Unauthorized 401

I am requesting help for a new issue that I am facing with the same freepbx installation of my previous post Incoming calls always busy - #6 by david55

  • I am using FreePBX 16 with Asterisk 18.
  • I am trying to set up a basic configuration to receive calls directed to a DID number.
  • I have created an extension and an inbound route that forwards any call to that extension.
  • I registered a SIP phone to that extension.
  • I configured my DID number, so that the calls are forwarded to the SIP URI associated to the extension.

The receiver softphone doesn’t ring. The caller phone is stuck with the call tone.
The asterisk log shows an error 401 unauthorized. See complete log here:

https://pastebin.freepbx.org/view/f5aca67a

I have whitelisted the caller IP in the match / permit field of the extension. What else should I do to get rid of this failure?

401 is NOT an error; it is a request to authenticate.

What do you mean by caller tone? Do you mean ring back tone?

What is the difference between your last and third from last bullet points?

Is the SBC configured as a trunk, and how is it configured, in particular the authentication? 401 is asking it to authenticate, but it is refusing to do so.

Without verbose logging, it isn’t even possible to tell which channel driver you are using (seems to be chan_pjsip, from the previous topic), let alone why authentication is being requested. It’s either because the call isn’t matching any endpoint, and 401 is being sent to avoid giving away that the endpoint isn’t valid, or because you have configured it as an extension, or as a trunk with inbound or bothway authentication.

Hello,
Thank you for your time and for your prompt answer.
Sorry that my post was not clear.

Yes, the caller hears the ring back tone forever, while the called softphone actually doesn’t ring.

I have configured a trunk with Authentication = outbound and registration = receive in the PJSIP settings. If you wish to know some other specific settings of the trunk, please let me know.

I have enabled the Asterisk logging with command
pjsip set logger on
I believed that this would enable the verbose level but apparently it is not enough. Could you please help me and indicate the command to increase the verbose level?
I confirm that the channel is chan_pjsip.

Now I will evaluate carefully your comments and suggestions and if I find interesting updates I will post them here.

This is a strange combination, but wouldn’t result in an authentication request from Asterisk.

Does the user part of the From header in the INVITE correctly match the FreePBX trunk name? Does the verbose log of the dialplan show the correct endpoint name in the channel names? Your providing the verbose full log via pastebin.freepbx.org is likely to be quicker than having to ask a series of questions about what can be seen in it.

Here is the invite request. I don’t see the name of the trunk. In which field should I see it?

I have posted here the relevant section of the /var/log/asterisk/full
https://pastebin.freepbx.org/view/2b3c2cbe#L186

I hope it contains all the needed information. If not, is there a way to increase the verbosity of the log, in order to find in it the needed information?

This is the From user field. It’s the SIP URI user field in the From header.

chan_pjsip can match other headers, and of course match IP address. For an SBC, I would have thought you could have used IP, rather than registration. I believe the GUI only supports From user, and IP.

If using From user, you will need to configure the SBC to send caller ID by other means, e.g. Remote-Party-ID or P-Asserted-Identity.
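The two causes of an unsolicited 401 named in the replies above (no endpoint matched, or the matched endpoint requires inbound authentication), modelled as an added example that is not part of the original thread and is not Asterisk's code. The endpoint names, addresses and INVITE are constructed, and the "IP first, then From user" order is an assumption based on the chan_pjsip default identifier order.

```python
import ipaddress
import re

# Constructed sample config: a trunk identified by source IP (like the GUI
# match/permit field) and an extension that must answer a digest challenge.
ENDPOINTS = {
    "provider-trunk": {"match": ["203.0.113.0/24"], "inbound_auth": False},
    "1001": {"match": [], "inbound_auth": True},
}

# Constructed INVITE shaped like a DID delivery: the From user is the caller ID.
INVITE = (
    "INVITE sip:1001@pbx.example.test SIP/2.0\r\n"
    'From: "Caller" <sip:15550100@198.51.100.7>;tag=abc\r\n'
    "To: <sip:1001@pbx.example.test>\r\n"
    "\r\n"
)

def from_user(message):
    """Return the user part of the SIP URI in the From header, or None."""
    m = re.search(r"^(?:From|f)\s*:[^\r\n]*?sips?:([^@;>\s]+)@", message, re.M | re.I)
    return m.group(1) if m else None

def identify(message, src_ip, endpoints, order=("ip", "username")):
    """Return the matched endpoint name, or None when nothing matches."""
    addr = ipaddress.ip_address(src_ip)
    for method in order:  # assumed order: source IP first, then From user
        for name, cfg in endpoints.items():
            if method == "ip" and any(addr in ipaddress.ip_network(n) for n in cfg["match"]):
                return name
            if method == "username" and from_user(message) == name:
                return name
    return None

def decide(message, src_ip, endpoints):
    """Model the response to an INVITE that carries no credentials."""
    name = identify(message, src_ip, endpoints)
    if name is None:
        # Challenged exactly like a real endpoint, so valid names are not revealed.
        return "401 (no endpoint matched)"
    if endpoints[name]["inbound_auth"]:
        return f"401 (endpoint {name} requires inbound auth)"
    return f"accepted as {name}"
```

A provider INVITE whose From user is the caller's number can only be matched by source IP, so an address outside the configured match list falls through to the first 401 branch.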

So far all the proposed solutions have not helped me to solve the problem.

To get to the bottom and resolve this issue I would like to do a thorough inspection of all GUI menus that may be related to the problem.

If I’ve forgotten any other important menus, tell me and I’ll check them out.

  1. Inbound route - general settings. (For example, is the “DID number” field important?)

  2. Asterisk SIP settings - chan_pjsip settings - TCP / UDP / TLS / settings: in the radio button, should I use 0.0.0.0 or the real IP address? (e.g. “udp - 0.0.0.0 - All” or “udp - 5.45.100.95 - eth0”?)

  3. Asterisk SIP settings - general SIP settings. What is the best standard choice for “allow anonymous” / “allow sip guest”?

  4. Trunk - PJSIP settings. What should I write in the “Authentication” / “Registration” / “SIP server” / “SIP server port” / “Context” / “Transport” fields?

One point that I wish to understand is which settings of the FreePBX GUI (if any) must be customized for my specific DID provider (DIDWW). For example, I have set the match/permit field in the trunk advanced settings, but maybe there are other ones. Anyway, in this regard, I must say that forwarding the DID number of DIDWW to other public PBX which don’t have any direct relation with DIDWW (for example iptel.org), the inbound calls work fine. So I tend to think that FreePBX GUI settings shouldn’t contain any customized field for DIDWW. Anyhow, here are a couple of links with useful information:
Asterisk — DIDWW documentation
General SIP information — DIDWW documentation
Welcome to DIDWW Documentation! — DIDWW documentation

Finally I would like to share some updated, complete and verbose logging.

  1. full verbose log when receiving a call. It is a never-ending loop (neverending, until the caller phone is calling) of INVITE request and 401 unauthorized response. This typical failure is always the same, for all the solutions that I have attempted.
    https://pastebin.freepbx.org/view/fc82f6fc

  2. full verbose log when the SIP phone registers to the extension with the SIP credentials.
    https://pastebin.freepbx.org/view/eab46dc0

  3. Status of the endpoints, when no SIP phone is registered to the extension
    https://pastebin.freepbx.org/view/609e275d

  4. Status of the endpoints, when the SIP phone is registered to the extension
    https://pastebin.freepbx.org/view/68a024f6

Finally, I don’t know if it is important to mention; anyway in the dashboard the following error is displayed:

“Unknown Port Conflict
An unknown port conflict has been detected in PJSIP. Please check and validate your PJSIP Ports to ensure they’re not overlapping”

By the way this is an odd error, because only the chan_pjsip is used in the SIP channel driver of the advanced SIP settings, so there cannot be a port overlap between chan_sip and chan_pjsip.
EDIT: this was an old error notified days ago, cached in the dashboard. It is not present now. So there aren’t any errors shown in the dashboard.

I am available to give privately the admin credential to inspect my freepbx directly. It is in experimental phase and there isn’t any confidential information inside, so I don’t have any security concern.
Thanks in advance to anyone who will help find the definitive solution.

It is critical. It is a candidate key. It should be the number that the provider sends to you to identify which number the upstream caller used.

Yes, although most people will use 0.0.0.0, unless they specifically want to restrict the interface. That’s generally what is done with IP networking applications, normally they bind to 0.0.0.0, often without any other option being obvious.

Providing you are using chan_pjsip, the most secure is with both off. For chan_sip there are cases where the only realistic option is to have them on.

Depends on both your provider and the exact sort of account you have with them. For consumer grade providers, you typically want transport UDP, registration outbound, and authentication outbound. For more upmarket ones you may have transport TLS, registration none, authentication none.

If the provider sends the DID value in the request URI, and in the form you want, context should be from-pstn (or is that from_pstn) or from-trunk, which I believe are handled the same. There are standard contexts for the case where the ID is in the To: header, and there is one that canonicalises North American numbers. For more complex cases, you may need to provide your own context and dialplan.

All providers will require the server IP, and will also require the server port if that isn’t the default.

See above. You will also need to provide user name and password, if authenticating. You are likely to need to provide caller IDs in acceptable formats for outbound routes and you may need settings for how caller IDs are handled. I have no knowledge of DIDWW, and, as I pointed out above, providers may have more than one account type. I’m also approaching this from the point of having used Asterisk in anger, and not FreePBX, so I may have got some names wrong or missed some options.
