Failed To Register

Hi All… We are running FreePBX 16 new Install and have a mix of phones we need to add. We have mostly Polycom IP Sound Point 650s which are up to date with firmware etc.

We do have phones which registered and are working just fine but we have a number of Polycoms which I cannot get registered.

2 particular units did register and were shown as Endpoints and functined fine initially… but then just disappeared from PJSIP Show Contacts / Show Endpoints !!

I can access their GUIs both from a Browser and from the phones GUI and try to re-register them but they will not register and I get “Failed to Authenticate” errors on them.

SNGREP just verifies 403 error with no further details.

They are on the same network as the VoIP too.

Their SIP details show the correct User/Auth Password/Display Name /and Line extension … but they just will not register.

I also have their IPs WHITE LISTED and I see that they are not Banned.

I do not know where I can turn to - or what other diagnostic I can run to see why these phones refuse to register whether it is the Phone itself or the VoIP ??

Can someone please help ?? Point me to solution ?/

Thank you

You can’t register a PJSIP device without creating a PJSIP endpoint. That must exist, and is generated when the extension is created in the GUI.

Hello Igaetz and thank you for the reply…

I did create these 2 extensions in the GUI and Endpoint: This is output I get from PJSIP SHOW ENDPOINTS … for one of them - the one I really need to register for our HR person
124/124 Unavailable 0 of inf
InAuth: 124-auth/124
Aor: 124

I call dial the extension but I get “The person at ext 124 is unavail” etc and the phone does not ring nor can he call out on it.

I even reset and upgraded the Polycomn 650     as show here   
   UC Software Version	4.0.15.1047

BootROM Software Version 5.0.15.0741

When I reboot it to try to register it, it just will not register on my FreePBX VoIP ( new install )

I checked the settings a bunch of times and the Auth Password I used matches what the server is expecting !!

I am not using the FreePBX Firewall but do use its Faile2Ban feature and whitelisted the IP for this unit.

What is odd to me is that on some other phones I am working with I see their IPs in BOTH the Banned list AND the Whitelist !!

Our Firewall for this office is PFSense and UDP and TCP ports 5060 and 5061 are open !!

I just do not know how to determine exactly what is preventing these phones from registering.

If there are any logs I need to look at or attach here I would do so gladly.

Thank you

At the botton of the pile here is iptables, you can but see which rule is allowing or dropping the network/host in question with

iptables -L -n

Hello dicko - and thank you for replying…

Running that command - I do not see the IP of the phone I need to register i.e. 10.1.15.221
I DO see one phone at 192.168.26.106 which I also whitelisted over and over but it keeps appearing and Fails to authenticate…

Am I missing something ?? This phone actually registered when I first powered it on and then disappeared 10 minutes later. It seems like the VoIP is rejecting it but I cannot find any evidence of that anywhere - This is when I turned to you folks - I hope you can help with this.

Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-recidive all – 0.0.0.0/0 0.0.0.0/0
fail2ban-zulu tcp – 0.0.0.0/0 0.0.0.0/0
fail2ban-openvpn udp – 0.0.0.0/0 0.0.0.0/0 multiport dports 1194
fail2ban-api tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-BadBots tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-FTP tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 21
fail2ban-apache-auth all – 0.0.0.0/0 0.0.0.0/0
fail2ban-SSH tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-PBX-GUI all – 0.0.0.0/0 0.0.0.0/0
fail2ban-SIP all – 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-BadBots (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-FTP (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-PBX-GUI (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SIP (1 references)
target prot opt source destination
REJECT all – 192.168.26.106 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all – 51.195.65.109 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-apache-auth (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-api (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-openvpn (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-recidive (1 references)
target prot opt source destination
REJECT all – 20.117.0.61 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all – 141.98.11.91 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-zulu (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Until you fix

Chain fail2ban-SIP (1 references)
target prot opt source destination
REJECT all – 192.168.26.106 0.0.0.0/0 reject-with icmp-port-unreachable
.
.

or turn off your firewall you can’t use that extension, you apparently have a bad “auth” for that entity

Ok .thank you… I see that now and I will address it asap…

I don’t see why the 10.1 15.221 ip phone is not registering though…
This is a Polycom 650 phone that worked when it first booted up but then just disappeared from the show contacts. I tried to re-register it after I did a full reset and upgrade per my initial post… but it just refuses to register.

This phone’s IP 10.1.15.221 is also whitelisted and does not show in Banned IP list. It does not show in the iptables list either… It does not appear in pjsip show contacts or endpoints… It is like it never reaches the voip server but it did at first. This one is evading me and I don’t see why.

If there is a log that would tell me or a command I can run to diagnose this…would be great.

Both 10.x,x,x and 192.168.x.x are ‘unroutable’ and used for ‘private’ networks. That you have both is pause for concern, can you explain further ?

Hi dicko…

We have 5 offices in the USA - one VoIP in our MAIN office. We have had a FreePBX Voip for many years which worked very well until I Upgraded to FreePBX 16 ( which does work with our other mix of phones of PolyComs and SNOMs - the SNOMS were no trouble )

Each Office has a PFSense router/firewall and VPNs ( we use OpenVPN ) connect all the offices and the VoIP can ping ALL the phones etc.

We have had this set up for many years and been using FreePBX and Asterisk NOW for a long while.

The VoIP’s firewall is NOT enabled but it does run Intrusion Detection AND all the IPs are whitelisted

Some phones registered OK and some don’t - mostly the Polycoms. - I have been struugling to find out why but keep hitting a wall - All I get is Auth Failed … and the one with IP 192.168.x.x keeps showing up in Banned EVEN when I have it Whitelisted.

I came to this forum hoping to find either a solution or get some insight to get these phones registered.

I don’t know where they are being blocked if at all ! is it the VoIP - or the Phone ( our FW is OK with all the other phones and Network )

That’s where I am at/

I hope you can help

If you have a whitelist and if your fail2ban version supports it , in jail.conf set the 'chain = ’ to the name of a chain you can add AFTER your whitelist which would be where the bans would be placed.

As to 192.168.n.n, check it is using the correct protocol-by-port, password and identity.

As to your 10. network, If your OpenVPN is on your firewall, do you have forwarding rule added or automatically arranged by the FW ?

I am not sure why the firewall and fail2ban are being focused on. The endpoint is getting a 403 Forbidden response. That would mean a REGISTER was sent, 401 Unauthorized reply, new REGISTER sent with auth, 403 reply. None of that says “firewall/IDS is blocking”.

What we need to see here is actual endpoint configs and a sip trace of the register request.

Because of

and the one with IP 192.168.x.x keeps showing up in Banned EVEN when I have it Whitelisted.

Fail2ban will see and ‘ban’ detected failed registrations under all circumstances unless the entity is in it’s ignoreip list , if its chains are added before the OP Whitelist rules, then fail2ban wins

The auth checking also covered

As to 192.168.n.n, check it is using the correct protocol-by-port, password and identity.

So if there is a well built extension on the port the 192.n.n.n is using (chan_sip’s or chan_pjsip’s) , and the name and auth are agreeable . .

I ran a debug log and it is too large to paste and has info I would rather hide but I can send a file to you but I don’t see where I can attach it - I have a Text file ( log) and a screen shot of the phone’s GUI setup.

Please let me know how to get it you and dicko.

Thank you.

https://wiki.freepbx.org/display/SUP/Providing+Great+Debug#ProvidingGreatDebug-AsteriskLogs-PartII

do the pastebin thing

https://pastebin.freepbx.org/view/77e6deb2

Ext111560×508 9.44 KB

This is the ext I am working to get registered - The Debug log is in Pastebin

Expand the Outbound Proxy section on your phone and set all the entries to blank.

Tell us about your relationship with ‘onsip’

Hi Stewart1

I did that and still no joy !

After the change, does anything appear in the Asterisk when the device attempts to register? If so, at the Asterisk command prompt type
pjsip set logger on
and paste the log for a failed registration attempt.

If not, what if anything appears in sngrep?

If nothing there, either, paste a new log from the phone.