Cant figure out SIP/2.0 401 Unauthorized and 488 Not acceptable here

Posted on 2011-10-20
Last Modified: 2012-05-12
Hi all,

Im having problems with inbound/outbound calls on my ip phone. Registration is OK, but whenever I try to call a number (or just a feature code), im getting a 488 error. Sip trace on my ip phone reveals a 401 unauthorized, which i cant figure out.
Since the registration is working, i wouldnt suspect the extension+sip secret to be wrong.
I seem to have googled my way to the 488 being caused by a codec thing - but i cant figure out what im missing on my asterisk. I just tested the phone on my production asterisk, and its working beautifully in its factory default configuration (apart from network/identity of course).

Im on Asterisk and Freepbx

First part of sip trace:

a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:9 G722/8000
a=rtpmap:99 G726-32/8000
a=rtpmap:3 GSM/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:4 G723/8000

Which tells me that its pretty much open to anything (except pidgeons and smoke signals). I've allowed most common codecs on asterisk.

Asterisk then replies back:

SIP/2.0 401 Unauthorized

Hmm. Any clues?
Question by:DD-Operations
    LVL 31

    Expert Comment

    401 Unauthorized occasionally happens to me when qualify is on when the device (or the server if you are talking about trunk) doesn't support it. If you get the occasional unauthorized message at about the same rate as your extension's qualifyfreq that would confirm it.

    A few things to doublecheck:

    - Make sure the secret is correct. For now, make it something short and simple to eliminate any possibility of special characters or unexpectedly long length causing problems. Remember to change it to something more secure later.
    - Turn off qualify, in case the device doesn't support it. Remember to turn back on after everything is working
    - Turn NAT on if the device is on the WAN.
    - Check the permit/deny settings, they should both be to allow everything until you get it working. Remember to secure it down more later.
    - On my setup, I have trustrpid=yes, and sendrpid=no for the extension. Not sure if that applies to you.

    Is there a default permit/deny in sip_general.conf or any of its includes?

    ... with all of that out of the way, the 488 error looks like a codec issue, like you said in your question. There's four/five places to look on your asterisk server as far as codec restrictions are concerned:

    Under FreePBX->Tools Tab->Asterisk SIP Settings (you may need to install the Asterisk SIP Settings plugin)  (e.g. in sip_general_additional.conf)

    Under FreePBX->Setup Tab->Extensions->Allow/Disallow settings (e.g. in sip_additional.conf)

    Under FreePBX->Setup Tab->Trunks->PEER Details box, if there are any disallow/allow directives set (e.g. in sip_general_additional.conf)

    On your sip phone - in the web interface or settings page that they provide look for any codec restrictions

    On your VoIP provider's configuration - you may or may not have control over what codecs you can use, but if you are given a control panel to configure your voip service, check there for any codec restrictions.

    If all of that fails.... I don't know what to do next, sorry.

    Accepted Solution

    Hi Frosty555,

    Thanks for the tips! Lots of good stuff to try...and I got it working - it was rtp encryption on the phone which seems to trigger something on my new setup (read below for solution). To recap:

     - The secret is 6 digits, no problems there
     - "qualify" has always been on - cant find it anywhere on my snom 370 (with latest firmware), but I tried turning it off, no luck
     - NAT is off as asterisk+client is on the same network
     - permit/deny settings was checked, i had only one permit-setting. I reset it to 0/0 as suggested
     - trustrpid/sendrpid was checked - seems like your suggestion is default on freepbx

    I grepped through /etc/asterisk for "permit" and "dey" to find settings that would conflict, but no luck.

    I've captured traffic with wireshark to see whats going on. A SIP analysis reveals nothing out of the ordinary. Turns out that 401 unauth is a default response from the server - so thats no longer considered an error.

    The problem was that the phone had RTP encryption ON as default. When I disabled it, everything was working beatifully. Its a bit strange though - as encryption never was enabled on my production system...but the phone works great when registerered against it, with default settings ( = rtp encryption on). So..well - not really sure whats going on, but it seems that the 488 error also can represent an encryption error.

    Author Closing Comment

    On Snom 360/370 (maybe others too!):  Disable RTP encryption on the active phone line.
    LVL 31

    Expert Comment

    Hi DD-Operations,

    Glad to hear you got the issue solved! I would not have thought of that.

    You ought to accept your own comment as the answer to your question - you will not be deducted any points for your question, and the information in this article will go into the EE knowledgebase for others who may run into the same issue later.

    Featured Post

    How to run any project with ease

    Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
    - Combine task lists, docs, spreadsheets, and chat in one
    - View and edit from mobile/offline
    - Cut down on emails

    Join & Write a Comment

    Suggested Solutions

    The Zaptel people ( got kind of annoyed with the fact that they were getting bombarded with searches for the zaptel driver system for Asterisk (not to mention they own the trademark on zaptel). So, they kindly requested that Digium ch…
    So you think no one can listen in on your VOIP conversations, eh? Well... if you haven't setup Secure Real Time Transport (SRTP), your voice communications can be hacked into by just about anyone! First, let's talk about the intended audience for…
    This video is in connection to the article "The case of a missing mobile phone (". It will help one to understand clearly the steps to track a lost android phone.
    This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

    754 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now