Dear all,
I have a Kamailio running version 5.0.8, and for a few weeks we have had an issue with different users connected over TCP or TLS: sometimes authorizations, e.g. for REGISTER, are rejected, and after a while (it can be a few minutes or hours) it works again, and of course no change was made to the password...
We see this issue with different devices, snom swyx, ..., and on UDP we have no issue.
I can see that when the REGISTER is rejected it's with the error -2, so wrong password...
    # Authentication route
    route[AUTH] {
        if (is_method("REGISTER")) {
            # authenticate requests
            if (!auth_check("$fd", "subscriber", "1")) {
                switch($retcode) {
                    case -1:
                        sl_send_reply("503","Service not available");
                        exit;
                    case -2:
                        xlog("L_WARN", "auth error -2 username $au - src ip: $si \n");
                        auth_challenge("$fd", "0");
                        exit;
                }
            }
        }
    }
I have attached an example of a trace where we can see a first REGISTER accepted, and less than 2 minutes later a new one is rejected (in between there is a REGISTER without any Authorization header).
Any idea?
BR
Laurent
Wireshark was missing.
From: Laurent Schweizer
Sent: Monday, 26 August 2019 10:25
To: 'Kamailio (SER) - Users Mailing List' sr-users@lists.kamailio.org
Subject: Kamailio 5.0.8 | authentification issue only with TCP/TLS
Hello,
I tried to get some logs; I only see that the password seems wrong, but it was not changed and the registration of this user was OK just before ☹
Any idea how to debug this?
Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:288]: auth_check_response(): check_response: Our result = 'bc946bb4ea732eb35d11d0970631c6f8'
Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:298]: auth_check_response(): check_response: Authorization failed
Aug 29 10:21:38 de5029 kamailio[22615]: WARNING: <script>: auth error -2 username 90707011537 - src ip: 93.229.221.67
Aug 29 10:21:38 de5029 kamailio[22615]: ERROR: debugger [debugger_mod.c:581]: w_dbg_sip_msg(): CONFIG LINE 871
------------------------- START OF SIP message debug --------------------------
REGISTER sip:pbxs.peoplefone.de:5060 SIP/2.0^M
Via: SIP/2.0/TCP 192.168.2.113:5060;branch=z9hG4bK2816544140^M
From: "11 - Juergen Worm" sip:90707011537@pbxs.peoplefone.de:5060;tag=4042485072^M
To: "11 - Juergen Worm" sip:90707011537@pbxs.peoplefone.de:5060^M
Call-ID: 0_228669251@192.168.2.113^M
CSeq: 3 REGISTER^M
Contact: sip:90707011537@192.168.2.113:5060;transport=TCP^M
Authorization: Digest username="90707011537", realm="pbxs.peoplefone.de", nonce="XWeigl1nixKoIygitcq45XMNGX2z9hwn", uri="sip:pbxs.peoplefone.de:5060", response="a539b29d47142356b40754f30e0dc6cd", algorithm=MD5^M
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE^M
Max-Forwards: 69^M
User-Agent: Yealink SIP-T42S 66.82.0.30^M
Expires: 300^M
Allow-Events: talk,hold,conference,refer,check-sync^M
Content-Length: 0^M
^M
------------------------------ SIP header diffs -------------------------------
------------------------------- SIP body diffs --------------------------------
-------------------------- END OF SIP message debug ---------------------------
Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [challenge.c:165]: get_challenge_hf(): realm='pbxs.peoplefone.de'
Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [challenge.c:275]: get_challenge_hf(): auth: 'WWW-Authenticate: Digest realm="pbxs.peoplefone.de", nonce="XWeigl1nixKoIygitcq45XMNGX2z9hwn"^M
From: sr-users sr-users-bounces@lists.kamailio.org On Behalf Of Laurent Schweizer
Sent: Monday, 26 August 2019 14:04
To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org
Subject: Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS
Hello Laurent,
(you might want to anonymize your msg dumps a bit on this public list)
You probably already did these steps, but nevertheless some debugging ideas:
- capture a longer network trace and compare the network data of a working case against a non-working case
- try to find a pattern (e.g. does it happen at a certain time, only for certain users or devices)
- have a look at the network interface statistics on the server and router/firewall to see if maybe some corruption is caused by an interface
- have a look at other network services that are using the same network infrastructure to see if they are also affected
Cheers,
Henning
On 29.08.19 at 10:58, Laurent Schweizer wrote:
Hello,
-- Henning Westerholt - https://skalatan.de/blog/ Kamailio services - https://skalatan.de/services
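One way to do the working-versus-failing comparison suggested in the thread, as an added example that is not part of the original messages or of Kamailio: recompute the RFC 2617 digest from a logged Authorization header and the password you believe is provisioned, then compare it with the client's `response` and with the `Our result` value from the auth debug log. The function names, the SIP sample values and its password are constructed for illustration; the other sample is the published RFC 2617 one.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(value):
    """Parse an Authorization header value: Digest k="v", k2=v2, ..."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def expected_response(p, method, password):
    """RFC 2617 response for algorithm=MD5, without qop or with qop=auth."""
    if p.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled")
    ha1 = md5_hex(f"{p['username']}:{p['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{p['uri']}")
    if p.get("qop") == "auth":
        return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    return md5_hex(f"{ha1}:{p['nonce']}:{ha2}")

def diagnose(value, method, password, server_result=None):
    """Report which side disagrees with the password we believe is provisioned."""
    p = parse_digest(value)
    ours = expected_response(p, method, password)
    if p.get("response", "").lower() != ours:
        # device hashed a different password/realm/uri, or the header changed in transit
        return "client-mismatch"
    if server_result and server_result.lower() != ours:
        # client is right: check the credentials and realm the server loaded
        return "server-mismatch"
    return "match"

# Published RFC 2617 section 3.5 sample (qop=auth); its password is "Circle Of Life".
RFC_SAMPLE = ('Digest username="Mufasa", realm="testrealm@host.com", '
              'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
              'qop=auth, nc=00000001, cnonce="0a4f113b", '
              'response="6629fae49393a05397450978507c4ef1"')

def build_register_auth(user, realm, nonce, uri, password):
    """Constructed SIP credential without qop, shaped like the one in the log."""
    p = {"username": user, "realm": realm, "nonce": nonce, "uri": uri}
    p["response"] = expected_response(p, "REGISTER", password)
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in p.items()) + ", algorithm=MD5"

if __name__ == "__main__":
    print(diagnose(RFC_SAMPLE, "GET", "Circle Of Life"))
    hdr = build_register_auth("alice", "sip.example.org", "constructed-nonce",
                              "sip:sip.example.org:5060", "s3cret")
    print(diagnose(hdr, "REGISTER", "s3cret", server_result="0" * 32))
```

Run against one accepted and one rejected REGISTER from the same device, the result shows whether the device sent a different hash or the server computed one.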