[asterisk-users] Unable to REGISTER to the Asterisk v1.8.3.3 server via SIP/TLS

Paul Hayes paul at provu.co.uk
Mon May 9 13:14:48 CDT 2011


Hi,

It looks to me that the 401 unauth packets aren't getting back to the phones, which suggests a network/router/NAT issue rather than anything wrong with the Asterisk or phone configuration.

Cheers,
Paul.



On 8 May 2011, at 01:59, GNUbie <gnubie at gmail.com> wrote:

> Hello all,
> 
> I have installed the .deb packages of the Asterisk v1.8.3.3 from the
> upstream project on my Debian GNU/Linux Squeeze server and bought the
> Comodo's PositiveSSL SSL certificate to be used for my SIP/TLS
> exercise. After setting up everything and trying to fix this problem,
> I am still getting a 401 Unauthorized SIP message. So as of this
> writing, I still cannot successfully REGISTER to my Asterisk box.
> 
> Below are the snippets of my Asterisk and SNOM 300 configurations
> including the logs for your reference.
> 
> I hope anyone from this community can help me solve this problem. A
> HOWTO of a similar scenario will help a lot.
> 
> Thank you in advance.
> 
> Regards,
> 
> GNUbie
> 
> - - - ASTERISK v1.8.3.3 - - -
> 
> [ /etc/asterisk/sip.conf ]
> 
> [general]
> ...
> ...
> tlsenable=yes
> tlsbindaddr=0.0.0.0
> tlscertfile=/etc/asterisk/keys/pbx.domain.com.pem
> tlscipher=ALL
> tlsclientmethod=tlsv1
> tlsbindport=5061
> externtlsport=5061
> externtcpport=5061
> tcpbindaddr=0.0.0.0
> tcpbindport=5061
> tcpenable=yes
> srvlookup=yes
> 
> [361]
> username=361
> secret=*******
> callerid="361-tls"<361>
> mailbox=361@family
> context=family
> transport=tls
> port=5061
> type=friend
> host=dynamic
> dtmfmode=rfc2833
> canreinvite=no
> nat=yes
> qualify=yes
> autoframing=yes
> encryption=yes
> 
> *CLI> core show version
> Asterisk 1.8.3.3-1digium1~squeeze built by pbuilder @ nighthawk on a x86_64 running Linux on 2011-04-22 17:50:44 UTC
> 
> *CLI> sip show settings
> 
> Global Settings:
> ----------------
> UDP Bindaddress: 0.0.0.0:5060
> TCP SIP Bindaddress: 0.0.0.0:5060
> TLS SIP Bindaddress: 0.0.0.0:5061
> Videosupport: No
> Textsupport: No
> Ignore SDP sess. ver.: No
> AutoCreate Peer: No
> Match Auth Username: No
> Allow unknown access: No
> Allow subscriptions: Yes
> Allow overlap dialing: Yes
> Allow promsic. redir: No
> Enable call counters: No
> SIP domain support: Yes
> Realm. auth: No
> Our auth realm pbx.domain.com
> Use domains as realms: No
> Call to non-local dom.: Yes
> URI user is phone no: No
> Always auth rejects: Yes
> Direct RTP setup: No
> User Agent: "Asterisk rocks!"
> SDP Session Name: Asterisk PBX 1.8.3.3-1digium1~squeeze
> SDP Owner Name: root
> Reg. context: (not set)
> Regexten on Qualify: No
> Caller ID: asterisk
> From: Domain:
> Record SIP history: Off
> Call Events: Off
> Auth. Failure Events: Off
> T.38 support: No
> T.38 EC mode: Unknown
> T.38 MaxDtgrm: -1
> SIP realtime: Disabled
> Qualify Freq : 60000 ms
> Q.850 Reason header: No
> 
> Network QoS Settings:
> ---------------------------
> IP ToS SIP: CS0
> IP ToS RTP audio: CS0
> IP ToS RTP video: CS0
> IP ToS RTP text: CS0
> 802.1p CoS SIP: 4
> 802.1p CoS RTP audio: 5
> 802.1p CoS RTP video: 6
> 802.1p CoS RTP text: 5
> Jitterbuffer enabled: Yes
> Jitterbuffer forced: No
> Jitterbuffer max size: 200
> Jitterbuffer resync: 1200
> Jitterbuffer impl: fixed
> Jitterbuffer log: No
> 
> Network Settings:
> ---------------------------
> SIP address remapping: Enabled using externhost
> Externhost: pbx.domain.com
> externaddr: 11.22.33.44:0
> Externrefresh: 10
> Localnet: 192.168.101.0/255.255.255.0
> 
> Global Signalling Settings:
> ---------------------------
> Codecs: 0x60e (gsm|ulaw|alaw|speex|ilbc)
> Codec Order: ulaw:20,alaw:20,gsm:20,speex:20,ilbc:30
> Relax DTMF: No
> RFC2833 Compensation: No
> Symmetric RTP: No
> Compact SIP headers: No
> RTP Keepalive: 0 (Disabled)
> RTP Timeout: 15
> RTP Hold Timeout: 0 (Disabled)
> MWI NOTIFY mime type: application/simple-message-summary
> DNS SRV lookup: Yes
> Pedantic SIP support: Yes
> Reg. min duration 1800 secs
> Reg. max duration: 3600 secs
> Reg. default duration: 120 secs
> Outbound reg. timeout: 20 secs
> Outbound reg. attempts: 0
> Notify ringing state: Yes
> Include CID: No
> Notify hold state: No
> SIP Transfer mode: open
> Max Call Bitrate: 384 kbps
> Auto-Framing: No
> Outb. proxy: <not set>
> Session Timers: Refuse
> Session Refresher: uas
> Session Expires: 1800 secs
> Session Min-SE: 90 secs
> Timer T1: 3000
> Timer T1 minimum: 100
> Timer B: 192000
> No premature media: Yes
> Max forwards: 70
> 
> Default Settings:
> -----------------
> Allowed transports: UDP
> Outbound transport:     UDP
> Context: default
> Force rport: No
> DTMF: rfc2833
> Qualify: 0
> Use ClientCode: No
> Progress inband: Never
> Language:
> MOH Interpret: default
> MOH Suggest:
> Voice Mail Extension: asterisk
> 
> *CLI> sip show peer 361
> 
> * Name : 361
> Secret : <Set>
> MD5Secret : <Not set>
> Remote Secret: <Not set>
> Context : family
> Subscr.Cont. : <Not set>
> Language :
> AMA flags : Unknown
> Transfer mode: open
> CallingPres : Presentation Allowed, Not Screened
> Callgroup :
> Pickupgroup :
> MOH Suggest :
> Mailbox : 361@family
> VM Extension : asterisk
> LastMsgsSent : 32767/65535
> Call limit : 0
> Max forwards : 0
> Dynamic : Yes
> Callerid : "361-tls" <361>
> MaxCallBR : 384 kbps
> Expire : -1
> Insecure : no
> Force rport : Yes
> ACL : No
> DirectMedACL : No
> T.38 support : No
> T.38 EC mode : Unknown
> T.38 MaxDtgrm: -1
> DirectMedia : No
> PromiscRedir : No
> User=Phone : No
> Video Support: No
> Text Support : No
> Ign SDP ver : No
> Trust RPID : No
> Send RPID : No
> Subscriptions: Yes
> Overlap dial : Yes
> DTMFmode : rfc2833
> Timer T1 : 3000
> Timer B : 192000
> ToHost :
> Addr->IP : (null)
> Defaddr->IP : (null)
> Prim.Transp. : TLS
> Allowed.Trsp : TLS
> Def. Username: 361
> SIP Options : (none)
> Codecs : 0x60e (gsm|ulaw|alaw|speex|ilbc)
> Codec Order : (ulaw:20,alaw:20,gsm:20,speex:20,ilbc:30)
> Auto-Framing : Yes
> 100 on REG : No
> Status : UNKNOWN
> Useragent :
> Reg. Contact :
> Qualify Freq : 60000 ms
> Sess-Timers : Refuse
> Sess-Refresh : uas
> Sess-Expires : 1800 secs
> Min-Sess : 90 secs
> RTP Engine : asterisk
> Parkinglot :
> Use Reason : No
> Encryption : Yes
> 
> 
> <--- SIP read from TLS:192.168.101.102:2061 --->
> REGISTER sip:pbx.domain.com SIP/2.0
> Via: SIP/2.0/TLS 192.168.101.102:2061;branch=z9hG4bK-b6veg4r2tybi;rport
> From: "361" <sip:361@pbx.domain.com>;tag=6ulxay5gxm
> To: "361" <sip:361@pbx.domain.com>
> Call-ID: 3c26701f2ede-afeuhg58c60m
> CSeq: 7 REGISTER
> Max-Forwards: 70
> Contact: <sip:361@192.168.101.102:2061;transport=tls>;reg-id=1;q=1.0;+sip.instance="<urn:uuid:0a473ab2-1159-4286-9cdb-385c32d8003d>";audio;mobility="fixed";duplex="full";description="snom300";actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
> User-Agent: snom300/8.4.31
> Allow-Events: dialog
> X-Real-IP: 192.168.101.102
> Supported: path, gruu
> Expires: 3600
> Content-Length: 0
> 
> <------------->
> --- (14 headers 0 lines) ---
> Sending to 192.168.101.102:2061 (no NAT)
> 
> <--- Transmitting (NAT) to 192.168.101.102:2061 --->
> SIP/2.0 401 Unauthorized
> Via: SIP/2.0/TLS 192.168.101.102:2061;branch=z9hG4bK-b6veg4r2tybi;received=192.168.101.102;rport=2061
> From: "361" <sip:361@pbx.domain.com>;tag=6ulxay5gxm
> To: "361" <sip:361@pbx.domain.com>;tag=as16189b66
> Call-ID: 3c26701f2ede-afeuhg58c60m
> CSeq: 7 REGISTER
> Server: "Asterisk rocks!"
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
> Supported: replaces
> WWW-Authenticate: Digest algorithm=MD5, realm="pbx.domain.com", nonce="6408e8c3"
> Content-Length: 0
> 
> 
> <------------>
> Scheduling destruction of SIP dialog '3c26701f2ede-afeuhg58c60m' in 192000 ms (Method: REGISTER)
> 
> <--- SIP read from TLS:192.168.101.102:2061 --->
> REGISTER sip:pbx.domain.com SIP/2.0
> Via: SIP/2.0/TLS 192.168.101.102:2061;branch=z9hG4bK-9cuvn4fglawu;rport
> From: "361" <sip:361@pbx.domain.com>;tag=hr7nz4nopk
> To: "361" <sip:361@pbx.domain.com>
> Call-ID: 3c26701f2ede-afeuhg58c60m
> CSeq: 8 REGISTER
> Max-Forwards: 70
> Contact: <sip:361@192.168.101.102:2061;transport=tls>;reg-id=1;q=1.0;+sip.instance="<urn:uuid:0a473ab2-1159-4286-9cdb-385c32d8003d>";audio;mobility="fixed";duplex="full";description="snom300";actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
> User-Agent: snom300/8.4.31
> Allow-Events: dialog
> X-Real-IP: 192.168.101.102
> Supported: path, gruu
> Expires: 3600
> Content-Length: 0
> 
> <------------->
> --- (14 headers 0 lines) ---
> Sending to 192.168.101.102:2061 (no NAT)
> 
> <--- Transmitting (NAT) to 192.168.101.102:2061 --->
> SIP/2.0 401 Unauthorized
> Via: SIP/2.0/TLS 192.168.101.102:2061;branch=z9hG4bK-9cuvn4fglawu;received=192.168.101.102;rport=2061
> From: "361" <sip:361@pbx.domain.com>;tag=hr7nz4nopk
> To: "361" <sip:361@pbx.domain.com>;tag=as6231d59a
> Call-ID: 3c26701f2ede-afeuhg58c60m
> CSeq: 8 REGISTER
> Server: "Asterisk rocks!"
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
> Supported: replaces
> WWW-Authenticate: Digest algorithm=MD5, realm="pbx.domain.com", nonce="6ea5895a"
> Content-Length: 0
> 
> 
> <------------>
> Scheduling destruction of SIP dialog '3c26701f2ede-afeuhg58c60m' in 192000 ms (Method: REGISTER)
> 
> - - - SNOM 300 - - -
> 
> [ Setup > Identity 1 > Login ]
> 
> Displayname: 361
> Account: 361
> Password: ********
> Registrar: pbx.domain.com
> Outbound Proxy: sips:pbx.domain.com:5061
> Authentication Username: 361
> 
> - - -
> 
> [ Setup > Certificates > Server Certificates ]
> 
> Country: ; State: ; Locality ; Organization: ; Common Name: pbx.domain.com; eMail:
> Version:    2
> Serial Number:    00b6b63eb67ed2111345253c228264d093
> Signature Algorithm:    1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
> Signature:    28ce574c9715e1e59dfc90829287ab31fdbf0e0212dc488b106e71ffaaa339610492dc091d440772...
> Issuer:    Country: GB; State: Greater Manchester; Locality Salford; Organization: Comodo CA Limited; Common Name: PositiveSSL CA; eMail:
> Validity:    27/04/11 - 26/04/12
> SHA1-Fingerprint:    38d13c709ab1cc9b434c2f05e927239fe4ae6f19
> MD5-Fingerprint:    a9b62e186465055f34a04153ad7898de
> PK Algorithm:    1.2.840.113549.1.1.1 (rsaEncryption)
> RSA modulus:    00b90412744fd50459d807a04d007a9fd7d667189f1394f11ecd46e8556bd861526eb9be582a2631...
> RSA exponent:    010001
> Filename on FS:    f6700ff3f3059f4c629df2bff8678aeacb291ddb.DER
> 
> - - -
> 
> [ Status > System Information ]
> 
> System Information:
> Phone Type:    snom300-SIP
> MAC-Address:    0004132F08DC
> IP-Address:    192.168.101.102
> Firmware-Version:    snom300-SIP 8.4.31
> Firmware-URL:    http://provisioning.....4.31-SIP-f.bin
> Production Information:    Mac:0004132F08DC;Version:Standard;Hardware:snom300 (H: R2A);Date:15/05/08;Copyright© snom technology AG
> Uptime:    0 days, 1 hours, 27 minutes
> LCS:    0 days, 0 hours, 53 minutes (0)
> Memfree:    772 K
> CPU:    0.04 0.02 0.03 1/10 96
> Bootloader-Version:    1.1.3-u
> 
> SIP Identity Status:
> Identity 1 Status:    361@pbx.domain.com: Network Failure
> 
> - - -
> 
> [ Status > SIP Trace ]
> 
> Sent to tls:11.22.33.44:5061 at 24/12/2001 08:00:32:192 (729 bytes):
> REGISTER sip:pbx.domain.com SIP/2.0
> Via: SIP/2.0/TLS 192.168.101.102:2055;branch=z9hG4bK-9i3rt6llzqd1;rport
> From: "361" <sip:361@pbx.domain.com>;tag=hpleutmwxu
> To: "361" <sip:361@pbx.domain.com>
> Call-ID: 3c26701f3456-58is2wtgld05
> CSeq: 1 REGISTER
> Max-Forwards: 70
> Contact: <sip:361@192.168.101.102:2055;transport=tls>;q=1.0;reg-id=1;+sip.instance="<urn:uuid:0a473ab2-1159-4286-9cdb-385c32d8003d>";audio;mobility="fixed";duplex="full";description="snom300";actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
> User-Agent: snom300/8.4.31
> Allow-Events: dialog
> X-Real-IP: 192.168.101.102
> Supported: path, gruu
> Expires: 3600
> Content-Length: 0
> 
> Sent to tls:11.22.33.44:5061 at 8/5/2011 00:24:03:610 (729 bytes):
> REGISTER sip:pbx.domain.com SIP/2.0
> Via: SIP/2.0/TLS 192.168.101.102:2056;branch=z9hG4bK-lriexp5iqoio;rport
> From: "361" <sip:361@pbx.domain.com>;tag=b11o8j7lk4
> To: "361" <sip:361@pbx.domain.com>
> Call-ID: 3c26701f3456-58is2wtgld05
> CSeq: 2 REGISTER
> Max-Forwards: 70
> Contact: <sip:361@192.168.101.102:2056;transport=tls>;reg-id=1;q=1.0;+sip.instance="<urn:uuid:0a473ab2-1159-4286-9cdb-385c32d8003d>";audio;mobility="fixed";duplex="full";description="snom300";actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
> User-Agent: snom300/8.4.31
> Allow-Events: dialog
> X-Real-IP: 192.168.101.102
> Supported: path, gruu
> Expires: 3600
> Content-Length: 0
> 
> - - -
> 
> [ Status > Log ]
> 
> [0] 24/12/2001 00:00:27: Phone::uboot_version:1.1.3-u
> [1] 24/12/2001 00:00:29: Conf setup: code: 500, host: 127.0.0.1:80, file: /dummy.htm
> [0] 24/12/2001 08:00:31: TaskMon: LCS 21/0 recv LPCP took 1271 msecs
> [0] 24/12/2001 08:00:31: LoopMon: LCS 21 took 1271 (290/0) msecs, read 1, 3/1 tasks
> [1] 24/12/2001 08:00:32: TLS: Warning: Certificate with subject Country: ; State: ; Locality ; Organization: ; Common Name: pbx.domain.com; eMail: has expired according to the local time of the phone.
> [0] 24/12/2001 08:00:33: TaskMon: LCS 30/0 recv LPCP took 934 msecs
> [0] 24/12/2001 08:00:33: LoopMon: LCS 30 took 968 (42/32) msecs, read 1, 3/1 tasks
> [0] 8/5/2011 00:22:49: TaskMon: LCS 93/0 recv LPCP took 434 msecs
> [0] 8/5/2011 00:22:49: TaskMon: LCS 94/0 recv LPCP took 461 msecs
> [0] 8/5/2011 00:22:50: TaskMon: LCS 96/0 recv LPCP took 576 msecs
> [0] 8/5/2011 00:23:03: TaskMon: LCS 148/0 recv LPCP took 238 msecs
> [2] 8/5/2011 00:23:03: Transport Error: Pending packet 1000000: generating fake
> [2] 8/5/2011 00:23:03: Registrar 361@pbx.domain.com timed out
> [0] 8/5/2011 00:23:05: TaskMon: LCS 157/0 recv LPCP took 372 msecs
> [0] 8/5/2011 00:23:05: LoopMon: LCS 157 took 850 (499/478) msecs, read 1, 4/1 tasks
> [0] 8/5/2011 00:24:04: TaskMon: LCS 359/0 recv LPCP took 872 msecs
> [0] 8/5/2011 00:24:04: LoopMon: LCS 359 took 872 (306/0) msecs, read 1, 3/1 tasks
> [2] 8/5/2011 00:24:34: Transport Error: Pending packet 1000002: generating fake
> [2] 8/5/2011 00:24:34: Registrar 361@pbx.domain.com timed out
> [0] 8/5/2011 00:24:48: TaskMon: LCS 508/0 recv LPCP took 443 msecs
> [0] 8/5/2011 00:24:48: LoopMon: LCS 508 took 444 (16/0) msecs, read 1, 3/1 tasks
> [0] 8/5/2011 00:24:48: TaskMon: LCS 509/0 recv LPCP took 506 msecs
> [0] 8/5/2011 00:24:48: LoopMon: LCS 509 took 507 (72/0) msecs, read 1, 4/1 tasks
> [0] 8/5/2011 00:24:49: TaskMon: LCS 510/0 recv LPCP took 1293 msecs
> [0] 8/5/2011 00:24:49: LoopMon: LCS 510 took 1337 (500/0) msecs, read 1, 5/1 tasks
> [0] 8/5/2011 00:25:35: TaskMon: LCS 673/0 recv LPCP took 871 msecs
> [0] 8/5/2011 00:25:35: LoopMon: LCS 673 took 871 (118/0) msecs, read 1, 3/1 tasks
> [2] 8/5/2011 00:26:05: Transport Error: Pending packet 1000004: generating fake
> [2] 8/5/2011 00:26:05: Registrar 361@pbx.domain.com timed out
> [0] 8/5/2011 00:27:06: TaskMon: LCS 986/0 recv LPCP took 871 msecs
> [0] 8/5/2011 00:27:06: LoopMon: LCS 986 took 871 (419/0) msecs, read 1, 3/1 tasks
> [2] 8/5/2011 00:27:36: Transport Error: Pending packet 1000006: generating fake
> [2] 8/5/2011 00:27:36: Registrar 361@pbx.domain.com timed out
> [0] 8/5/2011 00:28:37: TaskMon: LCS 1296/0 recv LPCP took 869 msecs
> [0] 8/5/2011 00:28:37: LoopMon: LCS 1296 took 870 (387/0) msecs, read 1, 3/1 tasks
> [2] 8/5/2011 00:29:07: Transport Error: Pending packet 1000008: generating fake
> [2] 8/5/2011 00:29:07: Registrar 361@pbx.domain.com timed out
> [0] 8/5/2011 00:30:08: TaskMon: LCS 1605/0 recv LPCP took 870 msecs
> [0] 8/5/2011 00:30:08: LoopMon: LCS 1605 took 871 (458/0) msecs, read 1, 3/1 tasks
> [2] 8/5/2011 00:30:38: Transport Error: Pending packet 1000010: generating fake
> [2] 8/5/2011 00:30:38: Registrar 361@pbx.domain.com timed out
> [0] 8/5/2011 00:31:39: TaskMon: LCS 1918/0 recv LPCP took 874 msecs
> [0] 8/5/2011 00:31:39: LoopMon: LCS 1918 took 875 (346/0) msecs, read 1, 3/1 tasks
> [0] 8/5/2011 00:32:03: TaskMon: LCS 1996/0 recv LPCP took 424 msecs
> [0] 8/5/2011 00:32:03: LoopMon: LCS 1996 took 430 (24/4) msecs, read 1, 3/1 tasks
> 
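The server-side trace in this thread shows a REGISTER arriving with a higher CSeq and no Authorization header right after a 401 digest challenge was sent for the same Call-ID, which is the signature of a challenge the client never acted on. The following is an added example, not part of the original thread or of Asterisk: a small Python check for that pattern in chan_sip debug output, using a sample abridged from the quoted trace; the function names are illustrative.

```python
import re

# Abridged from the Asterisk debug trace quoted in this thread (most headers dropped).
TRACE = """\
<--- Transmitting (NAT) to 192.168.101.102:2061 --->
SIP/2.0 401 Unauthorized
Call-ID: 3c26701f2ede-afeuhg58c60m
CSeq: 7 REGISTER
WWW-Authenticate: Digest algorithm=MD5, realm="pbx.domain.com", nonce="6408e8c3"

<--- SIP read from TLS:192.168.101.102:2061 --->
REGISTER sip:pbx.domain.com SIP/2.0
Call-ID: 3c26701f2ede-afeuhg58c60m
CSeq: 8 REGISTER
"""

MARKER = re.compile(r"^<--- (SIP read from|Transmitting \([^)]*\) to) (\S+) --->$")

def parse_trace(text):
    """Split debug output into messages: direction, start line, lower-cased headers."""
    messages, current = [], None
    for line in map(str.strip, text.splitlines()):
        m = MARKER.match(line)
        if m:
            current = {"dir": "rx" if m.group(1).startswith("SIP read") else "tx",
                       "start": None, "headers": {}}
            messages.append(current)
        elif not line:
            current = None  # blank line ends a body-less message; skip debug chatter
        elif current is not None and current["start"] is None:
            current["start"] = line
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current["headers"][name.strip().lower()] = value.strip()
    return messages

def unanswered_challenges(messages):
    """Return (call_id, cseq) for each REGISTER that ignores a pending 401 challenge."""
    pending, findings = set(), []
    for msg in messages:
        h, start = msg["headers"], msg["start"] or ""
        call_id = h.get("call-id")
        if msg["dir"] == "tx" and start.startswith("SIP/2.0 401") and "www-authenticate" in h:
            pending.add(call_id)
        elif msg["dir"] == "rx" and start.startswith("REGISTER "):
            if call_id in pending and "authorization" not in h:
                findings.append((call_id, h.get("cseq", "?").split()[0]))
            pending.discard(call_id)
    return findings
```

A non-empty result means the challenge left the server but the client behaved as if it never arrived, so the next place to look is the return path (NAT, firewall, TLS session) rather than the credentials.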