Clean install, SIP connections 403 Forbidden

I had been having trouble getting my SIP connections to persist for more than a few seconds following a restart. I was pursuing this in another call ([freePBX trunk to inbound route works - for about 20 seconds only]
I thought I’d attempt a real basic “Hello World” type install / config in order to isolate the problem.

All starts ok.
Chan_Sip_Info shows:
1 SIP registrations.

which seems ok.

All I want to do is see Asterisk / PBX pickup a call and do something with it. I don’t care what. I thought the simplest of “Hello World” tests would be to do a Text to Speech announcement or maybe forward to a misc destination.

I can’t get Asterisk to pick up anything.
sngrep shows:│Via: SIP/2.0/UDP;branch=z9hG4bK742fbcb1;received=;rport=5060
──────────┬───────── ──────────┬─────────│From: “07951408???” sip:07951408???@;tag=VF5e4104d5faa3ffeb1cdb7c929e8f
│ INVITE (SDP) │ │To: sip:30210???@79.69.61.???:5160;tag=as31f9e7cc
22:53:21.978033 │ ──────────────────────────> │ │Call-ID: [email protected]
+0.026518 │ 403 Forbidden │ │CSeq: 102 INVITE
22:53:22.004551 │ <────────────────────────── │ │Server: FPBX-
22:53:22.025364 │ ──────────────────────────> │ │Supported: replaces, timer
+0.003228 │ CANCEL │ │Content-Length: 0
22:53:22.028592 │ ──────────────────────────> │ │
+0.000486 │ 481 Call leg/transaction d │ │
22:53:22.029078 │ <────────────────────────── │ │

So the connection is being “forbidden”. I thought I’d hide some IP/account/password info with “???” just in case! Is this paranoia!

I’m hoping as this is a real basic install that I’ve done nothing to mess with, we can solve this one quickly so I might proceed (cautiously) building on what’s gone before. Unfortunately I’m falling at the first hurdle!

I really thought I could just specify a trunk, specify the SIP settings and then handle the Inbound route accordingly.

External calls to the DID receive an immediate not here -> voicemail message.

I’ve configured everything through the GUI. No editing of conf files.

and against the INCOMING PEER I just have the REGISTER STRING as

REGISTER and NOTIFY calls seem to be made ok - it’s the INVITE which is “forbidden”.

Please help! Between the other call and this I’ve spent over a week on this and not really got anywhere.

VOIP services are from voipfone ( and I’ve tried to use the settings in SIP that they document for freePBX

sngrep shows

It seems to register ok as Chan_Sip Registry says
1 SIP regsitration

On previous installs I’ve messed around in the conf files to the point I really haven’t had a clue what I’d changed and what I hadn’t. In this case, this is a clean install where I’m happy to change anything to get FreePBX talking to my SIP provider correctly.

My network is windows host with a Linux guest, running Asterisk. Guest virtual machine has 2 virtual network cards. One bridged to the host (for external DNS / IP) and one as Host Only so the host can provide a local IP address and communicate. Seems to be fine in that everything can talk to everything… but not from freepbx to Voipfone it seems!

I would LOVE some help. I’ve been on this pretty much full time for a week and have got nowhere but in a complete jumble.


What, if anything, appears in the Asterisk log (/var/log/asterisk/full) on a failing incoming call?

Where was your packet capture done (on the FreePBX VM, on the Windows host, somewhere else)?

Do outgoing calls work? If not, what goes wrong?

Thanks Stewart,

I did an fwconsole restart. Nothing too weird in the full log (I reckon anyways). Here’s all the WARNINGS and ERRORS.

[2019-04-01 18:45:56] WARNING[25564] res_hep_rtcp.c: res_hep is not loaded or running; declining module load
[2019-04-01 18:45:56] NOTICE[25564] pbx_ael.c: File /etc/asterisk/extensions.ael not found; AEL declining load
[2019-04-01 18:45:56] ERROR[25564] pbx_dundi.c: Unable to load config dundi.conf
[2019-04-01 18:45:56] WARNING[25564] app_voicemail.c: maxsilence should be less than minsecs or you may get empty messages
[2019-04-01 18:45:56] WARNING[25564] app_flite.c: Flite: Unable to read config file flite.conf. Using default settings
[2019-04-01 18:45:56] NOTICE[25564] func_odbc.c: Unable to load config for func_odbc: func_odbc.conf

Placing an incoming call (goes straight to voicemail in error) results in
[2019-04-01 18:49:26] ERROR[25619][C-00000000] rtp_engine.c: No RTP engine was found. Do you have one loaded?
[2019-04-01 18:49:26] NOTICE[25619][C-00000000] chan_sip.c: Failed to authenticate device “07951408???” <sip:07951408???@46.31.231.???>;tag=VF25f1c4cf891284fdd3b77cee263e

Because of the “RTP engine not found” error I checked that pbx was activated and all updates applied. They were.

The sngrep packet capture was done on the FreePBX VM yes.

Outgoing calls are fine… well… I’m not sure I’m testing properly… If I run a softphone on the host machine… I can dial out. My test number is 111 which is NHS DIRECT and that gets me straight through. Can’t see how I could do a better test i.e. direct from Asterisk?

Hoping for your continued support.


Wow - I looked into that error (ironically that has not been the error I’ve been seeing most of the time) and another support note advised setting the sip_channel_driver to BOTH. I think that is the default but for some reason I’d changed it to chan_sip only.

Had to reboot the pbx server but then… as if by magic … no nasty logs, call gets diverted…

Very very happy.

Will do a few more checks but hopefully this is the last you will hear from me.

Thank you!!!

Well… that IS confusing!!!

Like I said… the destination for these calls is not important… I simply wanted to get PBX to redirect them to somewhere.

I had two possible test routes. One was to the “MISCELLANEOUS DESTINATION” “NHS” which is simply the number 111. This seemed the simplest of tests.
The other destination I set up was to “Hello It’s Lenny” sound files. This was a custom destination [Lenny} which as I couldn’t get the NHS 111 to work… well… .seemed a while off.

What I am seeing now is that the call IS re-routed but it’s routed to Lenny. Lenny answers… even though the inbound route is clearly set to direct to NHS 111

where NHS is very simply an external dial to 111

I have no clue where the Lenny custom destination is being called from. I’m wondering if this fundamental gap in my knowledge has been the root of all my problems. How is the inbound call being routed to Lenny?

Hope you enjoy the weirdness of this one?

Possibly, the route isn’t matching and you’re hitting a default route.
More likely, maybe the misc destination isn’t working right, because the internal code for Lenny conflicts with 111. Try pointing the route to Feature Code Admin, Echo Test and see if that works correctly. If that also fails, post a log of the call.

That Echo Test is just the sort of thing I’ve been looking for thanks.

The destination switches reliably between Echo Test and Lenny. Not sure what’s wrong with my NHS 111 test number but I don’t care - I never want to dial out to a misc destination like that anyway.

Phew - the learning continues but thank you so much for helping me over what was a ridiculously time consuming hurdle.


I was tempted to open a new topic but…

I’ve found that the trunk / inbound destination routes reliably for a few hours and then… nothing… calls start going to the internal number, ringing out and then voicemail.

Weirdly the full log only shows
[2019-04-03 04:02:01] Asterisk 13.22.0 built by mockbuild @ jenkins7 on a x86_64 running Linux on 2018-07-25 22:30:39 UTC
[2019-04-03 04:02:01] VERBOSE[21561] logger.c: Asterisk Queue Logger restarted
[2019-04-03 04:02:01] VERBOSE[21561] asterisk.c: Remote UNIX connection disconnected

which implies things stopped working at 4:02am this morning - which matches my experience i.e. worked last night, didn’t work this morning.

I haven’t managed to see a pattern yet… but I’d say it’s happened every day for 3 days, each time following several hours of functioning correctly.

I’ll open a new thread if advised to do so but it may well be connected with previous problems and I would appreciate you carrying on the journey with me!


… to be clear… the full log only contains those 3 lines. Nothing else. That points I guess to something having been restarted which has re-initialised the full log.

I’ve done an fwconsole restart. All is fine again - but I expect only for a few hours. Will monitor.

They aren’t behind NAT or shouldn’t be. If they are they suck. Also insecure=very is not a valid setting in current versions. Have you tried insecure=invite,port

Thanks for giving me something to try.

I’ve set those. Nothing broken. Will monitor to see if it will fix the “dropping after a few hours” problem.

I’ve also realised the full log is cleared out daily - doh! That explains why it only had 3 lines in this morning. I can see previous days logs backed up in /var/log/spool/full-[date]


I’d be concerned about this part.

There’s nothing in the system (except for logrotate) that would cause the full log to clear. One thing that will do this is “nefarious” activity (someone logging into your system and wiping out your logs). My next step (which you can dismiss as “overly cautious”) would be to check your CDR and CEL databases to see what kind of activity you see in there, and to check with your provider to make sure nothing “himky” is going on.

Well… it took about 3 hours and it’s happened. Inbound calls no longer going to the custom destination. They were half an hour ago. Calls now go straight to the phone number dialled, they are not intercepted by the inbound route I defined.

Full log has not had any entries for a couple of hours (since before it stopped working). The nearest I can see to any problems being reported is
[2019-04-03 13:49:48] NOTICE[2441] chan_sip.c: Peer ‘Voipfone_SIP_OUT’ is now UNREACHABLE! Last qualify: 63
[2019-04-03 13:49:59] NOTICE[2441] chan_sip.c: Peer ‘Voipfone_SIP_OUT’ is now Reachable. (24ms / 2000ms)

but like I said… that was a while before things stopped working anyway.

With no logs it’s hard to know where to start. Any ideas?


That would be a NAT and/or networking issue at the location where the calls should be being. They aren’t responding to the PBX keep alives.

Yeah and I’ve had symptoms of networking problems before. I’m trying not to mess too much with the network settings as this is the closest I’ve had it to working …well… ever…

Here’s my setup.

Router gateway
Host (Windows)
and virtual ethernet via VirtualBox

Guest (Linux) IP (via Bridged adaptor)


Asterisk seems to survive for anything from a few minutes to a few hours but eventually disconnects and no longer routes internal calls - leaving them to go to the default extension and ultimately voicemail.

I have the asterisk firewall enabled, including responsive firewall. I’ve moved the interfaces from “Trusted” to to “INTERNET (default firewall)” zones to see if that helps asterisk survive for longer.

Watch this space!

Any other ideas gratefully received :wink:

That is not correct and shouldn’t even be in there. Remove it.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.