Brekeke not responding to INVITE with 401.

[nico-adenc]

1. Brekeke Product Name and Version:
PBX 3.6.3 - upgraded to PBX 3.8.5.2/493-3

2. Java version:
1.7 - upgraded to 1.8.0-181

3. OS type and the version:
Linux Debian 8u15

4. UA (phone), gateway or other hardware/software involved:
Cisco & Gigaset.. phones

5. Your problem:
Brekeke registers with VOIP-ISP (no problem there)
When a call arrives it is accepted and works (not in trace below).

When a Call is placed outside (INVITE) a 401 response is received and immediately another INVITE is sent but WITHOUT authentication

After a few refusals there is a final timeout where the UA received 486 Busy.

[llucy]

nico-adenc,

The PBX sent INVITE requests many times and it would be re-try packets maybe because it did not receive a respnse (or bad response) from the UAS.

Please check if the PBX can receive packets from VOIP-SIP or the response packets are correct.


Lucy

[nico-adenc]

@Lucy, Please take note THERE are responces to the requests.
Those are the 401 status responces. The 401 response SHOULD cuase a new INVITE WITH authentication info, problem is it doesn't create those but just retransmists the un-authenticated.

AFAICT the 401 on INVITE has never been picked up by the SIP server.
The VOIP provider wants to authenticate INVITEs as well as REGISTER.
I tried using linphone & zoiper and they DO respond to the 401 adequately and get an immediate conversation.

I can confirm form the logging this is handled like a timeout:
Here is the logging from the New Brekeke sv.log
From a test.

A full .PCAP is available for brekeke developpers if needed.

[Tata]

Let you enable "Listener" at [SIP Server log settings] of [Diagnostics]->[Debug Logs] page, and push [Update] button.

After you reproduced the issue, paste the log here again.

The Listener log will show why 401 is not picked.

[nico-adenc]

So this shows several of these:

[Tata]

Check 401's Call-ID, From tag, Via's IP address and branch parameter whether they are same as INVITE's request.

[nico-adenc]

The Via is different.
From & To are equal.
Call-ID matches.

The Via line containing the 192.168.105.244 most probably is a belgacom CPE gateway item.

Brekeke is behind a router behind the Belgacom CPE.
A gigaset phone behind this same router can dial & be called without problems.

[janP]

Disable SIP-ALG at the gateway.

[nico-adenc]

There is no option for disabling ALG or not. (user mode config)
Admin access is not provided by PROXIMUS to their BBOX.
There is no possibity to replace the box.

[janP]

Which parts of Via are changed?
IP address? or Branch parameter? or just added received parameter?

[nico-adenc]

It is an added received parameter see above packet log:

Transmitted: Via: SIP/2.0/UDP Brekeke.public.ipad.ress:5060;branch=z9hG4bKd5e97fff51c4-30-2e4886

Receved as:
Via: SIP/2.0/UDP 192.168.105.244:5060;branch=z9hG4bKca0749ec694c-30-2e72e6;received=brekeke.public.ipad.ress

The 192.168.105.244 is the ipaddress on the PROXIUMUS network
(Proximus modem has 192.168.105.1)

[janP]

Hi nico,

It seems the Belgacom gateways replaced the Via's IP address ("sent-by" address defined in RFC3261).

It is a common issue with bad gateway.

According to the following document, it seems there is a way to disable SIP-ALG at the gateway.
https://www.proximus.com/sites/default/files/Documents/Group/Governance/Regulatory/BGC%20IMS%20Corporate%20VOIP%20-%20UNI%20specification%20-%20General%20v1%207_0.pdf

[nico-adenc]

Thanks for the document.
I'll read it. atm we are setting up the network for PPPoE (it requires some extra hardware etc. to get it done, then at least we can be sure something that works for 2 years should not automagically fail in the future).

OTOH, why can Gigaset, Cisco phones work by ignoring this extra header and isn't this even an option for brekeke.

[nico-adenc]

Summary:
Ok PPPoE transiotion complete... effectivly a lot less hassle and more reliability. (It will need some cabling and extra WiFi AP...)

Thinks for responces at least it helped solve some issues.

It would be nice if Brekeke could accept Rogue ALG inserted Via Records somehow. (even if it could be made an option).

wrt. Poximus: ADSL is done with ALG disabled, VDSL2 is done with ALG enabled. Probably it canbe disabled from ADMIN mode. That password is not provided.
Chapter 12 mentions that they don't anticipate SBC's on Customer Premises..... so it just S****s.

[janP]

> OTOH, why can Gigaset, Cisco phones work by ignoring this extra header and isn't this even an option for brekeke.

If they are SIP clients, they may omit the Via header inspection. (because they don't expect concurrent SIP sessions with multiple unique callers and callees).
As a SIP proxy, Brekeke SIP Server inspects Via header's sent-by address.

RFC3261 said:

[janP]

> It would be nice if Brekeke could accept Rogue ALG inserted Via Records somehow. (even if it could be made an option).

It might cause a routing issue and also increases a chance of Denial-of-Service attacks.


I'm not sure whether the following DialPlan rule avoid the issue but let you try.

Matching Patterns

$request = ^INVITE To = @sipvoice.isp

Deploy Patterns

$ifdst = 192.168.105.244 $continue = true

Put the above DialPlan rule in the top of DialPlan page.

[nico-adenc]

I cannot test this any more. Yesterday we migrated it to PPPoE with a firewall we actually control, that has no ALG active.
Anyway we now have a standards compliant working environment.

So BBOX behaviour is now irrelevant outside bridging DSL -> Ethernet.