Page 1 of 1

Inbound issue - calls from freeswitch being rejected

PostPosted: Tue Mar 24, 2015 2:41 pm
by perci100
I am getting inbound calls from all of my 3 carriers. I bought a bunch of DIDs from a new provider today and they are using freeswitch , they are sending calls over in _+1xxxxxxxxxx format , I have uncommented the line in extensions.conf under context trunkinbound to allow these calls. I actually just added a it to the rest. Whenever i call a did , its giving me fast busy and in the CLI this is what I am getting : (I masked the last 4 of every phone number for privacy )


U 2015/03/24 15:31:07.661110 162.246.xx.xx:5060 -> 192.168.1.72:5060
INVITE sip:1505333xxxx@173.246.xx.xxSIP/2.0
Via: SIP/2.0/UDP 162.246.139.145;rport;branch=z9hG4bKacH2HaZ7c09rc
Max-Forwards: 47
From: "+1561350xxxx" <sip:561350xxxx@162.246.xx.xx>;tag=B1jD09jc0FSFF
To: <sip:1505333xxxx@173.246.xx.xx>
Call-ID: 2d5f4da5-4cc4-1233-65bf-00163c67f99f
CSeq: 73264003 INVITE
Contact: <sip:mod_sofia@162.246.xx.xx:5060>
User-Agent: FreeSWITCH-mod_sofia/1.5.15b+git~20141113T152002Z~dd61232163~64bit
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
Supported: timer, path, replaces
Allow-Events: talk, hold, conference, presence, as-feature-event, dialog, line-seize, call-info, sla, include-session-description, presence.winfo, message-summary, refer
Content-Type: application/sdp
Content-Disposition: session
Content-Length: 276
X-FS-Support: update_display,send_info
Remote-Party-ID: "+1561350xxxx <sip:561350xxxx@162.246.xx.xx>;party=calling;screen=yes;privacy=off

v=0
o=FreeSWITCH 1427173017 1427173018 IN IP4 162.246.139.202
s=FreeSWITCH
c=IN IP4 162.246.139.202
t=0 0
m=audio 27116 RTP/AVP 0 8 3 101 13
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:3 GSM/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20

#
U 2015/03/24 15:31:07.661498 192.168.1.72:5060 -> 162.246.xx.xx:5060
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 162.246.xx.xx;branch=z9hG4bKacH2HaZ7c09rc;received=162.246.xx.xx;rport=5060
From: "+1561350xxxx" <sip:561350xxxx@162.246.xx.xx>;tag=B1jD09jc0FSFF
To: <sip:1505333xxxx@173.246.xx.xx>;tag=as097bace0
Call-ID: 2d5f4da5-4cc4-1233-65bf-00163c67f99f
CSeq: 73264003 INVITE
Server: Asterisk PBX 1.8.26.0-vici
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="3621d4fd"
Content-Length: 0


##
U 2015/03/24 15:31:07.672116 162.246.139.145:5060 -> 192.168.1.72:5060
ACK sip:1505333xxxx@173.246.xx.xxSIP/2.0
Via: SIP/2.0/UDP 162.246.xx.xx;5rport;branch=z9hG4bKacH2HaZ7c09rc
Max-Forwards: 47
From: "+1561350xxxx" <sip:561350xxxx@162.246.xx.xx>;tag=B1jD09jc0FSFF
To: <sip:1505333xxxx@173.246.xx.xx>;tag=as097bace0
Call-ID: 2d5f4da5-4cc4-1233-65bf-00163c67f99f
CSeq: 73264003 ACK
Content-Length: 0

--------------------------------------------------------------------------------


here are my inbound settings :

[xxxxDIDs]
disallow=all
allow=gsm
allow=ulaw
allow=g729
type=friend
host=162.246.xx.xx
qualify=yes
insecure=port,invite
nat=yes
context=trunkinbound


Ive tried a couple different settings but nothing is working. Just gets rejected every time. no matter what i do .

sip show peers shows the server as unreachable when qualify is yes.

any help at all is greatly appreciated , first time i have had an issue with inbound.

Re: Inbound issue - calls from freeswitch being rejected

PostPosted: Tue Mar 24, 2015 9:40 pm
by ambiorixg12
U 2015/03/24 15:31:07.661498 192.168.1.72:5060 -> 162.246.xx.xx:5060
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 162.246.xx.xx;branch=z9hG4bKacH2HaZ7c09rc;received=162.246.xx.xx;rport=5060
From: "+1561350xxxx" <sip:561350xxxx@162.246.xx.xx>;tag=B1jD09jc0FSFF
To: <sip:1505333xxxx@173.246.xx.xx>;tag=as097bace0
Call-ID: 2d5f4da5-4cc4-1233-65bf-00163c67f99f
CSeq: 73264003 INVITE
Server: Asterisk PBX 1.8.26.0-vici
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="3621d4fd"
Content-Length: 0


when you get 401, you need to go through to the end of the result of the repeat of the INVITE with authentication.

Also change type=peer

insecure=port,invite should solve this problem in older version of asterisk insecure=very also fix it.


if the remote device doesn't proceed beyond the 401, it means it does not know how to authenticate itself.

Re: Inbound issue - calls from freeswitch being rejected

PostPosted: Wed Mar 25, 2015 12:24 am
by perci100
ambiorixg12 wrote:
when you get 401, you need to go through to the end of the result of the repeat of the INVITE with authentication.



I dont understand what you mean above. Can you explain a little further.

type=peer and type=friend should both work as type=friend is both a user and a peer

I am using insecure=port,invite

Re: Inbound issue - calls from freeswitch being rejected

PostPosted: Wed Mar 25, 2015 1:17 am
by ambiorixg12
401
When a UAS receives a request from a UAC, the UAS MAY authenticate
the originator before the request is processed. If no credentials
(in the Authorization header field) are provided in the request, the
UAS can challenge the originator to provide credentials by rejecting
the request with a 401 (Unauthorized) status code.

Note 401 is not an error. It is normal stage in the registration process. If the registering device doesn't proceed beyond the 401, it means it does not know how to authenticate itself.

peer vs friend


For SIP, type=peer matches on IP address only, after registration, and type=friend matches on IP address or the SIP username.

If you have type=friend and invite=insecure, an attacker can simulate the ITSP, if they know the sip.conf section name. There are also cases, that have happened in real life, where a call arriving on a trunk has a caller ID that matches a local, type=friend, "extension", and has matched the extension, rather than the trunk.



Another little known fact about the difference between peer and friend:
Friend will challenge INVITEs. When making outbound calls from a registered phone/peer another challenge will be issued.

This means type=friend requires second INVITE with authentication credentials, while peer will accept INVITE without challenge.

In other words type=friend does not care about the phone registration status and always tries to authenticate as if the phone never registered.



http://forums.digium.com/viewtopic.php?t=79338

http://forums.asterisk.org/viewtopic.ph ... lit=+david

Re: Inbound issue - calls from freeswitch being rejected

PostPosted: Wed Mar 25, 2015 8:22 am
by perci100
SOLVED: Helps when the DID provider actually gives you the right IP address. or when you call them and they start pointing the finger if they at least check to see if i am connected . Sip show peers was showing them unreachable. should have known . i need a bigger hand to palm my face.