asterisk users - Oct 2008 - cisco phones getting SIP 401 unauthorized

I have a handful of cisco phones that has been working.
Today they started showing X's. looking at sip debug I see the 401 
unauthorized.

SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP IP:52110;branch=z9hG4bK29694d4a;received=IP
From: <sip:304 at IP;user=phone>
To: <sip:304 at IP;user=phone>;tag=as3155786a
Call-ID: 000ff7c0-3fd70002-23a6b16f-6c9237da at 192.168.3.99
CSeq: 101 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk",
nonce="03362846"


Any idea what happened? Or how to get pasted the 401?

Jerry

Jerry Geis wrote:
> I have a handful of cisco phones that has been working.
> Today they started showing X's. looking at sip debug I see the 401 
> unauthorized.
>
> SIP/2.0 401 Unauthorized
> Via: SIP/2.0/UDP IP:52110;branch=z9hG4bK29694d4a;received=IP
> From: <sip:304 at IP;user=phone>
> To: <sip:304 at IP;user=phone>;tag=as3155786a
> Call-ID: 000ff7c0-3fd70002-23a6b16f-6c9237da at 192.168.3.99
> CSeq: 101 REGISTER
> User-Agent: Asterisk PBX
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
> WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", 
> nonce="03362846"
>
>
> Any idea what happened? Or how to get pasted the 401?
>
> Jerry
>
>
This setup is actually running 1.2.14 asterisk. from way back - but till 
today had been working fine.

Jerry

As a followup to my previous email, change nat_enable to "1" and
reboot
the phones.

Jerry Geis wrote:
>> Did you check sip.conf to make sure that the port is correctly set to
5060?
>>
>> Please show the output of Cli> sip show peer <peernumber> and
the contents of your SEP<MAC>.cnf file.
>>
>> Dave
>>   
> 
> sip.conf has :
> 
> bindport=5060                   ; UDP Port to bind to (SIP standard port 
> is 5060)
> bindaddr=X.X.X.X            ; ress to bind to (0.0.0.0 binds to all)
> srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
>                          
> 
> One extension cisco in sip.conf is:
> [402]
> type=friend
> dtmfmode=rfc2833
> username=402
> secret=XXXXXXX
> disallow=all
> allow=ulaw
> allow=alaw
> host=dynamic
> context=local-sip
> nat=yes
> canreinvite=no
> callerid="John Smith" <402>
> 
> sip show peer 402
>   * Name       : 402
>   Secret       : <Set>
>   MD5Secret    : <Not set>
>   Context      : smvoice-sip
>   Subscr.Cont. : <Not set>
>   Language     : >
>   AMA flags    : Unknown
>   CallingPres  : Presentation Allowed, Not Screened
>   Callgroup    :
>   Pickupgroup  :
>   Mailbox      :
>   VM Extension : asterisk
>   LastMsgsSent : 32767/65535
>   Call limit   : 0
>   Dynamic      : Yes
>   Callerid     : "John Smith" <402>
>   Expire       : -1
>   Insecure     : no
>   Nat          : Always
>   ACL          : No
>   CanReinvite  : No
>   PromiscRedir : No
>   User=Phone   : No
>   Trust RPID   : No
>   Send RPID    : No
>   DTMFmode     : rfc2833
>   LastMsg      : 0
>   ToHost       :
>   Addr->IP     : (Unspecified) Port 0
>   Defaddr->IP  : 0.0.0.0 Port 5060
>   Def. Username: 402
>   SIP Options  : (none)
>   Codecs       : 0xc (ulaw|alaw)
>   Codec Order  : (ulaw,alaw)
>   Status       : Unmonitored
>   Useragent    :
>   Reg. Contact :
> 
> 
> SIP Config file:
> 
> # SIP Configuration Generic File (start)
> 
> 
> # Proxy Server
> proxy1_address: "X.X.X.X"  
> proxy2_address: "X.X.X.X"  
> proxy3_address: "X.X.X.X"  
> proxy4_address: "X.X.X.X"  
> proxy5_address: "X.X.X.X"  
> proxy6_address: "X.X.X.X"  
> 
> # Line 1 Settings
> line1_name: "402"                     ; Line 1 Extension\User ID
> line1_displayname: "402"           ; Line 1 Display Name
> line1_authname: "402"         ; Line 1 Registration
Authentication
> line1_password: "402"         ; Line 1 Registration Password
> 
> # Line 2 Settings
> line2_name: "403"                          ; Line 2
Extension\User ID
> line2_displayname: "403"                   ; Line 2 Display Name
> line2_authname: "403"         ; Line 2 Registration
Authentication
> line2_password: "403"         ; Line 2 Registration Password
> 
> # Emergency Proxy info
> proxy_emergency: ""
> proxy_emergency_port: "5060"
> 
> # Backup Proxy info
> proxy_backup: ""
> proxy_backup_port: "5060"
> 
> # Outbound Proxy info
> outbound_proxy: ""
> outbound_proxy_port: "5060"
> 
> # NAT/Firewall Traversal
> nat_enable: "0"
> nat_address: ""
> voip_control_port: "5060"
> start_media_port: "16384"
> end_media_port:  "32766"
> nat_received_processing: "1"
> 
> # Phone Label (Text desired to be displayed in upper right corner)
> phone_label: "JDA  402  "            ; Has no effect on SIP
messaging
> 
> # Time Zone phone will reside in
> time_zone: EST 
> 
> # Telnet Level (enable or disable the ability to telnet into this phone
> telnet_level: "0"      ; 0-Disabled (default), 1-Enabled,
2-Privileged
> 
> # Phone prompt/password for telnet/console session
> phone_prompt: "Go Away"                              ;
Telnet/Console Prompt
> phone_password: "cisco"                          ; Telnet/Console
Password
> 
> proxy_register: 1 
> 
> # Enable_VAD (1-enabled, 0-disabled)
> enable_vad: "0"
> 
> # Network Media Type (auto, full100, full10, half100, half10)
> network_media_type: "auto"
> user_info: phone
> 
> # URL for external Directory location
> #logo_url: "http://10.0.1.3/10-20logo.bmp"                    ;
URL for branding logo to be used on phone display
> 
> # SIP Configuration Generic File (stop)
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> 
> AstriCon 2008 - September 22 - 25 Phoenix, Arizona
> Register Now: http://www.astricon.net
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>

Jerry Geis wrote:
>>
>> Did you check sip.conf to make sure that the port is correctly set to 
>> 5060?
>>
>> Please show the output of Cli> sip show peer <peernumber> and
the
>> contents of your SEP<MAC>.cnf file.
>>
>> Dave
>>  
>
>
>
>
>
This all ended up being CRAZY network stuff.

my server has 2 network cards in it. I thought I was the GW but in 
reality the customer change the setup
to point to GW device. so calls wer going OUT of the local network, then 
back in to the server.

I then made MAC address exceptions for the phones to use my server with 
two network cards as the GW for
the phones everything starting working again.

I had been setting the nat yes or enabled or whatever... I was getting 
limited success. But based on what the customer
has with the network I was surprised. Limited success I mean I had half 
channel audios...

Thanks for hte help...

Jerry