
Summary: ASTERISK-25648: chan_sip returns forbidden 403, if the incoming number was determined as the present.
Reporter: Alexey A. Astashov (Alexey_Astashov)
Labels:
Date Opened: 2015-12-29 11:02:13.000-0600
Date Closed:
Priority: Major
Regression?
Status: Open/New
Components: Channels/chan_sip/General
Versions: 13.5.0 13.6.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
( 0) Debug-GW.txt
( 1) Debug-Users-Asterisk.txt
( 2) incall.cap
( 3) Initial-PBX-call.txt
( 4) Truble_chan_sip.jpg
( 5) Users-asteriskmini.txt
Description: I detected a problem with the call processing protocol SIP.
For example:
"Some PBX" (num's 1100-1299) --> call came to my GW Asterisk with internal CID "Some PBX" --> then call routed to my PBX Asterisk (num's 1100-1500), but last determine existing number and return Forbidden 403.
In configuration TRUNK on My PBX I have insecure=port,invite

The error is that if the final PBX will see that an incoming call comes CID number that it has, it sends to the gateway error 403. The error was discovered with 13 versions of Asterisk, on Asterisk 11 - everything worked well. At the same time the IAX2 protocol, this is not a problem. Unfortunately, I can not test the functionality of the protocol PJSIP.
Comments:By: Asterisk Team (asteriskteam) 2015-12-29 11:02:14.538-0600

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Matt Jordan (mjordan) 2015-12-29 11:21:10.280-0600

Thanks for the report and debug. However we also need protocol specific debug captured at the time of the issue. Please include the following:

* Asterisk log files generated using the instructions on the Asterisk wiki [1], with the appropriate protocol debug options enabled, e.g. 'pjsip set logger on' if the issue involves the chan_pjsip channel driver.
* Configuration information for the relevant channel driver, e.g. pjsip.conf.
* A wireshark compatible packet capture, captured at the same time as the Asterisk log output.

[1] https://wiki.asterisk.org/wiki/display/AST/Collecting+Debug+Information



By: Alexey A. Astashov (Alexey_Astashov) 2015-12-29 12:21:03.982-0600

I compiled Asterisk without support PJSIP. Other now try to collect.

By: Alexey A. Astashov (Alexey_Astashov) 2015-12-29 13:37:55.186-0600

Files containing debug information, I made a call from PBX 172.16.10.173 to 172.16.15.194 through 172.16.15.196, but everything else like in the picture.

Oh, I almost forgot. Unless the PBX (for which a call comes in) remove the subscriber number which can come at CID, the calls begin to work normally.

By: Alexey A. Astashov (Alexey_Astashov) 2015-12-29 14:00:01.543-0600

Minimize the file by turning off all subscribers to Asterisk

By: Rusty Newton (rnewton) 2016-01-05 17:45:02.266-0600

{noformat}
[2015-12-29 22:01:15] WARNING[12881][C-00000002]: chan_sip.c:16653 check_auth: username mismatch, have <1101>, digest has <001002>
[2015-12-29 22:01:15] NOTICE[12881][C-00000002]: chan_sip.c:25550 handle_request_invite: Failed to authenticate device "TEST 123" <sip:1101@172.16.15.196>;tag=as17bda15c
{noformat}

Looks like an authentication problem. If you don't intend to have authentication happen then you will want to double check your SIP peer/friend configuration.

This doesn't appear to be a bug unless you can demonstrate that it is attempting to authenticate despite proper configuration. You didn't attach configuration as requested so I don't see any configuration to look at. If you post the configuration we can take a quick look at that but otherwise this is a support issue that should be posted to the forums or mailing lists and not the bug tracker.

By: Alexey A. Astashov (Alexey_Astashov) 2016-01-06 15:02:29.883-0600

Oh. What exactly should be sent from the configuration?
sip.conf - (GW Server)
{code}
.............
[001001]
username=001002
type=friend
insecure=port, invite
secret=MyPassword
qualify=yes
host=172.16.15.194
allow=all
context=from-trunk-sip-001001
{code}

part of extensions.conf - gw-server
{code}
.................
exten => 21,1,Set(TDIAL_STRING=SIP/001001)
exten => 21,n,Set(DIAL_TRUNK=21)
exten => 21,n,Goto(ext-trunk,tdial,1)

exten => tdial,1,Set(OUTBOUND_GROUP=OUT_${DIAL_TRUNK})
exten => tdial,n,GotoIf($["${OUTMAXCHANS_${DIAL_TRUNK}}" = ""]?nomax)
exten => tdial,n,GotoIf($[${GROUP_COUNT(OUT_${DIAL_TRUNK})} >= ${OUTMAXCHANS_${DIAL_TRUNK}}]?hangit)
exten => tdial,n(nomax),ExecIf($["${CALLINGPRES_SV}" != ""]?Set(CALLERPRES()=${CALLINGPRES_SV}))
exten => tdial,n,Set(DIAL_NUMBER=${FROM_DID})
exten => tdial,n,GosubIf($["${PREFIX_TRUNK_${DIAL_TRUNK}}" != ""]?sub-flp-${DIAL_TRUNK},s,1())
exten => tdial,n,Set(OUTNUM=${OUTPREFIX_${DIAL_TRUNK}}${DIAL_NUMBER})
exten => tdial,n,Set(DIAL_TRUNK_OPTIONS=${IF($["${DB_EXISTS(TRUNK/${DIAL_TRUNK}/dialopts)}" = "1"]?${DB_RESULT}:${TRUNK_OPTIONS})})
exten => tdial,n,Dial(${TDIAL_STRING}/${OUTNUM},${TRUNK_RING_TIMER},${DIAL_TRUNK_OPTIONS})
exten => tdial,n,Set(CALLERID(number)=${CALLERID(number):0:40})
exten => tdial,n,Set(CALLERID(name)=${CALLERID(name):0:40})
exten => tdial,n(hangit),Hangup

;--== end of [ext-trunk] ==--;

[from-trunk-sip-001001]
exten => _.,1,Set(GROUP()=OUT_21)
exten => _.,n,Goto(from-trunk,${EXTEN},1)

;--== end of [from-trunk-sip-001001] ==--;

[outrt-24] ; TO-NEW-OFFICE
exten => _11XX,1,Macro(user-callerid,LIMIT,EXTERNAL,)
exten => _11XX,n,GosubIf($[${LEN(${FROM_DID})}>0 & "${FROM_DID}"!="s"]?sub-diversion-header,s,1())
exten => _11XX,n,Set(INTRACOMPANYROUTE=YES)
exten => _11XX,n,Set(MOHCLASS=${IF($["${MOHCLASS}"=""]?default:${MOHCLASS})})
exten => _11XX,n,Set(_NODEST=)
exten => _11XX,n,Gosub(sub-record-check,s,1(out,${EXTEN},))
exten => _11XX,n,Macro(dialout-trunk,8,${EXTEN},,off)
exten => _11XX,n,Macro(outisbusy,)

exten => _12XX,1,Macro(user-callerid,LIMIT,EXTERNAL,)
exten => _12XX,n,GosubIf($[${LEN(${FROM_DID})}>0 & "${FROM_DID}"!="s"]?sub-diversion-header,s,1())
exten => _12XX,n,Set(INTRACOMPANYROUTE=YES)
exten => _12XX,n,Set(MOHCLASS=${IF($["${MOHCLASS}"=""]?default:${MOHCLASS})})
exten => _12XX,n,Set(_NODEST=)
exten => _12XX,n,Gosub(sub-record-check,s,1(out,${EXTEN},))
exten => _12XX,n,Macro(dialout-trunk,8,${EXTEN},,off)
exten => _12XX,n,Macro(outisbusy,)

;--== end of [outrt-24] ==--;
{code}
............
part of sip.conf - (users server which gives a Forbidden 403)
{code}
[001002]
defaultuser=001001
type=friend
insecure=port,invite
secret=MyPassword
qualify=yes
host=172.16.15.196
allow=all
context=from-trunk-sip-001002
........
{code}

part of extensions.conf users-server:
{code}
[from-trunk-sip-001002]
include => from-trunk-sip-001002-custom
exten => _.,1,Set(GROUP()=OUT_1)
exten => _.,n,Goto(from-trunk,${EXTEN},1)

;--== end of [from-trunk-sip-001002] ==--;


[from-trunk-iax2-00704]
include => from-trunk-iax2-00704-custom
exten => _.,1,Set(GROUP()=OUT_2)
exten => _.,n,Goto(from-trunk,${EXTEN},1)

;--== end of [from-trunk-iax2-00704] ==--;


[ext-trunk]
include => ext-trunk-custom
exten => 1,1,Set(TDIAL_STRING=SIP/001002)
exten => 1,n,Set(DIAL_TRUNK=1)
exten => 1,n,Goto(ext-trunk,tdial,1)

exten => 2,1,Set(TDIAL_STRING=IAX2/00704)
exten => 2,n,Set(DIAL_TRUNK=2)
exten => 2,n,Goto(ext-trunk,tdial,1)

exten => tdial,1,Set(OUTBOUND_GROUP=OUT_${DIAL_TRUNK})
exten => tdial,n,GotoIf($["${OUTMAXCHANS_${DIAL_TRUNK}}" = ""]?nomax)
exten => tdial,n,GotoIf($[${GROUP_COUNT(OUT_${DIAL_TRUNK})} >= ${OUTMAXCHANS_${DIAL_TRUNK}}]?hangit)
exten => tdial,n(nomax),ExecIf($["${CALLINGNAMEPRES_SV}" != ""]?Set(CALLERPRES(name-pres)=${CALLINGNAMEPRES_SV}))
exten => tdial,n,ExecIf($["${CALLINGNUMPRES_SV}" != ""]?Set(CALLERPRES(num-pres)=${CALLINGNUMPRES_SV}))
exten => tdial,n,Set(DIAL_NUMBER=${FROM_DID})
exten => tdial,n,GosubIf($["${PREFIX_TRUNK_${DIAL_TRUNK}}" != ""]?sub-flp-${DIAL_TRUNK},s,1())
exten => tdial,n,Set(OUTNUM=${OUTPREFIX_${DIAL_TRUNK}}${DIAL_NUMBER})
exten => tdial,n,Set(DIAL_TRUNK_OPTIONS=${IF($["${DB_EXISTS(TRUNK/${DIAL_TRUNK}/dialopts)}" = "1"]?${DB_RESULT}:${TRUNK_OPTIONS})})
exten => tdial,n,Dial(${TDIAL_STRING}/${OUTNUM}${TDIAL_SUFFIX},${TRUNK_RING_TIMER},${DIAL_TRUNK_OPTIONS})
exten => tdial,n,Set(CALLERID(number)=${CALLERID(number):0:40})
exten => tdial,n,Set(CALLERID(name)=${CALLERID(name):0:40})
exten => tdial,n(hangit),Hangup

;--== end of [ext-trunk] ==--;
{code}


By: Alexey A. Astashov (Alexey_Astashov) 2016-01-06 15:46:57.548-0600

hmm, maybe a bug that freepbx substitute "username =" on "defaultuser ="? I unfortunately in the next few days, I could not check. On the holiday weekend I will be in another country.

By: Rusty Newton (rnewton) 2016-01-07 09:55:09.171-0600

{quote}
username mismatch, have <1101>, digest has <001002>
{quote}

The username that is being matched against is 1101 - that is the peer that you need to check. The digest username should be 1101 if you want it to authenticate against 1101.

If the digest username is correct, then the problem is that Asterisk is matching against the wrong peer - probably due to the IP used since you are using insecure=port,invite.
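
A log triage sketch for the two chan_sip lines quoted earlier in this thread, added here as an example and not part of the original comments or of Asterisk. It correlates the `check_auth` warning with the failed INVITE by call ID and reports whether the device that was challenged is the one named in the From URI rather than the account in the digest; the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# The two log lines quoted in the thread (chan_sip on the users server).
SAMPLE_LOG = '''\
[2015-12-29 22:01:15] WARNING[12881][C-00000002]: chan_sip.c:16653 check_auth: username mismatch, have <1101>, digest has <001002>
[2015-12-29 22:01:15] NOTICE[12881][C-00000002]: chan_sip.c:25550 handle_request_invite: Failed to authenticate device "TEST 123" <sip:1101@172.16.15.196>;tag=as17bda15c
'''

CALL_ID = re.compile(r"\[(C-[0-9a-f]+)\]")
MISMATCH = re.compile(
    r"check_auth: username mismatch, have <([^>]*)>, digest has <([^>]*)>")
FAILED = re.compile(
    r"handle_request_invite: Failed to authenticate device .*<sip:([^@>]+)@([^>;]+)>")


def triage(log_text):
    """Correlate check_auth mismatches with the failed INVITE of the same call."""
    calls = defaultdict(dict)
    for line in log_text.splitlines():
        cid = CALL_ID.search(line)
        if not cid:
            continue  # not tied to a call, nothing to correlate
        rec = calls[cid.group(1)]
        if (m := MISMATCH.search(line)):
            rec["matched_device"], rec["digest_user"] = m.groups()
        elif (m := FAILED.search(line)):
            rec["from_user"], rec["source_host"] = m.groups()
    findings = []
    for call, rec in calls.items():
        if {"matched_device", "digest_user", "from_user"} <= rec.keys():
            # True when the challenged device carries the same name as the
            # From user while the sender's digest names a different account.
            rec["matched_on_caller_id"] = (
                rec["matched_device"] == rec["from_user"]
                and rec["matched_device"] != rec["digest_user"])
            findings.append({"call": call, **rec})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with `matched_on_caller_id` set to true points at the device entry named like the caller ID (here 1101) as the configuration to review, together with the trunk entry for `source_host`.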

By: Alexey A. Astashov (Alexey_Astashov) 2016-01-07 14:41:34.714-0600

Hmm, I do not understand why the Asterisk 11 does not require re-examination, and it requires Asterisk 13.5(13.6) .. Just enough to remove the extension (for example 1101), and everything works well.
in this case are not important setting is "insecure" - is of particular importance CID party, and as soon as the final Asterisk receives the value corresponding to the extension number - an error 403.

At the same time IAX2 protocol, everything works perfectly

By: Rusty Newton (rnewton) 2016-01-07 16:26:26.689-0600

I don't understand your last comment.

As I mentioned previously the issue does not appear to be a bug. This is not the appropriate place to go in-depth into configuration issues (technical support). Therefore I'm closing this issue out as Not a Bug.

At this point you probably want to show the debug to experienced FreePBX users so they can help you identify any issues in your configuration. Perhaps between your move from 11 and 13 something within your configuration or environment has changed. Again this is not the appropriate place to dig into all of that.

Since you use FreePBX to configure your Asterisk system it makes sense to ask that community for help. They can help you determine whether or not there is a bug present in Asterisk or FreePBX.

By: Alexey A. Astashov (Alexey_Astashov) 2016-01-11 09:45:08.576-0600

I do not want to check the authenticity of 1101, as end users are on both sides.

The authenticity of the circuit is checked at the server (peer) over IP.
The addresses are correct. And also with another type of protocol - it works.

The point is that, if at the final station, user 1101 is removed, the calls are fine.

The problem is that the external service provider cuts the all CID to 4 digits, and if the CID overlaps with one at my Asterisk 13.5,  the external provider receives a 403 error from my Asterisk.


By: Asterisk Team (asteriskteam) 2016-01-11 09:45:09.394-0600

This issue has been reopened as a result of your commenting on it as the reporter. It will be triaged once again as applicable.

By: Alexey A. Astashov (Alexey_Astashov) 2016-01-12 15:03:25.852-0600

I tested operation of my circuit  with different protocols:

IAX2 - PASSED
PJSIP - PASSED
SIP (chan_sip) - FAILED with error 403

I also checked out circuit: server-to-server (without an intermediate gateway)
chan_sip - Received response: "Forbidden"  :(

Of course - I can try to find at what point (versions/release) the error occurred.
but for me this is not an easy task now.

P.S. Please do not scold me if I write something unreadable. I had to use Google Translate, which is a bad translation difficult thoughts.
Sometimes, friends help me with the translation.