cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6583
Views
0
Helpful
6
Replies

problem with 407 proxy authentication required

landrievsky
Level 1
Level 1

Hello all,

I am configuring a cisco 3640 with IOS ver 12.4(13b) wich has 2 fxs ports and I want to use them with an ITSP. I can register each port using diferent usenames. everything works fine for a while, but then, when I want to place a call, the gateway sends the INVITE and receives a 407 Proxy Authentication Required from the sip-proxy...as far as I know the GW must reply with an ACK followed by an INVITE message with credentials...the problem is that the GW is replying with an ACK but never sends the new INVITE with credentials. Do I have to configure such reply anywhere via CLI?

I am attaching my GW's VoIP config and the sip debug.

Thank you all in advance!!

Fernando

6 Replies 6

paolo bevilacqua
Hall of Fame
Hall of Fame

Hola Fernando,

credentials under dial-peer is only for registration purposes.

For placing calls, you need to configure authentication with username/password/realm unser "sip-ua".

Note, in case you want to remove / change these in the configuration, you have to re-enter them in clear text, because this sip-ua part of code is quite peculiar in some aspects.

Hope this helps, please rate post if it does!

Hi Paolo,

Unfortunately it did not help. I configured as you said but had no changes in the behavior, I am attaching the debugged sip signaling and the voip config of my router. In case it would work, each FXS port has its own user and password?I mean, if your example would work I can only configure one user/pass under sip-ua authentication.

What I am trying to do is to use the 3640 as an ATA-186, registered in a sip-proxy and each port is a different user.

Thank you!!

Fernando.

Hi Fernando,

The SIP authentication mechanism in IOS is quite confusing, and I must say, not very well written.

For outgoing calls, you can specify only asingle set of username/password. You can specify different realms, but always with the same username/password. The idea (I think) is that you could get multiple authentication challenges from proxies in a chain.

For registration, you can specify each pots dial-peer to have its own authentication. Confusingly enough, you can also specify a global authentication username/password/realm under sip-ua, in that case it is referred as credentials.

Now in your case, I see that the proxy is sending an empty realm, and the router doesn't go further, possibly because it is unable to match this empty realm to the authentication you configured under sip-ua, that has no real at all.

Can you have the proxy to specify a realm, and configure the same under sip-ua ?

Hope all this makes sense, good luck!

Hello Paolo,

I configured both sip-proxy and cisco 3640 with sip-realm. On the 3640 I configured the realm under sip-ua and under each dial-peer...Unfortunately there is no change in the sip signalling....I am attaching the "show run" and the ccsip debug.

I also opened a ticket on Cisco support...lets see if they can help me.

Thank you!!

Fernando

Hi,

I shall collect a successful authentication debug so can be compared to your.

As soon I have one I will post it.

Good luck!

esmeraldaduran
Level 1
Level 1

Hi Fernando

yo sad that you resolve your problem, i have the same problem with router 2801 could you please help me.

regards