SIP client doesn't register - SIP/2.0 401 Unauthorized

Hi. I have a problem with an Asterisk server behind a firewall with NAT: I can’t register on the server when I use a password (secret). If the secret is blank, it works fine!!! But I’d like to put a secret in extensions.

Scenario

Softphone client IP: 187.99.99.230 (points to 1.2.3.4)
Server public IP: 1.2.3.4 (NAT by router to 172.20.98.116)
Server private IP (real): 172.20.98.116

This is a SIP debug…

<--- SIP read from UDP://187.99.99.230:60486 --->
REGISTER sip:172.20.98.116;transport=UDP SIP/2.0
Via: SIP/2.0/UDP 187.99.99.230:60486;branch=z9hG4bK-524287-1---f1a1a826bcc36628;rport
Max-Forwards: 70
Contact: <sip:1711@187.99.99.230:60486;rinstance=37adb9e185656c7e;transport=UDP>
To: <sip:1711@172.20.98.116;transport=UDP>
From: <sip:1711@172.20.98.116;transport=UDP>;tag=47fb0837
Call-ID: _hwcWJj4wzLLz-3QtOm4ZQ..
CSeq: 1 REGISTER
Expires: 60
User-Agent: Zoiper rv2.8.15
Allow-Events: presence, kpml, talk
Content-Length: 0


<------------->
--- (12 headers 0 lines) ---
Sending to 187.99.99.230 : 60486 (no NAT)

<--- Transmitting (NAT) to 187.99.99.230:60486 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 187.99.99.230:60486;branch=z9hG4bK-524287-1---f1a1a826bcc36628;received=187.99.99.230;rport=60486
From: <sip:1711@172.20.98.116;transport=UDP>;tag=47fb0837
To: <sip:1711@172.20.98.116;transport=UDP>;tag=as39e8fbec
Call-ID: _hwcWJj4wzLLz-3QtOm4ZQ..
CSeq: 1 REGISTER
User-Agent: Asterisk PBX 1.6.0.26-FONCORE-r78
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="4447f018"
Content-Length: 0


<------------>
Scheduling destruction of SIP dialog '_hwcWJj4wzLLz-3QtOm4ZQ..' in 32000 ms (Method: REGISTER)
VOIPLAB*CLI>
<--- SIP read from UDP://187.99.99.230:60486 --->
REGISTER sip:172.20.98.116;transport=UDP SIP/2.0
Via: SIP/2.0/UDP 187.99.99.230:60486;branch=z9hG4bK-524287-1---c09a088df6edf0b2;rport
Max-Forwards: 70
Contact: <sip:1711@187.99.99.230:60486;rinstance=37adb9e185656c7e;transport=UDP>
To: <sip:1711@172.20.98.116;transport=UDP>
From: <sip:1711@172.20.98.116;transport=UDP>;tag=47fb0837
Call-ID: _hwcWJj4wzLLz-3QtOm4ZQ..
CSeq: 2 REGISTER
Expires: 60
User-Agent: Zoiper rv2.8.15
Authorization: Digest username="1711",realm="asterisk",nonce="4447f018",uri="sip:172.20.98.116;transport=UDP",response="62c2b222ea3a3991adb9f6033a42db89",algorithm=MD5
Allow-Events: presence, kpml, talk
Content-Length: 0


<------------->
--- (13 headers 0 lines) ---
Sending to 187.99.99.230 : 60486 (NAT)

<--- Transmitting (NAT) to 187.99.99.230:60486 --->
SIP/2.0 403 Forbidden (Bad auth)
Via: SIP/2.0/UDP 187.99.99.230:60486;branch=z9hG4bK-524287-1---c09a088df6edf0b2;received=187.99.99.230;rport=60486
From: <sip:1711@172.20.98.116;transport=UDP>;tag=47fb0837
To: <sip:1711@172.20.98.116;transport=UDP>;tag=as39e8fbec
Call-ID: _hwcWJj4wzLLz-3QtOm4ZQ..
CSeq: 2 REGISTER
User-Agent: Asterisk PBX 1.6.0.26-FONCORE-r78
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces, timer
Content-Length: 0


<------------>
Scheduling destruction of SIP dialog '_hwcWJj4wzLLz-3QtOm4ZQ..' in 32000 ms (Method: REGISTER)
VOIPLAB*CLI>
VOIPLAB*CLI>
<--- SIP read from UDP://187.99.99.230:60486 --->
REGISTER sip:172.20.98.116;transport=UDP SIP/2.0
Via: SIP/2.0/UDP 187.99.99.230:60486;branch=z9hG4bK-524287-1---979d841d2a4f0c6a;rport
Max-Forwards: 70
Contact: <sip:1711@187.99.99.230:60486;rinstance=74f9b4ef366ab894;transport=UDP>
To: <sip:1711@172.20.98.116;transport=UDP>
From: <sip:1711@172.20.98.116;transport=UDP>;tag=de2ad62b
Call-ID: ZhlAfWmGzeaqqtS6oZP3wQ..
CSeq: 1 REGISTER
Expires: 60
User-Agent: Zoiper rv2.8.15
Allow-Events: presence, kpml, talk
Content-Length: 0

And the file sip_nat.conf

nat=yes
externip=1.2.3.4
localnet=172.20.98.0/255.255.255.0

I hope someone can help me.

Thanks.

401 is normal.

The error is 403 Forbidden (Bad auth)

It means that your password doesn’t match the other information.

Do you have allowguest=yes? If so, you may not even be matching a sip.conf entry.

You don’t have the debug logging (did you screen scrape, rather than use the log files?) that would tell one whether it matched a sip.conf entry.

I didn’t find the log files…

When I put a public IP address (ex: 1.2.3.4) directly on the server's interface, it works. So I think it’s not a password problem…

It seems that it is something with NAT…

Where are the files that you refer to? I looked in /var/log/astersk/… not found.

Thanks

They are normally in /var/log/asterisk (not as you spelled it). If not, you will need to look at your specific configuration, and check you have the right permissions to allow them to be written.

I wrote it wrong…

[asterisk]# ls -la /var/log/asterisk/
total 98064
drwxrwxr-x 4 asterisk asterisk 4096 Nov 7 04:02 .
drwxr-xr-x 14 root root 4096 Nov 7 04:02 ..
drwxrwxr-x 2 asterisk asterisk 4096 Nov 1 04:02 cdr-csv
drwxrwxr-x 2 asterisk asterisk 4096 Jun 8 2010 cdr-custom
-rw-r----- 1 asterisk asterisk 0 Nov 6 04:02 event_log
-rw-rw---- 1 asterisk asterisk 0 Oct 30 04:02 event_log.1
-rw-rw---- 1 asterisk asterisk 0 Oct 23 04:02 event_log.2
-rw-r----- 1 asterisk asterisk 0 Nov 6 04:02 freepbx-bounce_op.log
-rw-rw---- 1 asterisk asterisk 0 Nov 2 18:15 freepbx-bounce_op.log.1
-rw-rw---- 1 asterisk asterisk 0 Oct 23 04:02 freepbx-bounce_op.log.2
-rw-rw---- 1 asterisk asterisk 0 Oct 16 04:02 freepbx-bounce_op.log.3
-rw-rw---- 1 asterisk asterisk 0 Oct 14 08:11 freepbx-bounce_op.log.4
-rw-rw---- 1 asterisk asterisk 0 Oct 2 04:02 freepbx-bounce_op.log.5
-rw-r----- 1 asterisk asterisk 568768 Nov 7 11:53 full
-rw-r----- 1 asterisk asterisk 19266377 Nov 7 04:01 full.1
-rw-r----- 1 asterisk asterisk 1485533 Nov 6 04:02 full.2
-rw-r----- 1 asterisk asterisk 0 Nov 6 04:02 h323_log
-rw-rw---- 1 asterisk asterisk 1374 Nov 2 16:11 h323_log.1
-rw-rw-r-- 1 asterisk asterisk 8561 Dec 18 2012 messages
-rw-r----- 1 asterisk asterisk 120 Nov 7 04:02 queue_log
-rw-rw---- 1 asterisk asterisk 908 Nov 6 04:02 queue_log.1
-rw-rw---- 1 asterisk asterisk 554 Oct 30 04:02 queue_log.2

Nothing happens in any of these files when I try to register…

This is the scenario:

If you have the right logging level and still see nothing, the register isn’t reaching the Asterisk machine.

You should use “sip set debug on” to see all SIP packets that reach the right port on the machine.

In full.log…

[Nov 7 12:02:58] NOTICE[3778] chan_sip.c: Registration from 'sip:1701@172.20.98.116;transport=UDP' failed for '191.129.140.176' - Wrong password

But the password is correct…

Something interesting: when I put a blank password (secret) on an extension on the server, the phone registers regardless of the password placed on it…

Registration is about finding the address, not about authentication, so password checking is not a fundamental requirement for it.

If you get wrong password, the password is either wrong, or it is matching the wrong sip.conf entry.

Or something has modified the packet in between such that the process of calculating the hashed value is thrown off and it is rejected.
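
The last reply's point can be checked offline. The following is an added example, not part of the original posts and not Asterisk code: it recomputes the digest response the way RFC 2617 defines it for a challenge without qop (as in the trace above) and compares it with the captured Authorization header. The secret `example-secret`, the response values and the "rewritten in transit" header are constructed for illustration.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(header):
    """Return the key=value parameters of a Digest Authorization header."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header)
    return {key: quoted or bare for key, quoted, bare in pairs}

def expected_response(method, password, p):
    # RFC 2617 digest without qop, matching the challenge in the trace
    # (algorithm=MD5, realm and nonce only).
    ha1 = md5_hex(f"{p['username']}:{p['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{p['uri']}")
    return md5_hex(f"{ha1}:{p['nonce']}:{ha2}")

def check(method, password, header, challenge_nonce):
    """List the reasons a server-side recomputation would reject the header."""
    p = parse_digest(header)
    problems = []
    if p["nonce"] != challenge_nonce:
        problems.append("nonce differs from the 401 challenge")
    if p["response"].lower() != expected_response(method, password, p):
        problems.append("response does not match password and header fields")
    return problems

# Constructed sample: field values follow the trace, the secret is made up.
PASSWORD = "example-secret"
SENT_URI = "sip:1.2.3.4;transport=UDP"
FIELDS = {"username": "1711", "realm": "asterisk",
          "nonce": "4447f018", "uri": SENT_URI}
RESPONSE = expected_response("REGISTER", PASSWORD, FIELDS)
AS_SENT = ('Authorization: Digest username="1711",realm="asterisk",'
           f'nonce="4447f018",uri="{SENT_URI}",response="{RESPONSE}",'
           'algorithm=MD5')
# Same header after a device in the path rewrote the address inside uri=.
AS_RECEIVED = AS_SENT.replace("1.2.3.4", "172.20.98.116")

if __name__ == "__main__":
    print("as sent:    ", check("REGISTER", PASSWORD, AS_SENT, "4447f018"))
    print("as received:", check("REGISTER", PASSWORD, AS_RECEIVED, "4447f018"))
```

Feeding it the real header from `sip set debug` together with the configured secret shows whether the mismatch comes from the secret itself or from a field that no longer matches what the phone hashed.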