Extension can't register at FPBX SIP/2.0 401 Unauthorized

Hi!

I really become silly now. I have set up FPBX on my server (public IP, directly connected to backbone without firewall).

I tried to log into the extension account from outside (DSL line without firewall on briding NAT).

Every time I try to login into FPBX I get the following error:

SIP/2.0 401 Unauthorized

So I decided to try with Zoiper and other softphones instead of hardware phone first. No success - always SIP/2.0 401 Unauthorized.

Then I tried to use IAX instead of SIP - but same result …

it is impossible to connect from outside.

Then I tried to register from an other server in the same subnet - works.

So why it is impossible to connect from outside WAN?

I can’ t find any setting which blocks this registration.

Surly SIP extension is set to qualify and nat = yes.

Hope someone can help.

— (11 headers 0 lines) —
Using latest REGISTER request as basis request
Sending to 103.78.169.121 : 59709 (NAT)

<— Transmitting (NAT) to 103.78.169.121:59709 —>
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.168.1.54:5060;branch=z9hG4bKk74Wk3Q4lTjn5nPu;received=103.78.169.121
From: “1234” < sip:[email protected] >;tag=rb8Dr9sNjmx84Q0D
To: “1234” < sip:[email protected] >
Call-ID: [email protected]
CSeq: 22954 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Contact: < sip:[email protected] ><---- can anybody explain this? server IP is 111.222.333.444
Content-Length: 0 <---- 111.222.333.42 is second network card on same server.

<------------>

<— Transmitting (NAT) to 103.78.169.121:59709 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.54:5060;branch=z9hG4bKk74Wk3Q4lTjn5nPu;received=103.78.169.121
From: “1234” < sip:[email protected] >;tag=rb8Dr9sNjmx84Q0D
To: “1234” < sip:[email protected] >;tag=as562fbcaf
Call-ID: [email protected]
CSeq: 22954 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
WWW-Authenticate: Digest algorithm=MD5, realm=“asterisk”, nonce="6114a0a2"
Content-Length: 0

<------------>
Scheduling destruction of SIP dialog ‘[email protected]’ in 32000 ms (Method: REGISTER)
stupidbox*CL I>
<— SIP read from 213.66.202.129:10468 —>

<------------->
— (0 headers 0 lines) Nat keepalive —
stupidbox*CLI >
<— SIP read from 213.66.202.129:10469 —>

<------------->
— (0 headers 0 lines) Nat keepalive —
stupidbox*CLI >
<— SIP read from 103.78.169.121:59709 —>
REGISTER sip:111.222.333.444 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.54:5060;branch=z9hG4bKk74Wk3Q4lTjn5nPu
Max-Forwards: 7
User-Agent: eHOP8T
From: “1234” < sip:[email protected] >;tag=rb8Dr9sNjmx84Q0D
To: “1234” < sip:[email protected] >
Call-ID: [email protected]
CSeq: 22954 REGISTER
Contact: < sip:[email protected]:5060 >
Expires: 3610
Content-Length: 0

<------------->
— (11 headers 0 lines) —
Using latest REGISTER request as basis request
Sending to 103.78.169.121 : 59709 (NAT)

<— Transmitting (NAT) to 103.78.169.121:59709 —>
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.168.1.54:5060;branch=z9hG4bKk74Wk3Q4lTjn5nPu;received=103.78.169.121
From: “1234” < sip:[email protected] >;tag=rb8Dr9sNjmx84Q0D
To: “1234” < sip:[email protected] >
Call-ID: [email protected]
CSeq: 22954 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Contact: < sip:[email protected] >
Content-Length: 0

<------------>

<— Transmitting (NAT) to 83.78.169.121:59709 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.54:5060;branch=z9hG4bKk74Wk3Q4lTjn5nPu;received=103.78.169.121
From: “1234” < sip:[email protected] >;tag=rb8Dr9sNjmx84Q0D
To: “1234” < sip:[email protected] >;tag=as562fbcaf
Call-ID: [email protected]
CSeq: 22954 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
WWW-Authenticate: Digest algorithm=MD5, realm=“asterisk”, nonce="6114a0a2"
Content-Length: 0

After searching for solution for 3 days now I decided to post my help request here :slight_smile:

Thanks.

Now used second IP on server 111.222.333.42 and it works.

Did not understand, because in settings I have bind to 0.0.0.0

Any way to accept registration on both IP addresses?

(I think you are responding to my question below: SIP Registration with dual NICs)

Yes, the phone is behind NAT. The asterisk server is not.

I don’t understand what the Contact line means and why it gets set to an interface IP address (the one that corresponds to the interface that has the default gateway). I would think that the Via and To lines would handle the addresses.

The NAT seems to be handled fine as long as the phone (eyebeam) connects to the interface that has the default gateway. If I change the default gateway to the other interface, the phone will connect to that one (and the Contact IP changes correspondingly).

Thanks!

I have many servers with dual NIC’s in fact in’t a standard configuration for us.

The key is you must have both localnet settings and a externip or externhost definition that corresponds to the NAT’d interface.

Make sure that the bindaddress in the sip settings module is set to 0.0.0.0

I fixed this setting qualify to no at first instance but now seems to be broken again, having the same issue.

Anyone found out an exit?

Do you have NAT involved on any of the connections?

I have a server with two NICs, but my phone will only register via one of the NICs. I would expect that I could register with either one. However, one of the registrations always fails with “SIP/2.0 401 Unauthorized”.

I compared the SIP protocol for the two registrations and the only difference I can see (besides the IP address being appropriately different) is that the registration that doesn’t work contains the IP address of the other interface:

Contact: <sip:444@(ip of other interface)>

If I disable the other interface and “amportal restart”, it still doesn’t work and this line is now:

Contact: <sip:[email protected]>

I’m really at a loss. Does anyone have dual NICs and can register a SIP phone on either one?

Thanks!