403 error registering to SIP provider

Hi all,

I installed a new FreePBX server on a Raspberry Pi.
FreePBX and Asterisk 20.7.0.

But this new one can’t register. I get error 403 Forbidden fatal response.

In the logs it says: Bad auth, invalid user/password. But I’m 100% sure my username and password are correct. I checked if there is a hidden space or anything.

I contacted my provider and they say everything is fine on their end.

I have and old FreePBX server on an SD card. This one can still register. But it uses chan_SIP. The new one uses PJSIP. But the old server is breaking because of security issues.

My new FreePBX can call outside btw. Only incoming calls are not working.

<--- Transmitting SIP request (769 bytes) to UDP: --->

REGISTER sip:ha.voys.nl:5060 SIP/2.0

Via: SIP/2.0/UDP XXX.XXX.XXX.XXX:5060;rport;branch=a31a9-b11e-46b3-98f3-439736b

From: <sip:[email protected]>;tag=3bfe9f-aedc-45cb-a780

To: <sip:[email protected]>

Call-ID: 811-4e65-9e828a1474

CSeq: 61221 REGISTER

Contact: <sip:[email protected]:5060;line=ylkzd>

Expires: 3600


Max-Forwards: 70

User-Agent: FPBX-

Authorization: Digest username="XXXXXXXXX", realm="voipgrid.nl", nonce="B/1Qju3J4l99rls7NOcOPhBAxJt4zZlEA", uri="sip:ha.voys.nl:5060", response="9dea2567c7363031ce"

Content-Length: 0

<--- Received SIP response (452 bytes) from UDP: --->

SIP/2.0 403 Forbidden

Via: SIP/2.0/UDP XXX.XXX.XXX.XXX:5060;received=XXX.XXX.XXX.XXX;rport=5060;branch=zbKPjc5da31a9-b11e-46b3-98f736b

To: <sip:[email protected]>;tag=d720-ec1f15cc3bc8c3f2fda64a102fe

From: <sip:[email protected]>;tag=3bf83e9f-aed-f6b32fc3d780

Call-ID: 818f2dd0-b6d75328a1474

CSeq: 61221 REGISTER

X-VG-Reason: BadAuth, invalid user/password

Server: VGPXY--OS

Content-Length: 0

[2024-06-07 12:25:16] **WARNING**[1255]: **res_pjsip_outbound_registration.c**:**1383** **handle_registration_response**: 403 Forbidden fatal response received from 'sip:ha.voys.nl:5060' on registration attempt to 'sip:[email protected]:5060', retrying in '30' seconds

Also I found the following in the logs after I did a fwconsole restart:

42184	[2024-06-07 12:27:35] VERBOSE[14614] asterisk.c: Asterisk Ready.	
42185	[2024-06-07 12:27:42] WARNING[14665] res_pjsip_outbound_registration.c: 403 Forbidden fatal response received from 'sip:ha.voys.nl:5060' on registration attempt to 'sip:[email protected]:5060', retrying in '30' seconds	
42186	[2024-06-07 12:28:04] VERBOSE[14665] res_pjsip/pjsip_configuration.c: Endpoint 401 is now Reachable	
42187	[2024-06-07 12:28:04] VERBOSE[14665] res_pjsip/pjsip_options.c: Contact 401/sip:[email protected]:5060 is now Reachable. RTT: 14.782 msec	
42188	[2024-06-07 12:28:11] VERBOSE[14665] res_pjsip/pjsip_configuration.c: Endpoint SIP_Trunk is now Reachable	
42189	[2024-06-07 12:28:11] VERBOSE[14665] res_pjsip/pjsip_options.c: Contact SIP_Trunk/sip:[email protected]:5060 is now Reachable. RTT: 98.568 msec	
42190	[2024-06-07 12:28:12] WARNING[14665] res_pjsip_outbound_registration.c: 403 Forbidden fatal response received from 'sip:ha.voys.nl:5060' on registration attempt to 'sip:[email protected]:5060', retrying in '30' seconds	
42191	[2024-06-07 12:28:20] VERBOSE[14665] res_pjsip/pjsip_configuration.c: Endpoint 409 is now Reachable	
42192	[2024-06-07 12:28:20] VERBOSE[14665] res_pjsip/pjsip_options.c: Contact 409/sip:[email protected]:63657;rinstance=b087907eb0eb648a is now Reachable. RTT: 5.750 msec

Does this mean it briefly connected to the provider?

Thanks in advance for any help.

Kind regards.

The 403 response includes the header:

X-VG-Reason: BadAuth, invalid user/password

Which would make it seem as though there is bad authentication.

As for the output you provided, the “reachable” means that Asterisk got a response from the server. It doesn’t mean the registration worked, or that you can send or receive calls. Just that the server is reachable.

Ok, I fixed the 403 error with help from the provider.

Apparently in the PJSIP settings Registration was set to Send. This is default. And it should be None.

Incoming calls are not working yet, but art least I am one step further.

And thank you for clarifying Reachable. Later I already thought it would mean that, but now I am sure. :slight_smile:

This means you are using IP auth. If so, your chan_sip setup would have no Registration String. Is that correct?

With IP auth, you configure on the provider’s portal the IP address and port where they should send your calls. Check that this matches your public IP.

I assume that the Pi is behind a NAT, so in your router/firewall you must forward the SIP port (from the log you posted, appears to be UDP port 5060) to the LAN address of the PBX.

What, if anything, appears in the Asterisk log on an attempted inbound call? If nothing, what appears in sngrep? If also nothing and your router/firewall has the capability, capture traffic on its WAN interface and see whether an incoming INVITE appears there.

Yes I was using IP auth. Because the documentation of the provider said it is the preferred way. They told me to try to register. This works!
Is IP auth better? Or does it not really matter?

The best option is IP identification, with separate authentication.

What you can actually use depends on the provider.