Author |
Message |
uhupfeld Brekeke Talented
Joined: 08 Nov 2008 Posts: 77
Location: Brazil
|
Posted: Sun Oct 25, 2015 12:28 pm Post subject: Proxy authentication required even if UA is registered |
|
|
1. Brekeke Product Name and Version: 3.5.2.8
2. Java version: 8, build 65
3. OS type and the version: Win7 Pro
4. UA (phone), gateway or other hardware/software involved: Fritzbox Fon
5. Your problem: 2 UAs are well registered, but when calling themselves or a PSTN gateway I get a 407 Proxy authentication required error, followed by a 481 Call leg/transaction doesn't exist
Dial Plan:
MP
$request=^INVITE
From=sip:1135266733@
To=sip:([0-9]{8,9})@
DP
To=sip%1@PSTN_gateway_IP_address
INVITE sip:984521110@10.33.60.12 SIP/2.0
Via: SIP/2.0/UDP 10.33.31.2:5060;rport;branch=z9hG4bK0097DD20EF0922C7
Route: <sip:10.33.60.12;lr>
From: "35266733" <sip:1135266733@10.33.60.12>;tag=F6E10CB914D67205
To: <sip:984521110@10.33.60.12>
Call-ID: 8A8AF37DBC741134@10.33.31.2
CSeq: 13 INVITE
Contact: <sip:1135266733@10.33.31.2;uniq=4ECD8B1AC41BEB50326B42E983485>
Max-Forwards: 70
Expires: 120
User-Agent: AVM FRITZ!Box Fon WLAN 7390 84.06.30 (Aug 20 2015)
Supported: 100rel,replaces
Allow-Events: telephone-event,refer
Allow: INVITE,ACK,OPTIONS,CANCEL,BYE,UPDATE,PRACK,INFO,SUBSCRIBE,NOTIFY,REFER,MESSAGE,PUBLISH
Content-Type: application/sdp
Accept: application/sdp, multipart/mixed
Accept-Encoding: identity
Content-Length: 449
v=0
o=user 9571234 9571234 IN IP4 10.33.31.2
s=call
c=IN IP4 10.33.31.2
t=0 0
m=audio 7078 RTP/AVP 9 8 0 2 102 100 99 97 18 120 121 101
a=sendrecv
a=rtpmap:2 G726-32/8000
a=rtpmap:102 G726-32/8000
a=rtpmap:100 G726-40/8000
a=rtpmap:99 G726-24/8000
a=rtpmap:97 iLBC/8000
a=fmtp:97 mode=30
a=fmtp:18 annexb=no
a=rtpmap:120 PCMA/16000
a=rtpmap:121 PCMU/16000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=rtcp:7079
a=ptime:20
==============================================
============================================
PreCheck [BloqueioUserAgent]
Pattern: $str.lowercase(User-Agent) = friendly-scanner|sundayddr|sipcli/v1.8|linphone/3.7.0 (belle-sip/1.3.0)
Input: $str.lowercase(User-Agent) = avm fritz!box fon wlan 7390 84.06.30 (aug 20 2015)
Result: false
============================================
============================================
Rule [00]
Pattern: $request = ^INVITE
Input: $request = INVITE sip:984521110@10.33.60.12 SIP/2.0
Result: true
Pattern: To = sip:(00.+)@
Input: To = <sip:984521110@10.33.60.12>
Result: false
============================================
============================================
Rule [Outbound GVT 67xx]
Pattern: $request = ^INVITE
Input: $request = INVITE sip:984521110@10.33.60.12 SIP/2.0
Result: true
Pattern: From = sip:675(.)@
Input: From = "35266733" <sip:1135266733@10.33.60.12>;tag=F6E10CB914D67205
Result: false
============================================
============================================
Rule [Discagem0]
Pattern: $request = ^INVITE
Input: $request = INVITE sip:984521110@10.33.60.12 SIP/2.0
Result: true
Pattern: From = sip:11352667(..)@
Input: From = "35266733" <sip:1135266733@10.33.60.12>;tag=F6E10CB914D67205
%1 <= 33
Result: true
Pattern: To = sip:([0-9]{8,9})@
Input: To = <sip:984521110@10.33.60.12>
%2 <= 984521110
Result: true
============================================
Dispatcher: failed: send response=407: No Auth header
svlistener: send response=407: authorization failed
at 10/25/15 16:43:02.899
Please note:
In my Dial Plan I have a rule to remove the routing statement at registration:
MP
$request=^REGISTER
Route=.+
DP
Route=
$action=register |
|
Back to top |
|
RickBRP Brekeke Newbie
Joined: 22 Sep 2015 Posts: 2
|
Posted: Mon Oct 26, 2015 10:41 am Post subject: |
|
|
Who returned an error response such as 481 and 407?
Did you find them in the Session Logs page ? Or Error logs page?
If you find them in the Session Logs, the callee returned the error response.
If you find them in the Error Logs page, the Brekeke SIP Server returned the error response. |
|
Back to top |
|
uhupfeld Brekeke Talented
Joined: 08 Nov 2008 Posts: 77
Location: Brazil
|
Posted: Tue Oct 27, 2015 5:56 am Post subject: |
|
|
Always BSS sending the answer.
But based on your answer on the other question, I will first double-check the network. |
|
Back to top |
|
taitan Brekeke Master Guru
Joined: 15 Mar 2008 Posts: 237
|
Posted: Mon Nov 02, 2015 6:30 pm Post subject: |
|
|
You don't have to worry about 407 because it happens every time if the SIP Server authenticates SIP requests.
For 481, can you find it in the Error logs page?
Which SIP request method was it? INVITE? |
|
Back to top |
|
uhupfeld Brekeke Talented
Joined: 08 Nov 2008 Posts: 77
Location: Brazil
|
Posted: Sun Dec 20, 2015 4:23 pm Post subject: |
|
|
Sorry for the late answer.
The weird thing is, that sometimes it works, but I don't know why.
If I turn authentication off in the dial plan, all works ok.
However, if authentication request is on, I keep getting these errors (from the error logs):
2015-12-20 21:05:37.306 10.33.31.33:3072 INVITE 407 Authorization failed sip:994395973@10.33.60.12 sip:603@10.33.60.12 sip:994395973@10.33.60.12 Gateway
2015-12-20 21:05:54.958 10.33.31.33:3072 CANCEL 481 Call Leg does not exist sip:994395973@10.33.60.12 sip:603@10.33.60.12 sip:994395973@10.33.60.12
10.33.31.33 is the User agent
10.33.60.12 is the BSS.
Both are in separate networks but the networks are interconnected with a VPN which may drop eventually ever 2 days, but recovers within seconds. |
|
Back to top |
|
ambrosio Brekeke Master Guru
Joined: 27 Mar 2008 Posts: 215
|
Posted: Tue Dec 22, 2015 10:11 am Post subject: |
|
|
Does the same issue happen even if you use another SIP client instead of Fritzbox Fon ? |
|
Back to top |
|
uhupfeld Brekeke Talented
Joined: 08 Nov 2008 Posts: 77
Location: Brazil
|
Posted: Tue Mar 08, 2016 11:43 am Post subject: |
|
|
Yes, it actually happened first with a Grandstream gateway and a Snom IP phone
Udo |
|
Back to top |
|
ambrosio Brekeke Master Guru
Joined: 27 Mar 2008 Posts: 215
|
Posted: Wed Mar 09, 2016 4:51 pm Post subject: |
|
|
Brekeke SIP Server sends "407" to any SIP clients. It is normal so you don't have to consider about it.
If you find "481" sent to other than Fritzbox Fon in the error log, it is unusual...
Do you still get "481" error? |
|
Back to top |
|
uhupfeld Brekeke Talented
Joined: 08 Nov 2008 Posts: 77
Location: Brazil
|
Posted: Wed Jul 11, 2018 8:34 am Post subject: |
|
|
I keep getting these 481 errors.
Typically happens in calls between extensions in the VPN network, when the extension is outside of the LAN of BSS. But the VPNs are integrated into the network gateways and when the extensions get registered only their real IP shows up, not the VPN gateway's IP address.
Now to call between extensions I have to make outbound/inbound calls... |
|
Back to top |
|
uhupfeld Brekeke Talented
Joined: 08 Nov 2008 Posts: 77
Location: Brazil
|
Posted: Wed Jul 11, 2018 9:06 am Post subject: |
|
|
Looking at the Wireshark traces I see that when the INVITE comes from the extension with problems, BSS effectively DOESN'T send the INVITE to the target IP phone.
However, when the call happens the other way around, Wireshark shows the SIP packets flowing between both extensions without problems.
For some reason, when the call comes from this UA (a SNOM IP phone in this case now), the BSS doesn't relay the calls to the destination IP phone.
Very weird. |
|
Back to top |
|
taitan Brekeke Master Guru
Joined: 15 Mar 2008 Posts: 237
|
Posted: Wed Jul 11, 2018 11:24 am Post subject: |
|
|
Are you still using Brekeke SIP Server version 3.5.2.8?
If so, let you upgrade it to the latest version because there are new logging function which may help your analysis.
http://www.brekeke.com/downloads/sip-server.php |
|
Back to top |
|
uhupfeld Brekeke Talented
Joined: 08 Nov 2008 Posts: 77
Location: Brazil
|
Posted: Wed Jul 11, 2018 5:23 pm Post subject: |
|
|
Ok, found it.
I had BSS challenging the UA with a 407 when making calls between extensions.
$auth=false solved the issue.
I have UAs (of different brands) that for some reason stop the SIP communication when receiving a 407 Proxy authorization required.
Other UAs answer the 407 with a new INVITE, now with user/password, and then BSS makes the call.
Does anybody know which setting controls this behavior in an UA?
My current BSS is 3.8.5.2
BR
Udo |
|
Back to top |
|
janP Brekeke Master Guru
Joined: 25 Nov 2007 Posts: 336
|
Posted: Wed Jul 11, 2018 7:18 pm Post subject: |
|
|
Have you set correct username and password in an UA? |
|
Back to top |
|
uhupfeld Brekeke Talented
Joined: 08 Nov 2008 Posts: 77
Location: Brazil
|
Posted: Wed Jul 11, 2018 7:49 pm Post subject: |
|
|
Sure!
UA is well registered on BSS, and needs correct user/password for this purpose.
Also, if this was to be the issue, the UA would have answered to the 407 with another INVITE, but with wrong user/password.
This is not the case, it simply accepts the 407 and stays quiet instead of answering the challenge with another INVITE.
BSS is acting correctly. The UA may (or may not!) just be acting according to configuration.
I just have no idea what is called this behavior in the settings of a UA. I went through pages of configuration, there is nothing obvious. The only option that had "challenge" has nothing to do with the current situation.
BR
udo |
|
Back to top |
|
janP Brekeke Master Guru
Joined: 25 Nov 2007 Posts: 336
|
Posted: Wed Jul 11, 2018 8:28 pm Post subject: |
|
|
DialPlan example Ex 38 in the tutorial may work..
http://www.brekeke.com/doc/sip/sip_tutorial_dialplan.pdf
Here is my DialPlan rule which disables auth if a caller is already registered in Brekeke SIP Server (It means this user has valid password.)
Matching Patterns | $request = ^INVITE $registered( From ) = true
| Deploy Patterns | $auth = false $continue = true
|
So.. UA will not receive 407 if it keeps sending REGISTER periodically. |
|
Back to top |
|
uhupfeld Brekeke Talented
Joined: 08 Nov 2008 Posts: 77
Location: Brazil
|
Posted: Fri Jul 13, 2018 2:34 pm Post subject: |
|
|
I like your dial plan for registered user, will use it as well.
Thanks! |
|
Back to top |
|
|