Trunk to Trunk Extension SIP 401 Unauthorized

Dear Sirs,

    PBX A - extensions with 1XX
    10.7.208.245 FreePBX 6 with Asterisk 11.20.0
    |
    |OpenVPN tunnel 10.7.218.3 gw
    |
    PBX B - extensions with 2XX
    10.7.218.245 FreePBX 10.13.66-11 Asterisk 13.7.1

The PBXs are configured as trunks:

    [toPBX_B]
    host=10.7.218.245
    type=peer
    insecure=port,invite
    context=from-internal

    [toPBX_A]
    disallow=all
    host=10.7.208.245
    type=peer
    allow=ulaw,alaw
    nat=no
    insecure=port,invite
    context=from-internal

I can call from extension 250 of PBX_B to extension 150 of PBX_A, but not from A to B.
I’ve enabled sip debug and I get a SIP message of 401 Unauthorized.

    PBX_SL*CLI> sip set debug on
    SIP Debugging enabled

    <--- SIP read from UDP:10.7.218.3:5060 --->
    jaK
    <------------->

    <--- SIP read from UDP:10.7.218.3:1032 --->
    INVITE sip:[email protected] SIP/2.0
    Via: SIP/2.0/UDP 10.7.208.245:5060;branch=z9hG4bK67dbeed4
    Max-Forwards: 70
    From: "Chiara" sip:[email protected];tag=as133484b1
    To: sip:[email protected]
    Contact: sip:[email protected]:5060
    Call-ID: [email protected]:5060
    CSeq: 102 INVITE
    User-Agent: FPBX-12.0.76.2(11.20.0)
    Date: Fri, 18 Nov 2016 14:18:08 GMT
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
    Supported: replaces, timer
    Content-Type: application/sdp
    Content-Length: 405

    v=0
    o=root 2054851614 2054851614 IN IP4 10.7.208.245
    s=Asterisk PBX 11.20.0
    c=IN IP4 10.7.208.245
    t=0 0
    m=audio 15042 RTP/AVP 18 0 8 111 3 4 101
    a=rtpmap:18 G729/8000
    a=fmtp:18 annexb=no
    a=rtpmap:0 PCMU/8000
    a=rtpmap:8 PCMA/8000
    a=rtpmap:111 G726-32/8000
    a=rtpmap:3 GSM/8000
    a=rtpmap:4 G723/8000
    a=fmtp:4 annexa=no
    a=rtpmap:101 telephone-event/8000
    a=fmtp:101 0-16
    a=ptime:20
    a=sendrecv
    <------------->
    --- (14 headers 18 lines) ---
    Sending to 10.7.218.3:1032 (NAT)
    Sending to 10.7.218.3:1032 (NAT)
    Using INVITE request as basis request - [email protected]:5060
    No matching peer for '105' from '10.7.218.3:1032'

    <--- Reliably Transmitting (NAT) to 10.7.218.3:1032 --->
    SIP/2.0 401 Unauthorized
    Via: SIP/2.0/UDP 10.7.208.245:5060;branch=z9hG4bK67dbeed4;received=10.7.218.3;rport=1032
    From: "Chiara" sip:[email protected];tag=as133484b1
    To: sip:[email protected];tag=as62357378
    Call-ID: [email protected]:5060
    CSeq: 102 INVITE
    Server: FPBX-13.0.190.2(13.7.1)
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
    Supported: replaces, timer
    WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="614cf9be"
    Content-Length: 0

    <------------>
    Scheduling destruction of SIP dialog '[email protected]:5060' in 32000 ms (Method: INVITE)

    <--- SIP read from UDP:10.7.218.3:1032 --->
    ACK sip:[email protected] SIP/2.0
    Via: SIP/2.0/UDP 10.7.208.245:5060;branch=z9hG4bK67dbeed4
    Max-Forwards: 70
    From: "Chiara" sip:[email protected];tag=as133484b1
    To: sip:[email protected];tag=as62357378
    Contact: sip:[email protected]:5060
    Call-ID: [email protected]:5060
    CSeq: 102 ACK
    User-Agent: FPBX-12.0.76.2(11.20.0)
    Content-Length: 0

    <------------->
    --- (10 headers 0 lines) ---

    <--- SIP read from UDP:10.7.218.3:5060 --->
    jaK

How can I allow PBX B to call its extensions from PBX_A extensions?

Should we assume your inbound and outbound routes are all set up correctly?

I’m going to guess there’s a disconnect in the “from-internal” context from the old to the new Asterisk.

You might also consider using “type=friend” to facilitate bi-directional connections on your trunks.

Yes, outbound and inbound routes are fine; it was all up and running until now, when we changed the VPN router, moving from pfSense to MikroTik. The Unauthorized message is new.

I believed that type=peer doesn’t bother about authentication; however, I will also try with friend.

If the one thing that was changed was the router, one would think that you might want to look at that first…

If it was working before and doesn’t work now, I doubt that it’s a problem in the PBX. I did notice that you have NAT turned on at both ends, even though there shouldn’t be any NAT between the servers; at least, I don’t think there should be. The VPN routing should handle the traffic, so NAT shouldn’t be needed there. Note that turning NAT on when you don’t need it, especially in a case where there actually isn’t any network translation, shouldn’t make the connection not work - it would mean the NAT address and the server address should be the same.

The unauthorized command response means that something about the connections is unhappy. Rather than a SIP debug, take a look at the /var/log/asterisk/full log and see if there’s anything that points to the strange in there.

Disabling NAT on the gateway solved the issue!
Thanks, BR
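
The symptom resolved above is visible in the debug output itself: the INVITE's Via header names 10.7.208.245, but the packet arrives from 10.7.218.3, so the IP-matched trunk (`host=10.7.208.245`) is not found and the call is challenged with a 401. The following Python check is an added example, not part of any post in the thread; it scans chan_sip debug text for requests whose packet source differs from the topmost Via address, and the function name, the `PEER_HOSTS` mapping and the sample text are assumptions made for illustration.

```python
import re

# Constructed sample, abridged from the debug output in the thread; the request
# URI is constructed because the page's copy is obfuscated.
SAMPLE_DEBUG = """\
<--- SIP read from UDP:10.7.218.3:5060 --->
jaK
<------------->
<--- SIP read from UDP:10.7.218.3:1032 --->
INVITE sip:250@10.7.218.245 SIP/2.0
Via: SIP/2.0/UDP 10.7.208.245:5060;branch=z9hG4bK67dbeed4
CSeq: 102 INVITE
<------------->
No matching peer for '105' from '10.7.218.3:1032'
"""

# host= values of the IP-matched trunks on the receiving PBX (from the thread's config).
PEER_HOSTS = {"toPBX_A": "10.7.208.245"}

READ_RE = re.compile(r"^<-+ SIP read from \w+:([\d.]+):(\d+) -+>$")
REQUEST_RE = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+)", re.IGNORECASE)

def find_rewritten_sources(debug_text, peer_hosts):
    """Flag requests whose packet source IP differs from the topmost Via sent-by IP."""
    findings = []
    src = method = None
    for raw in debug_text.splitlines():
        line = raw.strip()
        if (m := READ_RE.match(line)):
            src, method = (m.group(1), int(m.group(2))), None   # start of a new packet
        elif src and method is None and line:
            # First line of the packet: responses and keepalive junk are not checked.
            m = REQUEST_RE.match(line)
            method, src = (m.group(1), src) if m else (None, None)
        elif src and method and (m := VIA_RE.match(line)):
            sent_by = m.group(1)
            if sent_by != src[0]:
                findings.append({
                    "method": method,
                    "packet_source": f"{src[0]}:{src[1]}",
                    "via_sent_by": sent_by,
                    "intended_peer": [n for n, h in peer_hosts.items() if h == sent_by],
                    "source_matches_peer": src[0] in peer_hosts.values(),
                })
            src = None   # only the topmost Via identifies the last hop
    return findings

if __name__ == "__main__":
    print(find_rewritten_sources(SAMPLE_DEBUG, PEER_HOSTS))
```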