We help IT Professionals succeed at work.

xlite works, asterisk returns "403" error

darkbluegr
darkbluegr used Ask the Experts™
on
Hi all:

Has anyone here tried using indigonetworks' SIP line with Asterisk? There SIP account worked fine with Xlite. And I was able to register SIP account with Asterisk. However, when I try to make calls through these trunks, all I get was the 403 forbidden message back from the provider. Nothing much informational. And believe me that I have tried every combination of trunk settings there would be trying to dial out with these SIP lines.

The asterisk server sits behind a sonicwall firewall. I was able to make phone calls by using vitelity and other SIP providers. However i need to use indigo's trunk - the other providers were used just for testing.

Here is a copy of the log:

-- Executing [s@macro-dialout-trunk:19] Dial("SIP/705-0000007f", "SIP/2420000000-out/12423273792,300,") in new stack
== Using SIP RTP TOS bits 184
== Using SIP RTP CoS mark 5
Audio is at 5060
Adding codec 0x4 (ulaw) to SDP
Adding codec 0x8 (alaw) to SDP
Adding codec 0x2 (gsm) to SDP
Adding codec 0x1000 (g722) to SDP
Adding non-codec 0x1 (telephone-event) to SDP
Reliably Transmitting (NAT) to 69.4.164.10:5060:
INVITE sip:12423273792@nas-sbc-01.srg.com.bs;user=phone SIP/2.0
Via: SIP/2.0/UDP MY-IP:5060;branch=z9hG4bK231d0451;rport
Max-Forwards: 70
From: "2420000000" <sip:2420000000@sia-nas01ca146.srg.com.bs>;tag=as6dcfa14f
To: <sip:12423273792@nas-sbc-01.srg.com.bs;user=phone>
Contact: <sip:2420000000@MY-IP:5060>
Call-ID: 42a9088e539b4e94664ee67531b07880@sia...146.srg.com.bs
CSeq: 102 INVITE
User-Agent: xlite
Date: Mon, 01 Aug 2011 20:19:15 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 292

v=0
o=root 674195259 674195259 IN IP4 MY-IP
s=xlite
c=IN IP4 MY-IP
t=0 0
m=audio 19460 RTP/AVP 0 8 3 9 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:3 GSM/8000
a=rtpmap:9 G722/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv

---
-- Called 2420000000-out/12423273792

<--- SIP read from UDP:69.4.164.10:5060 --->
SIP/2.0 100 Trying
Via: SIP/2.0/UDP MY-IP:5060;received=MY-IP;branch=z9hG4bK231d0451;rport=52056
From: "2420000000" <sip:2420000000@sia-nas01ca146.srg.com.bs>;tag=as6dcfa14f
To: <sip:12423273792@nas-sbc-01.srg.com.bs;user=phone>
Call-ID: 42a9088e539b4e94664ee67531b07880@sia...146.srg.com.bs
CSeq: 102 INVITE

<------------->
--- (6 headers 0 lines) ---

<--- SIP read from UDP:69.4.164.10:5060 --->
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP MY-IP:5060;received=MY-IP;branch=z9hG4bK231d0451;rport=52056
From: "2420000000" <sip:2420000000@sia-nas01ca146.srg.com.bs>;tag=as6dcfa14f
To: <sip:12423273792@nas-sbc-01.srg.com.bs;user=phone>;tag=aprqngfrt-i40hac20000c6
Call-ID: 42a9088e539b4e94664ee67531b07880@sia...146.srg.com.bs
CSeq: 102 INVITE

<------------->
--- (6 headers 0 lines) ---
Transmitting (NAT) to 69.4.164.10:5060:
ACK sip:12423273792@nas-sbc-01.srg.com.bs;user=phone SIP/2.0
Via: SIP/2.0/UDP MY-IP:5060;branch=z9hG4bK231d0451;rport
Max-Forwards: 70
From: "2420000000" <sip:2420000000@sia-nas01ca146.srg.com.bs>;tag=as6dcfa14f
To: <sip:12423273792@nas-sbc-01.srg.com.bs;user=phone>;tag=aprqngfrt-i40hac20000c6
Contact: <sip:2420000000@MY-IP:5060>
Call-ID: 42a9088e539b4e94664ee67531b07880@sia...146.srg.com.bs
CSeq: 102 ACK
User-Agent: xlite
Content-Length: 0


Can someone please provide a working sample sip.conf for Indigo?

I am also attaching below:

1) diagnostic log from my x-lite that works with default settings.
2) x-lite screenshots.

download link: http://ge.tt/9ZWyfX6?c

I'm using asterisk 1.4.21.2 but had the same issue with 1.8.4.1.

thank you in advance for any help..
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Author

Commented:
Also the provider said they can not provide configuration instructions but also said that they are not blocking asterisk. thanks in advance for any help.
Most Valuable Expert 2012

Commented:
Change your callerID to something that is an actual number on your DID block. They are probably not allowing you to outpulse: 2420000000.

Author

Commented:
Sorry i forgot to mention that i just edited my actual DID number in the log before posting.

Thank you

Author

Commented:
maybe it has to do with x-lite's header "Authorization:" that Asterisk doesn't do?
Most Valuable Expert 2012

Commented:
Please post your sip.conf.
Most Valuable Expert 2012
Commented:
403 forbidden means the server understood the request, but is refusing to fulfill it. Authorization is a moot point. It is not that Asterisk doesn't do authorization (because that is simply false). It means that there is potentially a problem with your account or there is a problem with your configuration.

(Asterisk DOES support authorization. Authorization takes place with a 401 Unauthorized response. )

403 means: "I understand what you want, but you're not getting it. Period. Don't ask again."

This could be because you're submitting requests in the wrong format (for example, leaving the +1 off from a number). Or it could be because there is a problem with your account.

Author

Commented:
type=peer
fromdomain=sia-nas01ca146.srg.com.bs
fromuser=242xxxxxxx (my did)
host=sia-nas01ca146.srg.com.bs
outboundproxy=nas-sbc-01.srg.com.bs
insecure=port,invite&very
secret=xx
username=242xxxxxxx (my did)
dtmfmode=rfc2833
disallow=all
canreinvite=no
authuser=242xxxxxxx (my did)
allow=alaw&ulaw&gsm&slinear&ilbc
sendrpid=yes

i've tried several differnet parameters over 3 days and also several asterisk versions, and didn't have any luck. a typical debug log is the one posted above.

Obviously the problem is that the provider doesn't provide sip.conf for their trunk... But they have mentioned they are not "blocking" asterisk.

Given that x-lite works with the same settings, would there be any way for me to use this information in order to configure asterisk in a way that might work?

Author

Commented:
I've also experimented with several other configurations that helped me get the trunk registered, but again, in any phone calls initiated from any phone connected to asterisk, the debug log shows "403 forbidden"

other sip trunks work without issues in asterisk.

this same indigo trunk works in my xlite without issues.

it's the combination of indigo in asterisk that does not want to work :/

type=peer
secret= xx
username=242xxxxxxx (my did)
host=sia-nas01ca146.srg.com.bs
outboundproxy=nas-sbc-01.srg.com.bs
fromuser=242xxxxxxx (my did)
canreinvite=no
insecure=very
qualify=yes
nat=yes
Could you please attach through EE tools a copy of the call when it connects with your XLITE and when it tries to connect but fails through asterisk? I couldn't find one example from the attached TXT where an INVITE was extended to nas-sbc-01.srg.com.bs, which is being used in the INVITE posted initially.

From your asterisk server, you may want to install ngrep and use this command:

ngrep -p -q -w byline port 5060 > /tmp/siptrace.txt

and then try the call. Or, you can run tcpdump, and from the PC running XLITE, use wireshark or collect another call attempt. Try to make calls to same destination in both cases. And provide us with the called number.
Or just keep the debugging feature in Asterisk for that peer specifically, I forgot about this, its probably the very best option.

Author

Commented:
Thank you very much, i will do right now and provide the logs. really appreciate your help!

Author

Commented:
this is my siptrace from asterisk when attempting a call, as per the instructions

interface: eth0 (192.168.1.0/255.255.255.0)
filter: (ip) and ( udp and port 5060 )
match: 2420000000(my_did)

U 192.168.1.9:5060 -> 69.4.167.16:5060
INVITE sip:4317578@sia-nas01ca146.srg.com.bs SIP/2.0.
Via: SIP/2.0/UDP 0.0.0.0(my-ip):5060;branch=z9hG4bK089bbc7b;rport.
Max-Forwards: 70.
From: "23232" <sip:2420000000(my_did)@0.0.0.0(my-ip)>;tag=as3c52a250.
To: <sip:4317578@sia-nas01ca146.srg.com.bs>.
Contact: <sip:2420000000(my_did)@0.0.0.0(my-ip):5060>.
Call-ID: 092372522b728fb13b71875a5c1dc279@0.0.0.0(my-ip):5060.
CSeq: 102 INVITE.
User-Agent: FPBX-2.8.1(1.8.4).
Date: Fri, 05 Aug 2011 01:23:59 GMT.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH.
Supported: replaces, timer.
Content-Type: application/sdp.
Content-Length: 328.
.
v=0.
o=root 1432446705 1432446705 IN IP4 0.0.0.0(my-ip).
s=Asterisk PBX 1.8.4.
c=IN IP4 0.0.0.0(my-ip).
t=0 0.
m=audio 10018 RTP/AVP 0 8 3 18 101.
a=rtpmap:0 PCMU/8000.
a=rtpmap:8 PCMA/8000.
a=rtpmap:3 GSM/8000.
a=rtpmap:18 G729/8000.
a=fmtp:18 annexb=no.
a=rtpmap:101 telephone-event/8000.
a=fmtp:101 0-16.
a=ptime:20.
a=sendrecv.


U 192.168.1.9:5060 -> 69.4.167.16:5060
INVITE sip:4317578@sia-nas01ca146.srg.com.bs SIP/2.0.
Via: SIP/2.0/UDP 0.0.0.0(my-ip):5060;branch=z9hG4bK089bbc7b;rport.
Max-Forwards: 70.
From: "23232" <sip:2420000000(my_did)@0.0.0.0(my-ip)>;tag=as3c52a250.
To: <sip:4317578@sia-nas01ca146.srg.com.bs>.
Contact: <sip:2420000000(my_did)@0.0.0.0(my-ip):5060>.
Call-ID: 092372522b728fb13b71875a5c1dc279@0.0.0.0(my-ip):5060.
CSeq: 102 INVITE.
User-Agent: FPBX-2.8.1(1.8.4).
Date: Fri, 05 Aug 2011 01:23:59 GMT.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH.
Supported: replaces, timer.
Content-Type: application/sdp.
Content-Length: 328.
.
v=0.
o=root 1432446705 1432446705 IN IP4 0.0.0.0(my-ip).
s=Asterisk PBX 1.8.4.
c=IN IP4 0.0.0.0(my-ip).
t=0 0.
m=audio 10018 RTP/AVP 0 8 3 18 101.
a=rtpmap:0 PCMU/8000.
a=rtpmap:8 PCMA/8000.
a=rtpmap:3 GSM/8000.
a=rtpmap:18 G729/8000.
a=fmtp:18 annexb=no.
a=rtpmap:101 telephone-event/8000.
a=fmtp:101 0-16.
a=ptime:20.
a=sendrecv.


U 69.4.167.16:5060 -> 192.168.1.9:5060
SIP/2.0 403 Forbidden.
Via: SIP/2.0/UDP  0.0.0.0(my-ip):5060;branch=z9hG4bK089bbc7b;rport=5060;received=174.36.237.26.
From: "23232"<sip:2420000000(my_did)@0.0.0.0(my-ip)>;tag=as3c52a250.
To: <sip:4317578@sia-nas01ca146.srg.com.bs>;tag=1_1146_t44081_91q0.
Call-ID: 092372522b728fb13b71875a5c1dc279@0.0.0.0(my-ip):5060.
CSeq: 102       INVITE.
Server: BTS10200/900-04.05.01.V32 (SIA).
Content-Length: 0.
.


U 192.168.1.9:5060 -> 69.4.167.16:5060
ACK sip:4317578@sia-nas01ca146.srg.com.bs SIP/2.0.
Via: SIP/2.0/UDP 0.0.0.0(my-ip):5060;branch=z9hG4bK089bbc7b;rport.
Max-Forwards: 70.
From: "23232" <sip:2420000000(my_did)@0.0.0.0(my-ip)>;tag=as3c52a250.
To: <sip:4317578@sia-nas01ca146.srg.com.bs>;tag=1_1146_t44081_91q0.
Contact: <sip:2420000000(my_did)@0.0.0.0(my-ip):5060>.
Call-ID: 092372522b728fb13b71875a5c1dc279@0.0.0.0(my-ip):5060.
CSeq: 102 ACK.
User-Agent: FPBX-2.8.1(1.8.4).
Content-Length: 0.
.


U 69.4.167.16:5060 -> 192.168.1.9:5060
SIP/2.0 403 Forbidden.
Via: SIP/2.0/UDP  0.0.0.0(my-ip):5060;branch=z9hG4bK089bbc7b;rport=5060;received=174.36.237.26.
From: "23232"<sip:2420000000(my_did)@0.0.0.0(my-ip)>;tag=as3c52a250.
To: <sip:4317578@sia-nas01ca146.srg.com.bs>;tag=1_1146_t44081_91q0.
Call-ID: 092372522b728fb13b71875a5c1dc279@0.0.0.0(my-ip):5060.
CSeq: 102       INVITE.
Server: BTS10200/900-04.05.01.V32 (SIA).
Content-Length: 0.
.


U 192.168.1.9:5060 -> 69.4.167.16:5060
INVITE sip:12424317578@sia-nas01ca146.srg.com.bs SIP/2.0.
Via: SIP/2.0/UDP 0.0.0.0(my-ip):5060;branch=z9hG4bK5b34aff5;rport.
Max-Forwards: 70.
From: "23232" <sip:2420000000(my_did)@0.0.0.0(my-ip)>;tag=as77b73f20.
To: <sip:12424317578@sia-nas01ca146.srg.com.bs>.
Contact: <sip:2420000000(my_did)@0.0.0.0(my-ip):5060>.
Call-ID: 0df26578007dc489683f41d4389141e2@0.0.0.0(my-ip):5060.
CSeq: 102 INVITE.
User-Agent: FPBX-2.8.1(1.8.4).
Date: Fri, 05 Aug 2011 01:24:15 GMT.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH.
Supported: replaces, timer.
Content-Type: application/sdp.
Content-Length: 326.
.
v=0.
o=root 839141727 839141727 IN IP4 0.0.0.0(my-ip).
s=Asterisk PBX 1.8.4.
c=IN IP4 0.0.0.0(my-ip).
t=0 0.
m=audio 10048 RTP/AVP 0 8 3 18 101.
a=rtpmap:0 PCMU/8000.
a=rtpmap:8 PCMA/8000.
a=rtpmap:3 GSM/8000.
a=rtpmap:18 G729/8000.
a=fmtp:18 annexb=no.
a=rtpmap:101 telephone-event/8000.
a=fmtp:101 0-16.
a=ptime:20.
a=sendrecv.


U 192.168.1.9:5060 -> 69.4.167.16:5060
INVITE sip:12424317578@sia-nas01ca146.srg.com.bs SIP/2.0.
Via: SIP/2.0/UDP 0.0.0.0(my-ip):5060;branch=z9hG4bK5b34aff5;rport.
Max-Forwards: 70.
From: "23232" <sip:2420000000(my_did)@0.0.0.0(my-ip)>;tag=as77b73f20.
To: <sip:12424317578@sia-nas01ca146.srg.com.bs>.
Contact: <sip:2420000000(my_did)@0.0.0.0(my-ip):5060>.
Call-ID: 0df26578007dc489683f41d4389141e2@0.0.0.0(my-ip):5060.
CSeq: 102 INVITE.
User-Agent: FPBX-2.8.1(1.8.4).
Date: Fri, 05 Aug 2011 01:24:15 GMT.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH.
Supported: replaces, timer.
Content-Type: application/sdp.
Content-Length: 326.
.
v=0.
o=root 839141727 839141727 IN IP4 0.0.0.0(my-ip).
s=Asterisk PBX 1.8.4.
c=IN IP4 0.0.0.0(my-ip).
t=0 0.
m=audio 10048 RTP/AVP 0 8 3 18 101.
a=rtpmap:0 PCMU/8000.
a=rtpmap:8 PCMA/8000.
a=rtpmap:3 GSM/8000.
a=rtpmap:18 G729/8000.
a=fmtp:18 annexb=no.
a=rtpmap:101 telephone-event/8000.
a=fmtp:101 0-16.
a=ptime:20.
a=sendrecv.


U 69.4.167.16:5060 -> 192.168.1.9:5060
SIP/2.0 403 Forbidden.
Via: SIP/2.0/UDP  0.0.0.0(my-ip):5060;branch=z9hG4bK5b34aff5;rport=5060;received=174.36.237.26.
From: "23232"<sip:2420000000(my_did)@0.0.0.0(my-ip)>;tag=as77b73f20.
To: <sip:12424317578@sia-nas01ca146.srg.com.bs>;tag=1_1146_t77615_sa49.
Call-ID: 0df26578007dc489683f41d4389141e2@0.0.0.0(my-ip):5060.
CSeq: 102       INVITE.
Server: BTS10200/900-04.05.01.V32 (SIA).
Content-Length: 0.
.


U 192.168.1.9:5060 -> 69.4.167.16:5060
ACK sip:12424317578@sia-nas01ca146.srg.com.bs SIP/2.0.
Via: SIP/2.0/UDP 0.0.0.0(my-ip):5060;branch=z9hG4bK5b34aff5;rport.
Max-Forwards: 70.
From: "23232" <sip:2420000000(my_did)@0.0.0.0(my-ip)>;tag=as77b73f20.
To: <sip:12424317578@sia-nas01ca146.srg.com.bs>;tag=1_1146_t77615_sa49.
Contact: <sip:2420000000(my_did)@0.0.0.0(my-ip):5060>.
Call-ID: 0df26578007dc489683f41d4389141e2@0.0.0.0(my-ip):5060.
CSeq: 102 ACK.
User-Agent: FPBX-2.8.1(1.8.4).
Content-Length: 0.
.


U 69.4.167.16:5060 -> 192.168.1.9:5060
SIP/2.0 403 Forbidden.
Via: SIP/2.0/UDP  0.0.0.0(my-ip):5060;branch=z9hG4bK5b34aff5;rport=5060;received=174.36.237.26.
From: "23232"<sip:2420000000(my_did)@0.0.0.0(my-ip)>;tag=as77b73f20.
To: <sip:12424317578@sia-nas01ca146.srg.com.bs>;tag=1_1146_t77615_sa49.
Call-ID: 0df26578007dc489683f41d4389141e2@0.0.0.0(my-ip):5060.
CSeq: 102       INVITE.
Server: BTS10200/900-04.05.01.V32 (SIA).
Content-Length: 0.
.

Open in new window


for x-lite, i posted the whole log, should I change it?

I tried to call two numbers, 431XXXX and then 1242327XXXX

thank you again

Author

Commented:
just in case it wasn't mentioned above, my diagnostic log while I was making a successful call with x-lite (directly connected to sip server, not through asterisk), is posted below:

http://ge.tt/9ZWyfX6

also includes x-lite screenshots.

Thank you!
is your Server behind a NAT?  was externip and localnet setup on the server?

Author

Commented:
Yes behind a nat, externip and localnet are setup. Thank you

Author

Commented:
In my network I'm using a sonicwall NSA240 (enhanced OS)..  maybe this is the problem?

On a brand new box hosted elsewhere, I was able to make calls with asterisk, by using the following SIP.conf:

[indigo-out]
host=sia-nas01ca146.srg.com.bs
type=friend
username=2420000000(my did/edited)
fromuser=2420000000(my did/edited)
fromdomain=sia-nas01ca146.srg.com.bs
sendrpid=yes
qualify=no
secret=xx
dtmfmode=rfc2833
disallow=all
allow=ulaw
allow=gsm
context=users
insecure=port,invite

there is some info here on configuring the sonicwall NAT for voip. I think i've done everything correctly, but maybe I'm still missing something?

http://www.sonicwall.com/app/projects/file_downloader/document_lib.php?t=PG&id=391&dl=1
http://biztechstore.com/blog/?p=191

Thank you
The sonicwall seems to be a sip aware device. Can you debug the failed call?

Author

Commented:
i am still trying several settings on the sonicwall. I have a fiber modem from my provider in my X1 interface on the sonicwall. I also have 6 Public IP's. and I have a nat policy that forwards 5060/5061 and 10000-20000 to the internal asterisk IP.

It appears sonicwall have issues with sip protocol:
http://www.fonality.com/trixbox/forums/trixbox-forums/help/sonicwall-enable-sip-transformations

I will try some more settings in the sonicwall and report back.
Most Valuable Expert 2012
Commented:
If possible, please temporarily put the asterisk box on a public IP to confirm or deny it is asn asterisk or sonicwall problem.

The typical issues you will experience with a firewall are one way voice, NOT a 403. 403 is the SERVER (your provider) refusing to complete a request.

Author

Commented:
i temporarily put the asterisk box on public ip and my laptop with softphone on a public ip.. and i had one way audio. very strange!

Author

Commented:
and this happened with two distinct asterisk boxes - one running raw asterisk and one running pbxinaflash latest distro..
My standpoint is that you should debug the SIP call in the Sonicwall thing to verify the communication on both legs =D
Most Valuable Expert 2012

Commented:
One way audio is a symptom of NAT. Was the softphone behind a firewall when you did this?

Author

Commented:
turns out if i do not choose "send outbound via proxy" on x-lite, then I get one way audio.

my provider has given me username, password, domain, and outbound proxy.

turns out asterisk does not instruct all outgoing calls to be send via the outbound proxy.

trying to find a solution for this now
According to http://www.venturevoip.com/news.php?rssid=1677, the outbound proxy handles all the outbound signaling. Could it be that Asterisk dialplan is taking effect first, thus overriding the use of the proxy? What would happen if your peer has an empty context for outbound calls?

Author

Commented:
@willlywilburwoka:

Thank you, it seems that these may be a bit outdated as I'm using 1.8.4.1

I was wondering if the ngrep output above is helpful for troubleshooting?

It appears my one-way audio problems above may be caused because the proxy wasn't used when making outgoing calls. in my trace above i had set the outbound proxy in my configuration but kept getting 401.