Grandstream WP810 phones get "Unauthorized" when connecting over a VPN

FreePBX Networking
,
1

I am having a strange problem. I have a single PBX serving phones in two different offices connected via a VPN. Almos everything is working as expected but there are 3 phones in the remote office that cannot make calls. The register with Asterisk and can receive calls but cannot dial out anywhere. All three phones are Grandstream WP810 wifi phones. That same remote office has many Yealink phones that work fine, onthe the WP810 get the error while dialing out. After getting pjsip to log the phones I can see an “Unauthorized” sip message after the initial invite. Since the phone is registered and can receive calls I do not know why it would get that message. If I take that same phone to the main office it works without problems, only on the remote office do we get that problem. Here is the SIP message:

INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 192.168.11.103:57259;branch=z9hG4bK249734886;rport
From: “Compras Nacionales” sip:[email protected];tag=420359844
To: sip:[email protected]
Call-ID: [email protected]
CSeq: 10 INVITE
Contact: “Compras Nacionales” sip:[email protected]:57259
Max-Forwards: 70
User-Agent: Grandstream WP810 1.0.7.83
Privacy: none
P-Preferred-Identity: “Compras Nacionales” sip:[email protected]
P-Access-Network-Info: IEEE-EUI-48;eui-48-addr=76-AC-B9-4B-20-2A
P-Emergency-Info: IEEE-EUI-48;eui-48-addr=C0-74-AD-67-6C-B0
Supported: replaces, path
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
Content-Type: application/sdp
Accept: application/sdp, application/dtmf-relay
Content-Length: 413

v=0
o=301 8000 8000 IN IP4 192.168.11.103
s=SIP Call
c=IN IP4 192.168.11.103
t=0 0
m=audio 39156 RTP/AVP 0 8 18 9 97 2 123 101
a=sendrecv
a=rtpmap:0 PCMU/8000
a=ptime:20
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:9 G722/8000
a=rtpmap:97 iLBC/8000
a=fmtp:97 mode=30
a=rtpmap:2 G726-32/8000
a=rtpmap:123 opus/48000/2
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15

[2022-02-03 13:50:24] VERBOSE[8497] res_pjsip_logger.c: <— Transmitting SIP response (505 bytes) to UDP:192.168.11.103:57259 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.11.103:57259;rport=57259;received=192.168.11.103;branch=z9hG4bK249734886
Call-ID: [email protected]
From: “Compras Nacionales” sip:[email protected];tag=420359844
To: sip:[email protected];tag=z9hG4bK249734886
CSeq: 10 INVITE
WWW-Authenticate: Digest realm=“asterisk”,nonce=“1643917824/ef3829eaf76f09617abaffc1f8b2077a”,opaque=“68baa4cf7344b776”,algorithm=md5,qop=“auth”
Server: FPBX-16.0.10.49(18.6.0)
Content-Length: 0

Any ideas where to look for a problem?

2

Unfortunately, the log ended before the interesting stuff. Paste the complete Asterisk log for a failed call (including pjsip logger info) at pastebin.freepbx.org and post the link here.

Normal operation:

  1. Phone sends INVITE.
  2. Asterisk responds with 401 Unauthorized, including a WWW-Authenticate header.
  3. After sending ACK, phone resends INVITE with an Authorization header.
  4. If correct authentication, Asterisk continues processing the call.

On of 3 things is happening:

  1. Because of a networking problem, the phone doesn’t ‘hear’ the 401 and retransmits the original INVITE (without an Authorization header).
  2. The phone does send the Authorization header, but authentication fails for some reason and Asterisk responds with a 401 or 403.
  3. Authentication is fine but the call is failing for some other reason.
3

This link should have a complete call: SIP Trace - FreePBX Pastebin

I was finally able to go to the remote office and try to dial out from one of those phones and the result is very strange. You dial any number (internal or external) and the phone starts ringing as if the call is going thru but Asterisk does not show any activity on the CLI.

I have checked both firewalls and there is no SIP ALG active on either side that could be modifying SIP packets. Like I mentioned before, if I take the phone to the main office it works fine with no changes.

4

The WP did ACK the 401, so it must have heard it, but we don’t see the resend with the Authorization header at all. Just a guess, with Authorization the request packet exceeds the MTU of the VPN and gets fragmented and ultimately lost. You have 7 audio codecs enabled. In the phone, set the Preferred Vocoder list to allow only PCMU (G.711u) and G.722. Retest. If you still have the same trouble, try using syslog on the phone to see whether the INVITE with Authorization is being sent.

5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.