Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS

[Henning Westerholt]

Hello Laurent,

(you might want to anonymize your msg dumps bit on this public list)

You probably did already this steps, but nevertheless some debugging ideas:

- capture a longer network trace and compare the network data of a working 
against non-working case

- try to see to find a pattern (e.g. does it happens during a certain time, 
only to certain users or devices)

- have a look to network interface statistics on server and router/firewall if 
maybe some corruption is caused from an interface

- have a look to other network services that are using the same network 
infrastructure to see if they are also affected

Cheers,

Henning

Am 29.08.19 um 10:58 schrieb Laurent Schweizer:
Hello,

I try to get some log,
I only see that password seems wrong but he was not changed and registration of 
this user was ok just before ☹

Any idea how to debug this ?

Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:288]: 
auth_check_response(): check_response: Our result = 
'bc946bb4ea732eb35d11d0970631c6f8'
Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:298]: 
auth_check_response(): check_response: Authorization failed
Aug 29 10:21:38 de5029 kamailio[22615]: WARNING: <script>: auth error -2 
username XXXX7011537 - src ip: 93.229.221.67
Aug 29 10:21:38 de5029 kamailio[22615]: ERROR: debugger [debugger_mod.c:581]: 
w_dbg_sip_msg(): CONFIG LINE 871
------------------------- START OF SIP message debug --------------------------
REGISTER sip:pbxs.peoplefone.de:5060 SIP/2.0^M
Via: SIP/2.0/TCP 192.168.2.113:5060;branch=z9hG4bK2816544140^M
From: "11 - Juergen XXXX" 
<sip:xxxx7011...@pbxs.peoplefone.de:5060><mailto:sip:xxxx7011...@pbxs.peoplefone.de:5060>;tag=4042485072^M
To: "11 - Juergen XXXX" 
<sip:xxxx7011...@pbxs.peoplefone.de:5060><mailto:sip:xxxx7011...@pbxs.peoplefone.de:5060>^M
Call-ID: 0_228669251@192.168.2.113^M<mailto:0_228669251@192.168.2.113^M>
CSeq: 3 REGISTER^M
Contact: 
<sip:XXXX7011537@192.168.2.113:5060;transport=TCP><mailto:sip:XXXX7011537@192.168.2.113:5060;transport=TCP>^M
Authorization: Digest username="XXXX7011537", realm="pbxs.peoplefone.de", 
nonce="XXXXXXxKoIygitcq45XMNGX2z9hwn", uri="sip:pbxs.peoplefone.de:5060", 
response="XXXXXX7142356b40754f30e0dc6cd", algorithm=MD5^M
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, 
SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE^M
Max-Forwards: 69^M
User-Agent: Yealink SIP-T42S 66.82.0.30^M
Expires: 300^M
Allow-Events: talk,hold,conference,refer,check-sync^M
Content-Length: 0^M
^M
------------------------------ SIP header diffs -------------------------------
------------------------------- SIP body diffs --------------------------------
-------------------------- END OF SIP message debug ---------------------------
Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [challenge.c:165]: 
get_challenge_hf(): realm='pbxs.peoplefone.de'
Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [challenge.c:275]: 
get_challenge_hf(): auth: 'WWW-Authenticate: Digest realm="pbxs.peoplefone.de", 
nonce="XXXXXXxKoIygitcq45XMNGX2z9hwn"^M




From: sr-users 
<sr-users-boun...@lists.kamailio.org><mailto:sr-users-boun...@lists.kamailio.org>
 On Behalf Of Laurent Schweizer
Sent: lundi, 26 août 2019 14:04
To: Kamailio (SER) - Users Mailing List 
<sr-users@lists.kamailio.org><mailto:sr-users@lists.kamailio.org>
Subject: Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with 
TCP/TLS

Wireshark was missing .

From: Laurent Schweizer
Sent: lundi, 26 août 2019 10:25
To: 'Kamailio (SER) - Users Mailing List' 
<sr-users@lists.kamailio.org<mailto:sr-users@lists.kamailio.org>>
Subject: Kamailio 5.0.8 | authentification issue only with TCP/TLS

Dear all,

I have a kamailio running in version 5.0.8 and since fee weeks we have an issue 
with different users connected in TCP or TLS, sometimes authorization like for 
REGISTER are rejected and after a moment (can be few minute or hours) it work 
again and of course no change was done in the password ….

We see this issue with different device, snom swyx, …  and on UDP we have no 
issue.

I can see that when the Register is rejected it’s with the error -2, so wrong 
password…

# Authentication route
route[AUTH] {
        if (is_method("REGISTER"))
        {
                # authenticate requests
                if (!auth_check("$fd", "subscriber", "1")) {

                        switch($retcode) {
                                case -1:
                                        sl_send_reply("503","Service not 
available");
                                        exit;
                                case -2:
                                         xlog("L_WARN", "auth error -2 username 
$au - src ip: $si \n");
                                        auth_challenge("$fd", "0");
                                        exit;


I have attached an example of a trace where we can see a first REGISTER 
accepted and  less than 2 minutes after a new one is rejected. ( in between 
they is a REGISTER without any Authorization header)

Any idea ?

BR

Laurent



_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org<mailto:sr-users@lists.kamailio.org>
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


--
Henning Westerholt - https://skalatan.de/blog/
Kamailio services - https://skalatan.de/services

_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users