

Can't figure out SIP/2.0 401 Unauthorized and 488 Not Acceptable Here

Hi all,

I'm having problems with inbound/outbound calls on my IP phone. Registration is OK, but whenever I try to call a number (or just a feature code), I'm getting a 488 error. A SIP trace on my IP phone reveals a 401 Unauthorized, which I can't figure out.
Since the registration is working, I wouldn't suspect the extension + SIP secret to be wrong.
I seem to have googled my way to the 488 being caused by a codec thing - but I can't figure out what I'm missing on my Asterisk. I just tested the phone on my production Asterisk, and it's working beautifully in its factory default configuration (apart from network/identity of course).

I'm on Asterisk and FreePBX

First part of sip trace:

a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:9 G722/8000
a=rtpmap:99 G726-32/8000
a=rtpmap:3 GSM/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:4 G723/8000

Which tells me that it's pretty much open to anything (except pigeons and smoke signals). I've allowed most common codecs on Asterisk.

Asterisk then replies back:

SIP/2.0 401 Unauthorized

Hmm. Any clues?
1 Solution
401 Unauthorized occasionally happens to me when qualify is on when the device (or the server if you are talking about trunk) doesn't support it. If you get the occasional unauthorized message at about the same rate as your extension's qualifyfreq that would confirm it.

A few things to double-check:

- Make sure the secret is correct. For now, make it something short and simple to eliminate any possibility of special characters or unexpectedly long length causing problems. Remember to change it to something more secure later.
- Turn off qualify, in case the device doesn't support it. Remember to turn it back on after everything is working.
- Turn NAT on if the device is on the WAN.
- Check the permit/deny settings; they should both be set to allow everything until you get it working. Remember to secure it down more later.
- On my setup, I have trustrpid=yes, and sendrpid=no for the extension. Not sure if that applies to you.

Is there a default permit/deny in sip_general.conf or any of its includes?

... with all of that out of the way, the 488 error looks like a codec issue, like you said in your question. There are four/five places to look on your Asterisk server as far as codec restrictions are concerned:

Under FreePBX->Tools Tab->Asterisk SIP Settings (you may need to install the Asterisk SIP Settings plugin)  (e.g. in sip_general_additional.conf)

Under FreePBX->Setup Tab->Extensions->Allow/Disallow settings (e.g. in sip_additional.conf)

Under FreePBX->Setup Tab->Trunks->PEER Details box, if there are any disallow/allow directives set (e.g. in sip_general_additional.conf)

On your sip phone - in the web interface or settings page that they provide look for any codec restrictions

On your VoIP provider's configuration - you may or may not have control over what codecs you can use, but if you are given a control panel to configure your voip service, check there for any codec restrictions.

If all of that fails.... I don't know what to do next, sorry.
DD-Operations (Author) commented:
Hi Frosty555,

Thanks for the tips! Lots of good stuff to try... and I got it working - it was RTP encryption on the phone, which seems to trigger something on my new setup (read below for solution). To recap:

 - The secret is 6 digits, no problems there
 - "qualify" has always been on - can't find it anywhere on my Snom 370 (with latest firmware), but I tried turning it off, no luck
 - NAT is off as Asterisk + client are on the same network
 - permit/deny settings were checked; I had only one permit setting. I reset it to 0/0 as suggested
 - trustrpid/sendrpid was checked - seems like your suggestion is the default on FreePBX

I grepped through /etc/asterisk for "permit" and "deny" to find settings that would conflict, but no luck.

I've captured traffic with Wireshark to see what's going on. A SIP analysis reveals nothing out of the ordinary. Turns out that 401 Unauthorized is a default response from the server - so that's no longer considered an error.

The problem was that the phone had RTP encryption ON as default. When I disabled it, everything was working beautifully. It's a bit strange though - as encryption never was enabled on my production system... but the phone works great when registered against it, with default settings ( = RTP encryption on). So... well - not really sure what's going on, but it seems that the 488 error can also represent an encryption error.
DD-Operations (Author) commented:
On Snom 360/370 (maybe others too!):  Disable RTP encryption on the active phone line.
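
The diagnosis reached in this thread, as an added example (not code from the thread or from Asterisk): a Python check over a SIP trace that treats a 401 followed by an authenticated INVITE as the normal digest challenge, and ties a 488 to an SRTP offer when the SDP uses the RTP/SAVP profile with a=crypto lines. The trace, the `---` message separator and the function name `diagnose` are constructed for illustration.

```python
import re

# Constructed trace (not from the thread); messages are separated by "---".
TRACE = """\
INVITE sip:100@pbx.example SIP/2.0
CSeq: 1 INVITE

m=audio 49170 RTP/SAVP 0 8 9
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER
---
SIP/2.0 401 Unauthorized
CSeq: 1 INVITE
WWW-Authenticate: Digest realm="asterisk", nonce="constructed"
---
INVITE sip:100@pbx.example SIP/2.0
CSeq: 2 INVITE
Authorization: Digest username="100", realm="asterisk", nonce="constructed"

m=audio 49170 RTP/SAVP 0 8 9
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER
---
SIP/2.0 488 Not Acceptable Here
CSeq: 2 INVITE
"""

def diagnose(trace):
    """Return findings for one SIP call attempt, in message order."""
    findings, challenged, srtp_offer = [], False, False
    for msg in (m.strip() for m in trace.split("---")):
        first = msg.splitlines()[0] if msg else ""
        status = re.match(r"SIP/2\.0 (\d{3})", first)
        if first.startswith("INVITE "):
            # SDES-SRTP is offered with the RTP/SAVP profile plus a=crypto lines.
            srtp_offer = bool(re.search(r"^m=audio \d+ RTP/SAVPF? ", msg, re.M)
                              and re.search(r"^a=crypto:", msg, re.M))
            if challenged and re.search(r"^Authorization:", msg, re.M | re.I):
                findings.append("401 answered with credentials: normal digest challenge")
                challenged = False
        elif status and status.group(1) == "401":
            challenged = True
        elif status and status.group(1) == "488":
            findings.append("488 after SRTP offer: check encryption settings on both ends"
                            if srtp_offer else
                            "488 after plain RTP offer: compare allow/disallow codec lists")
    if challenged:
        findings.append("401 not followed by an authenticated INVITE: check the secret")
    return findings

print("\n".join(diagnose(TRACE)))
```
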
Hi DD-Operations,

Glad to hear you got the issue solved! I would not have thought of that.

You ought to accept your own comment as the answer to your question - you will not be deducted any points for your question, and the information in this article will go into the EE knowledgebase for others who may run into the same issue later.
