Incoming calls rejected as 401 Unauthorized

I’m having a problem with incoming calls randomly failing, when the call fails the pbx rejects the call with 401 Unauthorized. We can make calls and we can receive most calls, the problem appears to be completely random. Our provider is Twilio and the problem doesn’t appear to be on their end as the PBX is just rejecting some calls.

here is the output from tshark for one on the failed calls
114.236554 54.172.60.2 -> 196.53.97.18 SIP/SDP 1337 Request: INVITE sip:[email protected] | , with session description
114.239804 196.53.97.18 -> 54.172.60.2 SIP 876 Status: 401 Unauthorized |

Here is another trace of an unauthorized call
<— SIP read from UDP:54.244.51.2:5060 —>
INVITE sip:[email protected] SIP/2.0
Record-Route: sip:54.244.51.2:5060;lr;ftag=22969250_6772d868_6d80b922-6bc1-434c-9bb1-a70b761ef32f
From: “JOHN GALE” sip:[email protected];pstn-params=9084818088;cpc=ordinary;tag=22969250_6772d868_6d80b922-6bc1-434c-9bb1-a70b761ef32f
To: sip:[email protected];user=phone
CSeq: 31019 INVITE
Max-Forwards: 63
Diversion: sip:[email protected];reason=unconditional
Call-ID: [email protected]
Via: SIP/2.0/UDP 54.244.51.2:5060;branch=z9hG4bK4d74.16e5af77.0
Via: SIP/2.0/UDP 172.18.77.155:5060;rport=5060;received=172.18.77.155;branch=z9hG4bK6d80b922-6bc1-434c-9bb1-a70b761ef32f_6772d868_253-16114653313875962239
Contact: “JOHN GALE” sip:[email protected]:5060;transport=udp
Allow: INVITE,ACK,CANCEL,BYE,OPTIONS
User-Agent: Twilio Gateway
X-Twilio-AccountSid: ACce34594d02eb8f561702455f938f32e2
Content-Type: application/sdp
X-Twilio-CallSid: CA496cf8343008966675b6d1c548873aa5
Content-Length: 236

v=0
o=root 1668107832 1668107832 IN IP4 54.244.51.28
s=Twilio Media Gateway
c=IN IP4 54.244.51.28
t=0 0
m=audio 18070 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv
<------------->
— (17 headers 11 lines) —
Sending to 54.244.51.2:5060 (NAT)
Sending to 54.244.51.2:5060 (NAT)
Using INVITE request as basis request - [email protected]
Found peer ‘PBX To Twilio 1’ for ‘+18016744066’ from 54.244.51.2:5060

<— Reliably Transmitting (NAT) to 54.244.51.2:5060 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 54.244.51.2:5060;branch=z9hG4bK4d74.16e5af77.0;received=54.244.51.2;rport=5060
Via: SIP/2.0/UDP 172.18.77.155:5060;rport=5060;received=172.18.77.155;branch=z9hG4bK6d80b922-6bc1-434c-9bb1-a70b761ef32f_6772d868_253-16114653313875962239
From: “JOHN GALE” sip:[email protected];pstn-params=9084818088;cpc=ordinary;tag=22969250_6772d868_6d80b922-6bc1-434c-9bb1-a70b761ef32f
To: sip:[email protected];user=phone;tag=as37e5e15b
Call-ID: [email protected]
CSeq: 31019 INVITE
Server: FPBX-13.0.194.10(13.17.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm=“asterisk”, nonce=“64b87eba”
Content-Length: 0

Here are my incoming trunks
Incoming
[Twilio To PBX 0]
host=54.244.51.0
insecure=port,invite
type=peer
context=from-trunk

[Twilio To PBX 1]
host=54.244.51.1
insecure=port,invite
type=peer
context=from-trunk

[Twilio To PBX 2]
host=54.244.51.2
insecure=port,invite
type=peer
context=from-trunk

[Twilio To PBX 3]
host=54.172.60.0
insecure=port,invite
type=peer
context=from-trunk

[Twilio To PBX 4]
host=54.172.60.1
insecure=port,invite
type=peer
context=from-trunk

[Twilio To PBX 5]
host=54.172.60.2
insecure=port,invite
type=peer
context=from-trunk

[Twilio To PBX 6]
host=54.172.60.3
insecure=port,invite
type=peer
context=from-trunk

Here are mu outgoing trunks if that matters
Outgoing
[PBX To Twilio 7]
host=xxxxxxxxxxxx.pstn.us2.twilio.com
username=xxxxxxxxxxxxxxx
secret=xxxxxxxxxxxx
type=peer

[PBX To Twilio 8]
host=xxxxxxxxxxxx.pstn.us1.twilio.com
username=xxxxxxxxxxxxxxx
secret=xxxxxxxxxxxx
type=peer

Here are all of the Twilio US IP addresses
54.172.60.0
54.172.60.1
54.172.60.2
54.172.60.3
54.244.51.0
54.244.51.1
54.244.51.2

I have all of there addresses while listed in the intrusion detection and I have them listed as trusted in the firewall. The PBX does let calls come through most of the time, but it rejects calls at random too. I have a pcap where it rejects an invite from 54.244.51.1 as unauthorized and a second later it accepts a call from that same IP. We are having this problem 5 or 6 times a day where it will reject a call and the caller calls back and it will go right through. Please help, I have been working on this for 3 days now and have tried everything I can think of. I’m starting to think that this is an asterisk bug. How do I go about debugging a call from the asterisk side? Also please let me know if I am missing something.

Do you have a trunk named ‘PBX To Twilio 1’? If so, it may be conflicting (and lacking the insecure=port, invite setting). If no longer needed, see whether deleting it helps (after applying the config, restart Asterisk).

If not, did you once have a trunk with that name? Does that name appear in any of /etc/asterisk config files?

The “PBX To Twilio 1” trunk is an outgoing trunk It shouldn’t be trying to use that trunk for incoming calls. But I see what you are looking at. Could this be the same issue that is described here “Twilio Inbound Suddenly stops working

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.