ASTERISK-26787: Received incoming SIP connection from unknown peer" from registered sip provider

[Home]

Summary: ASTERISK-26787: Received incoming SIP connection from unknown peer" from registered sip provider

Reporter: Andy Woolford (andy_woolford) Labels:

Date Opened: 2017-02-12 02:05:49.000-0600 Date Closed: 2017-02-12 05:34:06.000-0600

Priority: Major Regression?

Status: Closed/Complete Components: Channels/chan_sip/General Channels/chan_sip/Registration

Versions: 11.24.1 Frequency of
Occurrence Constant

Related
Issues:

Environment: FreePBX Distro 10.13.66-17 / (Centos) Attachments:

Description: We started to notice that inbound calls from one sip provider (internetcalls.com) were being rejected as follows:

{code:java}
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [44XXXXXXXXXX@from-sip-external:1] NoOp("SIP/sip.internetcalls.com-00000bbc", "Received incoming SIP connection from unknown peer to 44XXXXXXXXXX") in new stack
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [44XXXXXXXXXX@from-sip-external:2] Set("SIP/sip.internetcalls.com-00000bbc", "DID=44XXXXXXXXXX") in new stack
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [44XXXXXXXXXX@from-sip-external:3] Goto("SIP/sip.internetcalls.com-00000bbc", "s,1") in new stack
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Goto (from-sip-external,s,1)
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/sip.internetcalls.com-00000bbc", "0?checklang:noanonymous") in new stack
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Goto (from-sip-external,s,5)
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s@from-sip-external:5] Set("SIP/sip.internetcalls.com-00000bbc", "TIMEOUT(absolute)=15") in new stack
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] func_timeout.c: -- Channel will hangup at 2017-02-01 09:33:25.707 UTC.
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s@from-sip-external:6] Log("SIP/sip.internetcalls.com-00000bbc", "WARNING,"Rejecting unknown SIP connection from 77.72.169.134"") in new stack
[2017-02-01 09:33:10] WARNING[23991][C-00000b80] Ext. s: "Rejecting unknown SIP connection from 77.72.169.134"
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s@from-sip-external:7] Answer("SIP/sip.internetcalls.com-00000bbc", "") in new stack
[2017-02-01 09:33:11] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s@from-sip-external:8] Wait("SIP/sip.internetcalls.com-00000bbc", "2") in new stack
[2017-02-01 09:33:13] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s@from-sip-external:9] Playback("SIP/sip.internetcalls.com-00000bbc", "ss-noservice") in new stack
[2017-02-01 09:33:13] VERBOSE[23991][C-00000b80] file.c: -- <SIP/sip.internetcalls.com-00000bbc> Playing 'ss-noservice.alaw' (language 'en')
[2017-02-01 09:33:18] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s@from-sip-external:10] PlayTones("SIP/sip.internetcalls.com-00000bbc", "congestion") in new stack
[2017-02-01 09:33:18] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s@from-sip-external:11] Congestion("SIP/sip.internetcalls.com-00000bbc", "5") in new stack
[2017-02-01 09:33:19] VERBOSE[23991][C-00000b80] pbx.c: == Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/sip.internetcalls.com-00000bbc'
[2017-02-01 09:33:19] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [h@from-sip-external:1] Hangup("SIP/sip.internetcalls.com-00000bbc", "") in new stack
[2017-02-01 09:33:19] VERBOSE[23991][C-00000b80] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/sip.internetcalls.com-00000bbc'
{code}

The trunk configuration for this provider looks like this (sip_additional.conf):

{code:java}
[Andy_ICalls_Out]
username=xxx
type=peer
sendrpid=yes
secret=xxx
qualify=yes
nat=no
insecure=port,invite
host=sip.internetcalls.com
fromuser=xxx
fromdomain=internetcalls.com
dtmfmode=rfc2833
canreinvite=yes
authuser=xxx
context=from-trunk-sip-Andy_ICalls_Out
{code}

The registration string also uses sip.internetcalls.com as the host url.

# dig sip.internetcalls.com returns:

{code:java}
;; ANSWER SECTION:
sip.internetcalls.com. 1121 IN A 77.72.169.134
sip.internetcalls.com. 1121 IN A 77.72.169.129
{code}

asterisk sip show peers:

{code:java}
Andy_ICalls_Out/[username] 77.72.169.129 No No 5060 OK (17 ms)
{code}

I have noticed that incoming calls to the registered IP address 77.72.169.129 are accepted, but incoming calls from the alternative IP address 77.72.169.134 are rejected.

The temporary workaround is to replace the URL in the host=sip.internetcalls.com statement with one IP address and to create a duplicate trunk using the other IP address. In this case, both IP addresses will register and then both will be accepted.

It seems to me that the purpose of using a URL in the "host=internetcalls.com" statement of the trunk configuration should avoid having to do this. It is not a huge problem where only 2 IP addresses are expected, but may be a bigger problem for other providers.

There is an asterisk blog as follows which addresses this issue:

https://blogs.asterisk.org/2016/01/27/the-pjsip-outbound-registration-line-option/

This proposes that under chan_sip the following example configuration should be used:

{{[inbound-configuration]
type=peer
context=incoming-itsp
disallow=all
allow=ulaw
insecure=host,port

[inbound1](inbound-configuration)
host=94.100.23.82

[inbound2](inbound-configuration)
host=94.100.23.83

[inbound3](inbound-configuration)
host=94.100.23.84

[inbound4](inbound-configuration)
host=94.100.23.85

[inbound5](inbound-configuration)
host=94.100.23.86}}

I am not familiar with the use of "insecure=host, port". I understood that this is normally either "insecure=very" for asterisk version 1.0.9 or earlier, or for later versions:

insecure=port ; Allow matching of peer by IP address without matching port number;
insecure=invite ; Do not require authentication of incoming INVITEs or
insecure=port,invite ; (both)

Typically used to allow incoming calls (e.g. from FWD) while having a type=friend entry defined with username and password.

Accordingly, can you clarify if the use of a URL in the "host=internetcalls.com" field with type=peer is allowed and, if so, if it is a bug that incoming calls are being rejected from one or other of the IP addresses which are resolved.

Comments: By: Asterisk Team (asteriskteam) 2017-02-12 02:05:50.152-0600

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].
By: Joshua C. Colp (jcolp) 2017-02-12 05:34:06.609-0600

This is not a bug as chan_sip does not allow multiple IP addresses even when a hostname is provided. It will resolve, and store, only one. The approach of using multiple peers one with each IP address is the way to support this in chan_sip.