Inbound Calls Randomly Don't Connect - SIP 401 Unauthorized Received By Trunk (Flowroute)

trunk
Tags: #<Tag:0x00007f7024aa9a38>

(Jake Hassings) #1

Flowroute is randomly getting SIP 401 Unauthorized errors when trying to connect inbound calls to FreePBX. It’s only a handful of calls per day, and it is not consistent when a call will fail to be connected.

I believe I have the flowroute trunk setup correctly, including permit IP ranges, etc. I also have all the “edge strategy” routing configured on the Flowroute side. But for some reason, Flowroute gets an unauthorized error every so often.

How can I troubleshoot / fix this? It’s a bit hard to reproduce and test. I’m left just trying to call the DID a bunch to try and trigger the error. Anything I could be missing here, any settings I can tweak so the Flowroute inbound connection never receives the SIP 401?


#2

If something is logged at Flowroute for a failed call, look at the Asterisk log for that time. There will probably be a ‘failed to authenticate’ or similar error. With luck, it will show the source IP or give some other clue.

If not, you could set pjsip logging (and chan_sip, too if you suspect the call somehow ends up there).

Another possibility is running tcpdump continuously. I use a command like:
tcpdump -s 0 -C 100 -W 100 -w rbuf -Z root &
which writes to a ring buffer of 100 files (rbuf00, rbuf01, …, rbuf99), 100 MB each (you need 10 GB of free disk space).
When a failure is reported, locate the file with the failed call, download it to your PC and open it in Wireshark for analysis.


(Jake Hassings) #3

This is great, thanks a lot for the troubleshooting ideas. I’ll try what you suggested.

Additionally, after connecting with FW support, it looks like we’re also getting “no response” for some calls from some of their IPs, so there may also be a firewall issue (or it could be related).

What’s strange is (we’re using firewalld on this install) there’s no allowed sources for the Flowroute IPs and it doesn’t even look like port 5061 (chan_pjsip) is allowed on the public network interface at all?? So I’m not sure how any calls from FW would be working since they all come over 5061… Does FreePBX modify the same iptables database that firewalld does? Could it be setting/opening access for the FreePBX source and port?

According to the logs, inbound connection from 147.75.60.160:5061 did not work, but 147.75.60.161:5051 did… and our Match (permit) line for the trunk in FPBX is:

Match (permit): 147.75.60.160/28,34.210.91.112/28,34.226.36.32/28,147.75.65.192/28

Is it possible the first IP of each of the ranges is not correctly allowed in iptables via FPBX?


#4

FreePBX Firewall assumes that it has complete control over iptables; if you have firewalld also running, all bets are off.

It’s possible there is a bug associated with a /28 block, though IMO unlikely. You can issue
iptables -vL
to see whether it is set up as you expect. Also, since tcpdump captures incoming packets ahead of iptables and pjsip sees them after, seeing an INVITE (sent to the correct port) with tcpdump but not with pjsip logger would be good evidence of an iptables bug.


(Jake Hassings) #5

Fantastic, thanks again!