Unable to get incoming calls through SIP trunks. Getting error SIP/2.0 401 Unauthorized

Hi Experts,

I am unable get incoming calls from another phone system which does not register with USername or passwords. The Asterisk system is able to make outgoing calls to the same system. But for an incoming call, it wants the other system to be authenticated. I have got all the settings required for no authentication, but still it seems to be not helping. Anyone who would be able to help me with this ?

Trunk Configuration :-

host=20.1.1.170
type=friend
port=5060
insecure=invite,port
allow=ulaw
disallow=all
context=from-trunk

Even after these settings, I get the following message

<— SIP read from UDP:20.1.1.170:5060 —>
INVITE sip:[email protected]:5060 SIP/2.0
Via: SIP/2.0/UDP 20.1.1.170:5060;branch=z9hG4bK3477e7a810237
From: sip:[email protected];tag=704850~4ab333c0-314e-1172-16a8-eca8c1530263-31438422
To: sip:[email protected]
Date: Thu, 03 Sep 2015 19:24:58 GMT
Call-ID: [email protected]
Supported: timer,resource-priority,replaces
Min-SE: 1800
User-Agent: Cisco-CUCM10.5
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY
CSeq: 101 INVITE
Expires: 180
Allow-Events: presence
Supported: X-cisco-srtp-fallback,X-cisco-original-called
Cisco-Guid: 1970103936-0000065536-0000002259-2852192532
Session-Expires: 1800
P-Asserted-Identity: sip:[email protected]
Remote-Party-ID: sip:[email protected];party=calling;screen=yes;privacy=off
Contact: sip:[email protected]:5060;bfcp
Max-Forwards: 69
Content-Type: application/sdp
Content-Length: 198

v=0
o=CiscoSystemsCCM-SIP 704850 1 IN IP4 20.1.1.170
s=SIP Call
c=IN IP4 20.1.1.170
t=0 0
m=audio 25332 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
<------------->
— (22 headers 9 lines) —
Sending to 20.1.1.170:5060 (NAT)
Sending to 20.1.1.170:5060 (NAT)
Using INVITE request as basis request - [email protected]
Found peer ‘2723’ for ‘2723’ from 20.1.1.170:5060

<— Reliably Transmitting (NAT) to 20.1.1.170:5060 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 20.1.1.170:5060;branch=z9hG4bK3477e7a810237;received=20.1.1.170;rport=5060
From: sip:[email protected];tag=704850~4ab333c0-314e-1172-16a8-eca8c1530263-31438422
To: sip:[email protected];tag=as521e3e81
Call-ID: [email protected]
CSeq: 101 INVITE
Server: FPBX-12.0.76(11.19.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm=“asterisk”, nonce="4be878a6"
Content-Length: 0

Any help on this would be great !

Thanks,

should be

disallow=all
allow=ulaw

(last guy wins . . .)

Turn on ‘Allow Sip Guest Connections’ in Asterisk SIP Settings.

It’s off by default, so that all connections require auth.

Hi dicko,

Thanks for pointing that out. Changed it, does not seem to work though. If the issue was because of the media, it would throw “488 Media not acceptable”. But it always throws 401 message. Is there something else i am missing ?

The new peer connection details are below :-

host=20.1.1.170
type=friend
port=5060
insecure=port,invite
nat=no
disallow=all
allow=ulaw,alaw
qualify=yes
canreinvite=yes

Thanks a lot !

401 is “unauthorized” do what @xrobau says also . You need both to go forward.

You should not need qualify=yes, that is unnecessary but harmless

Hi xrobau,

Thank You so much !

I checked that setting, it is set to Yes only. I reloaded and tried the call again, it did not work. Also changed the “Allow Anonymous Inbound SIP Calls” to yes.

<— SIP read from UDP:20.1.1.170:5060 —>
INVITE sip:[email protected]:5060 SIP/2.0
Via: SIP/2.0/UDP 20.1.1.170:5060;branch=z9hG4bK34c4443d3f79d
From: sip:[email protected];tag=707959~4ab333c0-314e-1172-16a8-eca8c1530263-31438848
To: sip:[email protected]
Date: Fri, 04 Sep 2015 02:29:48 GMT
Call-ID: [email protected]
Supported: timer,resource-priority,replaces
Min-SE: 1800
User-Agent: Cisco-CUCM10.5
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY
CSeq: 101 INVITE
Expires: 180
Allow-Events: presence
Supported: X-cisco-srtp-fallback,X-cisco-original-called
Cisco-Guid: 3467033472-0000065536-0000002300-2852192532
Session-Expires: 1800
P-Asserted-Identity: sip:[email protected]
Remote-Party-ID: sip:[email protected];party=calling;screen=yes;privacy=off
Contact: sip:[email protected]:5060;bfcp
Max-Forwards: 69
Content-Type: application/sdp
Content-Length: 198

v=0
o=CiscoSystemsCCM-SIP 707959 1 IN IP4 20.1.1.170
s=SIP Call
c=IN IP4 20.1.1.170
t=0 0
m=audio 25376 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
<------------->
— (22 headers 9 lines) —
Sending to 20.1.1.170:5060 (NAT)
Sending to 20.1.1.170:5060 (NAT)
Using INVITE request as basis request - [email protected]
Found peer ‘2723’ for ‘2723’ from 20.1.1.170:5060

<— Reliably Transmitting (NAT) to 20.1.1.170:5060 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 20.1.1.170:5060;branch=z9hG4bK34c4443d3f79d;received=20.1.1.170;rport=5060
From: sip:[email protected];tag=707959~4ab333c0-314e-1172-16a8-eca8c1530263-31438848
To: sip:[email protected];tag=as1af56f08
Call-ID: [email protected]
CSeq: 101 INVITE
Server: FPBX-12.0.76(11.19.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm=“asterisk”, nonce="03bb56ba"
Content-Length: 0

Really confused what i am missing. Is there any other logging i can enable to get more details on this ?

Thank You,

Normally the best thing to do is this:

Then have a look in /var/log/asterisk/full.(a number) for the complete log file. It will have masses of debug, explaining why things didn’t work the way you expected them to.

Thank you xrobau,

Did that and see this, but i am not sure why it is still saying unauthorized.

[2015-09-03 23:36:11] DEBUG[1654] acl.c: For destination ‘20.1.1.170’, our source address is ‘20.1.1.58’.
[2015-09-03 23:36:11] DEBUG[1654] chan_sip.c: Setting SIP_TRANSPORT_UDP with address 20.1.1.58:5060
[2015-09-03 23:36:11] DEBUG[1654] chan_sip.c: SIP call-id changed from ‘[email protected]:5060’ to ‘[email protected]:5060’
[2015-09-03 23:36:11] DEBUG[1654] chan_sip.c: Initializing initreq for method OPTIONS - callid [email protected]:5060
[2015-09-03 23:36:11] DEBUG[1654] chan_sip.c: Trying to put ‘OPTIONS sip’ onto UDP socket destined for 20.1.1.170:5060
[2015-09-03 23:36:11] DEBUG[1654] chan_sip.c: = Looking for Call ID: [email protected]:5060 (Checking To) --From tag as1614a3fe --To-tag 312229329
[2015-09-03 23:36:11] DEBUG[1654] chan_sip.c: Stopping retransmission on ‘[email protected]:5060’ of Request 102: Match Found
[2015-09-03 23:36:11] DEBUG[1654] chan_sip.c: Destroying SIP dialog [email protected]:5060
[2015-09-03 23:36:11] DEBUG[1654] chan_sip.c: = Looking for Call ID: [email protected] (Checking From) --From tag 708957~4ab333c0-314e-1172-16a8-eca8c1530263-31438922 --To-tag
[2015-09-03 23:36:11] DEBUG[1654] acl.c: For destination ‘20.1.1.170’, our source address is ‘20.1.1.58’.
[2015-09-03 23:36:11] DEBUG[1654] chan_sip.c: Setting SIP_TRANSPORT_UDP with address 20.1.1.58:5060
[2015-09-03 23:36:11] DEBUG[1654] netsock2.c: Splitting ‘20.1.1.170:5060’ into…
[2015-09-03 23:36:11] DEBUG[1654] netsock2.c: …host ‘20.1.1.170’ and port ‘5060’.
[2015-09-03 23:36:11] DEBUG[1654] chan_sip.c: Allocating new SIP dialog for [email protected] - INVITE (No RTP)
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] chan_sip.c: **** Received INVITE (5) - Command in SIP INVITE
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] sip/reqresp_parser.c: Begin: parsing SIP “Supported: timer,resource-priority,replaces”
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] sip/reqresp_parser.c: Found SIP option: -timer-
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] sip/reqresp_parser.c: Matched SIP option: timer
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] sip/reqresp_parser.c: Found SIP option: -resource-priority-
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] sip/reqresp_parser.c: Matched SIP option: resource-priority
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] sip/reqresp_parser.c: Found SIP option: -replaces-
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] sip/reqresp_parser.c: Matched SIP option: replaces
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] sip/reqresp_parser.c: Begin: parsing SIP “Supported: X-cisco-srtp-fallback,X-cisco-original-called”
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] sip/reqresp_parser.c: Found SIP option: -X-cisco-srtp-fallback-
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] sip/reqresp_parser.c: Found private SIP option, not supported: X-cisco-srtp-fallback
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] sip/reqresp_parser.c: Found SIP option: -X-cisco-original-called-
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] sip/reqresp_parser.c: Found private SIP option, not supported: X-cisco-original-called
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] netsock2.c: Splitting ‘20.1.1.170:5060’ into…
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] netsock2.c: …host ‘20.1.1.170’ and port ‘5060’.
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] netsock2.c: Splitting ‘20.1.1.170’ into…
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] netsock2.c: …host ‘20.1.1.170’ and port ‘’.
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] chan_sip.c: Trying to put ‘SIP/2.0 401’ onto UDP socket destined for 20.1.1.170:5060
[2015-09-03 23:36:11] DEBUG[1654] chan_sip.c: = Looking for Call ID: [email protected] (Checking From) --From tag 708957~4ab333c0-314e-1172-16a8-eca8c1530263-31438922 --To-tag as70bdad33
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] chan_sip.c: **** Received ACK (6) - Command in SIP ACK
[2015-09-03 23:36:11] DEBUG[1654][C-0000001b] chan_sip.c: Stopping retransmission on ‘[email protected]’ of Response 101: Match Found

=============================================================

i should just take a break and concentrate on something else for a while.

thanks a lot for your helP !

There’s much more to the log than that.

Hi All,

I was able to fix the problem with the help of Asterisk Team. Thanks a ton to them and to you all for your replies and inputs.It seems the calls were not getting completed because of my extensions having secret. But the logs from the Asterisk were mis-leading, since according to it, the other PBX needed authentication to complete the call.

Non-working call :-

CUCM ----(SIP Trunk)---- Asterisk

        ------------> Invite
       <-----------  401 Unauthorised
        ------------> ACK

This is mis-leading, and makes us think that CUCM needs authentication to complete the call. Below are the exact SIP messages from the SIP dialog for the non-working call.

<— SIP read from UDP:20.1.1.170:5060 —>
INVITE sip:[email protected]:5060 SIP/2.0
Via: SIP/2.0/UDP 20.1.1.170:5060;branch=z9hG4bK36a362292c0ca
From: sip:[email protected];tag=730648~4ab333c0-314e-1172-16a8-eca8c1530263-31440129
To: sip:[email protected]
Date: Sun, 06 Sep 2015 09:45:57 GMT
Call-ID: [email protected]
Supported: timer,resource-priority,replaces
Min-SE: 1800
User-Agent: Cisco-CUCM10.5
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY
CSeq: 101 INVITE
Expires: 180
Allow-Events: presence
Supported: X-cisco-srtp-fallback,X-cisco-original-called
Cisco-Guid: 0292208128-0000065536-0000002366-2852192532
Session-Expires: 1800
P-Asserted-Identity: sip:[email protected]
Remote-Party-ID: sip:[email protected];party=calling;screen=yes;privacy=off
Contact: sip:[email protected]:5060;bfcp
Max-Forwards: 69
Content-Type: application/sdp
Content-Length: 198

v=0
o=CiscoSystemsCCM-SIP 730648 1 IN IP4 20.1.1.170
s=SIP Call
c=IN IP4 20.1.1.170
t=0 0
m=audio 25502 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
<------------->
— (22 headers 9 lines) —
Sending to 20.1.1.170:5060 (no NAT)
Sending to 20.1.1.170:5060 (no NAT)
Using INVITE request as basis request - [email protected]
Found peer ‘2723’ for ‘2723’ from 20.1.1.170:5060

<— Reliably Transmitting (NAT) to 20.1.1.170:5060 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 20.1.1.170:5060;branch=z9hG4bK36a362292c0ca;received=20.1.1.170;rport=5060
From: sip:[email protected];tag=730648~4ab333c0-314e-1172-16a8-eca8c1530263-31440129
To: sip:[email protected];tag=as37a2e028
Call-ID: [email protected]
CSeq: 101 INVITE
Server: FPBX-12.0.76(11.19.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm=“asterisk”, nonce="716cae18"
Content-Length: 0

<------------>
Scheduling destruction of SIP dialog ‘[email protected]’ in 25472 ms (Method: INVITE)

e[Kknaufsappdc*CLI>
e[0K
<— SIP read from UDP:20.1.1.170:5060 —>
ACK sip:[email protected]:5060 SIP/2.0
Via: SIP/2.0/UDP 20.1.1.170:5060;branch=z9hG4bK36a362292c0ca
From: sip:[email protected];tag=730648~4ab333c0-314e-1172-16a8-eca8c1530263-31440129
To: sip:[email protected];tag=as37a2e028
Date: Sun, 06 Sep 2015 09:45:57 GMT
Call-ID: [email protected]
User-Agent: Cisco-CUCM10.5
Max-Forwards: 70
CSeq: 101 ACK
Allow-Events: presence
Content-Length: 0

<------------->

======================================================================================

But according to Asterisk, the call was not getting completed because of SECRET configuration in the extensions. As soon i removed the SECRET configuration on the Extension (being called) on the Asterisk, the call completed just fine without any issue. I also did not have to configure “insecure=invite,port” attributes on the SIP trunk.

Below is the final configuration, with which the calls worked :-

1. On the SIP trunk :- ((I am also not sure, if all the attributes are needed in the trunk, since those were added on hit and trial basis just make it work for the call, but yes we do not need insecure=invite,port. )

disallow=all
host=20.1.1.170
type=friend
port=5060
nat=no
allow=ulaw,alaw
qualify=yes
canreinvite=yes
context=from-trunk-sip-cucm

2. The extensions were configured with secret field as empty :- (just a snippet of the config)

[2723]
deny=0.0.0.0/0.0.0.0
secret=
dtmfmode=rfc2833

======================================================================================

Thanks a lot to you people.

Happy Day !