Hi,

It looks to me that the 401 unauth packets aren't getting back to the phones, which suggests a network/router/NAT issue rather than anything wrong with the Asterisk or phone configuration.

Cheers,
Paul.

On 8 May 2011, at 01:59, GNUbie <[email protected]> wrote:

> Hello all,
>
> I have installed the .deb packages of the Asterisk v1.8.3.3 from the
> upstream project on my Debian GNU/Linux Squeeze server and bought the
> Comodo's PositiveSSL SSL certificate to be used for my SIP/TLS
> exercise. After setting up everything and trying to fix this problem,
> I am still getting a 401 Unauthorized SIP message. So as of this
> writing, I still cannot successfully REGISTER to my Asterisk box.
>
> Below are the snippets of my Asterisk and SNOM 300 configurations
> including the logs for your reference.
>
> I hope anyone from this community can help me solve this problem. A
> HOWTO of a similar scenario will help a lot.
>
> Thank you in advance.
>
> Regards,
>
> GNUbie
>
> - - - ASTERISK v1.8.3.3 - - -
>
> [ /etc/asterisk/sip.conf ]
>
> [general]
> ...
> ...
> tlsenable=yes
> tlsbindaddr=0.0.0.0
> tlscertfile=/etc/asterisk/keys/pbx.domain.com.pem
> tlscipher=ALL
> tlsclientmethod=tlsv1
> tlsbindport=5061
> externtlsport=5061
> externtcpport=5061
> tcpbindaddr=0.0.0.0
> tcpbindport=5061
> tcpenable=yes
> srvlookup=yes
>
> [361]
> username=361
> secret=*******
> callerid="361-tls"<361>
> mailbox=361@family
> context=family
> transport=tls
> port=5061
> type=friend
> host=dynamic
> dtmfmode=rfc2833
> canreinvite=no
> nat=yes
> qualify=yes
> autoframing=yes
> encryption=yes
>
> *CLI> core show version
> Asterisk 1.8.3.3-1digium1~squeeze built by pbuilder @ nighthawk on a
> x86_64 running Linux on 2011-04-22 17:50:44 UTC
>
> *CLI> sip show settings
>
> Global Settings:
> ----------------
> UDP Bindaddress: 0.0.0.0:5060
> TCP SIP Bindaddress: 0.0.0.0:5060
> TLS SIP Bindaddress: 0.0.0.0:5061
> Videosupport: No
> Textsupport: No
> Ignore SDP sess. ver.: No
> AutoCreate Peer: No
> Match Auth Username: No
> Allow unknown access: No
> Allow subscriptions: Yes
> Allow overlap dialing: Yes
> Allow promsic. redir: No
> Enable call counters: No
> SIP domain support: Yes
> Realm. auth: No
> Our auth realm pbx.domain.com
> Use domains as realms: No
> Call to non-local dom.: Yes
> URI user is phone no: No
> Always auth rejects: Yes
> Direct RTP setup: No
> User Agent: "Asterisk rocks!"
> SDP Session Name: Asterisk PBX 1.8.3.3-1digium1~squeeze
> SDP Owner Name: root
> Reg. context: (not set)
> Regexten on Qualify: No
> Caller ID: asterisk
> From: Domain:
> Record SIP history: Off
> Call Events: Off
> Auth. Failure Events: Off
> T.38 support: No
> T.38 EC mode: Unknown
> T.38 MaxDtgrm: -1
> SIP realtime: Disabled
> Qualify Freq : 60000 ms
> Q.850 Reason header: No
>
> Network QoS Settings:
> ---------------------------
> IP ToS SIP: CS0
> IP ToS RTP audio: CS0
> IP ToS RTP video: CS0
> IP ToS RTP text: CS0
> 802.1p CoS SIP: 4
> 802.1p CoS RTP audio: 5
> 802.1p CoS RTP video: 6
> 802.1p CoS RTP text: 5
> Jitterbuffer enabled: Yes
> Jitterbuffer forced: No
> Jitterbuffer max size: 200
> Jitterbuffer resync: 1200
> Jitterbuffer impl: fixed
> Jitterbuffer log: No
>
> Network Settings:
> ---------------------------
> SIP address remapping: Enabled using externhost
> Externhost: pbx.domain.com
> externaddr: 11.22.33.44:0
> Externrefresh: 10
> Localnet: 192.168.101.0/255.255.255.0
>
> Global Signalling Settings:
> ---------------------------
> Codecs: 0x60e (gsm|ulaw|alaw|speex|ilbc)
> Codec Order: ulaw:20,alaw:20,gsm:20,speex:20,ilbc:30
> Relax DTMF: No
> RFC2833 Compensation: No
> Symmetric RTP: No
> Compact SIP headers: No
> RTP Keepalive: 0 (Disabled)
> RTP Timeout: 15
> RTP Hold Timeout: 0 (Disabled)
> MWI NOTIFY mime type: application/simple-message-summary
> DNS SRV lookup: Yes
> Pedantic SIP support: Yes
> Reg. min duration 1800 secs
> Reg. max duration: 3600 secs
> Reg. default duration: 120 secs
> Outbound reg. timeout: 20 secs
> Outbound reg. attempts: 0
> Notify ringing state: Yes
> Include CID: No
> Notify hold state: No
> SIP Transfer mode: open
> Max Call Bitrate: 384 kbps
> Auto-Framing: No
> Outb. proxy: <not set>
> Session Timers: Refuse
> Session Refresher: uas
> Session Expires: 1800 secs
> Session Min-SE: 90 secs
> Timer T1: 3000
> Timer T1 minimum: 100
> Timer B: 192000
> No premature media: Yes
> Max forwards: 70
>
> Default Settings:
> -----------------
> Allowed transports: UDP
> Outbound transport: UDP
> Context: default
> Force rport: No
> DTMF: rfc2833
> Qualify: 0
> Use ClientCode: No
> Progress inband: Never
> Language:
> MOH Interpret: default
> MOH Suggest:
> Voice Mail Extension: asterisk
>
> *CLI> sip show peer 361
>
> * Name : 361
> Secret : <Set>
> MD5Secret : <Not set>
> Remote Secret: <Not set>
> Context : family
> Subscr.Cont. : <Not set>
> Language :
> AMA flags : Unknown
> Transfer mode: open
> CallingPres : Presentation Allowed, Not Screened
> Callgroup :
> Pickupgroup :
> MOH Suggest :
> Mailbox : 361@family
> VM Extension : asterisk
> LastMsgsSent : 32767/65535
> Call limit : 0
> Max forwards : 0
> Dynamic : Yes
> Callerid : "361-tls" <361>
> MaxCallBR : 384 kbps
> Expire : -1
> Insecure : no
> Force rport : Yes
> ACL : No
> DirectMedACL : No
> T.38 support : No
> T.38 EC mode : Unknown
> T.38 MaxDtgrm: -1
> DirectMedia : No
> PromiscRedir : No
> User=Phone : No
> Video Support: No
> Text Support : No
> Ign SDP ver : No
> Trust RPID : No
> Send RPID : No
> Subscriptions: Yes
> Overlap dial : Yes
> DTMFmode : rfc2833
> Timer T1 : 3000
> Timer B : 192000
> ToHost :
> Addr->IP : (null)
> Defaddr->IP : (null)
> Prim.Transp. : TLS
> Allowed.Trsp : TLS
> Def. Username: 361
> SIP Options : (none)
> Codecs : 0x60e (gsm|ulaw|alaw|speex|ilbc)
> Codec Order : (ulaw:20,alaw:20,gsm:20,speex:20,ilbc:30)
> Auto-Framing : Yes
> 100 on REG : No
> Status : UNKNOWN
> Useragent :
> Reg. Contact :
> Qualify Freq : 60000 ms
> Sess-Timers : Refuse
> Sess-Refresh : uas
> Sess-Expires : 1800 secs
> Min-Sess : 90 secs
> RTP Engine : asterisk
> Parkinglot :
> Use Reason : No
> Encryption : Yes
>
>
> <--- SIP read from TLS:192.168.101.102:2061 --->
> REGISTER sip:pbx.domain.com SIP/2.0
> Via: SIP/2.0/TLS 192.168.101.102:2061;branch=z9hG4bK-b6veg4r2tybi;rport
> From: "361" <sip:[email protected]>;tag=6ulxay5gxm
> To: "361" <sip:[email protected]>
> Call-ID: 3c26701f2ede-afeuhg58c60m
> CSeq: 7 REGISTER
> Max-Forwards: 70
> Contact:
> <sip:[email protected]:2061;transport=tls>;reg-id=1;q=1.0;+sip.instance="<urn:uuid:0a473ab2-1159-4286-9cdb-385c32d8003d>";audio;mobility="fixed";duplex="full";description="snom300";actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
> User-Agent: snom300/8.4.31
> Allow-Events: dialog
> X-Real-IP: 192.168.101.102
> Supported: path, gruu
> Expires: 3600
> Content-Length: 0
>
> <------------->
> --- (14 headers 0 lines) ---
> Sending to 192.168.101.102:2061 (no NAT)
>
> <--- Transmitting (NAT) to 192.168.101.102:2061 --->
> SIP/2.0 401 Unauthorized
> Via: SIP/2.0/TLS
> 192.168.101.102:2061;branch=z9hG4bK-b6veg4r2tybi;received=192.168.101.102;rport=2061
> From: "361" <sip:[email protected]>;tag=6ulxay5gxm
> To: "361" <sip:[email protected]>;tag=as16189b66
> Call-ID: 3c26701f2ede-afeuhg58c60m
> CSeq: 7 REGISTER
> Server: "Asterisk rocks!"
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY,
> INFO, PUBLISH
> Supported: replaces
> WWW-Authenticate: Digest algorithm=MD5, realm="pbx.domain.com",
> nonce="6408e8c3"
> Content-Length: 0
>
>
> <------------>
> Scheduling destruction of SIP dialog '3c26701f2ede-afeuhg58c60m' in
> 192000 ms (Method: REGISTER)
>
> <--- SIP read from TLS:192.168.101.102:2061 --->
> REGISTER sip:pbx.domain.com SIP/2.0
> Via: SIP/2.0/TLS 192.168.101.102:2061;branch=z9hG4bK-9cuvn4fglawu;rport
> From: "361" <sip:[email protected]>;tag=hr7nz4nopk
> To: "361" <sip:[email protected]>
> Call-ID: 3c26701f2ede-afeuhg58c60m
> CSeq: 8 REGISTER
> Max-Forwards: 70
> Contact:
> <sip:[email protected]:2061;transport=tls>;reg-id=1;q=1.0;+sip.instance="<urn:uuid:0a473ab2-1159-4286-9cdb-385c32d8003d>";audio;mobility="fixed";duplex="full";description="snom300";actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
> User-Agent: snom300/8.4.31
> Allow-Events: dialog
> X-Real-IP: 192.168.101.102
> Supported: path, gruu
> Expires: 3600
> Content-Length: 0
>
> <------------->
> --- (14 headers 0 lines) ---
> Sending to 192.168.101.102:2061 (no NAT)
>
> <--- Transmitting (NAT) to 192.168.101.102:2061 --->
> SIP/2.0 401 Unauthorized
> Via: SIP/2.0/TLS
> 192.168.101.102:2061;branch=z9hG4bK-9cuvn4fglawu;received=192.168.101.102;rport=2061
> From: "361" <sip:[email protected]>;tag=hr7nz4nopk
> To: "361" <sip:[email protected]>;tag=as6231d59a
> Call-ID: 3c26701f2ede-afeuhg58c60m
> CSeq: 8 REGISTER
> Server: "Asterisk rocks!"
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY,
> INFO, PUBLISH
> Supported: replaces
> WWW-Authenticate: Digest algorithm=MD5, realm="pbx.domain.com",
> nonce="6ea5895a"
> Content-Length: 0
>
>
> <------------>
> Scheduling destruction of SIP dialog '3c26701f2ede-afeuhg58c60m' in
> 192000 ms (Method: REGISTER)
>
> - - - SNOM 300 - - -
>
> [ Setup > Identity 1 > Login ]
>
> Displayname: 361
> Account: 361
> Password: ********
> Registrar: pbx.domain.com
> Outbound Proxy: sips:pbx.domain.com:5061
> Authentication Username: 361
>
> - - -
>
> [ Setup > Certificates > Server Certificates ]
>
> Country: ; State: ; Locality ; Organization: ; Common Name:
> pbx.domain.com; eMail:
> Version: 2
> Serial Number: 00b6b63eb67ed2111345253c228264d093
> Signature Algorithm: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
> Signature:
> 28ce574c9715e1e59dfc90829287ab31fdbf0e0212dc488b106e71ffaaa339610492dc091d440772...
> Issuer: Country: GB; State: Greater Manchester; Locality Salford;
> Organization: Comodo CA Limited; Common Name: PositiveSSL CA; eMail:
> Validity: 27/04/11 - 26/04/12
> SHA1-Fingerprint: 38d13c709ab1cc9b434c2f05e927239fe4ae6f19
> MD5-Fingerprint: a9b62e186465055f34a04153ad7898de
> PK Algorithm: 1.2.840.113549.1.1.1 (rsaEncryption)
> RSA modulus:
> 00b90412744fd50459d807a04d007a9fd7d667189f1394f11ecd46e8556bd861526eb9be582a2631...
> RSA exponent: 010001
> Filename on FS: f6700ff3f3059f4c629df2bff8678aeacb291ddb.DER
>
> - - -
>
> [ Status > System Information ]
>
> System Information:
> Phone Type: snom300-SIP
> MAC-Address: 0004132F08DC
> IP-Address: 192.168.101.102
> Firmware-Version: snom300-SIP 8.4.31
> Firmware-URL: http://provisioning.....4.31-SIP-f.bin
> Production Information: Mac:0004132F08DC;Version:Standard;Hardware:snom300
> (H: R2A);Date:15/05/08;Copyright© snom technology AG
> Uptime: 0 days, 1 hours, 27 minutes
> LCS: 0 days, 0 hours, 53 minutes (0)
> Memfree: 772 K
> CPU: 0.04 0.02 0.03 1/10 96
> Bootloader-Version: 1.1.3-u
>
> SIP Identity Status:
> Identity 1 Status: [email protected]: Network Failure
>
> - - -
>
> [ Status > SIP Trace ]
>
> Sent to tls:11.22.33.44:5061 at 24/12/2001 08:00:32:192 (729 bytes):
> REGISTER sip:pbx.domain.com SIP/2.0
> Via: SIP/2.0/TLS 192.168.101.102:2055;branch=z9hG4bK-9i3rt6llzqd1;rport
> From: "361" <sip:[email protected]>;tag=hpleutmwxu
> To: "361" <sip:[email protected]>
> Call-ID: 3c26701f3456-58is2wtgld05
> CSeq: 1 REGISTER
> Max-Forwards: 70
> Contact:
> <sip:[email protected]:2055;transport=tls>;q=1.0;reg-id=1;+sip.instance="<urn:uuid:0a473ab2-1159-4286-9cdb-385c32d8003d>";audio;mobility="fixed";duplex="full";description="snom300";actor="principal";events="dialog";methods="
> INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
> User-Agent: snom300/8.4.31
> Allow-Events: dialog
> X-Real-IP: 192.168.101.102
> Supported: path, gruu
> Expires: 3600
> Content-Length: 0
> Sent to tls:11.22.33.44:5061 at 8/5/2011 00:24:03:610 (729 bytes):
>
> REGISTER sip:pbx.domain.com SIP/2.0
> Via: SIP/2.0/TLS 192.168.101.102:2056;branch=z9hG4bK-lriexp5iqoio;rport
> From: "361" <sip:[email protected]>;tag=b11o8j7lk4
> To: "361" <sip:[email protected]>
> Call-ID: 3c26701f3456-58is2wtgld05
> CSeq: 2 REGISTER
> Max-Forwards: 70
> Contact:
> <sip:[email protected]:2056;transport=tls>;reg-id=1;q=1.0;+sip.instance="<urn:uuid:0a473ab2-1159-4286-9cdb-385c32d8003d>";audio;mobility="fixed";duplex="full";description="snom300";actor="principal";events="dialog";methods="
> INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
> User-Agent: snom300/8.4.31
> Allow-Events: dialog
> X-Real-IP: 192.168.101.102
> Supported: path, gruu
> Expires: 3600
> Content-Length: 0
>
> - - -
>
> [ Status > Log ]
>
> [0] 24/12/2001 00:00:27: Phone::uboot_version:1.1.3-u
> [1] 24/12/2001 00:00:29: Conf setup: code: 500, host: 127.0.0.1:80,
> file: /dummy.htm
> [0] 24/12/2001 08:00:31: TaskMon: LCS 21/0 recv LPCP took 1271 msecs
> [0] 24/12/2001 08:00:31: LoopMon: LCS 21 took 1271 (290/0) msecs, read
> 1, 3/1 tasks
> [1] 24/12/2001 08:00:32: TLS: Warning: Certificate with subject
> Country: ; State: ; Locality ; Organization: ; Common Name:
> pbx.domain.com; eMail: has expired according to the local time of the
> phone.
> [0] 24/12/2001 08:00:33: TaskMon: LCS 30/0 recv LPCP took 934 msecs
> [0] 24/12/2001 08:00:33: LoopMon: LCS 30 took 968 (42/32) msecs, read
> 1, 3/1 tasks
> [0] 8/5/2011 00:22:49: TaskMon: LCS 93/0 recv LPCP took 434 msecs
> [0] 8/5/2011 00:22:49: TaskMon: LCS 94/0 recv LPCP took 461 msecs
> [0] 8/5/2011 00:22:50: TaskMon: LCS 96/0 recv LPCP took 576 msecs
> [0] 8/5/2011 00:23:03: TaskMon: LCS 148/0 recv LPCP took 238 msecs
> [2] 8/5/2011 00:23:03: Transport Error: Pending packet 1000000: generating
> fake
> [2] 8/5/2011 00:23:03: Registrar [email protected] timed out
> [0] 8/5/2011 00:23:05: TaskMon: LCS 157/0 recv LPCP took 372 msecs
> [0] 8/5/2011 00:23:05: LoopMon: LCS 157 took 850 (499/478) msecs, read
> 1, 4/1 tasks
> [0] 8/5/2011 00:24:04: TaskMon: LCS 359/0 recv LPCP took 872 msecs
> [0] 8/5/2011 00:24:04: LoopMon: LCS 359 took 872 (306/0) msecs, read
> 1, 3/1 tasks
> [2] 8/5/2011 00:24:34: Transport Error: Pending packet 1000002: generating
> fake
> [2] 8/5/2011 00:24:34: Registrar [email protected] timed out
> [0] 8/5/2011 00:24:48: TaskMon: LCS 508/0 recv LPCP took 443 msecs
> [0] 8/5/2011 00:24:48: LoopMon: LCS 508 took 444 (16/0) msecs, read 1, 3/1
> tasks
> [0] 8/5/2011 00:24:48: TaskMon: LCS 509/0 recv LPCP took 506 msecs
> [0] 8/5/2011 00:24:48: LoopMon: LCS 509 took 507 (72/0) msecs, read 1, 4/1
> tasks
> [0] 8/5/2011 00:24:49: TaskMon: LCS 510/0 recv LPCP took 1293 msecs
> [0] 8/5/2011 00:24:49: LoopMon: LCS 510 took 1337 (500/0) msecs, read
> 1, 5/1 tasks
> [0] 8/5/2011 00:25:35: TaskMon: LCS 673/0 recv LPCP took 871 msecs
> [0] 8/5/2011 00:25:35: LoopMon: LCS 673 took 871 (118/0) msecs, read
> 1, 3/1 tasks
> [2] 8/5/2011 00:26:05: Transport Error: Pending packet 1000004: generating
> fake
> [2] 8/5/2011 00:26:05: Registrar [email protected] timed out
> [0] 8/5/2011 00:27:06: TaskMon: LCS 986/0 recv LPCP took 871 msecs
> [0] 8/5/2011 00:27:06: LoopMon: LCS 986 took 871 (419/0) msecs, read
> 1, 3/1 tasks
> [2] 8/5/2011 00:27:36: Transport Error: Pending packet 1000006: generating
> fake
> [2] 8/5/2011 00:27:36: Registrar [email protected] timed out
> [0] 8/5/2011 00:28:37: TaskMon: LCS 1296/0 recv LPCP took 869 msecs
> [0] 8/5/2011 00:28:37: LoopMon: LCS 1296 took 870 (387/0) msecs, read
> 1, 3/1 tasks
> [2] 8/5/2011 00:29:07: Transport Error: Pending packet 1000008: generating
> fake
> [2] 8/5/2011 00:29:07: Registrar [email protected] timed out
> [0] 8/5/2011 00:30:08: TaskMon: LCS 1605/0 recv LPCP took 870 msecs
> [0] 8/5/2011 00:30:08: LoopMon: LCS 1605 took 871 (458/0) msecs, read
> 1, 3/1 tasks
> [2] 8/5/2011 00:30:38: Transport Error: Pending packet 1000010: generating
> fake
> [2] 8/5/2011 00:30:38: Registrar [email protected] timed out
> [0] 8/5/2011 00:31:39: TaskMon: LCS 1918/0 recv LPCP took 874 msecs
> [0] 8/5/2011 00:31:39: LoopMon: LCS 1918 took 875 (346/0) msecs, read
> 1, 3/1 tasks
> [0] 8/5/2011 00:32:03: TaskMon: LCS 1996/0 recv LPCP took 424 msecs
> [0] 8/5/2011 00:32:03: LoopMon: LCS 1996 took 430 (24/4) msecs, read
> 1, 3/1 tasks
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
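
The diagnosis in the reply can be checked mechanically from the server-side debug output: a client that actually receives a 401 challenge repeats the REGISTER with an Authorization header, so a retry on the same Call-ID without one indicates the response was lost on the way back. The Python below is an added example, not part of the original thread; the log excerpt is constructed from the quoted debug output (headers trimmed), and `unanswered_challenges`, the `aaa`/`bbb` Call-IDs and the second client are hypothetical.

```python
import re

# Constructed excerpt modelled on the Asterisk SIP debug output quoted above.
# Dialog "aaa" mirrors the thread; "bbb" is a hypothetical healthy client.
SAMPLE_DEBUG = """\
<--- SIP read from TLS:192.168.101.102:2061 --->
REGISTER sip:pbx.domain.com SIP/2.0
Call-ID: aaa
CSeq: 7 REGISTER
<--- Transmitting (NAT) to 192.168.101.102:2061 --->
SIP/2.0 401 Unauthorized
Call-ID: aaa
CSeq: 7 REGISTER
WWW-Authenticate: Digest algorithm=MD5, realm="pbx.domain.com", nonce="6408e8c3"
<--- SIP read from TLS:192.168.101.102:2061 --->
REGISTER sip:pbx.domain.com SIP/2.0
Call-ID: aaa
CSeq: 8 REGISTER
<--- Transmitting (NAT) to 192.168.101.103:2070 --->
SIP/2.0 401 Unauthorized
Call-ID: bbb
CSeq: 1 REGISTER
WWW-Authenticate: Digest algorithm=MD5, realm="pbx.domain.com", nonce="1a2b3c4d"
<--- SIP read from TLS:192.168.101.103:2070 --->
REGISTER sip:pbx.domain.com SIP/2.0
Call-ID: bbb
CSeq: 2 REGISTER
Authorization: Digest username="362", realm="pbx.domain.com", nonce="1a2b3c4d", response="0"
"""

BANNER = re.compile(r"^<--- (SIP read from|Transmitting \([^)]*\) to) (\S+) --->$", re.M)

def unanswered_challenges(debug_text):
    """Return {call_id: [cseq, ...]} for REGISTERs that follow a 401 without credentials."""
    parts = BANNER.split(debug_text)  # [preamble, kind, addr, body, kind, addr, body, ...]
    challenged, findings = set(), {}
    for kind, _addr, body in zip(parts[1::3], parts[2::3], parts[3::3]):
        lines = body.strip().splitlines()
        if not lines:
            continue
        hdrs = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
        call_id = hdrs.get("call-id")
        if kind.startswith("Transmitting") and lines[0].startswith("SIP/2.0 401"):
            challenged.add(call_id)          # server issued a digest challenge
        elif kind.startswith("SIP read") and lines[0].startswith("REGISTER "):
            if call_id in challenged and "authorization" not in hdrs:
                findings.setdefault(call_id, []).append(int(hdrs.get("cseq", "0").split()[0]))
            challenged.discard(call_id)
    return findings
```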
