PJSIP Authentication Issues

I have an existing FreePBX 16 system (with Asterisk 18.17.1) and need to add a new trunk that requires authentication (our current trunk is going away, and does not have authentication). I have the credentials from the trunk - Line registration domain, SIP Auth username, secret, domain, and outbound proxy server address. I can get a standlaone softphone to connect directly to the trunk using the information, but the FreePBX won’t authenticate. The status shows “rejected” in Asterisk Info → Registries.

Port is standard UDP on 5060 - edge router is a SonicWall with the required ports open to Any for testing (will narrow to just the trunk servers once I get it working). I have tried almost every conceivable option in PJSIP Settings & Advanced and never seem to get a valid registration.

Here is a snippet from the PJSIP log (IP and username anonymized). Does anything stand out to anyone?

Thanks!
Gibson

<— Transmitting SIP request (576 bytes) to UDP:63.209.193.59:5060 —>
REGISTER sip:pbx.east.mymtm.us SIP/2.0
Via: SIP/2.0/UDP 9.9.9.9:5060;rport;branch=z9hG4bKPj19bec9bb-1ce8-455d-9489-0a3cc824b859
From: sip:[email protected];tag=2f1c996b-8021-48da-a83d-0b4ecf0486ab
To: sip:[email protected]
Call-ID: 584615a2-067d-44c6-b13e-2229145a021f
CSeq: 39668 REGISTER
Contact: sip:[email protected]:5060
Expires: 3600
Allow: OPTIONS, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, MESSAGE, REFER
Route: sip:mymtm.us:5060
Max-Forwards: 70
User-Agent: FPBX-16.0.40.8(18.17.1)
Content-Length: 0

Try setting Outbound Proxy to
sip:pbx.east.mymtm.us\;lr\;hide
(note backslash semicolon in two places)

If no luck, post the working settings for your softphone, using the same redaction as in your REGISTER trace.

Thanks. No luck on the proxy server address with slashes and semicolons - same issue of REJECTED.
Here is the 3CX softphone screen that works direct to the trunk:

Any ideas where to go next?

Please post the REGISTER request from the 3CX softphone, as well as that from the PBX (with new Outbound Proxy value).

Here is a Wireshark capture from the 3CX softphone that registers the trunk:

Message Header
Via: SIP/2.0/UDP 192.168.1.98:61878;branch=z9hG4bK-d8754z-e134a9485a586065-1—d8754z-;rport
Max-Forwards: 70
Contact: sip:[email protected]:61878;rinstance=fdf3bee8e76bb8f4
To: "629666xxxx"sip:[email protected]:5060
From: "629666xxxx"sip:[email protected]:5060;tag=79200c42
Call-ID: YjZmZjEzZjdkOTIyMTBiNTRjN2E5NzJmN2MyMGYzMWI.
[Generated Call-ID: YjZmZjEzZjdkOTIyMTBiNTRjN2E5NzJmN2MyMGYzMWI.]
CSeq: 2 REGISTER
Expires: 120
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE
Supported: replaces
User-Agent: 3CXPhone 6.0.26523.0
[truncated]Authorization: Digest username=“UUUUUUUUUU”,realm=“BroadWorks”,nonce=“BroadWorksXlxtqx1n5T36w84BW”,uri=“sip:mymtm.us:5060”,response=“6219e659ca8000d92800b0af9e6fd1c4”,cnonce=“03c2de671c2fc94516c34316096a96a2”,nc=00000001,qop=au
Content-Length: 0
Message Header
Via: SIP/2.0/UDP 192.168.1.98:61878;received=99.54.142.111;branch=z9hG4bK-d8754z-e134a9485a586065-1—d8754z-;rport=6639
To: "629666xxxx"sip:[email protected]:5060;tag=1918517579-1719279994126
From: "629666xxxx"sip:[email protected]:5060;tag=79200c42
Call-ID: YjZmZjEzZjdkOTIyMTBiNTRjN2E5NzJmN2MyMGYzMWI.
[Generated Call-ID: YjZmZjEzZjdkOTIyMTBiNTRjN2E5NzJmN2MyMGYzMWI.]
CSeq: 2 REGISTER
Contact: sip:[email protected]:61878;rinstance=fdf3bee8e76bb8f4;expires=45;q=0.5
Allow-Events: call-info,line-seize,dialog,message-summary,as-feature-event,x-broadworks-hoteling,x-broadworks-call-center-status,conference
Content-Length: 0

Things I notice are that the local port is not 5060, but a randomized port above 5060, although the server port at mymtm.us is 5060. The proxy address doesn’t show up in the 3CX softphone traces that I see, but it is in the client and without it, the softphone won’t register.

I’ve tried placing “sip:pbx.east.mymtm.us;lr;hide” in the outbound proxy, but no change there.
Does anything stand out?

Very strange.

Sorry to be pedantic here, but you want Outbound Proxy set to
sip:pbx.east.mymtm.us\;lr\;hide
(you should be able to copy/paste that).
I had tried to make it clear by saying (note backslash semicolon in two places) but in your reply you mentioned ‘slashes’ (I assumed you were just abbreviating). To be clear, the backslash key is the rightmost above Enter on a US keyboard layout.

Also, confirm that after entering Outbound Proxy in the GUI for the correct trunk, you clicked Submit and Apply Config.

If you are sure that the above is all correct, please paste the Asterisk log for an attempted registration at pastebin.com and post the link here.

Pedantic is welcomed. I am using the exact form you suggest for the proxy, with back slashes. My formatting in this forum may not reflect it, but I am using the exact Outbound Proxy you suggest.

Here is the pastebin - FreePBX Trunk Registration - Pastebin.com

Notably, the Contact: field seems to be truncating for unknown reason. It only has an ‘s’ before the @ symbol after sip: when I have “sip:[email protected]” in the Contact User line in PJSIP Settings ->Advanced for the trunk. I have noticed through this exercise of trying to activate and register this trunk that many settings in PJSIP-> Advanced don’t seem to take affect after a Submit & Apply Config, but require an fwconsole restart to be reflected. Notably, adding or changing items in the Advanced section seems to take an fwconsole restart to take affect. Is this normal?

Not much useful info there. The request itself looks ok (other than the ‘s’ contact user), but what happens after that? If there were no response (firewall issue, or provider locked you out because of too many previous failures), I’d expect to see retansmissions. Otherwise, I’d expect to see the failure response(s). And another request after 12 minutes? AFAIK, that’s not a default retry interval for any error type.

Contact User is as it says: It should be set to UUUUUUUUUU

Definitely not normal. Do you see an error displayed when you Apply Config? After Apply Config, does the Asterisk log show the hundreds of lines related to the reload?

After literally three and a half weeks working on this, I finally found that my ISP (AT&T) was blocking inbound traffic on 5060, for what reasons, I am not certain. They claimed “security,” but they also sell SIP trunks, so maybe they block 5060 to try to keep their customers on their own trunks (which come in via another ethernet port on their edge router).
Once I signed a document agreeing to have 5060 unblocked did it start working as expected.

What a hassle.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.