PJSIP extension failing to register and keeps getting banned


(RPG) #1

Hello, I am having trouble registering my Digium phone ext. to my phone server. I have been working on this for days and couldn’t figure out why my phone fails to register and why the intrusion keeps banning the phone’s IP address.
Here are the settings I have set:
*I set the extension using the PJSIP port 5160. PJSIP is set as 5160 in FreePBX. I made sure that the extension’s password on my phone matches the secret in Freepbx’s extension.
*I set the to use both Chan_PJSIP and Chan_SIP in Advance Settings.
*PJSIP is set in Asterisk SIP Settings (Allow Transport Reload-No, Show Advanced Settings - No, udp - 0.0.0.0 ALL -Yes, Port to listen is set to 5160, Our external IP address is set and none is set on local network)
*Added PJSIP Trunk with recommended settings from Flowroute
*Added a PJSIP extension with matching secret with the phone’s extensions

I was able to make one phone register without getting it banned until today. It is getting banned again by intrusion detection. Another phone extension I am testing, it won’t register at all and that phone’s IP address shows as (recidive) when it gets banned so I had to test a different phone with a different IP address.
Even if I put the phone’s IP address in the white list, it still won’t register. So I guess I have two issues here. 1 is that the phone won’t register and 2 FreePBX keeps banning the phone’s IP address.

I looked at the log and it says this:
[2020-05-10 19:34:00] WARNING[5169] chan_sip.c: Timeout on 726832754-948451549-2006237033 on non-critical invite transaction.
[2020-05-10 20:00:37] NOTICE[9434] res_pjsip/pjsip_distributor.c: Request ‘INVITE’ from ‘<sip:default@50.201.161.43>’ failed for ‘147.135.71.87:63464’ (callid: 320061365-2098964229-320328617) - Failed to authenticate
[2020-05-10 21:38:12] WARNING[5169] chan_sip.c: Timeout on 2006214412-1186255612-256214266 on non-critical invite transaction.
[2020-05-10 21:45:01] WARNING[5169] chan_sip.c: Timeout on 1268750041-1402006499-2002454235 on non-critical invite transaction.
[2020-05-10 22:11:40] WARNING[5169] chan_sip.c: Timeout on 844348194-924075622-2006443949 on non-critical invite transaction.
[2020-05-10 22:13:15] WARNING[5169] chan_sip.c: Timeout on 1953426848-1003795474-441120068 on non-critical invite transaction.
[2020-05-11 00:52:03] NOTICE[5169][C-000098b8] chan_sip.c: Failed to authenticate device <sip:101@50.201.161.43>;tag=1263852006
[2020-05-11 01:14:16] WARNING[5169] chan_sip.c: Timeout on 303473989-1020742602-135420060 on non-critical invite transaction.
[2020-05-11 01:35:57] WARNING[5169] chan_sip.c: Timeout on 2006942498-1044689565-1333810060 on non-critical invite transaction.

We use Chan_SIP and we want to move a few extensions at a time to PJSIP. Any help is very much appreciated.


(Dave Burgess) #2

That’s an odd extension.

The inbound traffic made it from the outside, so the network appears to be OK. At the remote end, is 50.201.x.x a firewall (is the phone behind a NAT) or is the extension actually ‘on’ the Internet?

If the remote end extension is not getting the traffic from the server, I’d guess that the problem is the remote firewall not passing the NAT traffic correctly.

If you can, try an ‘sngrep’ to analyze the flow. I’m suspicious that you have a NAT setting that isn’t correct in the stream, and sngrep should be the easiest way to see the internals. You can do the same thing with wireshark or even tcpdump (depending on your level of ‘old-school’), so there are other tools available.


(RPG) #3

Thanks for the response. The phones are behind a NAT. I am testing phones internally. Eventually, we will have soft phones connect from externally but I need to get internal working first. Right now, I am finding two issues: 1. Most PJSIP extensions won’t register. I said most because I got to get one working once I deleted the extension from the DPMA module since I read DPMA don’t support PJSIP. So I thought I finally found the culprit. But I am wrong. I am still getting “failed to authenticate” from the log:

[2020-05-12 04:00:52] NOTICE[29387] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“TempMickey” <sip:1180@10.10.6.249>’ failed for ‘10.10.6.180:5160’ (callid: jvmuKiqgq9CmCDspQ.MC-SDzIRcCiIjy) - Failed to authenticate
[2020-05-12 04:01:08] NOTICE[5787] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“TempMickey” <sip:1180@10.10.6.249>’ failed for ‘10.10.6.180:5160’ (callid: ytWTKBIg0AjNBbBsO6Ia0xRHt58SzaFz) - Failed to authenticate
[2020-05-12 04:01:36] NOTICE[29387] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“TempMickey” <sip:1180@10.10.6.249>’ failed for ‘10.10.6.180:5160’ (callid: -TKe9YJeGjPo1-6wdknjHuYoeKSr1Af1) - Failed to authenticate
[2020-05-12 04:01:56] NOTICE[5787] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“TempMickey” <sip:1180@10.10.6.249>’ failed for ‘10.10.6.180:5160’ (callid: pJ9uvRMQNCwAO.hKwWV5Wc3.yhQAiLIK) - Failed to authenticate

  1. The phone’s IP address keeps getting banned. I would think it is because of the authentication failures. So I put the phone’s IP Address in the whitelist for now so I can fix the first issue.

These issues are something I cannot duplicate in our test environment. The phone registers fine and the IP isn’t getting banned. I compared the two but couldn’t find the difference.


(Dave Burgess) #4

Is the local LAN identified as a local network in the Integrated Firewall?

Are you using TLS or SRTP for any of this?


(RPG) #5

I only set to use UDP. TLS is set to No in Asterisk SIP Settings PJSIP. In my General tab, they are greyed out.

Where do I check this in FreePBX?


(RPG) #6

I ran ‘pjsip show endpoints’ command in the CLI. The extension 1156 is the one that is working right now. And I see that it has a line “Contact: 1156/sip:1156@10.10.6.156:5160;ob” while the other extensions that don’t work don’t have that. Would that be the reason why it isn’t registering? If so, where would I even set that? I have compared the extensions to the working ext 1156 and could not find the difference.

Endpoint: 1156/1156 Not in use 0 of inf
InAuth: 1156-auth/1156
Aor: 1156 2
Contact: 1156/sip:1156@10.10.6.156:5160;ob 1c23962606 Avail 2.357
Identify: 1156-identify/1156
Match: 0.0.0.0/0

Endpoint: 1180/1180 Unavailable 0 of inf
InAuth: 1180-auth/1180
Aor: 1180 2
Identify: 1180-identify/1180
Match: 0.0.0.0/0

Endpoint: 2156/2156 Unavailable 0 of inf
InAuth: 2156-auth/2156
Aor: 2156 2
Identify: 2156-identify/2156
Match: 0.0.0.0/0

Endpoint: 2180/2180 Unavailable 0 of inf
InAuth: 2180-auth/2180
Aor: 2180 2
Identify: 2180-identify/2180
Match: 0.0.0.0/0


(Dave Burgess) #7

It gets the contact information from the registration, so if it isn’t getting registered, it won’t show that.


(RPG) #8

We switched our phone server and DPMA module wasn’t installed on this one. I tested one PJSIP extension before I put this server live and all was good. That same PJSIP phone I tested on our test environment is also now live and is working fine. But when I added a new PJSIP extension, still getting the same issue and it won’t register.

I’m at loss. I made sure that this new extension settings matches the extension that is working. I made sure the phone settings matches the user and password of the PJSIP extension on FreePBX.

[2020-05-13 14:58:59] NOTICE[8686] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: nidl39dnW0h6D4D8I88crwsC2K-ouET9) - Failed to authenticate
[2020-05-13 14:59:20] NOTICE[8686] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: .GWQpEM8xM1vmEYGggXZA6LX.yodgjpn) - Failed to authenticate
[2020-05-13 14:59:30] VERBOSE[31326][C-0000522d] res_agi.c: queue_devstate.agi,getall,1070: Agent 1170 is static
[2020-05-13 14:59:30] VERBOSE[31326][C-0000522d] res_agi.c: queue_devstate.agi,getall,1070: Agent 1170 is assigned to queue 652
[2020-05-13 14:59:38] NOTICE[8686] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: uuj.DLu1RtY33ugJgClA6TTbVWvs1TUo) - Failed to authenticate
[2020-05-13 14:59:50] VERBOSE[31391][C-00005236] res_agi.c: queue_devstate.agi,getall,3019: Agent 1170 is static
[2020-05-13 14:59:50] VERBOSE[31391][C-00005236] res_agi.c: queue_devstate.agi,getall,3019: Agent 1170 is assigned to queue 652
[2020-05-13 14:59:54] NOTICE[2143] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: .7susbzbYxfHVa6p9-uoUQ74pf4IWkM9) - Failed to authenticate
[2020-05-13 15:00:24] NOTICE[5481] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: qW-HMV82dUlH-RQxrCc3cmGfvdas7XoP) - Failed to authenticate
[2020-05-13 15:00:35] VERBOSE[31927][C-00005247] res_agi.c: queue_devstate.agi,getall,1131: Agent 1170 is static
[2020-05-13 15:00:35] VERBOSE[31927][C-00005247] res_agi.c: queue_devstate.agi,getall,1131: Agent 1170 is assigned to queue 652
[2020-05-13 15:00:52] NOTICE[8686] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: LpHZ0towOYbkd2DCcXFGl.WPdiom2abE) - Failed to authenticate
[2020-05-13 15:00:59] VERBOSE[31999][C-00005250] res_agi.c: queue_devstate.agi,getall,3005: Agent 1170 is static
[2020-05-13 15:00:59] VERBOSE[31999][C-00005250] res_agi.c: queue_devstate.agi,getall,3005: Agent 1170 is assigned to queue 652
[2020-05-13 15:01:07] NOTICE[8686] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: ADQ3J.XL8YCpOPm5gwx.tCDl70c6FLUm) - Failed to authenticate
[2020-05-13 15:01:23] VERBOSE[32188][C-0000525b] res_agi.c: queue_devstate.agi,getall,1068: Agent 1170 is static
[2020-05-13 15:01:23] VERBOSE[32188][C-0000525b] res_agi.c: queue_devstate.agi,getall,1068: Agent 1170 is assigned to queue 652
[2020-05-13 15:01:34] NOTICE[8686] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: 8g59BM2zf-zVCiJc-aHuQzGlHzkgslxB) - Failed to authenticate
[2020-05-13 15:01:56] VERBOSE[32508][C-0000526a] res_agi.c: queue_devstate.agi,getall,3018: Agent 1170 is static
[2020-05-13 15:01:56] VERBOSE[32508][C-0000526a] res_agi.c: queue_devstate.agi,getall,3018: Agent 1170 is assigned to queue 652
[2020-05-13 15:01:56] NOTICE[5481] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: H0JctDoZFj2hi79pb0X.-Q8t6O25zlNN) - Failed to authenticate
[2020-05-13 15:02:30] NOTICE[2143] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: gfmJfKDwS-Cx2xZqop.6vR.Cv3jtHaV3) - Failed to authenticate
[2020-05-13 15:02:55] NOTICE[5481] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: Xh6yvkQUPNTh5ewBl.e-LYbygVLlNcwb) - Failed to authenticate
[2020-05-13 15:03:18] NOTICE[5481] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: rLYWhS8PV9EtH.a5qzFIzMGFLut8aoZ8) - Failed to authenticate
[2020-05-13 15:03:43] NOTICE[8686] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: 8A7juG6624TEIRe.f5hZ4iom0Mj4Q7rJ) - Failed to authenticate
[2020-05-13 15:04:14] NOTICE[8686] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: Cgp1fAB26hJIRkpROAx6Vl75td08bGEr) - Failed to authenticate
[2020-05-13 15:04:30] NOTICE[5481] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: PVRAB6e0M2a5OCERjpHENy5YXpnjkJfH) - Failed to authenticate
[2020-05-13 15:04:40] VERBOSE[1212][C-000052a8] res_agi.c: queue_devstate.agi,getall,3086: Agent 1170 is static
[2020-05-13 15:04:40] VERBOSE[1212][C-000052a8] res_agi.c: queue_devstate.agi,getall,3086: Agent 1170 is assigned to queue 652
[2020-05-13 15:04:56] NOTICE[5481] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: wYsjx6r4GTJlZsSyJpAp3dwYIXfo3NOc) - Failed to authenticate
[2020-05-13 15:05:24] NOTICE[2143] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: ftbqX2aSAoqbnFKiAnh41IJPUJIB2HOM) - Failed to authenticate
[2020-05-13 15:05:55] NOTICE[2143] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: H8T.nupKss4ur8zGm7N8tHm1eWoOJcPi) - Failed to authenticate
[2020-05-13 15:06:29] NOTICE[5481] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: W43yXGIUjTASpNijakUi7Z6CxGUrwtr.) - Failed to authenticate
[2020-05-13 15:06:53] NOTICE[8686] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: Z6gJQdgnLAOD29n7ppMtxDS3S89i1u8P) - Failed to authenticate
[2020-05-13 15:07:19] NOTICE[5481] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: Zi7.i4LfEQVwblAGSzMCIX61jfA8LLan) - Failed to authenticate
[2020-05-13 15:07:51] NOTICE[8686] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“Minnie” <sip:1170@10.10.6.249>’ failed for ‘10.10.6.170:5160’ (callid: i00Ht1DHJv-gvhLm.nIuOr4JnT3FnRUe) - Failed to authenticate

I tried to disallow all codecs and allow ulaw only for this extension. I read another forum that this had fixed his issue. Not for mine.


#9

In the extension settings on FreePBX, the SIP password is called “Secret”. Make sure that it matches what you put in the phone. If no luck, try a value that contains only letters and digits, fewer than 16 characters.


(RPG) #10

Thanks for the feedback. Yes the secret matches the phone’s ext. I copied and paste it. I made sure there aren’t extra spaces either. What’s weird is that when I tried to add a third PJSIP extension, the extension that were working stopped working. When I deleted the newly added PJSIP extension, then it made the 2nd PJSIP extension worked (the ext. 1170). The first PJSIP ext. IP address was banned, so I reset he intrusion detection. That started working again but ext. 1170 is back to where it’s at and isn’t working again. Any more suggestions?


#11

Is there any form of router/nat/vpn between these extensions and the server?


(RPG) #12

The phone server and phones that I’m testing are connected to the same router. Chan sip phones works fine. It’s just the pjsip that I started introducing that won’t work. NAT is enabled for chan SIP but I don’t see a NAT setting for PJSIP in the Advance SIP setting.