Revised: 401 Unauthorized Message

I previously posted a question regarding a 401 Unauthorized message I was receiving when making calls.

I have posted this new question because I have included the trace.

We are soon to upgrade our old Elastix PBX system to FreePBX v14.0.1.20 with Asterisk v 13.18.2. We switched to the other morning before working hours and we noticed we could make a call from externally to internally (mobile device to the office phone). We are getting a 401 Unauthorized message in the trace. The following is a trace from our older PBX.

<--- Transmitting (NAT) to IPADDRESS:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP IPADDRESS;branch=z9hG4bK6e429f396;received=IPADDRESS;rport=5060
From: 7156 sip:7156@IPADDRESS:5060;tag=b9107268fd2f878
To: 7156 sip:7156@IPADDRESS:5060;tag=as3b512a32
Call-ID: ee6da8be44c0e0c8572afeaa6cb99d9a@IPADDRESS
CSeq: 914755488 REGISTER
Server: FPBX-2.8.1(1.8.20.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="64e4254f"
Content-Length: 0

SIP SETTINGS:
[Main-Timico-Trunk]
type=peer
directmedia=no
t38pt_udptl=no
transport=udp
host=IP_ADDRESS
port=5060
defaultuser=TimicoSIP
sendrpid=pai
disallowed_methods=UPDATE
nat=force_rport,comedia
secret=
insecure=invite
allow=alaw
allow=ulaw
allow=gsm
fromdomain=IP_ADDRESS
context=from-trunk-sip-Main-Timico-Trunk

Contents from sip_general_additional.conf:
accept_outofcall_message=yes
auth_message_requests=no
outofcall_message_context=dpma_message_context
faxdetect=no
vmexten=*97
useragent=FPBX-14.0.1.20(13.18.2)
disallow=all
allow=ulaw
allow=gsm
allow=alaw
context=from-sip-external
callerid=Unknown
notifyringing=yes
notifyhold=yes
tos_sip=cs3
tos_audio=ef
tos_video=af41
alwaysauthreject=yes
limitonpeers=yes
context=from-sip-external
callerid=Unknown
tcpenable=no
callevents=yes
bindport=5160
jbenable=no
checkmwi=10
maxexpiry=3600
minexpiry=60
srvlookup=no
allowguest=yes
notifyhold=yes
rtptimeout=30
canreinvite=no
rtpkeepalive=0
videosupport=no
defaultexpiry=120
notifyringing=yes
maxcallbitrate=384
rtpholdtimeout=300
g726nonstandard=no
registertimeout=20
registerattempts=0
nat=force_rport,comedia
ALLOW_SIP_ANON=no
tlsbindaddr=[::]:5161
externip=IP_ADDRESS
localnet=IP_ADDRESS/IP_ADDRESS
localnet=IP_ADDRESS/IP_ADDRESS
language=en

I have tried everything that was mentioned in the previous question I posted, nothing works. I have searched Google, forums, Asterisk, PBX. I can’t find anything to resolve this problem.

You do know that the first 401 is the start of the authentication process, right? It’s supposed to be there.

Hi Dave,

No, I did not know that, thank you. Could I ask please why? Also, we are still unable to make external -> internal calls, and Timico, our provider, believe it’s because of this?

Timico has mentioned this 401 message to me, they have told me they are “sending traffic to the new IP, however, the PBX is responding with a 401 - unauthorised message. Is there a way in which you can check and turn any registrations off?”. I have no idea what they are talking about with regards to “registrations”. I have contacted them and of course, they haven’t responded. Thus the reason I’m asking the community.

Could you shed any light on this, please?

401 unauthorized is part of a normal call flow. When a server receives a SIP invite, it sends back a 401 to challenge for a revised invite containing authentication.
Watch this video on SIP call flow to understand:

As to why your server is sending a 401, I don’t know; the setting “insecure=invite” in your trunk peer details means that it should not send a 401.

@avayax - thank you for the video. I now understand. I would just like to know, however, when I make a call externally into the office, I do not receive the 401 message? Also, I’ve been reading online that my problem is to do with the “insecure=invite”. I’ve tried many different configurations, and I haven’t had any success.

Same if you try insecure=port,invite?
And type=friend (instead of peer)?

@avayax - thank you for the suggestion. I’m afraid I can’t try out your recommended configuration. I can only perform the test before office hours, so I’ll have to do it before 8 am. It’s very difficult for me to test all these different configurations, as we don’t have an additional line. So all the tests I run, I have to switch over to the newer upgraded PBX system, and be performed before people arrive in the office.

peer is the correct type for this kind of trunk.

In /var/log/asterisk/full, do you see which peer is being matched for the incoming call? It could be that Asterisk is matching the call against a different peer or user in your configuration. Your SIP trace shows the call coming from “7156” to “7156” - is 7156 one of your extensions? If so, Asterisk will match that first and assume it’s an internal user trying to make a call, and challenge for password.

@billsimon - 7156 is one of my extensions. Could you please elaborate whether “Asterisk is matching the call against a different peer or user in your configuration”?

Never mind. You misled us by showing us a 401 response to a register request, not a call. Please show some relevant logs from an incoming call.

The point I was getting at is described here: http://www.astblog.com/2011/10/21/how-does-asterisk-match-sip-userspeers-in-sipconf/

If calls come to you with a From address that looks like one of your users (extensions), then Asterisk will think it is one of your phones and challenge for a password as usual.
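
The two things the last replies turn on, which request a 401 answers (the CSeq method) and whether the From user is one of the local extensions, can be read mechanically from a trace. The following is an added example, not code from the thread or from Asterisk/FreePBX; the sample message is constructed from the posted trace with 192.0.2.10 as a placeholder for the redacted address, and `parse_response`, `classify_401` and `local_extensions` are hypothetical names.

```python
import re

# Constructed sample based on the posted trace; 192.0.2.10 is a placeholder
# for the redacted IPADDRESS.
SAMPLE_401 = """\
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK6e429f396;received=192.0.2.10;rport=5060
From: 7156 <sip:7156@192.0.2.10:5060>;tag=b9107268fd2f878
To: 7156 <sip:7156@192.0.2.10:5060>;tag=as3b512a32
Call-ID: ee6da8be44c0e0c8572afeaa6cb99d9a@192.0.2.10
CSeq: 914755488 REGISTER
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="64e4254f"
Content-Length: 0
"""

def parse_response(text):
    """Split a SIP response into (status code, {lower-cased header: value})."""
    lines = [l.strip() for l in text.strip().splitlines()]
    m = re.match(r"SIP/2\.0 (\d{3}) ", lines[0])
    if not m:
        raise ValueError("not a SIP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # a blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers

def classify_401(text, local_extensions):
    """Report what a 401 was answering and whether From looks like a local user."""
    status, h = parse_response(text)
    if status != 401:
        return {"status": status, "challenge": False}
    cseq = h.get("cseq", "").split()
    method = cseq[-1].upper() if cseq else None  # REGISTER or INVITE
    m = re.search(r"sips?:([^@;>\s]+)@", h.get("from", ""))
    from_user = m.group(1) if m else None
    return {
        "status": status,
        "challenge": "www-authenticate" in h,
        "method": method,
        "is_call": method == "INVITE",
        "from_user": from_user,
        "from_is_local_extension": from_user in local_extensions,
    }
if __name__ == "__main__":
    print(classify_401(SAMPLE_401, {"7156"}))
```

Run against a trace of an actual inbound call, `is_call` should be true; if `from_is_local_extension` is also true, the matching behaviour described in the last reply is the likely reason for the password challenge.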