[asterisk-bugs] [JIRA] (ASTERISK-26787) Received incoming SIP connection from unknown peer" from registered sip provider

Andy Woolford (JIRA) noreply at issues.asterisk.org
Sun Feb 12 02:07:10 CST 2017 

Andy Woolford created ASTERISK-26787:
----------------------------------------

             Summary: Received incoming SIP connection from unknown peer" from registered sip provider
                 Key: ASTERISK-26787
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-26787
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: Channels/chan_sip/General, Channels/chan_sip/Registration
    Affects Versions: 11.24.1
         Environment: FreePBX Distro 10.13.66-17 / (Centos)
            Reporter: Andy Woolford


We started to notice that inbound calls from one sip provider (internetcalls.com) were being rejected as follows:


{code:java}
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [44XXXXXXXXXX at from-sip-external:1] NoOp("SIP/sip.internetcalls.com-00000bbc", "Received incoming SIP connection from unknown peer to 44XXXXXXXXXX") in new stack
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [44XXXXXXXXXX at from-sip-external:2] Set("SIP/sip.internetcalls.com-00000bbc", "DID=44XXXXXXXXXX") in new stack
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [44XXXXXXXXXX at from-sip-external:3] Goto("SIP/sip.internetcalls.com-00000bbc", "s,1") in new stack
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Goto (from-sip-external,s,1)
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s at from-sip-external:1] GotoIf("SIP/sip.internetcalls.com-00000bbc", "0?checklang:noanonymous") in new stack
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Goto (from-sip-external,s,5)
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s at from-sip-external:5] Set("SIP/sip.internetcalls.com-00000bbc", "TIMEOUT(absolute)=15") in new stack
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] func_timeout.c: -- Channel will hangup at 2017-02-01 09:33:25.707 UTC.
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s at from-sip-external:6] Log("SIP/sip.internetcalls.com-00000bbc", "WARNING,"Rejecting unknown SIP connection from 77.72.169.134"") in new stack
[2017-02-01 09:33:10] WARNING[23991][C-00000b80] Ext. s: "Rejecting unknown SIP connection from 77.72.169.134"
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s at from-sip-external:7] Answer("SIP/sip.internetcalls.com-00000bbc", "") in new stack
[2017-02-01 09:33:11] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s at from-sip-external:8] Wait("SIP/sip.internetcalls.com-00000bbc", "2") in new stack
[2017-02-01 09:33:13] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s at from-sip-external:9] Playback("SIP/sip.internetcalls.com-00000bbc", "ss-noservice") in new stack
[2017-02-01 09:33:13] VERBOSE[23991][C-00000b80] file.c: -- <SIP/sip.internetcalls.com-00000bbc> Playing 'ss-noservice.alaw' (language 'en')
[2017-02-01 09:33:18] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s at from-sip-external:10] PlayTones("SIP/sip.internetcalls.com-00000bbc", "congestion") in new stack
[2017-02-01 09:33:18] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s at from-sip-external:11] Congestion("SIP/sip.internetcalls.com-00000bbc", "5") in new stack
[2017-02-01 09:33:19] VERBOSE[23991][C-00000b80] pbx.c: == Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/sip.internetcalls.com-00000bbc'
[2017-02-01 09:33:19] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [h at from-sip-external:1] Hangup("SIP/sip.internetcalls.com-00000bbc", "") in new stack
[2017-02-01 09:33:19] VERBOSE[23991][C-00000b80] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/sip.internetcalls.com-00000bbc'
{code}

The trunk configuration for this provider looks like this (sip_additional.conf):


{code:java}
[Andy_ICalls_Out]
username=xxx
type=peer
sendrpid=yes
secret=xxx
qualify=yes
nat=no
insecure=port,invite
host=sip.internetcalls.com
fromuser=xxx
fromdomain=internetcalls.com
dtmfmode=rfc2833
canreinvite=yes
authuser=xxx
context=from-trunk-sip-Andy_ICalls_Out
{code}

The registration string also uses sip.internetcalls.com as the host url.

# dig sip.internetcalls.com returns:

{code:java}
;; ANSWER SECTION:
sip.internetcalls.com.  1121    IN      A       77.72.169.134
sip.internetcalls.com.  1121    IN      A       77.72.169.129
{code}

asterisk sip show peers:

{code:java}
Andy_ICalls_Out/[username] 77.72.169.129                               No         No             5060     OK (17 ms)
{code}

I have noticed that incoming calls to the registered IP address 77.72.169.129 are accepted, but incoming calls from the alternative IP address 77.72.169.134 are rejected.

The temporary workaround is to replace the URL in the host=sip.internetcalls.com statement with one IP address and to create a duplicate trunk using the other IP address.  In this case, both IP addresses will register and then both will be accepted.

It seems to me that the purpose of using a URL in the "host=internetcalls.com" statement of the trunk configuration should avoid having to do this.  It is not a huge problem where only 2 IP addresses are expected, but may be a bigger problem for other providers.

There is an asterisk blog as follows which addresses this issue:

https://blogs.asterisk.org/2016/01/27/the-pjsip-outbound-registration-line-option/

This proposes that under chan_sip the following example configuration should be used:

{{[inbound-configuration]
type=peer
context=incoming-itsp
disallow=all
allow=ulaw
insecure=host,port
 
[inbound1](inbound-configuration)
host=94.100.23.82
 
[inbound2](inbound-configuration)
host=94.100.23.83
 
[inbound3](inbound-configuration)
host=94.100.23.84
 
[inbound4](inbound-configuration)
host=94.100.23.85
 
[inbound5](inbound-configuration)
host=94.100.23.86}}

I am not familiar with the use of "insecure=host, port".  I understood that this is normally either "insecure=very"  for asterisk version 1.0.9 or earlier, or for later versions:

insecure=port ; Allow matching of peer by IP address without matching port number;
insecure=invite ; Do not require authentication of incoming INVITEs or
insecure=port,invite ; (both)

Typically used to allow incoming calls (e.g. from FWD) while having a type=friend entry defined with username and password.

Accordingly, can you clarify if the use of a URL in the "host=internetcalls.com" field with type=peer is allowed and, if so, if it is a bug that incoming calls are being rejected from one or other of the IP addresses which are resolved.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list