PJSIP trunks with correct IP exist, yet rejected

I am testing a new Twilio trunk on FreePBX 13.0.188 (Asterisk 13). These are non-registering trunks (IP-security, no username/secret required).

I’ve set up each of Twilio’s four servers as PJSIP trunks (54.172.60.0 to 54.172.60.3).

If I enable Anonymous SIP, I can receive calls from these trunks. If I disable Anonymous SIP, the calls will be rejected, which suggests I don’t have the IPs added. However, the IPs being rejected are the same IPs I have set up in PJSIP trunk hosts.

Here’s an example log entry:

[2016-09-22 05:23:06] VERBOSE[3444][C-00000001] pbx.c: Executing [s@from-sip-external:6] Log("SIP/bryan.pstn.twilio.com-00000001", "WARNING,"Rejecting unknown SIP connection from 54.172.60.2"") in new stack
[2016-09-22 05:23:06] WARNING[3444][C-00000001] Ext. s: "Rejecting unknown SIP connection from 54.172.60.2"

I’ve searched the forums, but every person that’s had this issue in the past has been an obvious case of not properly adding the IPs. I can’t find anyone with this issue.

Thank you in advance for any ideas!

PS - I don’t know what I’m doing wrong lately, but every image I attempt to upload is not being served back. It works for about 5 seconds after I post, then it’s gone. I’ve tried PNG/JPG and different sizes … is there something I’m doing wrong?

When did PJ-SIP start supporting IP-based security? I thought someone would have made an announcement about that, since it is the number 1 problem I have with PJ-SIP being the default. Heck, if it does, I’ll start using it.

I may have explained poorly. PJ-SIP is not providing any sort of security in this case.

The SIP Trunk Provider (Twilio) is using IP-based security to provide the SIP-trunk, and my SIP-trunks don’t require a registration (which is an option under PJ-SIP and fixed some time ago).

The question is why Asterisk is rejecting inbound SIP calls from IPs that are set up in my IP trunk list.

Thank you in advance!

No. I understood exactly what you said.

PJ-SIP (unless something has changed in the past few weeks) DOES NOT SUPPORT IP BASED AUTHENTICATION for inbound connections. Some time ago would have to have been in the past five or six months. When I was trying to do this with VoIP Innovations last spring, it did not work. They advised me to use Chan-SIP.

Now, of course, something could have changed, but as far as I know, you have to use Chan-SIP for IP-Based authentication in Asterisk.

@cynjut - Thank you for clarifying.

Yes, based on my understanding, about two weeks ago @tm1000 stated that v13 now allows no-authentication in this post (final mention towards bottom):

I may be misunderstanding that post, though – because based on your suggestion, switching to SIP from PJ-SIP did solve my problem.

Does anyone have any official word on whether PJ-SIP will allow no-authentication (empty user/secret) and if not, whether it’s something we’ll see in v14?

Thanks again for the insight!

Remember that PJ-SIP is an underlying Asterisk function, so the FreePBX team has almost no control and only a little more visibility into it than we do.

For others that stumble on this thread when running into the same issue…

If I’m interpreting you correctly:

When @tm1000 wrote that the empty authentication is now supported, he was only referring to the UI side of things (FreePBX). Yet it remains unsupported in Asterisk.


Was there any solution found to this? I’m using FreePBX with an AT&T CUCM pjsip connection and I’m having the same issue: the IP address is correct in the trunk, yet it keeps rejecting it as an unknown IP. The only way to make it work is to enable Anonymous SIP connections.

That should work.
Do you have an identify section for your trunk endpoint in pjsip.identify.conf and an IP address value for the match= parameter there?

That’s the IP address that you expect calls to come from for that trunk.

Or are you using inbound registration?
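
One way to run the check asked about in the last reply, that is, whether a rejected source address is actually covered by a match= value in a type=identify section. This is an added example, not part of the original thread; the section and endpoint names and the sample config are constructed, and hostname values in match= are skipped rather than resolved.

```python
import ipaddress
import re

# Constructed pjsip.identify.conf sample (hypothetical names); .2 is missing.
SAMPLE_CONF = """\
[twilio-a]
type=identify
endpoint=twilio-a
match=54.172.60.0,54.172.60.1

[twilio-b]
type=identify
endpoint=twilio-b
match=54.172.60.3/32  ; CIDR form
"""

# Constructed log line in the format quoted in the first post.
SAMPLE_LOG = ('[2016-09-22 05:23:06] WARNING[3444][C-00000001] Ext. s: '
              '"Rejecting unknown SIP connection from 54.172.60.2"\n')

REJECT_RE = re.compile(r"Rejecting unknown SIP connection from ((?:\d{1,3}\.){3}\d{1,3})")


def identify_networks(conf_text):
    """Networks listed in match= lines of every type=identify section."""
    sections, cur = [], None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if line.startswith("["):
            cur = {"type": "", "match": []}
            sections.append(cur)
        elif cur is not None and "=" in line:
            key, value = (p.strip(" >") for p in line.split("=", 1))
            if key == "type":
                cur["type"] = value
            elif key == "match":
                cur["match"] += value.split(",")
    nets = []
    for m in (m for s in sections if s["type"] == "identify" for m in s["match"]):
        try:
            nets.append(ipaddress.ip_network(m.strip(), strict=False))
        except ValueError:
            pass                                  # hostname: not resolved here
    return nets


def uncovered_sources(conf_text, log_text):
    """Rejected source IPs that no identify section's match= covers."""
    nets = identify_networks(conf_text)
    rejected = {ipaddress.ip_address(ip) for ip in REJECT_RE.findall(log_text)}
    return sorted(str(ip) for ip in rejected if not any(ip in n for n in nets))
```

An empty result from uncovered_sources means every rejected address already has an identify match, so the cause lies elsewhere than a missing IP.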