Rx Interface connected, get error code: SIP/2.0 403 Forbidden - You must register first with a S-CSCF
Hi,
I have installed Kamailio version 4.4.1. Everything works just fine. If I connect a PCRF via Rx to the P-CSCF, the registration still runs through as expected but the subsequent SUBSCRIBE is rejected with "403 Forbidden - You must register first with a S-CSCF" error cause or is simply ignored (see attached wireshark traces).
And, if I disconnect Rx and restart the P-CSCF, the "forbidden" problem still persists. (But I can work around this by cleaning up the P-CSCF database.)
Any suggestions how I could get Rx working?
Thanks, Kristian
Dear Kristian,
Just take a look at the value you have at "Auth Lifetime" or "Session Timeout" AVPs on AAR request from P-CSCF through PCRF. Those are (afaik) Base Diameter AVPs. Those values are referring to a timeout to cleanup the diameter session. It seems like, when this timer will expire, the session will be cleaned up together with the infos in usrloc. This way, P-CSCF receives a packet from an UE which is basically unknown, so the request will be dropped and an error will be sent out. So, in theory, this value should be much more than the re-registration of the client itself. Anyway, i am only guessing because i haven't still completely addressed the problem
Best,
Federico Favaro
On 07/14/2016 06:14 PM, Kristian Martens wrote:
Hi,
I have installed Kamailio version 4.4.1. Everything works just fine. If I connect a PCRF via Rx to the P-CSCF, the registration still runs through as expected but the subsequent SUBSCRIBE is rejected with "403 Forbidden - You must register first with a S-CSCF" error cause or is simply ignored (see attached wireshark traces).
And, if I disconnect Rx and restart the P-CSCF, the "forbidden" problem still persists. (But I can work around this by cleaning up the P-CSCF database.)
Any suggestions how I could get Rx working?
Thanks, Kristian
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Hi Kristian,
I will look into your pcaps this weekend. One point to look out for in the meantime.
Make sure that the "contact" can be found for the subscribe. The 403 is issued because we cannot find a contact based on the SUBSCRIBE message. depending on your cfg, usrloc will try to use contact header, via and/or received IPs and ports to locate your contact. This is a 'workaround' in the absence of ipsec which uniquely identifies each UE connection.
Can you also, please send your cfg file as well as the log file when you get the 403.
Cheers Jason
On Fri, Jul 15, 2016 at 2:07 PM, Federico Favaro < federico.favaro@athonet.com> wrote:
Dear Kristian,
Just take a look at the value you have at "Auth Lifetime" or "Session Timeout" AVPs on AAR request from P-CSCF through PCRF. Those are (afaik) Base Diameter AVPs. Those values are referring to a timeout to cleanup the diameter session. It seems like, when this timer will expire, the session will be cleaned up together with the infos in usrloc. This way, P-CSCF receives a packet from an UE which is basically unknown, so the request will be dropped and an error will be sent out. So, in theory, this value should be much more than the re-registration of the client itself. Anyway, i am only guessing because i haven't still completely addressed the problem
Best,
Federico Favaro
On 07/14/2016 06:14 PM, Kristian Martens wrote:
Hi,
I have installed Kamailio version 4.4.1. Everything works just fine. If I connect a PCRF via Rx to the P-CSCF, the registration still runs through as expected but the subsequent SUBSCRIBE is rejected with "403 Forbidden - You must register first with a S-CSCF" error cause or is simply ignored (see attached wireshark traces).
And, if I disconnect Rx and restart the P-CSCF, the "forbidden" problem still persists. (But I can work around this by cleaning up the P-CSCF database.)
Any suggestions how I could get Rx working?
Thanks, Kristian
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing listsr-users@lists.sip-router.orghttp://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
-- Federico Favaro R&D Department Athonet s.r.lfederico.favaro@athonet.com
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
All,
thank you for the prompt response. Attached you can find the current configuration files. SUBSCRIBE works fine, if Rx isn't connected.
Best Regards, Kristian
All,
thank you for the prompt response. Attached you can find the current configuration files. SUBSCRIBE works fine, if Rx isn't connected. "Auth Lifetime" or "Session Timeout" are set to 7200 in AAR - should be OK in my opinion.
Best Regards, Kristian
Thanks Krisitan,
Was last request ;) -- can you please send your log file with debug enabled during the SUBSCRIBE. If you are concerned about sensitive info, you can send to me privately.
Cheers Jason
On Mon, Jul 18, 2016 at 3:21 PM, Kristian Martens < kristian.martens@freenet.de> wrote:
All,
thank you for the prompt response. Attached you can find the current configuration files. SUBSCRIBE works fine, if Rx isn't connected. "Auth Lifetime" or "Session Timeout" are set to 7200 in AAR - should be OK in my opinion.
Best Regards, Kristian
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
All,
thank you for the prompt response. Attached you can find the current configuration files. SUBSCRIBE works fine, if Rx isn't connected. "Auth Lifetime" or "Session Timeout" are set to 7200 in AAR - should be OK in my opinion.
Unfortunately archives are blocked by the server so I attached the config files separately.
Best Regards, Kristian
All,
forgot to append the log-file output.
Regards, Kristian
Jul 18 10:39:27 ng40kvm-openims scscf/scscf[3839]: INFO: ims_auth [cxdx_mar.c:81]: create_return_code(): created AVP successfully : [maa_return_code] - [1] Jul 18 10:39:27 ng40kvm-openims pcscf/pcscf[3887]: ERROR: <script>: REGISTER (sip:bob@open-ims.test (104.0.0.5:5090) to sip:bob@open-ims.test, RgeX-146883116784465@104.0.0.5) Jul 18 10:39:27 ng40kvm-openims scscf/scscf[3584]: INFO: ims_auth [authorize.c:841]: authenticate(): uri=sip:open-ims.test nonce=a6e9166c4760c1133aba2a658a2860af response=6d243815c638a86f98a769157b427dc9 qop=auth,auth-int nc=00000001 cnonce=A3A22E6C hbody= Jul 18 10:39:27 ng40kvm-openims scscf/scscf[3584]: INFO: ims_auth [authorize.c:893]: authenticate(): UE said: 6d243815c638a86f98a769157b427dc9 and we expect 6d243815c638a86f98a769157b427dc9 ha1 b0342795e048d7e9f4e2432285776dd3 (REGISTER) Jul 18 10:39:27 ng40kvm-openims scscf/scscf[3584]: INFO: ims_registrar_scscf [cxdx_sar.c:84]: create_return_code(): created AVP successfully : [saa_return_code] - [-2] Jul 18 10:39:27 ng40kvm-openims scscf/scscf[3840]: INFO: ims_registrar_scscf [cxdx_avp.c:138]: cxdx_get_avp(): cxdx_get_experimental_result_code: Failed finding avp Jul 18 10:39:28 ng40kvm-openims scscf/scscf[3840]: INFO: ims_registrar_scscf [cxdx_sar.c:84]: create_return_code(): created AVP successfully : [saa_return_code] - [1] Jul 18 10:39:28 ng40kvm-openims scscf/scscf[3861]: ERROR: tm [ut.h:296]: uri2dst2(): ERROR: uri2dst: failed to resolve "192.168.177.100" :ip AF mismatch (-11) Jul 18 10:39:28 ng40kvm-openims scscf/scscf[3861]: ERROR: tm [uac.c:262]: t_uac_prepare(): t_uac: no socket found Jul 18 10:39:28 ng40kvm-openims pcscf/pcscf[3893]: ERROR: <script>: SUBSCRIBE (sip:bob@open-ims.test (104.0.0.5:5090) to sip:bob@open-ims.test, Ssbs-146883116827792@104.0.0.5) Jul 18 10:39:30 ng40kvm-openims pcscf/pcscf[3900]: ERROR: <script>: SUBSCRIBE (sip:bob@open-ims.test (104.0.0.5:5090) to sip:bob@open-ims.test, Ssbs-146883116827792@104.0.0.5) Jul 18 10:39:32 ng40kvm-openims pcscf/pcscf[3889]: ERROR: <script>: SUBSCRIBE (sip:bob@open-ims.test (104.0.0.5:5090) to sip:bob@open-ims.test, Ssbs-146883116827792@104.0.0.5) Jul 18 10:39:36 ng40kvm-openims pcscf/pcscf[3897]: ERROR: <script>: SUBSCRIBE (sip:bob@open-ims.test (104.0.0.5:5090) to sip:bob@open-ims.test, Ssbs-146883116827792@104.0.0.5) Jul 18 10:39:42 ng40kvm-openims pcscf/pcscf[3874]: ERROR: <script>: SUBSCRIBE (sip:bob@open-ims.test (104.0.0.5:5090) to sip:bob@open-ims.test, Ssbs-146883116827792@104.0.0.5) Jul 18 10:40:31 ng40kvm-openims pcscf/pcscf[3953]: ERROR: cdp [receiver.c:981]: peer_send_msg(): peer_send_msg(): Peer pcrf.open-ims.test has no attached send pipe Jul 18 10:41:01 ng40kvm-openims pcscf/pcscf[3953]: WARNING: cdp [peermanager.c:310]: peer_timer(): Inactivity on peer [pcrf.open-ims.test] and no DWA, Closing peer...
-
Federico Favaro -
Jason Penton -
Kristian Martens