"Rejecting unknown SIP connection from PROVIDER_IP" Problem

Hi,

I have a problem only with incoming calls from a French trunk provider. I’m on FreePBX 13 Distro with Asterisk 13.

First, let me define some variables that I will use:

PROVIDER_IP = Registrar IP
PROVIDER_DOMAIN = Registrar Domain

With “Allow SIP Guests” set to “YES”, I get this message in the console for incoming calls:

Executing [s@from-sip-external:6] Log(“SIP/37.97.64.6-0000000b”, “WARNING,“Rejecting unknown SIP connection from PROVIDER_IP””) in new stack
Ext. s: “Rejecting unknown SIP connection from PROVIDER_IP

If I set “Allow Anonymous Inbound SIP Calls” to “YES”, the incoming calls are GOOD.
But for security reasons, I don’t want to set this to “YES”.

Here is my trunk definition for the incoming section:

username=trunk_test@PROVIDER_DOMAIN
type=user
secret=XXXX
outboundproxy=PROVIDER_IP
fromuser=trunk_test
fromdomain=PROVIDER_DOMAIN
context=from-trunk
host=PROVIDER_DOMAIN&PROVIDER_IP

I also have a register string which is OK. The trunk is registered correctly, and outgoing calls are GOOD.

Did you ever solve your problem? I am having a similar issue.
Thanks!

I put iptables and fail2ban in place to stop attackers.

But I have no other solution.

Please post some details:
Trunking provider?
Using registration or IP authentication?
Using pjsip or chan_sip?
Do all incoming calls fail, or only some?
On a failing call, does the reported IP address belong to the provider?

host=PROVIDER_DOMAIN&PROVIDER_IP ?

Mistake:
host=PROVIDER_DOMAIN

A domain is unlikely to resolve to a single IP.

@Stewart1

Trunking provider? Can’t reveal it
Using registration or IP authentication? registration
Using pjsip or chan_sip? chan_sip
Do all incoming calls fail, or only some? all failed
On a failing call, does the reported IP address belong to the provider? yep

@dicko I did not understand your answer.
You mean a domain can resolve to several IPs?

If you receive calls from multiple hosts in that domain, you will need a trunk for each one, then turn off anonymous.

As @dicko said, you can set up multiple trunks, one for each IP address from which the provider can send calls.

Or, you can use a single trunk and add two lines to sip_additional_custom.conf for each address; see example for provider Callcentric https://www.callcentric.com/support/device/asterisk/14 .

Or, with a single trunk, you can add some custom dial plan to distinguish your provider’s calls based on the From domain; see https://www.callcentric.com/support/device/did_trixbox .

Or, you can use pjsip. If the provider lists all his hosts in his DNS, it’s automatic. Otherwise, you can put a list of addresses or networks in the Match parameter.

@Stewart1 I never tested the PJSIP driver for a trunk. Is it supposed to work like a chan_sip trunk? Or does my provider also have to be on PJSIP?

There is no problem with pjsip at one end and chan_sip on the other. Unless your provider is quite small, he likely isn’t even using Asterisk.

If you are still in the evaluation / testing stages, I recommend that you give pjsip a try. If it works right away or with reasonable effort, stick with it. For handling calls coming from addresses other than the one to which you registered, IMO pjsip does a much better job.
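
Added example, not part of the thread: a small triage script that reads the "Rejecting unknown SIP connection" messages discussed above and separates sources inside the provider's ranges (hosts that need their own trunk or a pjsip Match entry) from everything else, so anonymous inbound SIP can stay off. The log lines, the provider range and the function names are constructed assumptions; substitute the ranges your provider publishes.

```python
import ipaddress
import re
from collections import Counter

# Message text as quoted in the thread; the address follows "from".
REJECT_RE = re.compile(r"Rejecting unknown SIP connection from ([0-9A-Fa-f:.]+)")

# Assumption: the provider's published signalling ranges (documentation range here).
PROVIDER_NETWORKS = ["192.0.2.0/28"]

# Constructed sample log lines, not taken from a real system.
SAMPLE_LOG = """\
[2017-03-01 10:00:01] WARNING[2101][C-0000000b]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 192.0.2.10"
[2017-03-01 10:02:13] WARNING[2107][C-0000000c]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 203.0.113.77"
[2017-03-01 10:02:14] WARNING[2108][C-0000000d]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 203.0.113.77"
[2017-03-01 10:05:40] WARNING[2110][C-0000000e]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 192.0.2.11"
[2017-03-01 10:06:02] NOTICE[2111]: chan_sip.c: Peer 'trunk_test' is now Reachable
[2017-03-01 10:07:19] WARNING[2113][C-0000000f]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 192.0.2.10"
[2017-03-01 10:09:55] WARNING[2115][C-00000010]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 203.0.113.77"
[2017-03-01 10:11:03] WARNING[2117][C-00000011]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 192.0.2.40"
"""

def triage(log_text, provider_networks):
    """Return (provider_hits, other_hits): Counters of rejected source addresses."""
    nets = [ipaddress.ip_network(n) for n in provider_networks]
    provider, other = Counter(), Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1).rstrip("."))
        except ValueError:
            continue  # placeholder or garbled address: skip rather than guess
        bucket = provider if any(addr in n for n in nets) else other
        bucket[str(addr)] += 1
    return provider, other

def match_value(provider_hits):
    """Comma-separated address list, e.g. for the pjsip trunk's Match parameter."""
    def key(a):
        ip = ipaddress.ip_address(a)
        return (ip.version, int(ip))
    return ",".join(sorted(provider_hits, key=key))

if __name__ == "__main__":
    provider, other = triage(SAMPLE_LOG, PROVIDER_NETWORKS)
    print("provider hosts lacking a matching trunk:", match_value(provider))
    print("other sources (leave rejected):", dict(other))
```

Addresses in the first bucket are the ones that need a trunk or Match entry; the second bucket should stay rejected and remains a matter for iptables and fail2ban.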