Asterisk16 – PJSIP – Error 401 On Outbound Registration

Home » Asterisk Users » Asterisk16 – PJSIP – Error 401 On Outbound Registration
Asterisk Users 9 Comments

Hi all,

we face a strange behavior while connecting an Asterisk16 instance with PJSIP to 2 providers: we receive error 401 Unauthorized, both of them having Kamailio as front-end. With other providers -we don’t know if they run kamailio- registration is just fine.

One of the provider took a pcap and told us that expiration was set to 0
that’s why they don’t accept the registration. We took a pcap on our side when SIP packet goes out of our server and we see that the expiration parameter is setted to 3600 !

Asterisk version is Asterisk 16.2.1~dfsg-1+deb10u1 on Debian 10 up to date. We also installed 16.7 from scratch, same problem. I have to mention that our test asterisk is also a Debian 10 with Asterisk stock
16.7 and _does_ register normally against the same provider 🙁

If someone had a clue on this, welcome.


Daniel

9 thoughts on - Asterisk16 – PJSIP – Error 401 On Outbound Registration

  • 8<'s Howdy, Maybe the clipping of your SIP packet is occurring on another provider's (faulty) node somewhere in between your dualing pcaps at the endpoints ? As for what you can control, first, you might try reducing the expiration from 3600 to 999, or maybe something in the 30-60 range is better for you. If that works, then raise it from there, but I think an hour is more than enough. Or, change network paths; by adding new outbound SIP connection to the provider from alternate port and/or IP on the PBX/firewall, use VPN, etc. Regards, --

  • Le 15/01/2020 à 19:50, C.Maj a écrit :

    No.tcpdump -nqt -s 0 -i enp0s31f6 -A “dst xxx.yyy.78.36 and dst port
    5060” where xxx.yyy.78.36 is the provider Kamailio IP

    Capture being:

    IP zzz.xyz.174.138.58738 > xxx.yyy.78.36.5060: UDP, length 570
    E..V.T@.?…X….2N$.r…B..REGISTER sip:sip.myprovider.net SIP/2.0
    Via: SIP/2.0/UDP
    zzz.xyz.174.138:5060;rport;branch=z9hG4bKPj673a37a2-da52-4f8f-b460-17a93005bc98
    From:
    ;tag

  • Le 15/01/2020 à 19:24, Administrator a écrit :

    We went a step further: when Asterisk is receiving the 401 Unauthorized it doesn’t send the Authorization back, insteed it send the Register back with the *same* CSeq which it shoudn’t. Pjsip is

    pabx16*CLI> pjsip show version PJPROJECT version currently running against: 2.8


    Daniel

  • Le 17/01/2020 à 11:54, Administrator a écrit :

    We removed the debian asterisk deb package and compiled from 16.7.0
    source. Problem stays, still ni CSeq increment. Pjsip is

    pabx16*CLI> pjsip show version PJPROJECT version currently running against: 2.9

    Anyone on this ?


    Daniel

  • Is the response actually getting to Asterisk? Does it show up in “pjsip set logger on”? Is the REGISTER a retransmission and thus expected to be the same?

  • Le 19/01/2020 à 00:31, Joshua C. Colp a écrit :

    It become stranger and stranger: on one of the register peer we receive in asterisk:

    *CLI> [2020-01-19 15:23:18] WARNING[17469]:
    res_pjsip_outbound_registration.c:1021 handle_registration_response:
    Fatal response ‘401’ received from ‘sip:‘ on registration attempt to ‘sip:@‘, stopping outbound registration

    On the other one:

    [2020-01-19 15:23:46] WARNING[17469]:
    res_pjsip_outbound_registration.c:801 schedule_retry: No response received from ‘sip:‘ on registration attempt to
    ‘sip:    ‘, retrying in ’60’

    *BUT*

    IP .5060 10.1.58.14.64777: UDP, length 497
    E…e…6….2N$
    .:….  ..RQSIP/2.0 401 Unauthorized Via: SIP/2.0/UDP :5060;rportd777;branch=z9hG4bKPjdfb1d5d6-efbd-4e43-a932-252cfa0e7a9b From: ;tagt3c09d7-bdf9-4579-b7be-b087b0f19a46
    To: ;tag

  • What is the actual full configuration for this?

    Every time I’ve seen this occur it’s been the result of a firewall rule gone awry.

  • That “User-Agent” might be getting filtered by the provider as a basic security measure.

    Can you try the default string for your version of Asterisk ?

    Probably not. Those dots are hiding some details about the packet. The output is ASCII due to “-A” flag to tcpdump. Try changing to “-X” for hexadecimal and ASCII. Or, write the packets to a file, and then open the file in Wireshark (there are many helpful SIP analysis tools built in to Wireshark.)

    How about giving it a try from a hosted/cloud virtual machine running somewhere else on the internet ie. not from behind your firewall ?

    Regards,

  • Le 20/01/2020 à 12:11, Joshua C. Colp a écrit :
    Guess what: provider change registration port number from usual 5060 🙁

    You got it. Provider IP was blacklisted.

    […]

    Finally we got it up and working, thanks to you and C.Maj