[asterisk-users] 401 Unauthorized when originating SIP user exists on remote server

Markus universe at truemetal.org
Sat Aug 29 15:37:56 CDT 2020 

Hi list!

I'm trying to make a SIP test call from Bria and/or 3CXPhone from a PC 
behind NAT.

 From Bria/3CXPhone I connect to an Asterisk 11.25.0 server on the 
internet at 100.100.94.210 with a SIP account "3333" created in sip.conf:

[3333]
type=friend
secret=something
host=dynamic
nat=yes
qualify=no
disallow=all
allow=alaw
allow=ulaw
canreinvite=no
context=voipin

I dial +1234 which goes to remote-server:

exten => +1234,1,Dial(SIP/${EXTEN}@remote-server)

On remote-server (IP: 100.100.92.16), which is running Asterisk 10.7.1, 
I have the following entry for 100.100.94.210 in sip.conf:

[incoming-server]
host=100.100.94.210
type=peer
insecure=port,invite
context=voipin
disallow=all
allow=alaw
canreinvite=no
dtmfmode=rfc2833

However, there's also a SIP account "3333" on that same server:

[3333]
type=friend
secret=something
host=dynamic
nat=yes
qualify=no
disallow=all
allow=alaw
allow=ulaw
canreinvite=no
context=voipin

When I make that call I get "401 Unauthorized" from remote-server. When 
I modify the username on 100.100.94.210 to "4444" or anything else that 
doesn't exist on 100.100.92.16, the call connects.

tcpdump:

100.100.94.210.5060 > 100.100.92.16.5060: SIP, length: 839
INVITE sip:+1234 at 100.100.92.16 SIP/2.0
Via: SIP/2.0/UDP 100.100.94.210:5060;branch=z9hG4bK0aa2c03b
Max-Forwards: 70
From: <sip:3333 at 100.100.94.210>;tag=as14990327
To: <sip:+1234 at 100.100.92.16>
Contact: <sip:3333 at 100.100.94.210:5060>
Call-ID: 6c33aa196f7a2c206a6b50a27b6a23d6 at 100.100.94.210:5060
CSeq: 102 INVITE
User-Agent: Asterisk PBX 11.25.0

Shouldn't Asterisk check first for IP-based authentication and ignore 
the From: part? In my case, use only the "incoming-server" peer.

Let's imagine remote-server would receive SIP calls which originate from 
the PSTN... and the originating caller somewhere in the world uses 
"3333" as username/CLI so that it makes it into the "From: sip:....@" 
part. That call would also get rejected with 401 Unauthorized if I'm not 
mistaken?

Is there a switch I'm missing?

Thank you, as always!
Markus

More information about the asterisk-users mailing list