SIP 401 in response to auth challenge response

Asterisk Asterisk SIP
1

Hello. When I send an INVITE request from user 7003, I’m challenged with 401 Unauthorized. In response, I re-send the INVITE request with an Authorization header included. The response seems to be calculated correctly (I’ve re-computed), but I’m met with another 401 Unauthorized including a new nonce. I’m not sure what I’m missing. Must be something else in the headers perhaps? Oddly enough, registration, implemented in a similar manner, works OK.

Appreciate any insight.

These are the requests:

<--- SIP read from UDP:192.168.1.31:50348 --->
INVITE sip:7002@192.168.1.8 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.31:50348;branch=z9hG4bKMD18iuFpu7DmWoi1apKgWLD
Max-Forwards: 70
From: <sip:7003@192.168.1.8>;tag=pt7m1kUWm0FY91ICyksBJxZZSMrvga
To: <sip:7002@192.168.1.8>
Call-ID: KyTrpAVo8VJE7eIJGZsB0XjaYHwN7w
CSeq: 1958465712 INVITE
Contact: <sip:7003@192.168.1.31:50348>
Supported: 100rel, timer
Min-SE: 90
Content-Type: application/sdp
Content-Length: 185

v=0
o=- 3946228169 3946228169 IN IP4 192.168.1.31
s=pjmedia
t=0 0
a=X-nat:0
m=audio 4000 RTP/AVP 0
c=IN IP4 192.168.1.31
a=rtcp:4001 IN IP4 192.168.1.31
a=sendrecv
a=rtpmap:0 PCMU/8000
<------------->
--- (12 headers 10 lines) ---
Sending to 192.168.1.31:50348 (NAT)
Sending to 192.168.1.31:50348 (NAT)
Using INVITE request as basis request - KyTrpAVo8VJE7eIJGZsB0XjaYHwN7w
Found peer '7003' for '7003' from 192.168.1.31:50348

<--- Reliably Transmitting (NAT) to 192.168.1.31:50348 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.31:50348;branch=z9hG4bKMD18iuFpu7DmWoi1apKgWLD;received=192.168.1.31;rport=50348
From: <sip:7003@192.168.1.8>;tag=pt7m1kUWm0FY91ICyksBJxZZSMrvga
To: <sip:7002@192.168.1.8>;tag=as3aa1461d
Call-ID: KyTrpAVo8VJE7eIJGZsB0XjaYHwN7w
CSeq: 1958465712 INVITE
Server: Asterisk PBX 16.2.1~dfsg-2ubuntu1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="2f7fad15"
Content-Length: 0


<------------>
Scheduling destruction of SIP dialog 'KyTrpAVo8VJE7eIJGZsB0XjaYHwN7w' in 32000 ms (Method: INVITE)

<--- SIP read from UDP:192.168.1.31:50348 --->
ACK sip:7002@192.168.1.8 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.31:50348;branch=z9hG4bKMD18iuFpu7DmWoi1apKgWLD
From: <sip:7003@192.168.1.8>;tag=pt7m1kUWm0FY91ICyksBJxZZSMrvga
To: <sip:7002@192.168.1.8>;tag=as3aa1461d
Call-ID: KyTrpAVo8VJE7eIJGZsB0XjaYHwN7w
CSeq: 1958465712 ACK
Content-Length: 0

<------------->
--- (7 headers 0 lines) ---

<--- SIP read from UDP:192.168.1.31:50348 --->
INVITE sip:7002@192.168.1.8 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.31:50348;branch=z9hG4bKn426mgNDFsyR0LGReHwOxTN
Max-Forwards: 70
From: <sip:7003@192.168.1.8>;tag=pt7m1kUWm0FY91ICyksBJxZZSMrvga
To: <sip:7002@192.168.1.8>
Call-ID: KyTrpAVo8VJE7eIJGZsB0XjaYHwN7w
CSeq: 1958465712 INVITE
Contact: <sip:7003@192.168.1.31:50348>
Supported: 100rel, timer
Min-SE: 90
Content-Type: application/sdp
Authorization: Digest username="7003", realm="asterisk", nonce="2f7fad15", uri="sip:7002@192.168.1.8", response="656de7cb3c2f45045c9582ee824a704d"
Content-Length: 185

v=0
o=- 3946228169 3946228169 IN IP4 192.168.1.31
s=pjmedia
t=0 0
a=X-nat:0
m=audio 4000 RTP/AVP 0
c=IN IP4 192.168.1.31
a=rtcp:4001 IN IP4 192.168.1.31
a=sendrecv
a=rtpmap:0 PCMU/8000

<------------->
--- (13 headers 10 lines) ---
Sending to 192.168.1.31:50348 (NAT)
Sending to 192.168.1.31:50348 (NAT)
Using INVITE request as basis request - KyTrpAVo8VJE7eIJGZsB0XjaYHwN7w
Found peer '7003' for '7003' from 192.168.1.31:50348

<--- Reliably Transmitting (NAT) to 192.168.1.31:50348 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.31:50348;branch=z9hG4bKn426mgNDFsyR0LGReHwOxTN;received=192.168.1.31;rport=50348
From: <sip:7003@192.168.1.8>;tag=pt7m1kUWm0FY91ICyksBJxZZSMrvga
To: <sip:7002@192.168.1.8>;tag=as1e9211c0
Call-ID: KyTrpAVo8VJE7eIJGZsB0XjaYHwN7w
CSeq: 1958465712 INVITE
Server: Asterisk PBX 16.2.1~dfsg-2ubuntu1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="0b413c31"
Content-Length: 0

This is my asterisk config:

[general]
context=internal
allowguest=no
allowoverlap=no
bindport=5060
bindaddr=0.0.0.0
srvlookup=no
disallow=all
allow=ulaw
alwaysauthreject=yes
canreinvite=no
nat=yes
session-timers=refuse
localnet=192.168.1.0/255.255.255.0

[7001]
type=friend
host=dynamic
secret=7001
context=internal

[7002]
type=friend
host=dynamic
secret=7002
context=internal

[7003]
type=friend
host=dynamic
secret=7003
context=internal

I’m able to REGISTER the peer without any issues:

<--- SIP read from UDP:192.168.1.31:46247 --->
REGISTER sip:192.168.1.8 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.31:46247;branch=z9hG4bKyzGtxKIYYMKVZzxx2XkSswU
From: <sip:7003@192.168.1.8>;tag=AfUoI4Qg8JaWXJthXKlunHLfXIAtrU
To: <sip:7003@192.168.1.8>
Call-ID: idBIscltrZYEno0kaRy7hCqHNQGfpb
CSeq: 882319620 REGISTER
Expires: 30
Contact: <sip:7003@192.168.1.31:46247>
Content-Length: 0

<------------->
--- (9 headers 0 lines) ---
Sending to 192.168.1.31:46247 (NAT)
Sending to 192.168.1.31:46247 (NAT)

<--- Transmitting (NAT) to 192.168.1.31:46247 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.31:46247;branch=z9hG4bKyzGtxKIYYMKVZzxx2XkSswU;received=192.168.1.31;rport=46247
From: <sip:7003@192.168.1.8>;tag=AfUoI4Qg8JaWXJthXKlunHLfXIAtrU
To: <sip:7003@192.168.1.8>;tag=as5ecf5f73
Call-ID: idBIscltrZYEno0kaRy7hCqHNQGfpb
CSeq: 882319620 REGISTER
Server: Asterisk PBX 16.2.1~dfsg-2ubuntu1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="3b7bf6bf"
Content-Length: 0


<------------>
Scheduling destruction of SIP dialog 'idBIscltrZYEno0kaRy7hCqHNQGfpb' in 32000 ms (Method: REGISTER)

<--- SIP read from UDP:192.168.1.31:46247 --->
REGISTER sip:192.168.1.8 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.31:46247;branch=z9hG4bKXb6IbnzMJnKetF7avEDE7B1
From: <sip:7003@192.168.1.8>;tag=AfUoI4Qg8JaWXJthXKlunHLfXIAtrU
To: <sip:7003@192.168.1.8>
Call-ID: idBIscltrZYEno0kaRy7hCqHNQGfpb
CSeq: 882319621 REGISTER
Expires: 30
Contact: <sip:7003@192.168.1.31:46247>
Authorization: Digest username="7003", realm="asterisk", nonce="3b7bf6bf", uri="sip:192.168.1.8", response="42a412714fab924ed1a84ce90766c732"
Content-Length: 0

<------------->
--- (10 headers 0 lines) ---
Sending to 192.168.1.31:46247 (NAT)

<--- Transmitting (NAT) to 192.168.1.31:46247 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.31:46247;branch=z9hG4bKXb6IbnzMJnKetF7avEDE7B1;received=192.168.1.31;rport=46247
From: <sip:7003@192.168.1.8>;tag=AfUoI4Qg8JaWXJthXKlunHLfXIAtrU
To: <sip:7003@192.168.1.8>;tag=as5ecf5f73
Call-ID: idBIscltrZYEno0kaRy7hCqHNQGfpb
CSeq: 882319621 REGISTER
Server: Asterisk PBX 16.2.1~dfsg-2ubuntu1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces
Expires: 60
Contact: <sip:7003@192.168.1.31:46247>;expires=60
Date: Wed, 22 Jan 2025 22:46:50 GMT
Content-Length: 0


<------------>
2

The normal reason for this would be that the nonce expired before the response was received.

Note that chan_sip is no longer supported. Nor is Asterisk 16, and if you have reasons why you must stick with Asterisk 16, you should be using 16.30.1. Asterisk 16.2.1 is almost 6 years old.

3

I’ve upgraded to Asterisk 20.

How would I verify nonce expiration is the reason of this response? Can’t seem to find the right logs.

4

I’d search the source code for a log message about expired nonces, and then make sure the logging level was sufficient to catch it.