CUBE is ignoring 407 Proxy Authentication Challenge

memschweiler
Level 1

Greetings community. I am running into an issue where my SIP provider requires authentication to place outbound calls. I have a 3825 VG set up as a CUBE that interfaces with them. I have it configured correctly, from what I can tell, to do the registration, but outbound calls fail with a timeout:

 

Nov 23 2020 10:31:58.595 EST: //8018/D77DE4898EF7/SIP/Call/sipSPICallInfo:

Disconnect Cause (CC)    : 102

Disconnect Cause (SIP)   : 408

 

The CUBE is sending the invite and I get what looks like the 407 Proxy Authentication challenge back from the provider, but then my next Invite doesn't include the Proxy Authorization response. It's like the router is just ignoring that provider's challenge. Then it will time out according to the timers I have set. I have a feeling their challenge is malformed, but I'm not sure. Here is what the provider is sending:

 

SIP/2.0 407 Proxy Authentication Required

v:SIP/2.0/UDP 172.16.60.254:5060;branch=z9hG4bK20FCDFE

f:"M Emschweiler"<sip:17873043045@sip.la2.didforsale.com>;tag=D68CEAC-C60

t:<sip:16104766934@sip.la2.didforsale.com>;tag=2DpKtp76ZUaZe

i:D78057C6-2CD711EB-8EFD8B21-645E2119@172.16.60.254:5060

CSeq:101 INVITE

User-Agent:DIDForSale

Accept:application/sdp

Allow:INVITE,ACK,BYE,CANCEL,OPTIONS,MESSAGE,INFO,UPDATE,REGISTER,REFER,NOTIFY,PUBLISH,SUBSCRIBE

k:timer,path,replaces

u:talk,hold,conference,presence,as-feature-event,dialog,line-seize,call-info,sla,include-session-description,presence.winfo,message-summary,refer

Proxy-Authenticate:Digest realm="sip.la2.didforsale.com",nonce="c4ae1ac8-94a8-49ca-a8e6-603729b52f08",algorithm=MD5,qop="auth"

l:0

 

 

They are using the abbreviated forms of the headers, which I think may be ok, but I'm not sure. They also don't have a space after their colons, but I'm not sure if that would cause an issue or not. The only thing that I can think of, though, is that if their challenge is malformed in some type of way, then my CUBE would not recognize it to respond in the correct way. You can see that after their "challenge", my CUBE simply sends another Invite, then they challenge again, then I invite again, and so on and so forth until it times out:

 

INVITE sip:16104766934@sip.la2.didforsale.com:5060 SIP/2.0

Via: SIP/2.0/UDP 172.16.60.254:5060;branch=z9hG4bK20FCDFE

From: "M Emschweiler" <sip:17873043045@sip.la2.didforsale.com>;tag=D68CEAC-C60

To: <sip:16104766934@sip.la2.didforsale.com>

Date: Mon, 23 Nov 2020 15:31:54 GMT

Call-ID: D78057C6-2CD711EB-8EFD8B21-645E2119@172.16.60.254

Supported: 100rel,timer,resource-priority,replaces,sdp-anat

Min-SE:  1800

Cisco-Guid: 3615351945-0752292331-2398587681-1683890457

User-Agent: Cisco-SIPGateway/IOS-12.x

Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER

CSeq: 101 INVITE

Timestamp: 1606145514

Contact: <sip:6061@172.16.60.254:5060>

Expires: 180

Allow-Events: telephone-event

Max-Forwards: 69

Supported: precondition

Content-Type: application/sdp

Content-Disposition: session;handling=required

Content-Length: 277

P-Asserted-Identity: <sip:7873043045@sip.la2.didforsale.com>

 

v=0

o=CiscoSystemsSIP-GW-UserAgent 5362 3474 IN IP4 172.16.60.254

s=SIP Call

c=IN IP4 172.16.60.254

t=0 0

a=rtr

m=audio 17136 RTP/AVP 0 101

c=IN IP4 172.16.60.254

a=rtpmap:0 PCMU/8000

a=rtpmap:101 telephone-event/8000

a=fmtp:101 0-16

a=ptime:20

a=direction:active

 

The CUBE is behind NAT and I verified that the IP addresses from the provider are permitted to talk 5060 to the VG and are not getting blocked.  They are also permitted in the IP address trust list as you will see below.

 

I am using a SIP profile on the outbound dial-peer to match the SIP domain name I have registered on their side of things so when it sends back the challenge it should match but never does.  Here is the relevant configuration.  Is there anything else I can check or may be missing?  This is driving me crazy!

 

 

voice service voip

ip address trusted list

  ipv4 209.216.2.202 255.255.255.255

  ipv4 209.216.2.203 255.255.255.255

  ipv4 209.216.2.204 255.255.255.255

  ipv4 209.216.2.205 255.255.255.255

  ipv4 209.216.2.211 255.255.255.255

  ipv4 209.216.2.212 255.255.255.255

  ipv4 209.216.15.70 255.255.255.255

  ipv4 209.216.15.71 255.255.255.255

  ipv4 209.216.15.73 255.255.255.255

  ipv4 209.216.15.74 255.255.255.255

address-hiding

allow-connections sip to sip

no supplementary-service sip moved-temporarily

redirect ip2ip

sip

  bind control source-interface GigabitEthernet0/1

  bind media source-interface GigabitEthernet0/1

  header-passing

  early-offer forced

  registration passthrough static

 

voice class sip-profiles 2

request INVITE sip-header Remote-Party-ID modify "Remote-Party-ID:.*<sip:60..@.*>(.*)" "Remote-Party-ID: \"M Emschweiler\" <sip:17873043045@sip.la2.didforsale.com>\1"

request INVITE sip-header P-Asserted-Identity add "P-Asserted-Identity: <sip:7873043045@sip.la2.didforsale.com>"

request REINVITE sip-header From modify "From:.*<sip:17873043045@.*>(.*)" "From: \"M Emschweiler\" <sip:17873043045@sip.la2.didforsale.com>\1"

request INVITE sip-header From modify "From:.*<sip:60..@.*>(.*)" "From: \"M Emschweiler\" <sip:17873043045@sip.la2.didforsale.com>\1"

 

dial-peer voice 3000 voip

description Long Distance Dialing via SIP                             

preference 1

destination-pattern 1[2-9].........

session protocol sipv2

session target sip-server

session transport udp

voice-class codec 1 

voice-class sip associate registered-number MySIPRegistrationNumber

voice-class sip outbound-proxy dns:sip.la2.didforsale.com 

voice-class sip early-offer forced

voice-class sip profiles 2

voice-class sip pass-thru content sdp

dtmf-relay rtp-nte

dtmf-interworking standard

ip qos dscp cs5 media

ip qos dscp cs4 signaling

no vad

authentication username MySIPRegistrationNumber password 7 SuperSecretPassword realm sip.la2.didforsale.com

 

sip-ua

credentials username MySIPRegistrationNumber password 7 SuperSecretPassword realm sip.la2.didforsale.com

authentication username MySIPRegistrationNumber password 7 SuperSecretPassword realm sip.la2.didforsale.com

nat symmetric role active

nat symmetric check-media-src

no remote-party-id

retry invite 3

retry register 10

registrar 1 dns:sip.la2.didforsale.com expires 600 auth-realm sip.la2.didforsale.com

sip-server dns:sip.la2.didforsale.com

 

I show registered with them so inbound calls work:

 

Line                             peer       expires(sec) registered P-Associ-URI

================================ ========== ============ ========== ============

MySIPRegistrationNumber                       -1         434          yes        
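
Added example (not part of the original post, and not Cisco or provider code): RFC 3261 permits both the compact header names and the missing space after the colon seen in the 407 above, and this Python code parses that response and builds the Proxy-Authorization value that RFC 2617 Digest (MD5, qop=auth) defines for the retried INVITE. The password, cnonce and nc values passed in are constructed placeholders, and the 407 is trimmed to the headers the code uses.

```python
import hashlib
import re

# Compact names from RFC 3261 section 7.3.3; "u" (Allow-Events) is from the SIP events spec.
COMPACT = {"v": "Via", "f": "From", "t": "To", "i": "Call-ID", "m": "Contact",
           "k": "Supported", "l": "Content-Length", "c": "Content-Type", "u": "Allow-Events"}

# Constructed sample: the 407 quoted in the post, trimmed to the headers used here.
CHALLENGE_407 = (
    "SIP/2.0 407 Proxy Authentication Required\r\n"
    "v:SIP/2.0/UDP 172.16.60.254:5060;branch=z9hG4bK20FCDFE\r\n"
    "i:D78057C6-2CD711EB-8EFD8B21-645E2119@172.16.60.254:5060\r\n"
    "CSeq:101 INVITE\r\n"
    'Proxy-Authenticate:Digest realm="sip.la2.didforsale.com",'
    'nonce="c4ae1ac8-94a8-49ca-a8e6-603729b52f08",algorithm=MD5,qop="auth"\r\n'
    "l:0\r\n\r\n"
)

def parse_headers(message):
    """Map canonical header name to value; accepts compact names and no space after ':'."""
    headers = {}
    for line in message.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[COMPACT.get(name.strip().lower(), name.strip())] = value.strip()
    return headers

def parse_challenge(value):
    """Split 'Digest k="v",k=v' into a dict of lower-cased parameter names."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)
    return {k.lower(): v.strip('"') for k, v in pairs}

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for algorithm=MD5 with qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def proxy_authorization(ch, user, password, method, uri, cnonce, nc="00000001"):
    """Proxy-Authorization value for the retried request (assumes the challenge offers qop=auth)."""
    resp = digest_response(user, ch["realm"], password, method, uri, ch["nonce"], nc, cnonce)
    return (f'Digest username="{user}",realm="{ch["realm"]}",nonce="{ch["nonce"]}",uri="{uri}",'
            f'response="{resp}",algorithm=MD5,cnonce="{cnonce}",qop=auth,nc={nc}')
```

Per RFC 3261, the INVITE retried after a 407 reuses the Call-ID, increments the CSeq and carries this header, which is the thing to look for when comparing a trace against the exchange above.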

Accepted Solutions

memschweiler
Level 1

Well, after trying basically everything...upgrading, downgrading the IOS, making sure I was running an IOS that does CUBE, etc, enabling or disabling all the SIP options available on a dial peer, under the sip-ua section and voice service voip and sip sections, nothing seemed to work until I enabled the following:

 

voice service voip

 sip

  localhost dns:sip.la2.didforsale.com

 

As soon as that was enabled, the VG responded to the 407 Proxy Authentication Required challenge, succeeded and the call was successful.

 

Hopefully this helps anyone else that may be having the same issue!

 

 
