asterisk users - Jul 2015 - SIP/2.0 401 Unauthorized when calling from one SIP extension to another

Hello everyone,

A few days ago I had a problem with a couple of extensions. I have about 12
Aastra 6731i phones, 6 are at our main office and 6 more on remote
branches. We use VPN to communicate to our branches so there's no NAT
involved any where.

The problem I had was that I couldn't call from two extensions located at
two branch offices. But I could call to them just fine. On any call placed
from those phones I got the following error:

SIP/2.0 401 Unauthorized

This is the console output of a call placed from one of those phones:

----------------------------------------------------------------------------------------------------
<--- SIP read from UDP:192.168.96.141:5060 --->
INVITE sip:85004 at 192.168.10.227:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.96.141:5060
;branch=z9hG4bKd4511cd84a4f22669.bbb2635a0516602e8
Max-Forwards: 70
From: "" <sip:85014 at 192.168.10.227:5060>;tag=5dde10fb77
To: "85004" <sip:85004 at 192.168.10.227:5060>
Call-ID: 169216acc663493c
CSeq: 28267 INVITE
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, OPTIONS, UPDATE, PRACK,
SUBSCRIBE, INFO
Allow-Events: talk, hold, conference, LocalModeStatus
Contact: "" <sip:85014 at 192.168.96.141:5060
;transport=udp>;+sip.instance="<urn:uuid:00000000-0000-1000-8000-00085D2B85C3>"
Supported: gruu, path, timer, 100rel, replaces
User-Agent: Aastra 6731i/2.6.0.1007
Content-Type: application/sdp
Content-Length: 698

v=0
o=MxSIP 0 0 IN IP4 192.168.96.141
s=SIP Call
c=IN IP4 192.168.96.141
t=0 0
m=audio 3000 RTP/AVP 0 18 106 107 113 110 111 112 4 4 98 97 115 96 9 108 8
101
a=rtpmap:0 PCMU/8000
a=rtpmap:18 G729/8000
a=rtpmap:106 BV16/8000
a=rtpmap:107 BV32/16000
a=rtpmap:113 L16/16000
a=rtpmap:110 PCMU/16000
a=rtpmap:111 PCMA/16000
a=rtpmap:112 L16/8000
a=rtpmap:4 G723/8000
a=rtpmap:4 G723/8000
a=rtpmap:98 G726-16/8000
a=rtpmap:97 G726-24/8000
a=rtpmap:115 G726-32/8000
a=rtpmap:96 G726-40/8000
a=rtpmap:9 G722/8000
a=rtpmap:108 G7221/16000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=silenceSupp:on - - - -
a=fmtp:18 annexb=yes
a=fmtp:101 0-15
a=ptime:30
a=sendrecv
<------------->
--- (14 headers 29 lines) ---
Sending to 192.168.96.141:5060 (no NAT)
Sending to 192.168.96.141:5060 (no NAT)
Using INVITE request as basis request - 169216acc663493c
Found peer '85014' for '85014' from 192.168.96.141:5060

<--- Reliably Transmitting (NAT) to 192.168.96.141:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.96.141:5060
;branch=z9hG4bKd4511cd84a4f22669.bbb2635a0516602e8;received=192.168.96.141;rport=5060
From: "" <sip:85014 at 192.168.10.227:5060>;tag=5dde10fb77
To: "85004" <sip:85004 at 192.168.10.227:5060>;tag=as52309181
Call-ID: 169216acc663493c
CSeq: 28267 INVITE
Server: Asterisk PBX 11.10.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO,
PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk",
nonce="03eab1fd"
Content-Length: 0


<------------>
Scheduling destruction of SIP dialog '169216acc663493c' in 32000 ms
(Method: INVITE)

<--- SIP read from UDP:192.168.96.141:5060 --->
ACK sip:85004 at 192.168.10.227:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.96.141:5060
;branch=z9hG4bKd4511cd84a4f22669.bbb2635a0516602e8
Max-Forwards: 70
From: "" <sip:85014 at 192.168.10.227:5060>;tag=5dde10fb77
To: "85004" <sip:85004 at 192.168.10.227:5060>;tag=as52309181
Call-ID: 169216acc663493c
CSeq: 28267 ACK
User-Agent: Aastra 6731i/2.6.0.1007
Content-Length: 0
----------------------------------------------------------------------------------------------------

And that just keep repeating and repeating but the call never actually
takes place.

The contents of my sip.conf file:

----------------------------------------------------------------------------------------------------
[general]
context=unauthenticated
allowguest=no
srvlookup=no
udpbindaddr=0.0.0.0
tcpenable=no
shrinkcallerid=no

[office-phone](!)
type=peer
context=LocalSets
host=dynamic
nat=force_rport,comedia
dtmfmode=auto
disallow=all
allow=g729

[85004](office-phone)
defaultuser=85004
secret=securepass
callerid="Phone 4" <85004>

[85014](office-phone)
defaultuser=85014
secret=securepass
callerid="Phone 14" <85014>
host=192.168.96.141
transport=udp,tcp
----------------------------------------------------------------------------------------------------

Originally I had not have the defaultuser option on any of the extensions,
nor the host and transport on the [85014] one, but the problem was the same
with or without those options.

Note that I'm including only two extensions to simplify things up and that
the extension with the problem is 85014.

Also, I said there's no NAT involved here but I'm using the option
nat=force_rport,comedia as suggested by "Asterisk The Definitive Guide 4th
edition". I've also switched that option to nat=no and the result was
been
the same.

My dialplan is also really simple. extensions.conf file:

----------------------------------------------------------------------------------------------------
[LocalSets]
exten => 85004,1,Dial(SIP/85004)

exten => 85014,1,NoOp()
 same => n,System(echo ${CALLERID(all)})
 same => n,Dial(SIP/85014)
----------------------------------------------------------------------------------------------------

In the beginning exten 85014 had only the Dial application just like exten
85004 but I added that echo for debugging purposes.

I now know that this issue was caused because those two phones couldn't
authenticate correctly. To solve this issue what I did was removing the
secret from sip.conf for those to extensions and configuring the phones to
register without password. Now it's possible to call from those phones and
all is working great. Still, I like having those to extensions without a
password.

It doesn't worries me much because on the dialplan those extensions
don't
have access to the PSTN, but I don't think it's a good practice to have
things the way I have. So I would like to know if any of you have an idea
on how to solve this issue? As I said all my phones are Aastra 6731i and
all where configured the same.

Any idea?

Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20150706/af666c09/attachment.html>