meta.vc", nonce="51cae3ff0e371f17", uri="sip:+558166666666@wa.meta.vc", response="f6db3a8c16aca00a7e72996053381e13", algorithm=MD5, cnonce="bae27b359d904f6a80267e37c5c52566", opaque="73b7ec296db0d256", qop=auth, nc=00000001
P-Asserted-Identity: <sip:+551155555555@mysipserver.com>
Remote-Party-ID: <sip:+551155555555@mysipserver.com>;party=calling;privacy=off;screen=no
Content-Type: application/sdp
Content-Length:   414

v=0
o=- 755279159 755279159 IN IP4 35.35.35.35
s=Asterisk
c=IN IP4 35.35.35.35
t=0 0
m=audio 17370 RTP/SAVP 107 101 103
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:p2Ummr717q5rYVGJQIezmUe6XYTLktZVr3FlCN0B
a=rtpmap:107 opus/48000/2
a=fmtp:107 useinbandfec=1
a=rtpmap:101 telephone-event/48000
a=fmtp:101 0-16
a=rtpmap:103 telephone-event/8000
a=fmtp:103 0-16
a=ptime:20
a=maxptime:20
a=sendrecv

<--- Received SIP response (393 bytes) from TLS:157.240.222.209:5061 --->
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 35.35.35.35:5061;rport=38896;received=2803:6081:713c:96d6:215a:454d:400:0;branch=z9hG4bKPj354ffa88-24aa-4f34-b466-e53987fce918;alias
Call-ID: 65ac17c0-83b3-4013-b247-8ca5071ed179
From: <sip:+551155555555@mysipserver.com>;tag=e4722df8-361a-4976-95ff-a95cc54bbd10
To: <sip:+558166666666@wa.meta.vc>
CSeq: 24879 INVITE
Content-Length:  0

<--- Received SIP response (758 bytes) from TLS:157.240.222.209:5061 --->
SIP/2.0 180 Ringing
Via: SIP/2.0/TLS 35.35.35.35:5061;rport=38896;received=2803:6081:713c:96d6:215a:454d:400:0;branch=z9hG4bKPj354ffa88-24aa-4f34-b466-e53987fce918;alias
Record-Route: <sip:onevc-sip-proxy.fbinfra.net:8191;transport=tls;lr>
Record-Route: <sip:wa.meta.vc;transport=tls;lr>
Call-ID: 65ac17c0-83b3-4013-b247-8ca5071ed179
From: <sip:+551155555555@mysipserver.com>;tag=e4722df8-361a-4976-95ff-a95cc54bbd10
To: <sip:+558166666666@wa.meta.vc>;tag=341914bb-9bbc-4e22-a151-c4f6c553d369
CSeq: 24879 INVITE
Contact: <sip:+558166666666@wa.meta.vc;transport=tls;ob;X-FB-Sip-Smc-Tier=collaboration.sip_gateway.sip.prod>;isfocus
Allow: INVITE, ACK, BYE, CANCEL, NOTIFY, OPTIONS
X-FB-External-Domain: wa.meta.vc
Content-Length:  0

<--- Received SIP response (744 bytes) from TLS:157.240.222.209:5061 --->
SIP/2.0 403 Proxy auth uri does not match SIP "to" uri
Via: SIP/2.0/TLS 35.35.35.35:5061;rport=38896;received=2803:6081:713c:96d6:215a:454d:400:0;branch=z9hG4bKPj354ffa88-24aa-4f34-b466-e53987fce918;alias
Record-Route: <sip:onevc-sip-proxy.fbinfra.net:8191;transport=tls;lr>
Record-Route: <sip:wa.meta.vc;transport=tls;lr>
Call-ID: 65ac17c0-83b3-4013-b247-8ca5071ed179
From: <sip:+551155555555@mysipserver.com>;tag=e4722df8-361a-4976-95ff-a95cc54bbd10
To: <sip:+558166666666@wa.meta.vc>;tag=341914bb-9bbc-4e22-a151-c4f6c553d369
CSeq: 24879 INVITE
Allow: INVITE, ACK, BYE, CANCEL, NOTIFY, OPTIONS
X-FB-External-Domain: wa.meta.vc
Warning: 399 wa.meta.vc "Proxy auth uri does not match SIP "to" uri"
Content-Length:  0


<--- Transmitting SIP request (457 bytes) to TLS:157.240.222.209:5061 --->
ACK sip:+558166666666@wa.meta.vc SIP/2.0
Via: SIP/2.0/TLS 35.35.35.35:5061;rport;branch=z9hG4bKPj354ffa88-24aa-4f34-b466-e53987fce918;alias
From: <sip:+551155555555@mysipserver.com>;tag=e4722df8-361a-4976-95ff-a95cc54bbd10
To: <sip:+558166666666@wa.meta.vc>;tag=341914bb-9bbc-4e22-a151-c4f6c553d369
Call-ID: 65ac17c0-83b3-4013-b247-8ca5071ed179
CSeq: 24879 ACK
Max-Forwards: 70
User-Agent: FPBX-17.0.19.28(20.9.3)
Content-Length:  0
9

@mandinhogsj It looks the same to me in yours. The To URI appears to match the URI in the auth.

10

I think the proxy authentication failure is being sent after they have accepted the credentials! Something is very broken with their system! You can’t actually ring the destination and then claim that caller was not correctly identified!

I think the message should say it doesn’t match the From user (the actual value used is based on the From user). In any case it matches neither, as the actual source and destination users begin with “+”, but the authentication user doesn’t.

11

you can see in this docs

as in example invite they send exactly as same as mine

12

The documentation on meta ( Configure Session Initiation Protocol (SIP) - WhatsApp Cloud API - Documentation - Meta for Developers ) has an example of SIP flow. And they say that we have to use a parameter on the SIP server (;transport=tls) thats why @depak added that on the dialplan.
When Asterisk is building the digest (“response”) the URI does not contain the parameter ;transport=tls . I think that’s the problem

13

Instead of this you can do:

contact=sip:wa.meta.vc\;transport=tls

That may do it.

14 
-- Transmitting SIP request (503 bytes) to TLS:57.144.211.157:5061 --->
ACK sip:+911234567891@wa.meta.vc;transport=tls SIP/2.0
Via: SIP/2.0/TLS xx.xx.xxx.xx:5061;rport;branch=z9hG4bKPj63212304-7064-4ec3-9503-491bf4199e42;alias
From: <sip:+911234567890@example.example.com>;tag=36ca1b78-ace2-4b9c-a32f-a5c1e31eeca9
To: <sip:+911234567891@wa.meta.vc>;tag=z9hG4bKPj63212304-7064-4ec3-9503-491bf4199e42
Call-ID: 3eaf5dea-9a8f-41c9-94df-3fd24dbed0db
CSeq: 14021 ACK
Max-Forwards: 70
User-Agent: Asterisk PBX 20.6.0~dfsg+~cs6.13.40431414-2build5
Content-Length:  0


<--- Transmitting SIP request (2153 bytes) to TLS:57.144.211.157:5061 --->
INVITE sip:+911234567891@wa.meta.vc;transport=tls SIP/2.0
Via: SIP/2.0/TLS xx.xx.xxx.xx:5061;rport;branch=z9hG4bKPj6563e62f-5e50-4434-81b4-6ff6ee1c98d1;alias
From: <sip:+911234567890@example.example.com>;tag=36ca1b78-ace2-4b9c-a32f-a5c1e31eeca9
To: <sip:+911234567891@wa.meta.vc>
Contact: <sip:+911234567890@xx.xx.xxx.xx:5061;transport=TLS>
Call-ID: 3eaf5dea-9a8f-41c9-94df-3fd24dbed0db
CSeq: 14022 INVITE
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REFER, MESSAGE, INFO
Supported: 100rel, timer, replaces, norefersub, histinfo
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: Asterisk PBX 20.6.0~dfsg+~cs6.13.40431414-2build5
Proxy-Authorization: Digest username="911234567890", realm="wa.meta.vc", nonce="3d5a353534380128", uri="sip:+911234567891@wa.meta.vc;transport=tls", response="37e1186a6a50aafc763e16f084548bad8513ce028f46a5ea11da9cdf006cc324", algorithm=SHA-256, cnonce="561955d2ced74ed6948d768c73068681", opaque="51a40a9344df9cd5", qop=auth, nc=00000001
Proxy-Authorization: Digest username="911234567890", realm="wa.meta.vc", nonce="35fedc542148ab9f", uri="sip:+911234567891@wa.meta.vc;transport=tls", response="a7b05d6c3beb52ce192ab45b43aa2de9", algorithm=MD5, cnonce="561955d2ced74ed6948d768c73068681", opaque="49e1fd6f525aa69e", qop=auth, nc=00000001
Content-Type: application/sdp
Content-Length:   748

v=0
o=- 1829698868 1829698868 IN IP4 xx.xx.xxx.xx
s=Asterisk
c=IN IP4 xx.xx.xxx.xx
t=0 0
m=audio 14488 UDP/TLS/RTP/SAVP 0 8 101
a=connection:new
a=setup:active
a=fingerprint:SHA-256 
a=ice-ufrag:7cdd11a606bd419705c201180e204630
a=ice-pwd:1958c90d4058e0f00a3c9f28106afe5c
a=candidate:Haa00036 1 UDP 2130706431 10.160.0.54 14488 typ host
a=candidate:S222fad32 1 UDP 1694498815 xx.xx.xxx.xx 14488 typ srflx raddr 10.160.0.54 rport 14488
a=candidate:Haa00036 2 UDP 2130706430 10.160.0.54 14489 typ host
a=candidate:S222fad32 2 UDP 1694498814 xx.xx.xxx.xx 14489 typ srflx raddr 10.160.0.54 rport 14489
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:140
a=sendrecv

<--- Received SIP response (390 bytes) from TLS:57.144.211.157:5061 --->
SIP/2.0 100 Trying
Via: SIP/2.0/TLS xx.xx.xxx.xx:5061;rport=65084;received=2803:6080:c91c:9c40:3d98:df51:400:0;branch=z9hG4bKPj6563e62f-5e50-4434-81b4-6ff6ee1c98d1;alias
Call-ID: 3eaf5dea-9a8f-41c9-94df-3fd24dbed0db
From: <sip:+911234567890@example.example.com>;tag=36ca1b78-ace2-4b9c-a32f-a5c1e31eeca9
To: <sip:+911234567891@wa.meta.vc>
CSeq: 14022 INVITE
Content-Length:  0


<--- Received SIP response (755 bytes) from TLS:57.144.211.157:5061 --->
SIP/2.0 180 Ringing
Via: SIP/2.0/TLS xx.xx.xxx.xx:5061;rport=65084;received=2803:6080:c91c:9c40:3d98:df51:400:0;branch=z9hG4bKPj6563e62f-5e50-4434-81b4-6ff6ee1c98d1;alias
Record-Route: <sip:onevc-sip-proxy.fbinfra.net:8191;transport=tls;lr>
Record-Route: <sip:wa.meta.vc;transport=tls;lr>
Call-ID: 3eaf5dea-9a8f-41c9-94df-3fd24dbed0db
From: <sip:+911234567890@example.example.com>;tag=36ca1b78-ace2-4b9c-a32f-a5c1e31eeca9
To: <sip:+911234567891@wa.meta.vc>;tag=25385288-6767-4d26-914e-15782fd4a556
CSeq: 14022 INVITE
Contact: <sip:+911234567891@wa.meta.vc;transport=tls;ob;X-FB-Sip-Smc-Tier=collaboration.sip_gateway.sip.prod>;isfocus
Allow: INVITE, ACK, BYE, CANCEL, NOTIFY, OPTIONS
X-FB-External-Domain: wa.meta.vc
Content-Length:  0


    -- PJSIP/meta_sip-0000006a is ringing
<--- Transmitting SIP response (544 bytes) to WSS:14.194.165.174:41832 --->
SIP/2.0 180 Ringing
Via: SIP/2.0/WSS u6skq6do1o9s.invalid;rport=41832;received=14.194.165.174;branch=z9hG4bK7652439
Call-ID: 3elru4ruli03mapab8df
From: <sip:7003@example.example.com>;tag=dnh967rr8m
To: <sip:+911234567891@wa.meta.vc>;tag=8b9160f5-c37a-486c-bb2f-a894e9e4d6c7
CSeq: 2 INVITE
Server: Asterisk PBX 20.6.0~dfsg+~cs6.13.40431414-2build5
Contact: <sip:10.160.0.54:8089;transport=ws>
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REFER, MESSAGE, INFO
Content-Length:  0


<--- Received SIP response (741 bytes) from TLS:57.144.211.157:5061 --->
SIP/2.0 403 Proxy auth uri does not match SIP "to" uri
Via: SIP/2.0/TLS xx.xx.xxx.xx:5061;rport=65084;received=2803:6080:c91c:9c40:3d98:df51:400:0;branch=z9hG4bKPj6563e62f-5e50-4434-81b4-6ff6ee1c98d1;alias
Record-Route: <sip:onevc-sip-proxy.fbinfra.net:8191;transport=tls;lr>
Record-Route: <sip:wa.meta.vc;transport=tls;lr>
Call-ID: 3eaf5dea-9a8f-41c9-94df-3fd24dbed0db
From: <sip:+911234567890@example.example.com>;tag=36ca1b78-ace2-4b9c-a32f-a5c1e31eeca9
To: <sip:+911234567891@wa.meta.vc>;tag=25385288-6767-4d26-914e-15782fd4a556
CSeq: 14022 INVITE
Allow: INVITE, ACK, BYE, CANCEL, NOTIFY, OPTIONS
X-FB-External-Domain: wa.meta.vc
Warning: 399 wa.meta.vc "Proxy auth uri does not match SIP "to" uri"
Content-Length:  0

Still receiving the same error

15

Looks like To header is a complete red herring. and the current speculation is about the “uri”, in the authentication, not the user. I still think the 403 is being sent after it has accepted authentication.

Whatever is used for the authentication should be what is in the request URI (not the To header), and it appears that Asterisk is correctly sending what is expected there.

I don’t see where Contact header comes in. Any \;transport=… would need to be in the dial string.

16

This is over-redacted. I’m not going to look at it in detail. If your test call really was made back to your own system, that is not helpful, as one needs distinct from and to numbers to debug properly.

17

No,Business number is different and another number is different ,i can receive inbound calls from that number as meta is sending invite and i can handle it but when i make outbound calls to that whastapp user the above error occurs

1 Like
18

There is a discussion on this issue on when sending whatsapp business initiated calls invite to meta sip server ,receiving this error SIP/2.0 403 Proxy auth uri does not match SIP "to" uri - Developer Community Forum - Meta for Developers

19

That is created by me only,No reply over there

20

Hello everyone, I am following the topic all the time, and I noticed that the report opened in the meta community was deleted.