OK, there are two parts of the setup.
1. SIP user registers on Kamailio.
2. Kamailio registers on Asterisk (using SIP user credentials).
As long as part 1 is not done, part 2 will not work. So let's break down the
problem: first just forget part 2 and try to register the SIP user on Kamailio.
Why does it fail? There may be many reasons, e.g.
a) bad username,
b) bad password,
c) bad realm,
d) expired or stale nonce
and so on.
The easiest way to identify what is causing this failure is to edit your
config, go to the route[AUTH] block and, inside the IF block of auth_check, print
the value of the $retcode variable using xlog. After saving and exiting the config file,
restart Kamailio and attempt to register again, then look at the Kamailio logs in
syslog facility local0 (/var/log/syslog in debian / ubuntu or
/var/log/message in centos / redhat). If the value of the $retcode variable is
printed, then compare it with this list of error codes,
This should tell you what is wrong and where. Fix that, and only after that do you
need to worry about the Asterisk side.
Thank you.
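
An added example, not part of the original post or of Kamailio: causes a) to c) above can be told apart offline by recomputing the MD5 digest from a captured Authorization header and the secret stored in the database. The function names and the `db_*` parameters are assumptions; the sample header and secret are the ones shown in the capture and table quoted further down this thread.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest(header_value):
    """Split 'Digest k="v",k2=v2,...' into a dict of parameters."""
    params = header_value.split(None, 1)[1]           # drop the scheme word
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def expected_response(p, method, password):
    """Digest response the server should compute for this request."""
    ha1 = md5_hex(f"{p['username']}:{p['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{p['uri']}")
    if p.get("qop"):                                  # RFC 2617 form with qop
        return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
    return md5_hex(f"{ha1}:{p['nonce']}:{ha2}")       # no qop, as in the capture

def diagnose(header_value, method, db_user, db_realm, db_secret):
    """Compare the client's header with what the database row implies."""
    p = parse_digest(header_value)
    if p.get("username") != db_user:
        return "username mismatch"
    if p.get("realm") != db_realm:
        return "realm mismatch"
    if expected_response(p, method, db_secret) != p.get("response", "").lower():
        return "password mismatch"
    return "credentials ok"

# Authorization value copied from the second ngrep capture in this thread
# (the trailing "." that ngrep prints for the line ending is dropped).
CAPTURED = ('Digest username="1001",realm="192.168.50.1",'
            'nonce="VGqbxVRqmpngschsiE6AuMiOfCS/MIp7",uri="sip:192.168.50.1",'
            'response="1788f6b9cfc322b863a93c91f3b623dc",algorithm=MD5')

if __name__ == "__main__":
    # Secret taken from the "secret" row for id 1001 in the table in this thread.
    print(diagnose(CAPTURED, "REGISTER", "1001", "192.168.50.1", "1001secret"))
```

A result of `credentials ok` leaves the nonce (cause d) or the server-side user lookup as the remaining suspects.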
On Tue, Nov 18, 2014 at 3:20 AM, Mahmoud Ramadan Ali <
cisco.and.more.blog(a)gmail.com> wrote:
Hi Mohamed,
Thank you for your interest in helping me. I've configured the auth_db
module with the Asterisk DB URL and the SIP username and password table
name and verified the MySQL remote connection from Kamailio to the Asterisk
DB and got connected as predicted.
I tried to register a phone after applying the changes and Kamailio
forwarded the register request to Asterisk only once and without successful
authentication! Now I didn't change anything in the configuration file and
can NOT get any registration requests forwarded from Kamailio to Asterisk
and get only events on Kamailio that it can NOT register the incoming
registration request like this.
root@debian:/usr/local/etc/kamailio# ngrep -W byline -d eth1 port 5060
U 192.168.50.2:50886 -> 192.168.50.1:5060
REGISTER sip:192.168.50.1 SIP/2.0.
Via: SIP/2.0/UDP 192.168.50.2:50886
;branch=z9hG4bK-d8754z-cb65023b979d0a36-1---d8754z-;rport.
Max-Forwards: 70.
Contact: <sip:1001@192.168.50.2:50886;rinstance=8000799665fa4b54>.
To: "Mahmoud Ramadan Ali"<sip:1001@192.168.50.1>.
From: "Mahmoud Ramadan Ali"<sip:1001@192.168.50.1>;tag=9f381b5f.
Call-ID: MzcxNzYwMmUyN2E0M2FkMWRmOTI0ZjNkMjJmNWNhYTc.
CSeq: 2 REGISTER.
Expires: 3600.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
SUBSCRIBE, INFO.
User-Agent: X-Lite 4.7.1 74247--W6.1.
Authorization: Digest
username="1001",realm="192.168.50.1",nonce="VGqbxVRqmpngschsiE6AuMiOfCS/MIp7",uri="sip:192.168.50.1",response="1788f6b9cfc322b863a93c91f3b623dc",algorithm=MD5.
Content-Length: 0.
#
U 192.168.50.1:5060 -> 192.168.50.2:50886
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP 192.168.50.2:50886
;branch=z9hG4bK-d8754z-cb65023b979d0a36-1---d8754z-;rport=50886.
To: "Mahmoud Ramadan Ali"<sip:1001@192.168.50.1
;tag=b27e1a1d33761e85846fc98f5f3a7e58.0bcb.
From: "Mahmoud Ramadan Ali"<sip:1001@192.168.50.1>;tag=9f381b5f.
Call-ID: MzcxNzYwMmUyN2E0M2FkMWRmOTI0ZjNkMjJmNWNhYTc.
CSeq: 2 REGISTER.
WWW-Authenticate: Digest realm="192.168.50.1",
nonce="VGqbxVRqmpngschsiE6AuMiOfCS/MIp7".
Server: kamailio (4.1.6 (i386/linux)).
Content-Length: 0.
But when using the ngrep command on Asterisk to capture traffic on port
5050 or even 5060 I get nothing! Other troubleshooting steps I followed
include:
1. Verifying the MySQL connection from Kamailio and the account table name
and SIP username / password column.
root@debian:/usr/local/etc/kamailio# mysql -u sipuser -h 192.168.100.10 -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 149
Server version: 5.1.73 Source distribution
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights
reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current
input
statement.
mysql> use asterisk;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> SELECT * FROM sip;
+------+------------------+---------------------------------+-------+
| id | keyword | data | flags |
+------+------------------+---------------------------------+-------+
| 1001 | pickupgroup | | 22 |
| 1001 | callgroup | | 21 |
| 1001 | encryption | no | 20 |
| 1001 | icesupport | no | 19 |
| 1001 | force_avp | no | 18 |
| 1001 | avpf | no | 17 |
| 1001 | transport | udp,tcp,tls | 16 |
| 1001 | qualifyfreq | 60 | 15 |
| 1001 | qualify | yes | 14 |
| 1001 | port | 5050 | 13 |
| 1001 | nat | no | 12 |
| 1001 | type | friend | 11 |
| 1001 | sendrpid | no | 10 |
| 1001 | trustrpid | yes | 9 |
| 1001 | host | dynamic | 8 |
| 1001 | context | from-internal | 7 |
| 1001 | canreinvite | no | 6 |
| 1001 | dtmfmode | rfc2833 | 5 |
| 1001 | secret | 1001secret | 4 |
| 1001 | secret_origional | 1001secret | 3 |
| 1001 | sipdriver | chan_sip | 2 |
| 1001 | dial | SIP/1001 | 25 |
| 1002 | pickupgroup | | 22 |
| 1002 | callgroup | | 21 |
| 1002 | encryption | no | 20 |
| 1002 | icesupport | no | 19 |
| 1002 | force_avp | no | 18 |
| 1002 | avpf | no | 17 |
| 1002 | transport | udp,tcp,tls | 16 |
| 1002 | qualifyfreq | 60 | 15 |
| 1002 | qualify | yes | 14 |
| 1002 | port | 5060 | 13 |
| 1002 | nat | no | 12 |
| 1002 | type | friend | 11 |
| 1002 | sendrpid | no | 10 |
| 1002 | trustrpid | yes | 9 |
| 1002 | host | dynamic | 8 |
| 1002 | context | from-internal | 7 |
| 1002 | canreinvite | no | 6 |
| 1002 | dtmfmode | rfc2833 | 5 |
| 1002 | secret | 1002secret | 4 |
| 1002 | secret_origional | 1002secret | 3 |
| 1002 | sipdriver | chan_sip | 2 |
| 1002 | dial | SIP/1002 | 25 |
| 1002 | disallow | | 23 |
| 1002 | allow | | 24 |
| 1002 | accountcode | | 26 |
| 1002 | mailbox | 1002@device | 27 |
| 1002 | deny | 0.0.0.0/0.0.0.0 | 28 |
| 1002 | permit | 0.0.0.0/0.0.0.0 | 29 |
| 1002 | account | 1002 | 30 |
| 1002 | callerid | Ahmed Ramadan's Device <1002> | 31 |
| 1001 | disallow | | 23 |
| 1001 | allow | | 24 |
| 1001 | accountcode | | 26 |
| 1001 | mailbox | 1001@device | 27 |
| 1001 | deny | 0.0.0.0/0.0.0.0 | 28 |
| 1001 | permit | 0.0.0.0/0.0.0.0 | 29 |
| 1001 | account | 1001 | 30 |
| 1001 | callerid | Mahmoud Ramadan's Device <1001> | 31 |
+------+------------------+---------------------------------+-------+
60 rows in set (0.00 sec)
2. Verifying that Asterisk can listen at 5050 which is the same Asterisk
port configured on Kamailio.
[root@Asterisk VM 01 ~]# asterisk -r
Asterisk 11.13.1, Copyright (C) 1999 - 2013 Digium, Inc. and others.
Created by Mark Spencer <markster(a)digium.com>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for
details.
This is free software, with components licensed under the GNU General
Public
License version 2 and other licenses; you are welcome to redistribute it
under
certain conditions. Type 'core show license' for details.
=========================================================================
Connected to Asterisk 11.13.1 currently running on Asterisk VM 01 (pid =
2456)
Asterisk VM 01*CLI> sip show settings
Global Settings:
----------------
UDP Bindaddress: 0.0.0.0:5050
I know it is a long message but I wanted to give you all the INFO you
might need; also, I've attached my configuration file so you can check
it. Thank you Mohamed for your assistance.
On Sun, Nov 16, 2014 at 8:25 PM, Muhammad Shahzad <shaheryarkh(a)gmail.com>
wrote:
Because both kamailio and asterisk use the same db table for
authentication, see the auth_db module parameters in kamailio config.
The REGISTER request from sip user is authenticated by kamailio using
auth_db module and upon success kamailio generates REGISTER request back to
asterisk (using the credentials sent by sip user for authentication with
kamailio), this request is now authenticated by asterisk using realtime sip
users interface.
Thank you.
On Sun, Nov 16, 2014 at 2:53 PM, Mahmoud Ramadan Ali <
cisco.and.more.blog(a)gmail.com> wrote:
Hi Muhammad,
If the users MUST authenticate to Kamailio first, this means that
Kamailio should be aware of the SIP users that exist in the Asterisk DB to be
able to authenticate them and NOT receive 401 Unauthorized error message
from Kamailio.
My question now might be simple but it is a point of confusion to me and it
is how to tell Kamailio about the SIP users in the Asterisk DB?!
Best Regards,
On Sun, Nov 16, 2014 at 3:01 PM, Muhammad Shahzad <shaheryarkh(a)gmail.com
wrote:
This seems to be fine. The user MUST authenticate to Kamailio, only
then Kamailio will create REGISTER request that is sent to asterisk. That's
the key security feature behind the idea.
Look at the register architecture diagram,
http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb…
Thank you.
On Sat, Nov 15, 2014 at 10:31 PM, Mahmoud Ramadan Ali <
cisco.and.more.blog(a)gmail.com> wrote:
> Hi Dears,
> I'm trying to configure Kamailio as SBC in multi home mode for
> Asterisk by authenticating the inbound SIP registration requests, I'm
> following this tutorial
> http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb
> to achieve this goal. I have modified the necessary changes like the
> Asterisk DB URL and the SIP table name and Username and password column and
> verified the connection.
>
> My topology is like this: *Asterisk (192.168.100.10)
> <----Internal:192.168.100.1---->Kamailio<---External:192.168.50.1----->
> SIP Phone (192.168.50.2)*
> But when trying to register a SIP phone Kamailio does NOT forward the
> authentication request to Asterisk and sends 401 Unauthorized error
> message. I've attached my config file if anyone wants to check it and
> thanks in advance.
> Best Regards
>
>
> U 192.168.50.2:37297 -> 192.168.50.1:5060
> REGISTER sip:192.168.50.1;transport=UDP SIP/2.0.
> Via: SIP/2.0/UDP 192.168.50.2:37297
> ;branch=z9hG4bK-d8754z-a46e0c7c9d98fe52-1---d8754z-;rport;transport=UDP.
> Max-Forwards: 70.
> Contact: <sip:1001@192.168.50.2:37297
> ;rinstance=1d7c44dbcb8a7a2f;transport=UDP>.
> To: <sip:1001@192.168.50.1;transport=UDP>.
> From: <sip:1001@192.168.50.1;transport=UDP>;tag=1d222e19.
> Call-ID: NTc2NDBjMGQ2YWFmZjdmNWI0MzVmN2Y4NzYyODJlMTc..
> CSeq: 2 REGISTER.
> Expires: 70.
> Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS,
> INFO, SUBSCRIBE.
> Supported: replaces, norefersub, extended-refer, timer,
> X-cisco-serviceuri.
> User-Agent: Z 3.2.21357 r21367.
> Authorization: Digest
>
username="1001",realm="192.168.50.1",nonce="VGfAuFRnv4wMvoTG7wA9tqYD9fgZDe3D",uri="sip:192.168.50.1;transport=UDP",response="8bbd01d879250585eafee4f510689f73",algorithm=MD5.
> Allow-Events: presence, kpml.
> Content-Length: 0.
> #
> U 192.168.50.1:5060 -> 192.168.50.2:37297
> SIP/2.0 401 Unauthorized.
> Via: SIP/2.0/UDP 192.168.50.2:37297
> ;branch=z9hG4bK-d8754z-a46e0c7c9d98fe52-1---d8754z-;rport=37297;transport=UDP.
> To: <sip:1001@192.168.50.1
> ;transport=UDP>;tag=b27e1a1d33761e85846fc98f5f3a7e58.fe8b.
> From: <sip:1001@192.168.50.1;transport=UDP>;tag=1d222e19.
> Call-ID: NTc2NDBjMGQ2YWFmZjdmNWI0MzVmN2Y4NzYyODJlMTc..
> CSeq: 2 REGISTER.
> WWW-Authenticate: Digest realm="192.168.50.1",
> nonce="VGfAuFRnv4wMvoTG7wA9tqYD9fgZDe3D".
> Server: kamailio (4.1.6 (i386/linux)).
> Content-Length: 0.
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users(a)lists.sip-router.org
>
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
>