(SIP/2.0 488 Not Acceptable Here), when configured with PJSIP/TLS

  • We have build Asterisk 17.6.0 and PJSIP from the source on a VPS
  • We configured TLS, generated client and server certificate
  • Registered the Blink client for testing, success
  • While making a call from Blink_1 to Blink_2 or vice-versa, it fails with an error

{code}
<— Received SIP request (1021 bytes) from TLS:43.249.37.23:54700 —>
INVITE sip:2222@94.140.114.51 SIP/2.0
Via: SIP/2.0/TLS 192.168.75.143:49485;rport;branch=z9hG4bKPj28ae9d1c90c443fbac7f6021e4771d5c;alias
Max-Forwards: 70
From: “1111” sip:1111@94.140.114.51;tag=54c6492c375e44bf8a3599fe8047016f
To: sip:2222@94.140.114.51
Contact: sip:80631759@192.168.75.143:49453;transport=tls
Call-ID: 73fa29d60a5a4ea7989d2d175ea91342
CSeq: 16687 INVITE
Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Supported: replaces, norefersub, gruu
User-Agent: Blink 3.2.0 (Windows)
Content-Type: application/sdp
Content-Length: 429

v=0
o=- 3804383127 3804383127 IN IP4 192.168.75.143
s=Blink 3.2.0 (Windows)
t=0 0
m=audio 50048 RTP/AVP 113 9 0 8 101
c=IN IP4 192.168.75.143
a=rtcp:50049
a=rtpmap:113 opus/48000/2
a=fmtp:113 useinbandfec=1
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=zrtp-hash:1.10 6171448735d90ecf08cf6a7fefedf5369e0c4b0825c13d3b30741d5182bdff7f
a=sendrecv

<— Transmitting SIP response (566 bytes) to TLS:43.249.37.23:54700 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 192.168.75.143:49485;rport=54700;received=43.249.37.23;branch=z9hG4bKPj28ae9d1c90c443fbac7f6021e4771d5c;alias
Call-ID: 73fa29d60a5a4ea7989d2d175ea91342
From: “1111” sip:1111@94.140.114.51;tag=54c6492c375e44bf8a3599fe8047016f
To: sip:2222@94.140.114.51;tag=z9hG4bKPj28ae9d1c90c443fbac7f6021e4771d5c
CSeq: 16687 INVITE
WWW-Authenticate: Digest realm=“asterisk”,nonce=“1595419528/95038c7ada5d1c4091cb7649c149cd06”,opaque=“5a2d21b867e7b7d7”,algorithm=md5,qop=“auth”
Server: Asterisk PBX 17.6.0
Content-Length: 0

<— Received SIP request (423 bytes) from TLS:43.249.37.23:54700 —>
ACK sip:2222@94.140.114.51 SIP/2.0
Via: SIP/2.0/TLS 192.168.75.143:49485;rport;branch=z9hG4bKPj28ae9d1c90c443fbac7f6021e4771d5c;alias
Max-Forwards: 70
From: “1111” sip:1111@94.140.114.51;tag=54c6492c375e44bf8a3599fe8047016f
To: sip:2222@94.140.114.51;tag=z9hG4bKPj28ae9d1c90c443fbac7f6021e4771d5c
Call-ID: 73fa29d60a5a4ea7989d2d175ea91342
CSeq: 16687 ACK
User-Agent: Blink 3.2.0 (Windows)
Content-Length: 0

<— Received SIP request (1314 bytes) from TLS:43.249.37.23:54700 —>
INVITE sip:2222@94.140.114.51 SIP/2.0
Via: SIP/2.0/TLS 192.168.75.143:49485;rport;branch=z9hG4bKPjbf7e99f726d74c4ebbbb508d7033dea9;alias
Max-Forwards: 70
From: “1111” sip:1111@94.140.114.51;tag=54c6492c375e44bf8a3599fe8047016f
To: sip:2222@94.140.114.51
Contact: sip:80631759@192.168.75.143:49453;transport=tls
Call-ID: 73fa29d60a5a4ea7989d2d175ea91342
CSeq: 16688 INVITE
Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Supported: replaces, norefersub, gruu
User-Agent: Blink 3.2.0 (Windows)
Authorization: Digest username=“1111”, realm=“asterisk”, nonce=“1595419528/95038c7ada5d1c4091cb7649c149cd06”, uri="sip:2222@94.140.114.51", response=“7b6971ff7f3d73d8cb888640056d6e3e”, algorithm=md5, cnonce=“5bacef95a6f243e19c4cfc0b41ebb5c9”, opaque=“5a2d21b867e7b7d7”, qop=auth, nc=00000001
Content-Type: application/sdp
Content-Length: 429

v=0
o=- 3804383127 3804383127 IN IP4 192.168.75.143
s=Blink 3.2.0 (Windows)
t=0 0
m=audio 50048 RTP/AVP 113 9 0 8 101
c=IN IP4 192.168.75.143
a=rtcp:50049
a=rtpmap:113 opus/48000/2
a=fmtp:113 useinbandfec=1
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=zrtp-hash:1.10 6171448735d90ecf08cf6a7fefedf5369e0c4b0825c13d3b30741d5182bdff7f
a=sendrecv

== Setting global variable ‘SIPDOMAIN’ to ‘94.140.114.51’
<— Transmitting SIP response (368 bytes) to TLS:43.249.37.23:54700 —>
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 192.168.75.143:49485;rport=54700;received=43.249.37.23;branch=z9hG4bKPjbf7e99f726d74c4ebbbb508d7033dea9;alias
Call-ID: 73fa29d60a5a4ea7989d2d175ea91342
From: “1111” sip:1111@94.140.114.51;tag=54c6492c375e44bf8a3599fe8047016f
To: sip:2222@94.140.114.51
CSeq: 16688 INVITE
Server: Asterisk PBX 17.6.0
Content-Length: 0

<— Transmitting SIP response (422 bytes) to TLS:43.249.37.23:54700 —>
SIP/2.0 488 Not Acceptable Here
Via: SIP/2.0/TLS 192.168.75.143:49485;rport=54700;received=43.249.37.23;branch=z9hG4bKPjbf7e99f726d74c4ebbbb508d7033dea9;alias
Call-ID: 73fa29d60a5a4ea7989d2d175ea91342
From: “1111” sip:1111@94.140.114.51;tag=54c6492c375e44bf8a3599fe8047016f
To: sip:2222@94.140.114.51;tag=a7cdfce3-d8be-42b1-b0db-47e437493be3
CSeq: 16688 INVITE
Server: Asterisk PBX 17.6.0
Content-Length: 0

<— Received SIP request (418 bytes) from TLS:43.249.37.23:54700 —>
ACK sip:2222@94.140.114.51 SIP/2.0
Via: SIP/2.0/TLS 192.168.75.143:49485;rport;branch=z9hG4bKPjbf7e99f726d74c4ebbbb508d7033dea9;alias
Max-Forwards: 70
From: “1111” sip:1111@94.140.114.51;tag=54c6492c375e44bf8a3599fe8047016f
To: sip:2222@94.140.114.51;tag=a7cdfce3-d8be-42b1-b0db-47e437493be3
Call-ID: 73fa29d60a5a4ea7989d2d175ea91342
CSeq: 16688 ACK
User-Agent: Blink 3.2.0 (Windows)
Content-Length: 0
{code}

  • pjsip.conf:

{code}
[default]
type=transport
protocol=tls
bind=94.140.114.51:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1

[1111]
type=aor
max_contacts=1
remove_existing=yes

[1111]
type=auth
auth_type=userpass
username=1111
password=1111

[1111]
type=endpoint
aors=1111
auth=1111
context=default
disallow=all
allow=GSM
allow=ulaw
allow=g726
allow=g729
allow=speex
allow=g722
allow=iLBC
dtmf_mode=rfc4733
media_encryption=sdes

[2222]
type=aor
max_contacts=1
remove_existing=yes

[2222]
type=auth
auth_type=userpass
username=2222
password=2222

[2222]
type=endpoint
aors=2222
auth=2222
context=default
disallow=all
allow=GSM
allow=ulaw
allow=g726
allow=g729
allow=speex
allow=g722
allow=iLBC
dtmf_mode=rfc4733
media_encryption=sdes

[3333]
type=aor
max_contacts=1
remove_existing=yes

[3333]
type=auth
auth_type=userpass
username=3333
password=3333

[3333]
type=endpoint
aors=3333
auth=3333
context=default
disallow=all
allow=gsm
allow=ulaw
allow=g726
allow=g729
dtmf_mode=rfc4733
media_encryption=sdes
{code}

  • extensions.conf

{code}
[general]
static=yes
writeprotect=no
priorityjumping=no
autofallthrough=yes
clearglobalvars=no

;[local]
;exten=>1111,1,Dial(PJSIP/1111,20)
;exten=>2222,1,Dial(PJSIP/2222,20)
;exten=>3333,1,Dial(PJSIP/3333,20)

[default]
exten => 1111,1,Dial(PJSIP/1111,20)
exten => 2222,1,Dial(PJSIP/2222,20)
exten => 3333,1,Dial(PJSIP/3333,20)
{code}

You have configured SDES media encryption in PJSIP, but Blink is not using it. It therefore fails to negotiate. You would need to remove “media_encryption=sdes” or enable SDES in Blink.

Thanks @jcolp
After removing “media_encryption=sdes”, we don’t have the (488 Not Acceptable here) error message.
But now after making the call from Blink_a to Blink_b, or vice-versa, the call doesn’t go through completely (means no ring on reciever) and blink reports DECLINED.

We have below logs on the Asterisk server:

– Executing [1111@default:1] Dial(“PJSIP/2222-00000000”, “PJSIP/1111,20”) in new stack
– Called PJSIP/1111
– Nobody picked up in 20000 ms
– Auto fallthrough, channel ‘PJSIP/2222-00000000’ status is ‘NOANSWER’

You would need to provide an actual SIP trace (pjsip set logger on) to show where the traffic is going and what is happening. As well if NAT is in use then you would need to enable the options[1] for that or else things will not work as you expect.

[1] https://wiki.asterisk.org/wiki/display/AST/Configuring+res_pjsip+to+work+through+NAT