SIP TCP transport issue

Asterisk Asterisk SIP
1

Hello.
I have Asterisk 13.22.00 (on the FreePBX) and use sip trunks to our sip peers with IP authorization instead on by “from field” for incoming calls. There is specific host specified and type is “friend” in the trunk sip settings. When using UDP transport, everything works fine, but if TCP is specified, Asterisk tries peer to be authorized by “from field” with “401 Unauthorized” message. It looks like asterisk doesn’t see that trunk. SIP channel driver is chan_sip.

What can the issue be caused?

2

You should use type=peer, as type=friend allows other people to masquerade as your service provider.

ITSPs never authorise. You should use remotesecret rather than secret, although older cook book approaches use insecure=invite, because remotesecret is a, relatively, recent feature.

Other things to note are that TCP normally requires insecure=port, because different ports are used for each connection.

3

Hello, David, thanks for your reply.
Asterisk operates inside VPN, so there is no masquerade problem. Here is my trunk sip settings:

Blockquote
type=friend
transport=tcp
port=5060
nat=no
insecure=invite,port
host=XXX.XXX.XXX.XXX
disallow=all
context=from-trunk
allow=ulaw&opus&g722&ilbc&h264
Blockquote

There are no “secrets” at all. It’s worth noting, everything worked with these settings before some FreePBX modules were updated. However, FreePBX is only Web GUI above Asterisk funtionality.

4

FreePBX also includes a large amount of dialplan and AGI code, it not a general purpose configurator for Asterisk.

insecure=invite is pointless if you do not have secret.

I’d assume the source IP address is wrong, but you might want to check whether you have type=friend on local devices and the caller ID user part matches a local device name. Most system should have type=peer throughout.

What do the logs aay?

5

Here are completed log and sip debug:

<— SIP read from TCP:YYY.YYY.YYY.YYY:36676 —>
INVITE sip:101055@XXX.XXX.XXX.XXX;transport=TCP SIP/2.0
Via: SIP/2.0/TCP YYY.YYY.YYY.YYY:5060;rport;branch=z9hG4bKPjadb40bdc-7d63-43a6-a1da-0e12e02cc5d6;alias
From: sip:111102@**ZZZ.ZZZ.ZZZ.ZZZ**;tag=453d93d0-8c11-40c7-9a1f-5ffab335ce19
To: sip:101055@XXX.XXX.XXX.XXX
Contact: sip:111102@YYY.YYY.YYY.YYY:5060;transport=TCP
Call-ID: ca10ee4b-f8a1-443e-9ead-f84a5d317b43
CSeq: 30601 INVITE
Allow: OPTIONS, INFO, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Session-Expires: 1800
Min-SE: 90
X-Grandstream-Transport: trunk
Max-Forwards: 70
User-Agent: Grandstream UCM6510V1.4B 1.0.19.21
Content-Type: application/sdp
Content-Length: 250

v=0
o=- 319817067 319817067 IN IP4 YYY.YYY.YYY.YYY
s=Asterisk
c=IN IP4 YYY.YYY.YYY.YYY
t=0 0
m=audio 14942 RTP/AVP 9 0 97 8
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:97 iLBC/8000
a=rtpmap:8 PCMA/8000
a=ptime:20
a=maxptime:30
a=sendrecv

<------------->
> [2019-03-13 12:47:05] VERBOSE[11027] chan_sip.c: — (16 headers 13 lines) —
> [2019-03-13 12:47:05] VERBOSE[11027] chan_sip.c: Sending to YYY.YYY.YYY.YYY:36676 (no NAT)
> [2019-03-13 12:47:05] VERBOSE[11027][C-00000777] chan_sip.c: Sending to YYY.YYY.YYY.YYY:36676 (no NAT)
> [2019-03-13 12:47:05] VERBOSE[11027][C-00000777] chan_sip.c: Using INVITE request as basis request - ca10ee4b-f8a1-443e-9ead-f84a5d317b43
> [2019-03-13 12:47:05] VERBOSE[11027][C-00000777] chan_sip.c: No matching peer for ‘111102’ from ‘YYY.YYY.YYY.YYY:36676’
> [2019-03-13 12:47:05] VERBOSE[11027][C-00000777] chan_sip.c:
<— Reliably Transmitting (no NAT) to YYY.YYY.YYY.YYY:36676 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TCP YYY.YYY.YYY.YYY:5060;branch=z9hG4bKPjadb40bdc-7d63-43a6-a1da-0e12e02cc5d6;alias;received=YYY.YYY.YYY.YYY;rport=36676
From: sip:111102@ZZZ.ZZZ.ZZZ.ZZZ;tag=453d93d0-8c11-40c7-9a1f-5ffab335ce19
To: sip:101055@XXX.XXX.XXX.XXX;tag=as57f683f6
Call-ID: ca10ee4b-f8a1-443e-9ead-f84a5d317b43
CSeq: 30601 INVITE
Server: FPBX-14.0.5.25(13.22.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm=“asterisk”, nonce=“5efd2852”
Content-Length: 0

<------------>
[2019-03-13 12:47:05] VERBOSE[11027][C-00000777] chan_sip.c: Scheduling destruction of SIP dialog ‘ca10ee4b-f8a1-443e-9ead-f84a5d317b43’ in 32000 ms (Method: INVITE)
[2019-03-13 12:47:05] VERBOSE[11027] chan_sip.c:
<— SIP read from TCP:YYY.YYY.YYY.YYY:36676 —>
ACK sip:101055@XXX.XXX.XXX.XXX;transport=TCP SIP/2.0
Via: SIP/2.0/TCP YYY.YYY.YYY.YYY:5060;rport;branch=z9hG4bKPjadb40bdc-7d63-43a6-a1da-0e12e02cc5d6;alias
From: sip:111102@ZZZ.ZZZ.ZZZ.ZZZ;tag=453d93d0-8c11-40c7-9a1f-5ffab335ce19
To: sip:101055@XXX.XXX.XXX.XXX;tag=as57f683f6
Call-ID: ca10ee4b-f8a1-443e-9ead-f84a5d317b43
CSeq: 30601 ACK
Max-Forwards: 70
User-Agent: Grandstream UCM6510V1.4B 1.0.19.21
Content-Length: 0

<------------->
[2019-03-13 12:47:05] VERBOSE[11027] chan_sip.c: — (9 headers 0 lines) —
[2019-03-13 12:47:05] VERBOSE[11027] chan_sip.c:
<— SIP read from TCP:YYY.YYY.YYY.YYY:36676 —>

It might seems IP ZZZ.ZZZ.ZZZ.ZZZ “from field” is wrong, but it works fine with UDP.

Changing from “friend” to “peer” doesn’t solve the issue.
Local phones with authorization and “type=friend” work fine with TCP.

6

The request came from YYY.YYY.YYY.YYY but he host address is XXX.XXX.XXX.XXX.

7

There are two interfaces on sip peer: local - ZZZ and VPN - YYY. Peer operates with YYY through VPN. You mean, “field from” needs to be YYY? Yes, peer inserts into “from” a little incorrect address. But it doesn’t matter with UDP transport.

Furthemore, I have another peer with “right from header” incoming invite requests, but the result is the same. And I don’t know, why.

8

I mean that the source IP address needs to match the host address in sip.conf.

The From header domain part is irrelevant.

9

But it does. IP where invite come from is the same as IP in sip.conf. Does debug say different? Where?

10

<— SIP read from TCP:YYY.YYY.YYY.YYY:36676 —>

11

I’m sorry, I made the mistake in that post :frowning: Real host address in sip.conf is YYY.

12

Unfortunately, the issue hasn’t solved so far. But, it seems the cause has been found. The “insecure=port” stopped work for non-udp after that specific update was implemented in 13.21 Asterisk version:
https://issues.asterisk.org/jira/browse/ASTERISK-27457

And there is the explanation of that issue in the later asterisk release change log, that tried to resolve it:

2018-08-13 08:12 +0000 [2a5d408733] Jaco Kroon <jaco@uls.co.za>

Prior to b2c4e8660a9c89d07041271371151779b7ec75f6 (ASTERISK_27457)
insecure=port was the defacto standard. That commit also prevented
insecure=port from being applied for sip/tcp or sip/tls.

Into consideration there are three sets of behaviour:

1.  "previous" - before the above commit.
2.  "current" - post above commit, pre this one.
3.  "new" - post this commit.

The problem that the above commit tried to address was guests over TCP.
It succeeded in doing that ***but broke transport!=udp with host!=dynamic.***

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13-current

My Asterisk version is 13.22, so it’s between the issue came along and it was solved. But it has been solved in different way than before and on the later Asterisk version I still have the problem with tcp port insecure.