SIP: (407 Proxy Authentication Required) on incoming calls

Asterisk Asterisk Support
1

I can dial out through two SIP-proxys (fwd and digisip). I can place PSTN-calls through digisip, but i can not receive any calls from PSTN.

My asterisk and all phones are behind the same NAT. Port forwarding to asterisk is setup 5060 + 10000-20000.

When i dial my PSTN-number the following messages (sip debug) appear in asterisk:

Sip read:
INVITE sip:1001@82.182.239.39 SIP/2.0
Record-Route: sip:0906991236@82.209.165.194;ftag=4AF505AC-20B;lr=on
Via: SIP/2.0/UDP 82.209.165.194;branch=z9hG4bKbcb8.71cc50d6.0
Via: SIP/2.0/UDP 83.233.28.2:5060;branch=z9hG4bK18FDB2014
From: sip:90125167@83.233.28.2;tag=4AF505AC-20B
To: sip:0906991236@82.209.165.194
Date: Tue, 12 Apr 2005 21:31:59 GMT
Call-ID: 233771BC-AAD111D9-9223D8D5-CC749B48@83.233.28.2
Supported: 100rel,timer
Min-SE: 1800
Cisco-Guid: 590796028-2865828313-2230059022-944155880
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, COMET, REFER,
SUBSCRIBE, NOTIFY, INFO, UPDATE, REGISTER
CSeq: 101 INVITE
Max-Forwards: 69
Remote-Party-ID: sip:90125167@83.233.28.2;party=calling;screen=yes;privacy=off
Timestamp: 1113341519
Contact: sip:90125167@83.233.28.2:5060
Expires: 180
Allow-Events: telephone-event
Content-Type: application/sdp
Content-Length: 323
P-hint: USRLOC

v=0
o=CiscoSystemsSIP-GW-UserAgent 5033 7810 IN IP4 83.233.28.2
s=SIP Call
c=IN IP4 83.233.28.2
t=0 0
m=audio 17264 RTP/AVP 0 4 18 101
c=IN IP4 83.233.28.2
a=rtpmap:0 PCMU/8000
a=rtpmap:4 G723/8000
a=fmtp:4 annexa=no
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16

23 headers, 14 lines
Using latest request as basis request
Sending to 82.209.165.194 : 5060 (NAT)
Found peer 'digisip’
Reliably Transmitting (no NAT):
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 82.209.165.194;branch=z9hG4bKbcb8.71cc50d6.0
Via: SIP/2.0/UDP 83.233.28.2:5060;branch=z9hG4bK18FDB2014
From: sip:90125167@83.233.28.2;tag=4AF505AC-20B
To: sip:0906991236@82.209.165.194;tag=as3ff7cdb8
Call-ID: 233771BC-AAD111D9-9223D8D5-CC749B48@83.233.28.2
CSeq: 101 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Contact: sip:1001@82.182.239.39
Proxy-Authenticate: Digest realm=“asterisk”, nonce="6a428e2f"
Content-Length: 0

to 82.209.165.194:5060
Scheduling destruction of call
’233771BC-AAD111D9-9223D8D5-CC749B48@83.233.28.2’ in 15000 ms
bamse*CLI> reload

Sip read:
ACK sip:1001@82.182.239.39 SIP/2.0
Via: SIP/2.0/UDP 82.209.165.194;branch=z9hG4bKbcb8.71cc50d6.0
From: sip:90125167@83.233.28.2;tag=4AF505AC-20B
Call-ID: 233771BC-AAD111D9-9223D8D5-CC749B48@83.233.28.2
To: sip:0906991236@82.209.165.194;tag=as3ff7cdb8
CSeq: 101 ACK
User-Agent: Sip EXpress router(0.8.12 (i386/linux))
Content-Length: 0

extensions.conf:
[general]

static=yes
writeprotect=yes

[globals]

FWDUSERID=******
FWDUSERNAME=Jan Eriksson

PHONE1=SIP/2000
PHONE1VM=2100

FWDEXTEN=1000
DIGISIPEXTEN=1001

[genral] Just saw this typo, does it matter?
include => from-sip
include => intern

[intern]

exten => _7.,1,SetCIDNum(${FWDUSERID})
exten => _7.,2,SetCIDName(${FWDUSERNAME})
exten => _7.,3,Dial(SIP/${EXTEN:1}@fwd)
exten => _7.,4,Playback(invalid)
exten => _7.,5,Hangup

exten => _0.,1,SetCallerID(**********)
exten => _0.,2,SetCIDName(Jan Eriksson)
exten => _0.,3,Dial(SIP/${EXTEN}@digisip,120,W)
exten => _0.,4,Congestion
exten => _0.,5,Hangup
exten => _0.,102,Busy
exten => t,105,Hangup

[from-sip]

exten => ${FWDEXTEN},1,Dial(${PHONE1},30)
exten => ${FWDEXTEN},2,Voicemail(u${PHONE1VM})
exten => ${FWDEXTEN},3,Hangup
;exten => ${FWDEXTEN},102,Voicemail(b${PHONE1VM})
;exten => ${FWDEXTEN},103,Hangup

exten => ${DIGISIPEXTEN},1,Dial(${PHONE1},30,tr)
exten => ${DIGISIPEXTEN},2,Voicemail(u${PHONE1VM})
exten => ${DIGISIPEXTEN},3,Hangup
exten => ${DIGISIPEXTEN},102,Voicemail(b${PHONE1VM})
exten => ${DIGISIPEXTEN},103,Hangup

parts of sip.conf----

disallow=all ; First disallow all codecs
allow=ulaw ; Allow codecs in order of preference
allow=alaw
;allow=G726
;allow=gsm
;allow=ilbc ; Note: codec order is respected only in [general]
;musicclass=default ; Sets the default music on hold class for all SIP calls
; This may also be set for individual users/peers
language=se ; Default language setting for all users/peers
; This may also be set for individual users/peers
;relaxdtmf=yes ; Relax dtmf handling
;rtptimeout=60 ; Terminate call if 60 seconds of no RTP activity
; when we’re not on hold
;rtpholdtimeout=300 ; Terminate call if 300 seconds of no RTP activity
; when we’re on hold (must be > rtptimeout)
;trustrpid = no ; If Remote-Party-ID should be trusted
;progressinband=no ; If we should generate in-band ringing always
useragent=Asterisk PBX ; Allows you to change the user agent string
nat=yes ; NAT settings
; yes = Always ignore info and assume NAT
; no = Use NAT mode only according to RFC3581
; never = Never attempt NAT mode or RFC3581 support
; route = Assume NAT, don’t send rport (work around more UNIDEN bugs)
canreinvite=no
insecure=very
;promiscredir = no

register => :secret@fwd.pulver.com/1000
register => 090:secret:12**@proxy.digisip.net/1001

search => e164.org
search => e164.arpa

externip = 82.182.***.*** ; Address that we’re going to put in outbound SIP messages
localnet=192.168.0.0/255.255.255.0; All RFC 1918 addresses are local networks

context=from-sip
nat=yes
insecure=very
canreinvite=no
dtmfmode=rfc2833
;language=se

[fwd]
type=friend
secret=*****
username=******
host=fwd.pulver.com

[digisip]
type=friend
secret=*******
username=*****
fromuser=090******
fromdomain=proxy.digisip.net
host=proxy.digisip.net

[2000]
type=friend
username=janne
secret=*****
host=dynamic
context=intern
dtmfmode=rfc2833 ; Choices are inband, rfc2833, or info
defaultip=192.168.0.11
mailbox=2100 ; Mailbox for message waiting indicator

Any help would be appreciated!

/janne

2

Try adding the lines below to your sip.conf for digisip

insecure=very
permit=82.209.165.192/29

3

The “permit=82.209.165.192/29” did the trick! Many thanks :smile:

4

Hello !

I have the same problem, can’t accept inbound call. I have a cisco ATA188, and a sip subscription at a sip-provider. When I configure the ATA188 the inbound call works well, but when I configure the Asterisk I just hear a busy tone and I see 407 Proxy Authentication Required message. There is no NAT at all. The Asterisk runs on an OpenWRT.

This is the Asterisk config:

----------sip.conf----------

[general]
context=incoming
port=5060
bindaddr=0.0.0.0
srvlookup=yes
defaultexpirey=3600
disallow=all
allow=alaw

register => 736xxxx:password123@sip-proxy.xx.xxx

[ata188]
type=friend
username=ata188
secret=123
qualify=yes
host=dynamic
canreinvite=no
context=incoming
disallow=all
allow=alaw

[sip-provider]
type=friend
host=sip-proxy.xx.xxx
username=736xxxx
fromuser=736xxxx
secret=password123
context=incoming
canreinvite=no
disallow=all
allow=alaw

----------extensions.conf----------

[general]

static=yes
writeprotect=no

[globals]

[incoming]
exten => s,1,Answer()
exten => s,2,Dial(SIP/ata188,r)
exten => s,3,Hangup()
exten => 101,1,Dial(SIP/ata188,r)

----------rtp.conf----------

[general]
rtpstart=10000
rtpend=20000

----------firewall----------

iptables -A input_rule -i $WAN -p udp --dport 5060 -j ACCEPT
iptables -A input_rule -i $WAN -p udp --dport 10000:20000 -j ACCEPT

This is the debug message:

Sip read:
INVITE sip:736xxxx@212.133.188.xxx SIP/2.0
From: sip:570xxxxx@84.122.x.140;tag=1173452113-5495991174001712-11
To: sip:736xxxx@212.133.188.xxx;user=phone
Via: SIP/2.0/UDP 84.122.x.140:5060;branch=z9hG4bKSNCLLC1174001752
CSeq: 3706686 INVITE
Contact: sip:570xxxxx@84.122.x.140:5060
Call-ID: 3112543711-5919458031004711-11-7578168912
Max-Forwards: 70
Supported: timer
Session-Expires: 1800;refresher=uac
Min-SE: 1800
Allow: REGISTER, INVITE, ACK, BYE, CANCEL, NOTIFY, REFER
Accept-Language: en; q=0.0
Content-Type: application/sdp
Content-Length: 122

v=0
o=- 0 0 IN IP4 84.122.x.4
s=-
c=IN IP4 84.122.x.4
t=0 0
a=silenceSupp:OFF
a=ecan:ON
m=audio 54128 RTP/AVP 8

15 headers, 8 lines
Using latest request as basis request
Sending to 84.122.x.140 : 5060 (non-NAT)
Found peer 'sip-provider’
Reliably Transmitting (no NAT):
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 84.122.x.140:5060;branch=z9hG4bKSNCLLC1174001752
From: sip:570xxxxx@84.122.x.140;tag=1173452113-5495991174001712-11
To: sip:736xxxx@212.133.188.xxx;user=phone;tag=as13d92dac
Call-ID: 3112543711-5919458031004711-11-7578168912
CSeq: 3706686 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Contact: sip:736xxxx@212.133.188.xxx
Proxy-Authenticate: Digest realm=“asterisk”, nonce="3a219cbc"
Content-Length: 0

to 80.99.253.140:5060
Scheduling destruction of call ‘3112543711-5919458031004711-11-7578168912’ in 15000 ms

Sip read:
ACK sip:736xxxx@212.133.188.xxx:5060 SIP/2.0
From: sip:570xxxxx@84.122.x.140;tag=1173452113-5495991174001712-11
To: sip:736xxxx@212.133.188.xxx;user=phone;tag=as13d92dac
Via: SIP/2.0/UDP 84.122.x.140:5060;branch=z9hG4bKSNCLLC1174001752
Max-Forwards: 70
CSeq: 3706686 ACK
Call-ID: 3112543711-5919458031004711-11-7578168912
Contact: sip:570xxxxx@84.122.x.140:5060
Content-Length: 0

9 headers, 0 lines

If I add the insecure=very to the [sip-provider] section as you suggested I get this message instead the SIP/2.0 407 Proxy Authentication Required:

Looking for 36411359 in incoming
Reliably Transmitting (no NAT):
SIP/2.0 404 Not Found

Thank you!!

5

[quote=“zmanea”]Try adding the lines below to your sip.conf for digisip

insecure=very
permit=82.209.165.192/29[/quote]

Life saver :exclamation: