Proxy authentication required even if UA is registered
uhupfeld
Brekeke Talented


Joined: 08 Nov 2008
Posts: 77
Location: Brazil

Posted: Sun Oct 25, 2015 12:28 pm    Post subject: Proxy authentication required even if UA is registered

1. Brekeke Product Name and Version: 3.5.2.8

2. Java version: 8, build 65

3. OS type and the version: Win7 Pro

4. UA (phone), gateway or other hardware/software involved: Fritzbox Fon

5. Your problem: 2 UAs are well registered, but when calling themselves or a PSTN gateway I get a 407 Proxy authentication required error, followed by a 481 Call leg/transaction doesn't exist
Dial Plan:
MP
$request=^INVITE
From=sip:1135266733@
To=sip:([0-9]{8,9})@
DP
To=sip%1@PSTN_gateway_IP_address


INVITE sip:984521110@10.33.60.12 SIP/2.0
Via: SIP/2.0/UDP 10.33.31.2:5060;rport;branch=z9hG4bK0097DD20EF0922C7
Route: <sip:10.33.60.12;lr>
From: "35266733" <sip:1135266733@10.33.60.12>;tag=F6E10CB914D67205
To: <sip:984521110@10.33.60.12>
Call-ID: 8A8AF37DBC741134@10.33.31.2
CSeq: 13 INVITE
Contact: <sip:1135266733@10.33.31.2;uniq=4ECD8B1AC41BEB50326B42E983485>
Max-Forwards: 70
Expires: 120
User-Agent: AVM FRITZ!Box Fon WLAN 7390 84.06.30 (Aug 20 2015)
Supported: 100rel,replaces
Allow-Events: telephone-event,refer
Allow: INVITE,ACK,OPTIONS,CANCEL,BYE,UPDATE,PRACK,INFO,SUBSCRIBE,NOTIFY,REFER,MESSAGE,PUBLISH
Content-Type: application/sdp
Accept: application/sdp, multipart/mixed
Accept-Encoding: identity
Content-Length: 449

v=0
o=user 9571234 9571234 IN IP4 10.33.31.2
s=call
c=IN IP4 10.33.31.2
t=0 0
m=audio 7078 RTP/AVP 9 8 0 2 102 100 99 97 18 120 121 101
a=sendrecv
a=rtpmap:2 G726-32/8000
a=rtpmap:102 G726-32/8000
a=rtpmap:100 G726-40/8000
a=rtpmap:99 G726-24/8000
a=rtpmap:97 iLBC/8000
a=fmtp:97 mode=30
a=fmtp:18 annexb=no
a=rtpmap:120 PCMA/16000
a=rtpmap:121 PCMU/16000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=rtcp:7079
a=ptime:20

==============================================
============================================
PreCheck [BloqueioUserAgent]
Pattern: $str.lowercase(User-Agent) = friendly-scanner|sundayddr|sipcli/v1.8|linphone/3.7.0 (belle-sip/1.3.0)
Input: $str.lowercase(User-Agent) = avm fritz!box fon wlan 7390 84.06.30 (aug 20 2015)
Result: false

============================================

============================================
Rule [00]
Pattern: $request = ^INVITE
Input: $request = INVITE sip:984521110@10.33.60.12 SIP/2.0
Result: true

Pattern: To = sip:(00.+)@
Input: To = <sip:984521110@10.33.60.12>
Result: false

============================================

============================================
Rule [Outbound GVT 67xx]
Pattern: $request = ^INVITE
Input: $request = INVITE sip:984521110@10.33.60.12 SIP/2.0
Result: true

Pattern: From = sip:675(.)@
Input: From = "35266733" <sip:1135266733@10.33.60.12>;tag=F6E10CB914D67205
Result: false

============================================

============================================
Rule [Discagem0]
Pattern: $request = ^INVITE
Input: $request = INVITE sip:984521110@10.33.60.12 SIP/2.0
Result: true

Pattern: From = sip:11352667(..)@
Input: From = "35266733" <sip:1135266733@10.33.60.12>;tag=F6E10CB914D67205
%1 <= 33
Result: true

Pattern: To = sip:([0-9]{8,9})@
Input: To = <sip:984521110@10.33.60.12>
%2 <= 984521110
Result: true

============================================

Dispatcher: failed: send response=407: No Auth header
svlistener: send response=407: authorization failed
at 10/25/15 16:43:02.899

Please note:
In my Dial Plan I have a rule to remove the routing statement at registration:
MP
$request=^REGISTER
Route=.+
DP
Route=
$action=register
RickBRP
Brekeke Newbie


Joined: 22 Sep 2015
Posts: 2

Posted: Mon Oct 26, 2015 10:41 am

Who returned an error response such as 481 and 407?

Did you find them in the Session Logs page? Or the Error Logs page?

If you find them in the Session Logs, the callee returned the error response.
If you find them in the Error Logs page, the Brekeke SIP Server returned the error response.
uhupfeld
Brekeke Talented


Joined: 08 Nov 2008
Posts: 77
Location: Brazil

Posted: Tue Oct 27, 2015 5:56 am

It is always BSS sending the answer.
But based on your answer on the other question, I will first double-check the network.
taitan
Brekeke Master Guru


Joined: 15 Mar 2008
Posts: 237

Posted: Mon Nov 02, 2015 6:30 pm

You don't have to worry about 407 because it happens every time if the SIP Server authenticates SIP requests.

For 481, can you find it in the Error logs page?
Which SIP request method was it? INVITE?
uhupfeld
Brekeke Talented


Joined: 08 Nov 2008
Posts: 77
Location: Brazil

Posted: Sun Dec 20, 2015 4:23 pm

Sorry for the late answer.
The weird thing is that sometimes it works, but I don't know why.
If I turn authentication off in the dial plan, all works ok.
However, if authentication request is on, I keep getting these errors (from the error logs):

2015-12-20 21:05:37.306 10.33.31.33:3072 INVITE 407 Authorization failed sip:994395973@10.33.60.12 sip:603@10.33.60.12 sip:994395973@10.33.60.12 Gateway
2015-12-20 21:05:54.958 10.33.31.33:3072 CANCEL 481 Call Leg does not exist sip:994395973@10.33.60.12 sip:603@10.33.60.12 sip:994395973@10.33.60.12

10.33.31.33 is the User agent
10.33.60.12 is the BSS.
Both are in separate networks, but the networks are interconnected with a VPN which may drop eventually every 2 days, but recovers within seconds.
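An added example (not part of the thread and not Brekeke code): since every authenticated INVITE is first answered with a 407, a 407 alone is not a fault signal, so this pairs each challenged INVITE with a later CANCEL/481 from the same peer for the same URIs. The column layout is inferred from the two log lines in the post above, the function names are hypothetical, and the third sample line is constructed.

```python
import re
from datetime import datetime, timedelta

# Layout inferred from the two error-log lines quoted in the post (an assumption):
# timestamp, peer ip:port, method, status, reason text, then sip: URIs.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (?P<peer>\S+) "
    r"(?P<method>[A-Z]+) (?P<code>\d{3}) (?P<reason>.*?) (?P<rest>sip:.*)$")

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    rec["uris"] = tuple(t for t in rec["rest"].split() if t.startswith("sip:"))
    return rec

def abandoned_challenges(lines, window=timedelta(seconds=60)):
    """Return (peer, first URI, seconds) for each 407 INVITE later cancelled with 481."""
    recs = [r for r in map(parse, lines) if r]
    hits = []
    for inv in recs:
        if (inv["method"], inv["code"]) != ("INVITE", "407"):
            continue
        for can in recs:
            gap = can["ts"] - inv["ts"]
            if ((can["method"], can["code"]) == ("CANCEL", "481")
                    and can["peer"] == inv["peer"] and can["uris"] == inv["uris"]
                    and timedelta(0) <= gap <= window):
                hits.append((inv["peer"], inv["uris"][0], gap.total_seconds()))
                break
    return hits

SAMPLE = [
    # The two lines from the post above.
    "2015-12-20 21:05:37.306 10.33.31.33:3072 INVITE 407 Authorization failed sip:994395973@10.33.60.12 sip:603@10.33.60.12 sip:994395973@10.33.60.12 Gateway",
    "2015-12-20 21:05:54.958 10.33.31.33:3072 CANCEL 481 Call Leg does not exist sip:994395973@10.33.60.12 sip:603@10.33.60.12 sip:994395973@10.33.60.12",
    # Constructed line: another peer challenged, no CANCEL/481 afterwards.
    "2015-12-20 21:06:10.120 10.33.31.40:5060 INVITE 407 Authorization failed sip:604@10.33.60.12 sip:605@10.33.60.12 sip:604@10.33.60.12",
]

if __name__ == "__main__":
    for peer, uri, secs in abandoned_challenges(SAMPLE):
        print(f"{peer} was challenged for {uri} and gave up after {secs:.1f}s")
```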
ambrosio
Brekeke Master Guru


Joined: 27 Mar 2008
Posts: 215

Posted: Tue Dec 22, 2015 10:11 am

Does the same issue happen even if you use another SIP client instead of Fritzbox Fon?
uhupfeld
Brekeke Talented


Joined: 08 Nov 2008
Posts: 77
Location: Brazil

Posted: Tue Mar 08, 2016 11:43 am

Yes, it actually happened first with a Grandstream gateway and a Snom IP phone.

Udo
ambrosio
Brekeke Master Guru


Joined: 27 Mar 2008
Posts: 215

Posted: Wed Mar 09, 2016 4:51 pm

Brekeke SIP Server sends "407" to any SIP client. It is normal, so you don't have to be concerned about it.

If you find "481" sent to a client other than Fritzbox Fon in the error log, it is unusual...

Do you still get the "481" error?
uhupfeld
Brekeke Talented


Joined: 08 Nov 2008
Posts: 77
Location: Brazil

Posted: Wed Jul 11, 2018 8:34 am

I keep getting these 481 errors.
Typically happens in calls between extensions in the VPN network, when the extension is outside of the LAN of BSS. But the VPNs are integrated into the network gateways and when the extensions get registered only their real IP shows up, not the VPN gateway's IP address.

Now to call between extensions I have to make outbound/inbound calls...
uhupfeld
Brekeke Talented


Joined: 08 Nov 2008
Posts: 77
Location: Brazil

Posted: Wed Jul 11, 2018 9:06 am

Looking at the Wireshark traces I see that when the INVITE comes from the extension with problems, BSS effectively DOESN'T send the INVITE to the target IP phone.
However, when the call happens the other way around, Wireshark shows the SIP packets flowing between both extensions without problems.
For some reason, when the call comes from this UA (a SNOM IP phone in this case now), the BSS doesn't relay the calls to the destination IP phone.
Very weird.
taitan
Brekeke Master Guru


Joined: 15 Mar 2008
Posts: 237

Posted: Wed Jul 11, 2018 11:24 am

Are you still using Brekeke SIP Server version 3.5.2.8?
If so, please upgrade it to the latest version, because there are new logging functions which may help your analysis.

http://www.brekeke.com/downloads/sip-server.php
uhupfeld
Brekeke Talented


Joined: 08 Nov 2008
Posts: 77
Location: Brazil

Posted: Wed Jul 11, 2018 5:23 pm

Ok, found it.
I had BSS challenging the UA with a 407 when making calls between extensions.
$auth=false solved the issue.

I have UAs (of different brands) that for some reason stop the SIP communication when receiving a 407 Proxy authorization required.
Other UAs answer the 407 with a new INVITE, now with user/password, and then BSS makes the call.

Does anybody know which setting controls this behavior in a UA?

My current BSS is 3.8.5.2

BR

Udo
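An added example (not part of the thread and not Brekeke or UA vendor code) of what a UA that does answer the 407 computes, assuming the proxy issues an RFC 2617 Digest challenge, the scheme SIP uses: the Proxy-Authorization header for the re-sent INVITE, and the proxy-side recomputation. The realm, nonce and password are constructed, the function names are hypothetical, and the user and request URI come from the INVITE in the first post.

```python
import hashlib
import hmac
import re
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(value):
    """Parse 'Digest k="v", k2=v2' (challenge or credentials) into a dict."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only Digest is handled here")
    found = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in found}

def digest_response(realm, nonce, user, password, method, uri, nc=None, cnonce=None):
    """RFC 2617 MD5 response; the qop=auth form is used when cnonce is given."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if cnonce is not None:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def answer_407(challenge, user, password, method, uri):
    """Header a UA adds when it re-sends the request after a 407."""
    ch = parse_digest(challenge)
    extra, nc, cnonce = "", None, None
    if "auth" in [q.strip() for q in ch.get("qop", "").split(",")]:
        nc, cnonce = "00000001", secrets.token_hex(8)
        extra = f', qop=auth, nc={nc}, cnonce="{cnonce}"'
    resp = digest_response(ch["realm"], ch["nonce"], user, password, method, uri, nc, cnonce)
    return (f'Proxy-Authorization: Digest username="{user}", realm="{ch["realm"]}", '
            f'nonce="{ch["nonce"]}", uri="{uri}", response="{resp}"{extra}')

def proxy_accepts(challenge, header, password, method):
    """Proxy side: recompute the response from the stored password and compare."""
    ch, sent = parse_digest(challenge), parse_digest(header.split(":", 1)[1])
    if sent.get("nonce") != ch["nonce"] or sent.get("realm") != ch["realm"]:
        return False
    expected = digest_response(ch["realm"], ch["nonce"], sent["username"], password,
                               method, sent["uri"], sent.get("nc"), sent.get("cnonce"))
    return hmac.compare_digest(expected, sent.get("response", ""))

# Constructed challenge; user and request URI are taken from the INVITE in the first post.
CHALLENGE = 'Digest realm="example-realm", nonce="5f2a9c0d3b7e4a16", algorithm=MD5'
HEADER = answer_407(CHALLENGE, "1135266733", "constructed-secret",
                    "INVITE", "sip:984521110@10.33.60.12")
```

A UA that stays silent after the 407 never produces this header, so the proxy has nothing to verify and the call is never forwarded.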
janP
Brekeke Master Guru


Joined: 25 Nov 2007
Posts: 336

Posted: Wed Jul 11, 2018 7:18 pm

Have you set the correct username and password in the UA?
uhupfeld
Brekeke Talented


Joined: 08 Nov 2008
Posts: 77
Location: Brazil

Posted: Wed Jul 11, 2018 7:49 pm

Sure!
The UA is well registered on BSS, and needs the correct user/password for this purpose.
Also, if this was to be the issue, the UA would have answered the 407 with another INVITE, but with a wrong user/password.
This is not the case; it simply accepts the 407 and stays quiet instead of answering the challenge with another INVITE.
BSS is acting correctly. The UA may (or may not!) just be acting according to configuration.
I just have no idea what this behavior is called in the settings of a UA. I went through pages of configuration; there is nothing obvious. The only option that had "challenge" has nothing to do with the current situation.

BR

udo
janP
Brekeke Master Guru


Joined: 25 Nov 2007
Posts: 336

Posted: Wed Jul 11, 2018 8:28 pm

DialPlan example Ex 38 in the tutorial may work.
http://www.brekeke.com/doc/sip/sip_tutorial_dialplan.pdf

Here is my DialPlan rule which disables auth if a caller is already registered in Brekeke SIP Server. (It means this user has a valid password.)

Matching Patterns
$request = ^INVITE
$registered( From ) = true
Deploy Patterns
$auth = false
$continue = true

So the UA will not receive a 407 if it keeps sending REGISTER periodically.
uhupfeld
Brekeke Talented


Joined: 08 Nov 2008
Posts: 77
Location: Brazil

Posted: Fri Jul 13, 2018 2:34 pm

I like your dial plan for registered users; I will use it as well.
Thanks!
All times are GMT - 7 Hours