11-23-2020 07:48 AM
Greetings community. I am running into an issue where my SIP provider requires authentication to place outbound calls. I have a 3825 VG setup as a CUBE that interfaces with them. I have it configured correctly from what I can tell to do the registration but outbound calls fail with a timeout:
Nov 23 2020 10:31:58.595 EST: //8018/D77DE4898EF7/SIP/Call/sipSPICallInfo:
Disconnect Cause (CC) : 102
Disconnect Cause (SIP) : 408
The CUBE is sending the invite and I get what looks like the 407 Proxy Authentication challenge back from the provider, but then my next Invite doesn't include the Proxy Authorization response. It's like the router is just ignoring that provider's challenge. Then it will timeout according to the timers I have set. I have a feeling their challenge is malformed, but I'm not sure. Here is what the provider is sending:
SIP/2.0 407 Proxy Authentication Required
v:SIP/2.0/UDP 172.16.60.254:5060;branch=z9hG4bK20FCDFE
f:"M Emschweiler"<sip:17873043045@sip.la2.didforsale.com>;tag=D68CEAC-C60
t:<sip:16104766934@sip.la2.didforsale.com>;tag=2DpKtp76ZUaZe
i:D78057C6-2CD711EB-8EFD8B21-645E2119@172.16.60.254:5060
CSeq:101 INVITE
User-Agent:DIDForSale
Accept:application/sdp
Allow:INVITE,ACK,BYE,CANCEL,OPTIONS,MESSAGE,INFO,UPDATE,REGISTER,REFER,NOTIFY,PUBLISH,SUBSCRIBE
k:timer,path,replaces
u:talk,hold,conference,presence,as-feature-event,dialog,line-seize,call-info,sla,include-session-description,presence.winfo,message-summary,refer
Proxy-Authenticate:Digest realm="sip.la2.didforsale.com",nonce="c4ae1ac8-94a8-49ca-a8e6-603729b52f08",algorithm=MD5,qop="auth"
l:0
They are using the abbreviated forms of the headers, which I think may be ok, but I'm not sure. They also don't have a space after their colons, but I'm not sure if that would cause an issue or not. The only thing that I can think though is that if their challenge is malformed in some type of way, then my CUBE would not recognize it to respond in the correct way. You can see that after their "challenge", my CUBE simply sends another Invite, then they challenge again, then I invite again, and so on and so forth until it times out:
INVITE sip:16104766934@sip.la2.didforsale.com:5060 SIP/2.0
Via: SIP/2.0/UDP 172.16.60.254:5060;branch=z9hG4bK20FCDFE
From: "M Emschweiler" <sip:17873043045@sip.la2.didforsale.com>;tag=D68CEAC-C60
To: <sip:16104766934@sip.la2.didforsale.com>
Date: Mon, 23 Nov 2020 15:31:54 GMT
Call-ID: D78057C6-2CD711EB-8EFD8B21-645E2119@172.16.60.254
Supported: 100rel,timer,resource-priority,replaces,sdp-anat
Min-SE: 1800
Cisco-Guid: 3615351945-0752292331-2398587681-1683890457
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Timestamp: 1606145514
Contact: <sip:6061@172.16.60.254:5060>
Expires: 180
Allow-Events: telephone-event
Max-Forwards: 69
Supported: precondition
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 277
P-Asserted-Identity: <sip:7873043045@sip.la2.didforsale.com>
v=0
o=CiscoSystemsSIP-GW-UserAgent 5362 3474 IN IP4 172.16.60.254
s=SIP Call
c=IN IP4 172.16.60.254
t=0 0
a=rtr
m=audio 17136 RTP/AVP 0 101
c=IN IP4 172.16.60.254
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=direction:active
The CUBE is behind NAT and I verified that the IP addresses from the provider are permitted to talk 5060 to the VG and are not getting blocked. They are also permitted in the IP address trust list as you will see below.
I am using a SIP profile on the outbound dial-peer to match the SIP domain name I have registered on their side of things so when it sends back the challenge it should match but never does. Here is the relevant configuration. Is there anything else I can check or may be missing? This is driving me crazy!
voice service voip
ip address trusted list
ipv4 209.216.2.202 255.255.255.255
ipv4 209.216.2.203 255.255.255.255
ipv4 209.216.2.204 255.255.255.255
ipv4 209.216.2.205 255.255.255.255
ipv4 209.216.2.211 255.255.255.255
ipv4 209.216.2.212 255.255.255.255
ipv4 209.216.15.70 255.255.255.255
ipv4 209.216.15.71 255.255.255.255
ipv4 209.216.15.73 255.255.255.255
ipv4 209.216.15.74 255.255.255.255
address-hiding
allow-connections sip to sip
no supplementary-service sip moved-temporarily
redirect ip2ip
sip
bind control source-interface GigabitEthernet0/1
bind media source-interface GigabitEthernet0/1
header-passing
early-offer forced
registration passthrough static
voice class sip-profiles 2
request INVITE sip-header Remote-Party-ID modify "Remote-Party-ID:.*<sip:60..@.*>(.*)" "Remote-Party-ID: \"M Emschweiler\" <sip:17873043045@sip.la2.didforsale.com>\1"
request INVITE sip-header P-Asserted-Identity add "P-Asserted-Identity: <sip:7873043045@sip.la2.didforsale.com>"
request REINVITE sip-header From modify "From:.*<sip:17873043045@.*>(.*)" "From: \"M Emschweiler\" <sip:17873043045@sip.la2.didforsale.com>\1"
request INVITE sip-header From modify "From:.*<sip:60..@.*>(.*)" "From: \"M Emschweiler\" <sip:17873043045@sip.la2.didforsale.com>\1"
dial-peer voice 3000 voip
description Long Distance Dialing via SIP
preference 1
destination-pattern 1[2-9].........
session protocol sipv2
session target sip-server
session transport udp
voice-class codec 1
voice-class sip associate registered-number MySIPRegistrationNumber
voice-class sip outbound-proxy dns:sip.la2.didforsale.com
voice-class sip early-offer forced
voice-class sip profiles 2
voice-class sip pass-thru content sdp
dtmf-relay rtp-nte
dtmf-interworking standard
ip qos dscp cs5 media
ip qos dscp cs4 signaling
no vad
authentication username MySIPRegistrationNumber password 7 SuperSecretPassword realm sip.la2.didforsale.com
sip-ua
credentials username MySIPRegistrationNumber password 7 SuperSecretPassword realm sip.la2.didforsale.com
authentication username MySIPRegistrationNumber password 7 SuperSecretPassword realm sip.la2.didforsale.com
nat symmetric role active
nat symmetric check-media-src
no remote-party-id
retry invite 3
retry register 10
registrar 1 dns:sip.la2.didforsale.com expires 600 auth-realm sip.la2.didforsale.com
sip-server dns:sip.la2.didforsale.com
I show registered with them so inbound calls work:
Line peer expires(sec) registered P-Associ-URI
================================ ========== ============ ========== ============
MySIPRegistrationNumber -1 434 yes
Solved! Go to Solution.
11-24-2020 08:53 PM
Well, after trying basically everything...upgrading, downgrading the IOS, making sure I was running an IOS that does CUBE, etc, enabling or disabling all the SIP options available on a dial peer, under the sip-ua section and voice service voip and sip sections, nothing seemed to work until I enabled the following:
voice service voip
sip
localhost dns:sip.la2.didforsale.com
As soon as that was enabled, the VG responded to the 407 Proxy Authentication Required challenge, succeeded and the call was successful.
Hopefully this helps anyone else that may be having the same issue!
11-24-2020 08:53 PM
Well, after trying basically everything...upgrading, downgrading the IOS, making sure I was running an IOS that does CUBE, etc, enabling or disabling all the SIP options available on a dial peer, under the sip-ua section and voice service voip and sip sections, nothing seemed to work until I enabled the following:
voice service voip
sip
localhost dns:sip.la2.didforsale.com
As soon as that was enabled, the VG responded to the 407 Proxy Authentication Required challenge, succeeded and the call was successful.
Hopefully this helps anyone else that may be having the same issue!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide