[asterisk-bugs] [JIRA] (ASTERISK-27881) PBX calls via chan_sip TCP trunk now get authentification error

Ian Gilmour (JIRA) noreply at issues.asterisk.org
Thu May 31 11:18:55 CDT 2018 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-27881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=243627#comment-243627 ] 

Ian Gilmour commented on ASTERISK-27881:
----------------------------------------

users.conf contains:

{noformat}
;-------------------------------------------------------------------
; PBX Trunk
;-------------------------------------------------------------------
[def-pbx-codecs](!)
; audio codecs supported
allow=!all,opus,ulaw,alaw,gsm,speex
; video codecs supported
videosupport=yes
allow=h264
;-------------------------------------------------------------------

;-------------------------------------------------------------------
[def-pbx-novideo-codecs](!)
; audio codecs supported
allow=!all,opus,ulaw,alaw,gsm,speex
;-------------------------------------------------------------------

;-------------------------------------------------------------------
; SIP trunk to PBX
; uses one of the codec sets defined above
[PBX](def-pbx-codecs)
;-------------------------------------------------------------------
; SIP trunk to PBX
; uses one of the codec sets defined above
[PBX]
type=peer
defaultuser=PBX
callerid="Gateway" <>
context=localOutgoingPBX
host=192.168.1.52
port=5060
secret=
remotesecret=
encryption=no
transport=tcp,udp
insecure=port,invite
{noformat}

Sample call to to Asterisk (2) from SIP client (101) connected to a PBX.
The PBX (192.168.1.52) is configured to forward the call on to Asterisk (192.168.1.43), using a TCP trunk.
Enabling sip debug gives the following Asterisk debug:

{noformat}
<--- SIP read from TCP:192.168.1.52:46340 --->
INVITE sip:2 at 192.168.1.43:5060 SIP/2.0
Via: SIP/2.0/TCP 192.168.1.52:5060;rport;branch=z9hG4bKPj41f9e5f6-e38a-478a-b86f-3f25918e7ef5;alias
From: "Ian" <sip:101 at 192.168.1.52>;tag=11a5a243-3cbf-4c9e-85ae-378893ea8672
To: <sip:2 at 192.168.1.43>
Contact: <sip:asterisk at 192.168.1.52:5060;transport=TCP>
Call-ID: ddbb432f-46cb-4570-94e4-ac7a075a1692
CSeq: 24123 INVITE
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: FPBX-14.0.3.2(13.18.4)
Content-Type: application/sdp
Content-Length: 337

v=0
o=- 503644369 503644369 IN IP4 192.168.1.52
s=Asterisk
c=IN IP4 192.168.1.52
t=0 0
m=audio 12086 RTP/AVP 0 8 3 111 9 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:3 GSM/8000
a=rtpmap:111 G726-32/8000
a=rtpmap:9 G722/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv
<------------->
--- (15 headers 16 lines) ---
Sending to 192.168.1.52:46340 (no NAT)
Sending to 192.168.1.52:46340 (no NAT)
Using INVITE request as basis request - ddbb432f-46cb-4570-94e4-ac7a075a1692
No matching peer for '101' from '192.168.1.52:46340'

<--- Reliably Transmitting (no NAT) to 192.168.1.52:46340 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TCP 192.168.1.52:5060;branch=z9hG4bKPj41f9e5f6-e38a-478a-b86f-3f25918e7ef5;alias;received=192.168.1.52;rport=46340
From: "Ian" <sip:101 at 192.168.1.52>;tag=11a5a243-3cbf-4c9e-85ae-378893ea8672
To: <sip:2 at 192.168.1.43>;tag=as2410abf6
Call-ID: ddbb432f-46cb-4570-94e4-ac7a075a1692
CSeq: 24123 INVITE
Server: Asterisk PBX 13.21.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="7162128f"
Content-Length: 0
{noformat}

Switching PBX to send via a UDP trunk (rather than TCP) with the same Asterisk config results in a successful call.

Looking at the ASTERISK-27457 modification I suspect using TLS will also fail for the same reason.

The failed TCP and TLS calls would have worked using Asterisk 13.20.0 (even without the *insecure=port,invite* in the config).

> PBX calls via chan_sip TCP trunk now get authentification error
> ---------------------------------------------------------------
>
>                 Key: ASTERISK-27881
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27881
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/TCP-TLS
>    Affects Versions: 13.21.0
>         Environment: Ubuntu 16.04
>            Reporter: Ian Gilmour
>            Assignee: Ian Gilmour
>
> I have a PBX (type=peer) with a few extensions that forwards calls on to an Asterisk and from there the calls get routed to an external server. All worked fine with 13.20.0 but after upgrading to 13.21.0 I now see the call being rejected by Asterisk with authentification failures.
> The PBX doesn't register with Asterisk - calls are accepted because they come from the defined PBX host IP address. The port the call originates from does not match the defined PBX port (it didn't when using 13.20.0 either and that worked fine).
> I tried adding "insecure=port,invite" to the PBX trunk config with no effect.
> The change in behaviour between 13.20 and 13.21 looks to be related to mods made for ASTERISK-27457.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list