FreePBX 17 pjsip registration with Swiss telecom Swisscom

Hi,

I installed FreePBX 17, and I’m trying to connect a pjsip trunk to Swisscom (Swiss telecom). I’m getting these error messages.

<<<<<

Connected to Asterisk 21.4.3 currently running on FreePBX17 (pid = 1685)
[2024-10-03 13:24:24] WARNING[15401]: res_pjsip_outbound_registration.c:1079 schedule_retry: No response received from ‘sip:swisscom.ch:5060’ on registration attempt to ‘sip:[email protected]:5060’, retrying in ‘60’
[2024-10-03 13:24:27] ERROR[15401]: res_pjsip.c:1419 create_out_of_dialog_request: Unable to apply outbound proxy on request OPTIONS to endpoint Swisscom_sip as outbound proxy URI ‘fs1.ims.swisscom.ch’ is not valid
[2024-10-03 13:24:27] ERROR[15401]: res_pjsip/pjsip_options.c:879 sip_options_qualify_contact: Unable to create request to qualify contact sip:[email protected]:5060 on AOR Swisscom_sip

Here is my config for the trunk

<<<<
<<<<

pjsip.endpoint.conf

[Swisscom_sip]
type=endpoint
transport=0.0.0.0-udp
context=from-pstn
disallow=all
allow=ulaw,alaw,g722,g729,mpeg4
aors=Swisscom_sip
send_connected_line=no
rtp_keepalive=0
language=de_DE
outbound_proxy=fs1.ims.swisscom.ch
outbound_auth=Swisscom_sip

pjsip.registration.conf
[Swisscom_sip]
type=registration
transport=0.0.0.0-udp
outbound_auth=Swisscom_sip
retry_interval=60
fatal_retry_interval=30
forbidden_retry_interval=30
max_retries=10000
expiration=3600
auth_rejection_permanent=no
line=yes
endpoint=Swisscom_sip
server_uri=sip:swisscom.ch:5060
client_uri=sip:[email protected]:5060
outbound_proxy=fs1.ims.swisscom.ch

Has anyone had some experience with a sip trunk for Swisscom?

I created another trunk for Peoplefone, another provider in Switzerland. The trunk registered within seconds, so I think everything is in good shape with my FreePBX.

This is not a valid SIP URI. You probably want:

sip:fs1.ims.swisscom.ch

I don’t know whether this applies to Swisscom, but with most IMS systems, you would put in the Outbound Proxy field for the trunk (in the GUI):
sip:fs1.ims.swisscom.ch\;lr\;hide

@Stewart1 Ooh yes - I wasn’t awake enough earlier.

Thank you to all - I have registered the trunk now.

I’m getting a lot of this output warning. Do I need to worry or can I stop it?

WARNING[1584]: res_pjsip_registrar.c:1189 registrar_on_rx_request: Endpoint ‘anonymous’ (10.10.32.1:5265) has no configured AORs

Something is trying to register to you, you have anonymous endpoints enabled, and they don’t match any of your non-anonymous endpoints.

Thanks - for general SIP settings,

  • Allow anonymous inbound SIP calls - set to NO
  • Allow SIP guest - set to NO - before it was YES

Now I’m seeing a lot of notices

NOTICE[563543]: res_pjsip/pjsip_distributor.c:673 log_failed_request: Request ‘REGISTER’ from ‘“2071” sip:[email protected]’ failed for ‘10.10.32.1:5220’ (callid: 3476985343) - Failed to authenticate

The first IP with 213 is the public IP, and 10.10.32.1 is the gateway/firewall. Do you have any idea what the problem is?

The normal answer for bogus failed to authenticates is that you have inadequate firewalling. However the fact that they are originating from the internal address of your router, and a non-standard port number, makes me think you have a SIP ALG (application level gateway) running on the router. These are normally broken, and should be disabled.

The next question is whether extension 2071 exists and should be trying to access from outside. If not, you probably also have inadequate firewalling. Unless you actually have a need for another arrangement, you should be rejecting all SIP requests from outside, unless they come from the addresses that Swiss Telecom say they use.
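An added example, not part of the thread: a small Python triage of the two log messages quoted above, grouping rejected requests by the source address Asterisk recorded and marking sources in private address space, where the real origin is hidden behind the gateway. The sample lines are constructed (documentation addresses, ASCII quotes), and the `trusted` list is an assumed place to put the provider's published addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the format of the messages quoted in this thread.
SAMPLE_LOG = """\
[2024-10-03 14:01:10] NOTICE[563543]: res_pjsip/pjsip_distributor.c:673 log_failed_request: Request 'REGISTER' from '"2071" <sip:2071@203.0.113.10>' failed for '10.10.32.1:5220' (callid: 3476985343) - Failed to authenticate
[2024-10-03 14:01:12] NOTICE[563543]: res_pjsip/pjsip_distributor.c:673 log_failed_request: Request 'REGISTER' from '"2072" <sip:2072@203.0.113.10>' failed for '10.10.32.1:5221' (callid: 3476985344) - Failed to authenticate
[2024-10-03 14:01:15] WARNING[1584]: res_pjsip_registrar.c:1189 registrar_on_rx_request: Endpoint 'anonymous' (10.10.32.1:5265) has no configured AORs
[2024-10-03 14:02:00] NOTICE[563543]: res_pjsip/pjsip_distributor.c:673 log_failed_request: Request 'REGISTER' from '"100" <sip:100@198.51.100.7>' failed for '198.51.100.7:5060' (callid: 99) - Failed to authenticate
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAILED = re.compile(r"Request '(?P<method>\w+)' from '(?P<frm>.*?)' failed for "
                    r"'(?P<ip>[\d.]+):(?P<port>\d+)'")
ANON = re.compile(r"Endpoint 'anonymous' \((?P<ip>[\d.]+):(?P<port>\d+)\) has no configured AORs")

def summarize(log_text, trusted=()):
    """Group rejected SIP requests by the source address Asterisk saw (IPv4 only)."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    stats = defaultdict(lambda: {"events": 0, "users": set(), "ports": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line) or ANON.search(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m["ip"])
        if any(addr in net for net in trusted_nets):
            continue  # assumed allowlist, e.g. the provider's signalling addresses
        entry = stats[m["ip"]]
        entry["events"] += 1
        entry["ports"].add(int(m["port"]))
        # Only the "failed request" message carries a From header to read a user from.
        user = re.search(r"sip:([^@>]+)@", m.groupdict().get("frm") or "")
        if user:
            entry["users"].add(user.group(1))
    return dict(stats)

def assess(stats):
    """Say where each source has to be dealt with."""
    verdicts = {}
    for ip in stats:
        if any(ipaddress.ip_address(ip) in net for net in RFC1918):
            verdicts[ip] = "internal: true origin hidden by NAT or SIP ALG, filter at the gateway"
        else:
            verdicts[ip] = "external: drop at the firewall unless it is a provider address"
    return verdicts
```

Many ports and several claimed extensions behind one internal address mean an address-based ban on the PBX would hit the gateway itself, so the filtering has to happen on the firewall.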

Thanks - oh, I forgot: yes, 10.10.32.1 is a Fortigate firewall, and SIP ALG is still running, at least I think so.

I disabled SIP ALG and now I analyzed the registration log. Here is the output

<<<<<<

FreePBX17*CLI>
<--- Transmitting SIP request (453 bytes) to UDP:195.186.128.164:5060 --->
OPTIONS sip:[email protected]:5060 SIP/2.0

Via: SIP/2.0/UDP 213.3.28.232:5060;rport;branch=z9hG4bKPj5565d3ed-8179-411b-a923-94711c9bf2d0

From: sip:[email protected];tag=b01c740d-c0ae-4738-81f2-7c47cc5c51fe

To: sip:[email protected]

Contact: sip:[email protected]:5060

Call-ID: 577d5b8a-9541-4ce5-93ae-4b6797c285fd

CSeq: 56528 OPTIONS

Max-Forwards: 70

User-Agent: FPBX-17.0.19.13(21.4.3)

Content-Length: 0

FreePBX17*CLI>
<--- Received SIP response (397 bytes) from UDP:195.186.128.164:5060 --->
SIP/2.0 403 Forbidden

Via: SIP/2.0/UDP 213.3.28.232:5060;received=100.95.10.115;rport=49156;branch=z9hG4bKPj5565d3ed-8179-411b-a923-94711c9bf2d0

To: sip:[email protected];tag=h7g4Esbg_yi5ybw3qhwyodwjj4jflmspzr7wssryo

From: sip:[email protected];tag=b01c740d-c0ae-4738-81f2-7c47cc5c51fe

Call-ID: 577d5b8a-9541-4ce5-93ae-4b6797c285fd

CSeq: 56528 OPTIONS

Content-Length: 0

<<<<<

Swisscom requires a user name (+41mynumber) and auth name, which I provided in the trunk GUI. However, in the log, I don’t see that the auth name is transmitted.

The Web-GUI in asterisk info returns a “registered” for the trunk.

Thank you!

The auth name will only be transmitted if they send a 401 response, it’s part of the authentication data requested by the 401. They have rejected the OPTIONS before it reaches that point.

Note that a rejected OPTIONS is a good response for Asterisk. It means that there is something there and responding, which is all that it is looking for.

You appear to have the user name set to Swisscom_sip, not to the value you say it should be.

Thank you. I appreciate your quick reply.

Swisscom_sip is the trunk’s name. I replaced the name with the username to see if it made a difference. It didn’t.

A question: in the log I provided, is there any secret information I should not share?

They are probably expecting from user to be set, which can be set specifically, but also through the caller ID.

It’s up to you to decide what is sensitive. You haven’t transmitted anything based on your password, but some people are sensitive about account names, public IP addresses, and PSTN numbers. It is probably too late to remove all trace, but you would have to ask a moderator to assist, if you wanted to try that.

You are showing the provider sending OPTIONS to the PBX and that is what is being challenged. By default chan_pjsip will challenge incoming OPTIONS just like incoming INVITES. Unfortunately, FreePBX doesn’t have this setting exposed to disable. You would need to put this in the pjsip.endpoint_custom_post.conf file.

[Swisscom_sip](+type=endpoint)
allow_unauthenticated_options=yes

A 403 response to options should not cause the endpoint to go unreachable. If it is able to get 403 back, it has connectivity both ways, so is considered reachable.

There is a risk that far side treats this as an attack and, eventually, blocks traffic from you.

If OPTIONS is failing, INVITE may fail for the same reason, but there is no evidence of this in the OP’s log.

Thanks - the pjsip.endpoint_custom_post.conf file didn’t exist, so I created one and added the two lines.

Yes, it is possible that Swisscom is now blocking the credentials.

I looked again at this file and I noticed, what you said that the

outbound_auth=Swisscom_sip

Swisscom_sip is the trunk name. Should that not be the auth name Swisscom provided me? I changed it there, but it got overridden again.

It can be anything, as long as type=auth context with the name contains the right information. The information will not be used unless you receive a 401, or 407, response.

Someone from Swisscom support sent me this picture. On the left side, it shows how a proper registration should look, and on the right, you see what my FreePBX 17 sends.

Well, according to Swisscom documentation second picture

For my PJSIP Trunk I use:

under general
Username: 4144XXXXX
Author username: I received by Swisscom starting with [email protected]
I assume that I don’t need to enter @swisscom.ch in the author username field
SIP server: swisscom.ch
Port: 5060

Advanced tab:
outbound proxy: sip:fs1.ims.swisscom.ch;lr;hide

Do I enter everything correctly in the GUI?

Strange. Assuming that in the GUI you have Outbound Proxy set to
sip:fs1.ims.swisscom.ch\;lr\;hide
I would expect the lr and hide parameters to propagate to pjsip.endpoint.conf, which should result in the name fs1.ims.swisscom.ch not appearing in any transmitted SIP packets.

Possibly you do, but if you can register and make calls, what you have must be correct.

That is ambiguous, because the forum may have deleted the backslash characters.
Assuming that you did enter them into the Outbound Proxy field of the GUI, I don’t understand why the lr and hide parameters aren’t being honored.
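An added example, not part of the thread: a Python check of `outbound_proxy` values in a pjsip config file, covering both the missing `sip:` scheme from the first error and the backslash question raised in the last replies. It assumes the standard Asterisk config rule that an unescaped `;` starts a comment; the section names in the sample are constructed.

```python
import re

# Constructed config: the value as first posted in this thread, the escaped
# form suggested in the replies, and the same value with the backslashes lost.
SAMPLE_CONF = r"""
[trunk_as_posted]
type=endpoint
outbound_proxy=fs1.ims.swisscom.ch

[trunk_escaped]
type=endpoint
outbound_proxy=sip:fs1.ims.swisscom.ch\;lr\;hide

[trunk_unescaped]
type=endpoint
outbound_proxy=sip:fs1.ims.swisscom.ch;lr;hide
"""

def effective(line):
    """Return the line as the config parser sees it: an unescaped semicolon
    starts a comment, a backslash-escaped one is a literal semicolon."""
    kept = re.split(r"(?<!\\);", line, maxsplit=1)[0]
    return kept.replace("\\;", ";").strip()

def lint_outbound_proxy(conf_text):
    """Map each section name to a list of problems with its outbound_proxy."""
    report, section = {}, None
    for raw in conf_text.splitlines():
        line = effective(raw)
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1)
        elif line.startswith("outbound_proxy"):
            value = line.split("=", 1)[1].strip()
            uri, *params = value.split(";")
            problems = []
            if not re.match(r"sips?:[^\s;]+$", uri):
                problems.append("not a SIP URI: missing sip: or sips: scheme")
            elif "lr" not in params:
                problems.append("no ;lr parameter survives comment stripping")
            report[section] = problems
    return report
```

Run against the generated `pjsip.endpoint.conf`, this shows whether the parameters typed into the GUI actually reached the file in escaped form.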