Incoming Calls - Can't get the PBX to NOT ask for authorization

Background: I’ve never set up SIP trunks before but was able to find answers to all my questions and get everything working… except the following by simply searching around, reading, and educating myself.

Platform: This is a fresh, brand new install of Elastix 2.0.

Provider: Level 3

Problem: When an incoming call comes in the only trace I have of the call is these two lines in my logs, and the call doesn’t register on my CDR reports.

[Oct 20 11:02:45] VERBOSE[3419] netsock.c: == Using SIP RTP TOS bits 184
[Oct 20 11:02:45] VERBOSE[3419] netsock.c: == Using SIP RTP CoS mark 5

I called my provider and they see a 401 unauthorized error and said that the problem is that the box is trying to authenticate the incoming call and Level 3 does not authenticate.

On that note I’ve searched everywhere for answers and to my knowledge the PBX shouldn’t be trying to authenticate as I have enabled anonymous incoming SIP calls. I’ve been as thorough as possible but I don’t know the ins and outs so maybe someone here can enlighten me to what I’m missing. My configs are below; my sip.conf file is basically just a bunch of includes so I listed all the includes and their respective file contents below the include in an effort to be as specific as possible regarding how it is set up. Please let me know if I should include anything else.

sip.conf:

[general]
#include sip_general_additional.conf

vmexten=*97
faxdetect=yes
context=from-sip-external
callerid=Unknown
notifyringing=yes
notifyhold=yes
limitonpeers=yes
tos_sip=cs3
tos_audio=ef
tos_video=af41
alwaysauthreject=yes
disallow=all
allow=ulaw
allow=alaw
allow=gsm

#include sip_general_custom.conf (nothing)
#include sip_nat.conf (nothing)
#include sip_registrations_custom.conf (nothing)
#include sip_registrations.conf (nothing)
#include sip_custom.conf (nothing)
#include sip_additional.conf

[2001]
deny=0.0.0.0/0.0.0.0
secret=1234
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
type=friend
nat=yes
port=5060
qualify=no
callgroup=
pickupgroup=
dial=SIP/2001
accountcode=
mailbox=2001@default
permit=0.0.0.0/0.0.0.0
callerid=device <2001>
call-limit=50
faxdetect=no

[2002]
deny=0.0.0.0/0.0.0.0
secret=1234
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
type=friend
nat=yes
port=5060
qualify=no
callgroup=
pickupgroup=
dial=SIP/2002
accountcode=
mailbox=2002@default
permit=0.0.0.0/0.0.0.0
callerid=device <2002>
call-limit=50
faxdetect=no

[2003]
deny=0.0.0.0/0.0.0.0
secret=1234
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
type=friend
nat=yes
port=5060
qualify=no
callgroup=
pickupgroup=
dial=SIP/2003
accountcode=
mailbox=2003@default
permit=0.0.0.0/0.0.0.0
callerid=device <2003>
call-limit=50
faxdetect=no

[incoming]
type=friend
context=from-trunk
qualify=no
insecure=port,invite
registersip=no

[level3]
host=hostip
port=5070
username=username
secret=password
type=peer
context=from-trunk-sip-level3

#include sip_custom_post.conf (nothing)

Any help would be greatly appreciated, I feel like I’ve tried everything.

and actually, even if you use insecure=very, FreePBX will translate that to insecure=port,invite for later releases of Asterisk :slight_smile:

OK

Thank you SkykingOH, it works now.
Yes, you are right, I should have checked the documentation first.

I have posted this so many times I am getting very tired of it.

Do you guys find the concept of peers and the Asterisk sip documentation lacking?

Many things in Asterisk are obscured and hard to find, SIP documentation is not one of them.

For hopefully the last time, the following peer will authenticate purely on IP:

host=ip.address.of.host.that.is.sending.SIP.invites
type=friend
insecure=port,invite
disallow=all
allow=ulaw
context=from-trunk

Nothing else!

If using pre 1.4.3 Asterisk use insecure=very

You can add whatever CODEC’s in whatever order you want in the allow line.
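An added example, not part of any post in this thread: a small Python audit of sip.conf-style sections that applies the rule the replies describe, that a section with a secret and no "invite" in insecure answers an inbound INVITE with a 401, and also marks the short extension secrets mentioned elsewhere in the thread. The level3-in section name, the 192.0.2.10 address and the 12-character threshold are assumptions made for the sample.

```python
import re

# Constructed sample modelled on the configs in this thread (placeholder values).
SAMPLE_CONF = """
[2001]
secret=1234
host=dynamic

[level3]
host=192.0.2.10
port=5070
secret=password
type=peer

[level3-in]
host=192.0.2.10
type=friend
insecure=port,invite
"""

def parse_sections(text):
    """Return {section: {key: value}} for sip.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(text, min_secret_len=12):                  # threshold is an assumption
    """Map each section to the traits the replies in this thread talk about."""
    report = {}
    for name, opts in parse_sections(text).items():
        insecure = opts.get("insecure", "").lower()
        flags = {"port", "invite"} if insecure == "very" else set(re.split(r"[,\s]+", insecure)) - {""}
        secret, host = opts.get("secret", ""), opts.get("host", "")
        traits = []
        if secret and "invite" not in flags:
            traits.append("challenges-invite")       # inbound INVITE is answered with 401
        if host not in ("", "dynamic") and (not secret or "invite" in flags):
            traits.append("ip-only-auth")            # accepted on source address alone
        if host == "dynamic" and len(secret) < min_secret_len:
            traits.append("weak-secret")             # registerable account, guessable secret
        report[name] = traits
    return report
```

On the sample, the level3 section (the one carrying the outbound credentials) is reported as challenging inbound INVITEs, while level3-in is accepted on source address alone.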

I am facing a similar challenge - accepting inbound SIP calls from a provider. The calls are hitting Asterisk, get into from-sip-external, hence it plays Not In Service.
There is no authorization with this provider, but provider’s ip addresses are known (there are 4 IPs). Where do I add these addresses?
I read the thread up and down, but can’t find the place to add the addresses to :(

Allow anonymous is a good start to just plain let the call in no matter what, that way you know the call is reaching you.

However - if you must leave it as anonymous then it indicates that you are missing a SIP section where the call should be directed. Only in cases where you can’t define conclusively one or more servers where the SIP signaling will originate from should you be required to leave anonymous on.

(For example, if you allow anonymous SIP calls in general which usually indicates you don’t know where the calls will be coming from, or if you have a provider who can’t conclusively tell you all the IP addresses where SIP calls may be signaled from).

Anyhow - glad you got it working, though as you pointed out, it would be nice to know why it wasn’t. (And from the first traces you had, it was hitting the proper SIP section so the only thing that comes to my mind is you had never applied configuration changes and/or had the reload occur properly on Asterisk, so there was a stale SIP section in there. Note: if in doubt, “sip show peer PEERNAME” at the CLI, to see what Asterisk is actually seeing, vs. what you think it is seeing.)

Alrighty, so good news and bad news…

Bad news first, I got so frustrated trying every possible thing that I ended up doing a fresh install of elastix 2.0 so I never figured out what the underlying problem was.

Good news, well the obvious, it works! Beyond that my understanding of SIP technology has increased vastly by trial and error and hours of research.

If anyone finds themselves with a similar problem there are two things I would suggest checking:

  1. Make sure that: Allow Anonymous Inbound SIP Calls? is set to yes. I understand this is not always ideal but once you get it working you can always work backwards. ‘Elastix: without tears’ has a great section about securing your PBX

  2. If after that it still won’t work then try using insecure=very (http://www.voip-info.org/wiki/view/Asterisk+sip+insecure) - thanks for the link Andrew.

Best advice I can give though is if you see something in a forum or site that says ‘try this…’ research what they are telling you, this way even if it doesn’t work it will help you pinpoint the problem.

Posting a SIP debug from your peer would be very useful.

You need to have two peers if one side needs authentication and the other does not.

Try turning anonymous sip on and set an any/any route and see what happens.

If you have 20 hours in debugging this and time is of the essence you could use the FreePBX support link and receive help from a trained Engineer.

AndrewZ just helped me out to get the SIP Debug info up. I replied to his comment a few comments up the ladder with it.

Anonymous SIP is enabled and I just tried setting up an any/any route and got the same sip debug.

By two peers should I create 2 separate trunks? or just fill out the USER details which is now blank?

Thanks

EDIT: From the look of the SIP debug it looks like the same result as Level 3 got earlier today: SIP/2.0 401 Unauthorized

You need to remove the username and password lines completely.

You also need to change the peer to =friend

If you have port 5060 open to outside you need to improve the secrets on your extensions.

Again - go to the console and check your sip debug, forget about Asterisk logs and CDRs.

I’m viewing the asterisk logs with full turned on and also using the CLI, which seems to display the same info as the asterisk logs just realtime. And the calls are not even getting to my CDR.

Is SIP Debug different from what I’m currently doing, and if so how can I run it?

http://www.google.com/search?q=asterisk+sip+debug

Well my provider does require auth for outbound calls but does not auth for inbound. Regardless I took out the user/pass and gave it a shot both with =peer and =friend and still can’t get incoming calls, but also got all circuits busy when trying to go out.

As a side note I also tried =peer and =friend with user and password and my outgoing worked regardless of that value, but again, no incoming.

Thanks for the heads up on the extensions secrets, I do plan on doing this, just haven’t got around to it yet, because I’ve been trying to figure this out for 20+ hours :confused:

I had looked up sip debugging before and figured it was the same thing as enabling debugging in the asterisk logs config file… I stand corrected, and thanks for letting me know to re-examine.

<--- SIP read from UDP:HOSTIP:5070 --->
INVITE sip:MYSIPNUMBER@PBXIP:5060 SIP/2.0
Via: SIP/2.0/UDP HOSTIP:5070;branch=z9hG4bKj9lihr20b07hagsdq7k0.1
From: <sip:MYCELLPHONE@HOSTIP;user=phone>;tag=SDgkgpd01-1382283929-1287607505759-
To: "MYCOMPANYNAME"<sip:MYSIPNUMBER@PBXIP>
Call-ID: SDgkgpd01-5c177d19d268d30aa0e079682e347584-v3000i1
CSeq: 632400304 INVITE
Contact: <sip:MYCELLPHONE@HOSTIP:5070;transport=udp>
Allow: ACK,BYE,CANCEL,INFO,INVITE,OPTIONS,PRACK,REFER,NOTIFY,UPDATE
Accept: multipart/mixed,application/media_control+xml,application/sdp
Supported:
Max-Forwards: 9
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 279

v=0
o=BroadWorks 29327 1 IN IP4 HOSTIP
s=-
c=IN IP4 HOSTIP
t=0 0
m=audio 49738 RTP/AVP 0 8 18 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
a=maxptime:20

<------------->
--- (14 headers 14 lines) ---
  == Using SIP RTP TOS bits 184
  == Using SIP RTP CoS mark 5
Sending to HOSTIP : 5070 (no NAT)
Using INVITE request as basis request - SDgkgpd01-5c177d19d268d30aa0e079682e347584-v3000i1
Found peer 'level3' for 'MYCELLPHONE' from HOSTIP:5070

<--- Reliably Transmitting (no NAT) to HOSTIP:5070 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP HOSTIP:5070;branch=z9hG4bKj9lihr20b07hagsdq7k0.1;received=HOSTIP
From: <sip:MYCELLPHONE@HOSTIP;user=phone>;tag=SDgkgpd01-1382283929-1287607505759-
To: "MYCOMPANYNAME"<sip:MYSIPNUMBER@PBXIP>;tag=as73a7cebb
Call-ID: SDgkgpd01-5c177d19d268d30aa0e079682e347584-v3000i1
CSeq: 632400304 INVITE
Server: Asterisk PBX 1.6.2.10
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="6a04eafb"
Content-Length: 0


<------------>
Scheduling destruction of SIP dialog 'SDgkgpd01-5c177d19d268d30aa0e079682e347584-v3000i1' in 32000 ms (Method: INVITE)

<--- SIP read from UDP:HOSTIP:5070 --->
ACK sip:MYSIPNUMBER@PBXIP:5060 SIP/2.0
Via: SIP/2.0/UDP HOSTIP:5070;branch=z9hG4bKj9lihr20b07hagsdq7k0.1
CSeq: 632400304 ACK
From: <sip:MYCELLPHONE@HOSTIP;user=phone>;tag=SDgkgpd01-1382283929-1287607505759-
To: "MYCOMPANYNAME"<sip:MYSIPNUMBER@PBXIP>;tag=as73a7cebb
Call-ID: SDgkgpd01-5c177d19d268d30aa0e079682e347584-v3000i1
Max-Forwards: 9
Content-Length: 0


<------------->
--- (8 headers 0 lines) ---
Really destroying SIP dialog '[email protected]' Method: REGISTER
Really destroying SIP dialog '[email protected]' Method: OPTIONS

I’m sorting through this now, trying to make sense of everything that’s going on but figured I would also post it up here. I replaced any private info such as phone numbers and IPs with statements such as ‘MYSIPNUMBER’. Again thanks for all the help.
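An added example, not part of the post above: a Python reader for this kind of "sip debug" output that pairs each inbound INVITE with the "Found peer" line logged after it and reports the calls Asterisk then answered with a 401, which shows which configured section is issuing the challenge. The trace embedded here is constructed and abridged; the Call-ID values and the level3-in peer name are assumptions.

```python
import re

# Constructed, abridged trace in the format of the debug output posted above.
SAMPLE_TRACE = """\
<--- SIP read from UDP:HOSTIP:5070 --->
INVITE sip:MYSIPNUMBER@PBXIP:5060 SIP/2.0
Call-ID: example-call-1
<------------->
Found peer 'level3' for 'MYCELLPHONE' from HOSTIP:5070
<--- Reliably Transmitting (no NAT) to HOSTIP:5070 --->
SIP/2.0 401 Unauthorized
Call-ID: example-call-1
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="6a04eafb"
<------------>
<--- SIP read from UDP:HOSTIP:5070 --->
INVITE sip:MYSIPNUMBER@PBXIP:5060 SIP/2.0
Call-ID: example-call-2
<------------->
Found peer 'level3-in' for 'MYCELLPHONE' from HOSTIP:5070
<--- Transmitting (no NAT) to HOSTIP:5070 --->
SIP/2.0 100 Trying
Call-ID: example-call-2
<------------>
"""

MESSAGE = re.compile(r"^<--- (.+?) --->\n(.*?)^<-+>$", re.S | re.M)
FOUND_PEER = re.compile(r"^Found peer '([^']+)' for '[^']*' from (\S+)", re.M)

def challenged_invites(trace):
    """List inbound INVITEs that Asterisk answered with a 401, with the matched peer."""
    results, pending = [], {}                       # pending: Call-ID -> (peer, source)
    msgs = list(MESSAGE.finditer(trace))
    for i, m in enumerate(msgs):
        banner, body = m.group(1), m.group(2).strip()
        start_line, _, rest = body.partition("\n")
        headers = dict(re.findall(r"^([\w-]+):[ \t]*(.*)$", rest, re.M))
        call_id = headers.get("Call-ID")
        if banner.startswith("SIP read") and start_line.startswith("INVITE "):
            # The peer match is logged between the request and the reply to it.
            end = msgs[i + 1].start() if i + 1 < len(msgs) else len(trace)
            found = FOUND_PEER.search(trace, m.end(), end)
            pending[call_id] = found.groups() if found else (None, None)
        elif "Transmitting" in banner and start_line.startswith("SIP/2.0 401") and call_id in pending:
            peer, source = pending.pop(call_id)
            results.append({"call_id": call_id, "peer": peer, "source": source,
                            "challenge": headers.get("WWW-Authenticate")})
    return results
```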

I tried putting everything in the PEER details as follows, but still nothing

host=providerip 
port=5070
username=username
secret=password
type=peer
insecure=invite
registersip=no
context=from-trunk

A concern of mine is that I need to use port 5070 to go out and port 5060 for incoming, will that be an issue if I only setup the peer details section?

In this case you probably need to add “,port” to insecure.
Check http://www.voip-info.org/wiki/view/Asterisk+sip+insecure

And don’t forget to check your sip debug on incoming call if the problem will stay.

Ok the adding port should fix my concerns about having different incoming and outgoing ports from what I read, thanks for the link as well.

However the root problem still persists. When I check my asterisk logs this is still all I get when I try to call into the trunk:

  == Using SIP RTP TOS bits 184
  == Using SIP RTP CoS mark 5

Same thing as before. Level 3 ran an incoming test and got a 401 unauthorized error. But that makes no sense because from what I can tell, I’m ordering asterisk to accept all incoming calls and not challenge them. I really feel like I’m missing something here…

(btw thanks for helping me troubleshoot this)

you need to put this line in your trunk configuration:

insecure=invite