Summary: | ASTERISK-29659: res_pjsip: Authentication fails with wildix | ||
Reporter: | Stanislav Abramenkov (silentindark) | Labels: | |
Date Opened: | 2021-09-17 07:36:36 | Date Closed: | 2021-09-29 05:12:12 |
Priority: | Minor | Regression? | |
Status: | Closed/Complete | Components: | Channels/chan_pjsip Resources/res_pjsip |
Versions: | 16.20.0 | Frequency of Occurrence | |
Related Issues: | |||
Environment: | Attachments: | ( 0) asterisk_debug_info.txt ( 1) connection_schema_002.jpeg ( 2) connection_shema_001.jpeg | |
Description: | Hello,
I have a problem with registering a SIP trunk using chan_pjsip. Every time the device sends a registration, I get the following notice:
{noformat}
NOTICE[811]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:wildix@XXX.XXX.XXX.YYY>' failed for 'AAA.AAA.AAA.AAA:5062' (callid: b1c25da9455a50d1) - Failed to authenticate
{noformat}
The same device (Wildix) registers properly to Asterisk using chan_sip. The REGISTER package in chan_sip looks like this:
{noformat}
Authorization: Digest username="wildix",realm="asterisk",nonce="5f2836de",uri="sip:XXX.XXX.XXX.XXX:5060",response="2b291572a571f6a60d7946989be50151",algorithm=MD5
Authentication Scheme: Digest
Username: "wildix"
Realm: "asterisk"
Nonce Value: "5f2836de"
Authentication URI: "sip:XXX.XXX.XXX.XXX:5060"
Digest Authentication Response: "2b291572a571f6a60d7946989be50151"
Algorithm: MD5
{noformat}
But in pjsip the REGISTER package looks like this:
{noformat}
[truncated]Authorization: Digest username="wildix",realm="asterisk",nonce="1631876453/f814683d0e1942cfcbb09ca72f849097",uri="sip:XXX.XXX.XXX.YYY:5060",response="e56b4e054d99f21d57bfeb148ab94a1f",algorithm=md5,opaque="4672ff0a1cfb56b2",qop=
Authentication Scheme: Digest
Username: "wildix"
Realm: "asterisk"
Nonce Value: "1631876453/f814683d0e1942cfcbb09ca72f849097"
Authentication URI: "sip:XXX.XXX.XXX.YYY:5060"
Digest Authentication Response: "e56b4e054d99f21d57bfeb148ab94a1f"
Algorithm: md5
Opaque Value: "4672ff0a1cfb56b2"
QOP: auth
CNonce Value: "f7b3c5c7"
Nonce Count: 00000001
{noformat}
Why is the "Nonce Value" so long, and why does it contain a "/" symbol? I have double-checked the configuration on the Wildix side, and it is identical for chan_sip and for chan_pjsip.

SIP trunk settings in chan_sip:
{noformat}
[wildix]
description=wildix
defaultuser=wildix
secret=e6NrLEcLG6T3
disallow=all
type=friend
allow=alaw
host=dynamic
transport=udp,tcp
port=5060
qualifyfreq=60
qualify=3000
canreinvite=no
dtmfmode=auto
progressinband=never
nat=force_rport,comedia
directrtpsetup=no
directmedia=no
context=incoming
insecure=port,invite
;trustrpid = yes
sendrpid = yes
sendrpid = pai
rpid_update = yes
accountcode=wildix
{noformat}
SIP trunk settings in chan_pjsip:
{noformat}
[wildix]
type = aor
max_contacts = 1
qualify_frequency = 60

[wildix]
type = auth
username = wildix
password = e6NrLEcLG6T3

[wildix]
type=identify
endpoint=wildix
match=AAA.AAA.AAA.AAA:5062/32

[wildix]
type = endpoint
context = incoming
dtmf_mode = auto
disallow = all
allow = alaw
rtp_symmetric = yes
force_rport = yes
rewrite_contact = yes
timers = no
direct_media = no
send_rpid = yes
inband_progress = no
tos_audio = ef
tos_video = af41
auth = wildix
aors = wildix
accountcode = wildix
{noformat} | ||
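The two Authorization headers in the description differ in that the pjsip exchange uses qop=auth with a cnonce and nonce count; in RFC 2617 digest authentication the nonce is an opaque string that is fed into the hash unchanged, so its length and the "/" do not affect the calculation. The following is an added example, not code from the reporter or from Asterisk, that recomputes the expected response from a captured header so a mismatch can be traced to the secret, realm or URI; the password and URI are constructed placeholders and the function names are hypothetical.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest_header(value):
    """Split 'Digest k="v",k2=v2,...' into a dict; surrounding quotes are stripped."""
    params = value.split(None, 1)[1] if value.lower().startswith("digest") else value
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', params)
    return {key.lower(): (quoted or bare) for key, quoted, bare in pairs}

def expected_response(fields, method, password):
    """Recompute the RFC 2617 MD5 digest response from header fields and the secret."""
    ha1 = md5_hex(f'{fields["username"]}:{fields["realm"]}:{password}')
    ha2 = md5_hex(f'{method}:{fields["uri"]}')
    if fields.get("qop") == "auth":   # pjsip-style exchange: nc and cnonce are hashed too
        middle = f'{fields["nonce"]}:{fields["nc"]}:{fields["cnonce"]}:auth'
    else:                             # no qop, as in the chan_sip exchange
        middle = fields["nonce"]
    return md5_hex(f"{ha1}:{middle}:{ha2}")

def build_authorization(username, realm, password, method, uri, nonce,
                        qop=None, nc="00000001", cnonce="f7b3c5c7"):
    """Client side: produce the Authorization value for a given challenge."""
    fields = {"username": username, "realm": realm, "nonce": nonce, "uri": uri}
    if qop:
        fields.update(qop=qop, nc=nc, cnonce=cnonce)
    fields["response"] = expected_response(fields, method, password)
    return "Digest " + ",".join(
        f"{k}={v}" if k in ("qop", "nc") else f'{k}="{v}"' for k, v in fields.items())

def verify(header, method, password):
    """Server side: does the response in the header match the shared secret?"""
    fields = parse_digest_header(header)
    return expected_response(fields, method, password) == fields["response"].lower()

if __name__ == "__main__":
    # Nonce format copied from the report; password and URI are constructed.
    nonce = "1631876453/f814683d0e1942cfcbb09ca72f849097"
    for qop in (None, "auth"):
        header = build_authorization("wildix", "asterisk", "example-secret",
                                     "REGISTER", "sip:192.0.2.10:5060", nonce, qop)
        print(qop, verify(header, "REGISTER", "example-secret"), header)
```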
Comments: |
By: Asterisk Team (asteriskteam) 2021-09-17 07:36:41.129-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. Please note that log messages and other files should not be sent to the Sangoma Asterisk Team unless explicitly asked for. All files should be placed on this issue in a sanitized fashion as needed.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

Please note that by submitting data, code, or documentation to Sangoma through JIRA, you accept the Terms of Use present at [https://www.asterisk.org/terms-of-use/|https://www.asterisk.org/terms-of-use/].

By: Stanislav Abramenkov (silentindark) 2021-09-17 07:37:28.555-0500

connection schema

By: Joshua C. Colp (jcolp) 2021-09-17 07:43:59.083-0500

It is that long and contains a / because that is how we generate a nonce. The nonce value is arbitrary, there is no defined specification or format for it. There is no configuration to change this.
Have you confirmed your PJSIP configuration works properly with a different endpoint?

By: Stanislav Abramenkov (silentindark) 2021-09-17 07:50:40.530-0500

Yes, this PJSIP trunk configuration works properly with other endpoints. (SIP trunks/devices)

By: Kevin Harwell (kharwell) 2021-09-17 11:03:09.692-0500

Please enable debugging [1] in the Asterisk log and set to level 5. Then re-run the failing scenario and attach the resulting log data to this issue with a .txt extension.

[1] https://wiki.asterisk.org/wiki/display/AST/Collecting+Debug+Information

Thanks!

By: Stanislav Abramenkov (silentindark) 2021-09-20 01:59:09.065-0500

I added an additional scheme with more details. (connection_schema_002.jpeg)

The problem seems to be in the "identify" section, because I have two SIP connections behind one public IP. And when I comment out the section on the second SIP trunk "openscape"

;[openscape]
;type=identify
;endpoint=openscape
;match=AAA.AAA.AAA.AAA:5062/32

then the first connection "wildix" registers on the server. How can I solve this problem?

By: Stanislav Abramenkov (silentindark) 2021-09-20 01:59:48.663-0500

more information

By: Joshua C. Colp (jcolp) 2021-09-20 05:01:42.386-0500

You can't have two identify sections with the same match information, it would have no way of knowing which is the correct one to use since it matches based on IP address/port alone. You either have to use different ports or use a different matching mechanism (such as based on username in the From header).

By: Stanislav Abramenkov (silentindark) 2021-09-20 06:11:52.729-0500

1. For the first connection we defined port 5062

[wildix]
type=identify
endpoint=wildix
match=AAA.AAA.AAA.AAA:5062/32

And for the second connection port 5063

[openscape]
type=identify
endpoint=openscape
match=AAA.AAA.AAA.AAA:5063/32

The first SIP trunk is now registered.
But the second is still not working:

NOTICE[1609]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:openscape@XXX.XXX.XXX.YYY>' failed for 'AAA.AAA.AAA.AAA:5063' (callid: bf4410f3341dde1b) - Failed to authenticate

It looks like the configuration doesn't care about the port.

2. We also tried the option "identify_by" in the Endpoint settings (https://wiki.asterisk.org/wiki/display/AST/Asterisk+16+Configuration_res_pjsip#Asterisk16Configuration_res_pjsip-endpoint_identify_by). We added the option (identify_by = auth_username) to the openscape endpoint.

[openscape]
type = endpoint
context = incoming
dtmf_mode = auto
disallow = all
allow = alaw
rtp_symmetric = yes
force_rport = yes
rewrite_contact = yes
timers = no
direct_media = no
send_rpid = yes
inband_progress = no
tos_audio = ef
tos_video = af41
auth = openscape
aors = openscape
accountcode = openscape
identify_by = auth_username

And both SIP connections (wildix and openscape) registered.

Current config that works. First connection:
{noformat}
[wildix]
type = aor
max_contacts = 1
qualify_frequency = 60

[wildix]
type = auth
username = wildix
password = e6NrLEcLG6T3

[wildix]
type=identify
endpoint=wildix
match=AAA.AAA.AAA.AAA:5062/32

[wildix]
type = endpoint
context = incoming
dtmf_mode = auto
disallow = all
allow = alaw
rtp_symmetric = yes
force_rport = yes
rewrite_contact = yes
timers = no
direct_media = no
send_rpid = yes
inband_progress = no
tos_audio = ef
tos_video = af41
auth = wildix
aors = wildix
accountcode = wildix
{noformat}
Second connection:
{noformat}
[openscape]
type = aor
max_contacts = 1
qualify_frequency = 60

[openscape]
type = auth
username = openscape
password = 3TGLcELrN6e

[openscape]
type=identify
endpoint=openscape
match=AAA.AAA.AAA.AAA:5063/32

[openscape]
type = endpoint
context = incoming
dtmf_mode = auto
disallow = all
allow = alaw
rtp_symmetric = yes
force_rport = yes
rewrite_contact = yes
timers = no
direct_media = no
send_rpid = yes
inband_progress = no
tos_audio = ef
tos_video = af41
auth = openscape
aors = openscape
accountcode = openscape
identify_by = auth_username
{noformat}
Any ideas why the port definition doesn't give the expected result?

match=AAA.AAA.AAA.AAA:5062/32
match=AAA.AAA.AAA.AAA:5063/32

By: Joshua C. Colp (jcolp) 2021-09-20 06:46:38.575-0500

Does removing /32 from the match line change things? Additionally you can enable Asterisk debugging, and it will tell you what it actually matches.

By: Stanislav Abramenkov (silentindark) 2021-09-20 07:20:52.289-0500

core set debug 5

By: Stanislav Abramenkov (silentindark) 2021-09-20 07:25:51.754-0500

Removing /32 doesn't help. Attached log file - asterisk_debug_info.txt

For some reason the matching process can't find the AOR for the second registration.

[Sep 20 15:06:21] WARNING[7798] res_pjsip_registrar.c: AOR '' not found for endpoint 'openscape' (AAA.AAA.AAA.AAA:5063)

By: Kevin Harwell (kharwell) 2021-09-20 12:11:12.743-0500

When I use your exact configuration for both "wildix" and "openscape" endpoints I do not receive any error, and both endpoints register okay. Note, I just used {{127.0.0.1}} for the IP. I even removed the {{identify_by = auth_username}} from "openscape" and it still registered fine.

Can you enable SIP (pjsip set logger on) tracing in the log, and debug (level 5) as well and attach that too?

By: Stanislav Abramenkov (silentindark) 2021-09-21 06:56:10.936-0500

I will provide the log as soon as possible. Could you please try:
# remove the identify_by = auth_username from "openscape". Only leaving IP identification and port in the identify section.
Stop asterisk
#systemctl stop asterisk
# rename or remove ast database /var/lib/asterisk/astdb.sqlite3
Start asterisk
#systemctl start asterisk
# check status of SIP trunks

By: Stanislav Abramenkov (silentindark) 2021-09-21 07:39:16.180-0500

We changed the username on the "openscape" side and put exactly the same username and password as "wildix" has, and then we got the NOTICE message

res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:openscape@XXX.XXX.XXX.YYY>' failed for 'AAA.AAA.AAA.AAA:5063' (callid: e9fec3931a05f449) - Failed to authenticate

As we understood, if two SIP trunks behind one public IP have the same credentials (username and password), then we get this message. Is this correct behavior?

Sorry for the confusion: we put different credentials in Jira (for easy understanding), but we used the same credentials for both connections.

By: Kevin Harwell (kharwell) 2021-09-21 11:41:54.075-0500

If I stop Asterisk, delete astdb.sqlite3, and then restart with {{identify_by}} removed from the config both endpoints register fine. And no, two endpoints can have the same username/password for their auth sections.
For example, using the following I was able to successfully register both 'wildix' and 'openscape' endpoints:
{noformat}
[wildix]
type = aor
max_contacts = 1
qualify_frequency = 60

[wildix]
type = auth
username = wildix
password = e6NrLEcLG6T3

[wildix]
type=identify
endpoint=wildix
match=127.0.0.1:5062/32

[wildix]
type = endpoint
context = incoming
dtmf_mode = auto
disallow = all
allow = alaw
rtp_symmetric = yes
force_rport = yes
rewrite_contact = yes
timers = no
direct_media = no
send_rpid = yes
inband_progress = no
tos_audio = ef
tos_video = af41
auth = wildix
aors = wildix
accountcode = wildix

[openscape]
type = aor
max_contacts = 1
qualify_frequency = 60

[openscape]
type = auth
username = wildix
password = e6NrLEcLG6T3
; username = openscape
; password = 3TGLcELrN6e

[openscape]
type=identify
endpoint=openscape
match=127.0.0.1:5063/32

[openscape]
type = endpoint
context = incoming
dtmf_mode = auto
disallow = all
allow = alaw
rtp_symmetric = yes
force_rport = yes
rewrite_contact = yes
timers = no
direct_media = no
send_rpid = yes
inband_progress = no
tos_audio = ef
tos_video = af41
auth = openscape
aors = openscape
accountcode = openscape
{noformat}
Or I could have also used the following endpoint definition for 'openscape' (note its {{auth}} parameter):
{noformat}
[openscape]
type = endpoint
context = incoming
dtmf_mode = auto
disallow = all
allow = alaw
rtp_symmetric = yes
force_rport = yes
rewrite_contact = yes
timers = no
direct_media = no
send_rpid = yes
inband_progress = no
tos_audio = ef
tos_video = af41
auth = wildix
aors = openscape
accountcode = openscape
{noformat}

By: Stanislav Abramenkov (silentindark) 2021-09-29 05:11:43.253-0500

Thank you so much for your help!

By: Stanislav Abramenkov (silentindark) 2021-09-29 05:12:12.435-0500

solved |
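The thread notes that two identify sections cannot share the same match information, because the endpoint is then chosen on IP address/port alone. The following is an added example, not part of the issue or of Asterisk, that scans pjsip.conf text for identify sections whose match values are claimed by more than one endpoint; the function names are hypothetical, the sample config is constructed from the sections quoted in the thread, and values are compared as written (overlapping networks are not detected).

```python
import re
from collections import defaultdict

# Constructed sample: the two identify sections as first described in the
# thread, where both trunks matched the same source address and port.
SAMPLE_PJSIP_CONF = """
[wildix]
type=identify
endpoint=wildix
match=AAA.AAA.AAA.AAA:5062/32

[openscape]
type=identify
endpoint=openscape
match=AAA.AAA.AAA.AAA:5062/32
"""

def parse_sections(text):
    """Return a list of (name, {key: [values]}); names may repeat in pjsip.conf."""
    sections = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            sections.append((header.group(1), defaultdict(list)))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key].append(value)
    return sections

def conflicting_identify_matches(text):
    """Map each match value claimed by more than one endpoint to those endpoints."""
    owners = defaultdict(set)
    for name, opts in parse_sections(text):
        if "identify" not in opts.get("type", []):
            continue
        endpoint = (opts.get("endpoint") or [name])[0]
        for entry in opts.get("match", []):
            for value in entry.split(","):           # match is a comma-separated list
                owners[value.strip()].add(endpoint)
    return {m: sorted(e) for m, e in owners.items() if len(e) > 1}

if __name__ == "__main__":
    for match, endpoints in conflicting_identify_matches(SAMPLE_PJSIP_CONF).items():
        print(f"match={match} is claimed by endpoints: {', '.join(endpoints)}")
```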