SIP Trunk issue

I’m having intermittent issues where SIP trunk calls aren’t making it through. Upon speaking to the provider they said that they can see a 401 unauthorised request, then eventually responds with 500 no gateway error. But the calls mostly come through but do this intermittently. Is there a way I can confirm if this is happening on the freepbx server or at firewall level?

I suspect the 500 is a red herring, because it is on the upstream side of the provider (you can’t have response codes going in both directions).

If you are sending them 401, it is either because they are not being recognized by your Asterisk, or because you have both-way authentication set, when providers normally expect you to only have outbound authentication set.

Whilst you should be using chan_pjsip, could you please confirm you are not using chan_sip.

You can confirm who is sending 401 from the Asterisk logs, particularly if you enable protocol logging/debugging (details depend on the channel driver: CLI sip set debug on, or CLI: pjsip set logger on).

The 401 is definitely being generated by freepbx. I’m not sure about chan_pjsip, my freepbx system is very old and probably a legacy version. I do plan to upgrade to latest version some time in the next few months. How can I prevent freepbx from throwing 401 errors? I have the inbound firewall rules set to only allow the sip trunk provider, so can I not just allow all?

Also don’t understand why it’s intermittently denying it. Mostly works then intermittently getting this issue

If my freepbx server is giving this error to the trunk provider trying to forward to call. Status-Line: SIP/2.0 401 Unauthorized

Could I whitelist the IP address under the intrusion detection section? I can see the IP address the call is coming from, so if I whitelist that IP, should it prevent the 401 issue? or is the intrusion detection whitelist something else?

Where on freepbx can I whitelist IP addresses in ranges so that it doesn’t give this 401 error?

SIP 401 is not about IP address, it means that your carrier is denying that call, in your case, you

401 is not an error. It is a request to authenticate.

If a request comes from an unexpected address, and you don’t allow unknown callers, a dummy challenge will be generated so that the attacker doesn’t know whether or not the endpoint they specified is valid.

This can happen, with chan_sip, if the peer uses a range of addresses. chan_pjsip can specify ranges of addresses.

It could also happen if you specify secret, but not insecure=invite, for chan_sip, or auth, rather than outbound auth, with chan_pjsip.
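Added example, not part of any post in this thread: one way to check from captured `sip set debug on` output whether the 401 challenges to INVITEs are going to provider addresses (the PBX did not match that source to the trunk, or inbound auth is set) or only to unknown senders. The banner format is assumed from chan_sip's debug output with IPv4 peers; the provider range, function names and sample log are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the provider's published signalling ranges (documentation addresses here).
PROVIDER_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/28",)]

# Banner lines chan_sip prints before each packet with "sip set debug on" (IPv4 only).
BANNER = re.compile(
    r"<--- (?:SIP read from \w+:(?P<rx>[\d.]+):\d+"
    r"|(?:Reliably )?Transmitting \((?:no )?NAT\) to (?P<tx>[\d.]+):\d+) --->")

def packets(log_text):
    """Yield (direction, remote_ip, lines) for each packet in the debug output."""
    current = None
    for raw in log_text.splitlines():
        m = BANNER.search(raw)
        if m:
            if current:
                yield current
            current = ("rx" if m.group("rx") else "tx", m.group("rx") or m.group("tx"), [])
        elif current and raw.strip():
            current[2].append(raw.strip())
    if current:
        yield current

def challenged_invites(log_text, provider_nets=PROVIDER_NETS):
    """Count 401 replies this PBX sent to INVITEs, split by provider vs other source."""
    counts = {"provider": Counter(), "other": Counter()}
    for direction, ip, lines in packets(log_text):
        is_401 = direction == "tx" and lines and lines[0].startswith("SIP/2.0 401")
        if not is_401 or not any(re.match(r"CSeq:\s*\d+\s+INVITE", l, re.I) for l in lines):
            continue
        addr = ipaddress.ip_address(ip)
        side = "provider" if any(addr in net for net in provider_nets) else "other"
        counts[side][ip] += 1
    return counts

# Constructed sample, not taken from the thread.
SAMPLE_LOG = """\
<--- SIP read from UDP:198.51.100.5:5060 --->
INVITE sip:441234567890@192.0.2.10 SIP/2.0
<--- Transmitting (no NAT) to 198.51.100.5:5060 --->
SIP/2.0 401 Unauthorized
CSeq: 101 INVITE
<--- Transmitting (no NAT) to 192.0.2.77:5071 --->
SIP/2.0 401 Unauthorized
CSeq: 1 INVITE
"""
```

Entries under `provider` are the provider source addresses to compare against the host configured on the trunk peer; entries under `other` are unknown senders being challenged.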

@david55 I’m pretty sure it’s because the peer uses a range of addresses. My legacy version I don’t believe supports pjsip.

What I’ve temporarily done, and so far it seems to be ok but not sure if it’s actually fixed the issue as the problem was very intermittent, is that as well as having a firewall rule on the main firewall to only allow the IP addresses from the SIP provider, I also went to the SIP settings on freepbx and set the following:

Allow SIP Guests = NO
Allow Anonymous Inbound SIP Calls = YES

I don’t know what SIP Guests are and I don’t want to risk something being able to call from my system, so I kept that SIP guests off. But in regards to the allow anonymous inbound SIP calls, I turned that to YES because from what I read it basically should accept all inbound calls sent to it and as long as I have no ANY inbound routes set then technically unless someone knows what inbound number to call then they won’t really get through to any of the extensions.

Is my understanding of the anonymous inbound sip calls correct? Technically if this alone is set to yes, it should prevent a 401 response? because then essentially freepbx is allowing everything inbound

Easy fix for chan_sip is to add your domain to

/etc/asterisk/sip_general_custom.conf

domain=your.domain.tld

then only invites from that domain will be accepted, even if anonymous and guest calls are allowed.

If I add domain for chan_sip does that mean I will need to make all my phones use the domain name as the host for registration? Currently all my phones’ sip settings are pointing to the IP address

Can you kindly explain the domain solution? My sip provider currently sends all calls to my IP address but the provider has lots of different IP addresses that they send traffic from, does that mean I will need to tell them to send it to the fqdn that I map to the IP address? And then firewall restricting their IP won’t be needed? I’m assuming the hostname should be something not easily guessable? because surely the spammers can just connect via hostname too?

Both must be on. Allow Guests is the Asterisk level option. If it is off, “anonymous” callers will be rejected early, typically with a faked authentication failure. Allow Anonymous is a FreePBX level thing that decides whether guests should be sent to a voice announcement or treated as valid PSTN calls.
