[asterisk-bugs] [JIRA] (ASTERISK-24845) pjsip send notify not working with Cisco phone

Mark Michelson (JIRA) noreply at issues.asterisk.org
Wed Apr 22 18:36:33 CDT 2015 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-24845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=225963#comment-225963 ] 

Mark Michelson commented on ASTERISK-24845:
-------------------------------------------

The calculated response digest is actually correct. In the checking program you ran, you entered the incorrect URI. You entered {{sip:U_9172 at 10.188.4.30:5061}} but it should be {{sip:U_9172 at 10.188.6.25:5061}} . I ran a check with the correct URI and got the following:

{noformat}
santigold pjproject # openssl dgst -md5
U_9172:206.167.100.39:P_qpOJ(cnY9qDoPi7TqUdk!Xp6Gj4p(stdin)= b798acff6833dddc9b7be8c169bfe193
santigold pjproject # openssl dgst -md5
NOTIFY:sip:U_9172 at 10.188.6.25:5061(stdin)= 7f9d8eabf6c27bf2c1eb1354f64a321a
santigold pjproject # openssl dgst -md5
b798acff6833dddc9b7be8c169bfe193:41933333:00000001:2bef322e-3570-4127-84dc-944ee367bb45:auth:7f9d8eabf6c27bf2c1eb1354f64a321a(stdin)= 8d6a7d1be65ccd7828f25210a4fd31be
{noformat}

I suspect that the problem is elsewhere, but it's not immediately obvious just be looking at the pcaps. Here are some things that are possibilities:
1)  The From headers that Asterisk uses differ between versions. In chan_sip, the header looks like {{"asterisk" <sip:asterisk at 206.167.100.39>;tag=as6d5921f0}}, and in chan_pjsip, the header is {{<sip:U_9172 at 206.167.100.39>;tag=2aaa3335-0505-41dd-9bc2-0fc0e0a9cfa2}}. If the Cisco phone distinguishes who it's talking to based on usernames in From headers, then this may factor into the problem. I find it unlikely that this would be the case since most phones are configured to operate with exactly one server, and the phones will always assume that incoming requests are from that server. In other words, I don't suspect that authentication is failing because the phone is authenticating against the wrong user.
2) There are fewer headers in the NOTIFY request that Asterisk sends in chan_pjsip. Specifically, in the example pcap, there is no Max-Forwards, User-Agent, Supported, Date, and Allow headers in the PJSIP version.
3) Because chan_pjsip uses UUIDs for randomly-generated values, the cnonce is much longer in the PJSIP version than in chan_sip. The extra long header value may get truncated by the Cisco phone, resulting in an inability to authenticate. I am *highly* doubtful that this is the case, but I have to mention it just because it's a noticeable difference between the two implementations.
4) chan_sip sets {{algorithm=MD5}} in its Authorization header and chan_pjsip sets {{algorithm=md5}} in its authorization header.

None of these things should have any effect on whether a SIP request can be authenticated, but it's worth investigating some. With the first two, you can actually experiment some and see if it makes a difference.
1) For the endpoint that you are sending the NOTIFY to, set the {{from_user}} option to be "asterisk".
2) I'm not sure whether you were using {{pjsip_notify.conf}} or sending the AMI command, but in either case, you can experiment by adding the missing headers in the NOTIFY you send. If I were guessing, I'd say the Max-Forwards, Supported, or Allow are most likely to cause a difference, if any of them are going to at all. If it does turn out that one of these makes the difference, then I'll create a patch to add the required header(s) by default to outbound NOTIFYs from Asterisk.

For (3), that would be a Cisco issue if it's an issue at all. However, I'd think we can eliminate that as a possibility if Asterisk is able to authenticate properly with the phone on normal calls. If that is the case, then there's no reason that a NOTIFY should behave any differently.

For (4), that's a behavior that occurs within the PJSIP library, so altering it would require code changes to it instead of Asterisk. However, this again can be eliminated as a possibility if other types of requests from Asterisk can authenticate properly.

I suggest you try the diagnostics I described above and see if any of them have a positive result.

> pjsip send notify not working with Cisco phone
> ----------------------------------------------
>
>                 Key: ASTERISK-24845
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24845
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_pjsip
>    Affects Versions: 13.2.0
>         Environment: CentOS release 6.6 (Final)
> Asterisk 13.2 realtime PJsip driver
> Phones: Cisco SPA514G firmware 7.5.6a
>            Reporter: Carl Fortin
>            Assignee: Mark Michelson
>         Attachments: 1-Sip notify.jpg, 2-Sip notify.jpg, 3-Sip notify.jpg, 4-Sip notify.jpg, Chan_PJSIP_CISCO_Notify.pcapng, Chan_SIP_NOtify_Working.pcapng, myDebugLog(CHAN_SIP_NOTIFY_WORKING), myDebugLog(PJSIP_NOTIFY_NOT_WORKING), phone_settings.txt, PJSIP_wrong_response.png
>
>
> pjsip send notify will not work on cisco phone. I have tested the chan_sip driver and it is working great. I even tested with a yealink phone with the PJsip driver and it is working.
> Here is my post in the forum:
> http://forums.asterisk.org/viewtopic.php?f=1&t=92633&sid=6525c642fac6604b2e52af33edafb676
> Here is phone's settings:
> [edit by Rusty - removed config data from description field and attaching as phone_settings.txt]
> I can provide more info if needed.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list