[SR-Users] Kamailio Does NOT Forward Registration Requests To Asterisk.
Muhammad Shahzad
shaheryarkh at gmail.com
Tue Nov 18 14:26:42 CET 2014
OK, there are two parts of the setup.
1. SIP user registers on Kamailio.
2. Kamailio registers on Asterisk (using SIP user credentials).
As long as part 1 is not done, part 2 will not work. So lets break down the
problem, first just forget part 2 and try to register SIP user on kamailio.
Why it fails? There may be many reason, e.g.
a). bad username,
b). bad password,
c). bad realm,
d). expired or stale nonce
and so on..
The easiest way to identify what is causing this failure is edit your
config, go to route[AUTH] block and in inside IF block of auth_check print
the value of $retcode variable using xlog. After save, exit (config file),
restart kamailio and attempt to register again, look at kamailio logs in
syslog facility local0 (/var/log/syslog in debian / ubuntu or
/var/log/message in centos / redhat). If the value of $retcode variable is
printed, then compare it with this list of error codes,
http://kamailio.org/docs/modules/4.2.x/modules/auth_db.html#idp89440
This should tell you what is wrong where? Fix that and only after that you
need to worry about asterisk side.
Thank you.
On Tue, Nov 18, 2014 at 3:20 AM, Mahmoud Ramadan Ali <
cisco.and.more.blog at gmail.com> wrote:
> Hi Mohamed,
> Thank you for your interest in helping me,I've configured the the auth_db
> module with the Asterisk DB URL and the SIP username and password table
> name and verified the MYSQL remote connection from Kamailio to the Asterisk
> DB and get connected as predicted.
>
> I tried to register a phone after applying the changes and Kamailio
> forwarded the register request to Asterisk only once and without successful
> authentication ! now i didn't change anything in the configuration file and
> can NOT get any registration requests forwarded from Kamailio to Asterisk
> and get only events on Kamailio that it can NOT register the incoming
> registration request like this.
>
> root at debian:/usr/local/etc/kamailio# ngrep -W byline -d eth1 port 5060
> U 192.168.50.2:50886 -> 192.168.50.1:5060
> REGISTER sip:192.168.50.1 SIP/2.0.
> Via: SIP/2.0/UDP 192.168.50.2:50886
> ;branch=z9hG4bK-d8754z-cb65023b979d0a36-1---d8754z-;rport.
> Max-Forwards: 70.
> Contact: <sip:1001 at 192.168.50.2:50886;rinstance=8000799665fa4b54>.
> To: "Mahmoud Ramadan Ali"<sip:1001 at 192.168.50.1>.
> From: "Mahmoud Ramadan Ali"<sip:1001 at 192.168.50.1>;tag=9f381b5f.
> Call-ID: MzcxNzYwMmUyN2E0M2FkMWRmOTI0ZjNkMjJmNWNhYTc.
> CSeq: 2 REGISTER.
> Expires: 3600.
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> SUBSCRIBE, INFO.
> User-Agent: X-Lite 4.7.1 74247--W6.1.
> Authorization: Digest
> username="1001",realm="192.168.50.1",nonce="VGqbxVRqmpngschsiE6AuMiOfCS/MIp7",uri="sip:192.168.50.1",response="1788f6b9cfc322b863a93c91f3b623dc",algorithm=MD5.
> Content-Length: 0.
> #
> U 192.168.50.1:5060 -> 192.168.50.2:50886
> SIP/2.0 401 Unauthorized.
> Via: SIP/2.0/UDP 192.168.50.2:50886
> ;branch=z9hG4bK-d8754z-cb65023b979d0a36-1---d8754z-;rport=50886.
> To: "Mahmoud Ramadan Ali"<sip:1001 at 192.168.50.1
> >;tag=b27e1a1d33761e85846fc98f5f3a7e58.0bcb.
> From: "Mahmoud Ramadan Ali"<sip:1001 at 192.168.50.1>;tag=9f381b5f.
> Call-ID: MzcxNzYwMmUyN2E0M2FkMWRmOTI0ZjNkMjJmNWNhYTc.
> CSeq: 2 REGISTER.
> WWW-Authenticate: Digest realm="192.168.50.1",
> nonce="VGqbxVRqmpngschsiE6AuMiOfCS/MIp7".
> Server: kamailio (4.1.6 (i386/linux)).
> Content-Length: 0.
>
> But when using the Ngrep command on Asterisk to capture traffic on port
> 5050 or even 5060 i get no thing ! other troubleshooting steps i followed
> including :
> 1.Verfiying the Mysql connection from Kamailio and the account tabe name
> and SIP username / password column.
>
> root at debian:/usr/local/etc/kamailio# mysql -u sipuser -h 192.168.100.10 -p
> Enter password:
> Welcome to the MySQL monitor. Commands end with ; or \g.
> Your MySQL connection id is 149
> Server version: 5.1.73 Source distribution
>
> Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights
> reserved.
>
> Oracle is a registered trademark of Oracle Corporation and/or its
> affiliates. Other names may be trademarks of their respective
> owners.
>
> Type 'help;' or '\h' for help. Type '\c' to clear the current input
> statement.
>
> mysql> use asterisk;
> Reading table information for completion of table and column names
> You can turn off this feature to get a quicker startup with -A
>
> Database changed
> mysql> SELECT * FROM sip;
> +------+------------------+---------------------------------+-------+
> | id | keyword | data | flags |
> +------+------------------+---------------------------------+-------+
> | 1001 | pickupgroup | | 22 |
> | 1001 | callgroup | | 21 |
> | 1001 | encryption | no | 20 |
> | 1001 | icesupport | no | 19 |
> | 1001 | force_avp | no | 18 |
> | 1001 | avpf | no | 17 |
> | 1001 | transport | udp,tcp,tls | 16 |
> | 1001 | qualifyfreq | 60 | 15 |
> | 1001 | qualify | yes | 14 |
> | 1001 | port | 5050 | 13 |
> | 1001 | nat | no | 12 |
> | 1001 | type | friend | 11 |
> | 1001 | sendrpid | no | 10 |
> | 1001 | trustrpid | yes | 9 |
> | 1001 | host | dynamic | 8 |
> | 1001 | context | from-internal | 7 |
> | 1001 | canreinvite | no | 6 |
> | 1001 | dtmfmode | rfc2833 | 5 |
> | 1001 | secret | 1001secret | 4 |
> | 1001 | secret_origional | 1001secret | 3 |
> | 1001 | sipdriver | chan_sip | 2 |
> | 1001 | dial | SIP/1001 | 25 |
> | 1002 | pickupgroup | | 22 |
> | 1002 | callgroup | | 21 |
> | 1002 | encryption | no | 20 |
> | 1002 | icesupport | no | 19 |
> | 1002 | force_avp | no | 18 |
> | 1002 | avpf | no | 17 |
> | 1002 | transport | udp,tcp,tls | 16 |
> | 1002 | qualifyfreq | 60 | 15 |
> | 1002 | qualify | yes | 14 |
> | 1002 | port | 5060 | 13 |
> | 1002 | nat | no | 12 |
> | 1002 | type | friend | 11 |
> | 1002 | sendrpid | no | 10 |
> | 1002 | trustrpid | yes | 9 |
> | 1002 | host | dynamic | 8 |
> | 1002 | context | from-internal | 7 |
> | 1002 | canreinvite | no | 6 |
> | 1002 | dtmfmode | rfc2833 | 5 |
> | 1002 | secret | 1002secret | 4 |
> | 1002 | secret_origional | 1002secret | 3 |
> | 1002 | sipdriver | chan_sip | 2 |
> | 1002 | dial | SIP/1002 | 25 |
> | 1002 | disallow | | 23 |
> | 1002 | allow | | 24 |
> | 1002 | accountcode | | 26 |
> | 1002 | mailbox | 1002 at device | 27 |
> | 1002 | deny | 0.0.0.0/0.0.0.0 | 28 |
> | 1002 | permit | 0.0.0.0/0.0.0.0 | 29 |
> | 1002 | account | 1002 | 30 |
> | 1002 | callerid | Ahmed Ramadan's Device <1002> | 31 |
> | 1001 | disallow | | 23 |
> | 1001 | allow | | 24 |
> | 1001 | accountcode | | 26 |
> | 1001 | mailbox | 1001 at device | 27 |
> | 1001 | deny | 0.0.0.0/0.0.0.0 | 28 |
> | 1001 | permit | 0.0.0.0/0.0.0.0 | 29 |
> | 1001 | account | 1001 | 30 |
> | 1001 | callerid | Mahmoud Ramadan's Device <1001> | 31 |
> +------+------------------+---------------------------------+-------+
> 60 rows in set (0.00 sec)
>
> 2.Verifying that Asterisk can listen at 5050 which is the same Asterisk
> port configured on Kamailio.
>
> [root at Asterisk VM 01 ~]# asterisk -r
> Asterisk 11.13.1, Copyright (C) 1999 - 2013 Digium, Inc. and others.
> Created by Mark Spencer <markster at digium.com>
> Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for
> details.
> This is free software, with components licensed under the GNU General
> Public
> License version 2 and other licenses; you are welcome to redistribute it
> under
> certain conditions. Type 'core show license' for details.
> =========================================================================
> Connected to Asterisk 11.13.1 currently running on Asterisk VM 01 (pid =
> 2456)
> Asterisk VM 01*CLI> sip show settings
>
>
> Global Settings:
> ----------------
> UDP Bindaddress: 0.0.0.0:5050
>
> I know it is a long message but i wanted to give you all the INFO you
> might need also I've attached my configuration file so you can check
> it.Thank you Mohamed for your assistance.
>
> On Sun, Nov 16, 2014 at 8:25 PM, Muhammad Shahzad <shaheryarkh at gmail.com>
> wrote:
>
>> Because both kamailio and asterisk use the same db table for
>> authentication, see the auth_db module parameters in kamailio config.
>>
>> The REGISTER request from sip user is authenticated by kamailio using
>> auth_db module and upon success kamailio generates REGISTER request back to
>> asterisk (using the credentials sent by sip user for authentication with
>> kamailio), this request is now authenticated by asterisk using realtime sip
>> users interface.
>>
>> Thank you.
>>
>>
>>
>> On Sun, Nov 16, 2014 at 2:53 PM, Mahmoud Ramadan Ali <
>> cisco.and.more.blog at gmail.com> wrote:
>>
>>> Hi Muhammad,
>>> If the users MUST authenticate to Kamailio first,This means that
>>> Kamailio should be aware of the SIP users exist in the Asterisk DB to be
>>> able to authenticate them and NOT receive 401 Unauthorized error message
>>> from Kamailio.
>>> My question now might be simple but it a point of confusion to me and it
>>> is how to tell Kamailio about the SIP users in the Asterisk DB ?!
>>>
>>> Best Regards,
>>>
>>>
>>> On Sun, Nov 16, 2014 at 3:01 PM, Muhammad Shahzad <shaheryarkh at gmail.com
>>> > wrote:
>>>
>>>> This seems to be fine. The user MUST authenticate to Kamailio, only
>>>> then Kamailio will create REGISTER request that is send to asterisk. That's
>>>> the key security feature behind the idea.
>>>>
>>>> Look at the register architecture diagram,
>>>>
>>>>
>>>> http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb#registration
>>>>
>>>> Thank you.
>>>>
>>>>
>>>>
>>>> On Sat, Nov 15, 2014 at 10:31 PM, Mahmoud Ramadan Ali <
>>>> cisco.and.more.blog at gmail.com> wrote:
>>>>
>>>>> Hi Dears,
>>>>> I'm trying to configure Kamailio as SBC in multi home mode for
>>>>> Asterisk by authenticating the inbound SIP registration requests,i'm
>>>>> following this tutorial
>>>>> http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb
>>>>> to achieve this goal. i have modified the necessary changes like the
>>>>> Asterisk DB URL and the SIP table name and Username and password column and
>>>>> verified the connection.
>>>>>
>>>>> My topology like this *Asterisk (192.168.100.10)
>>>>> <----Internal:192.168.100.1---->Kamailio<---External:192.168.50.1-----> SIP
>>>>> Phone (192.168.50.2)*
>>>>> But when trying to register a SIP phone Kamailio does NOT forward the
>>>>> authentication request to Asterisk and sends 401 Unauthorized error
>>>>> message.I've attached my config file if any one wants to check it and
>>>>> thanks in advance.
>>>>> Best Regards
>>>>>
>>>>>
>>>>> U 192.168.50.2:37297 -> 192.168.50.1:5060
>>>>> REGISTER sip:192.168.50.1;transport=UDP SIP/2.0.
>>>>> Via: SIP/2.0/UDP 192.168.50.2:37297
>>>>> ;branch=z9hG4bK-d8754z-a46e0c7c9d98fe52-1---d8754z-;rport;transport=UDP.
>>>>> Max-Forwards: 70.
>>>>> Contact: <sip:1001 at 192.168.50.2:37297
>>>>> ;rinstance=1d7c44dbcb8a7a2f;transport=UDP>.
>>>>> To: <sip:1001 at 192.168.50.1;transport=UDP>.
>>>>> From: <sip:1001 at 192.168.50.1;transport=UDP>;tag=1d222e19.
>>>>> Call-ID: NTc2NDBjMGQ2YWFmZjdmNWI0MzVmN2Y4NzYyODJlMTc..
>>>>> CSeq: 2 REGISTER.
>>>>> Expires: 70.
>>>>> Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS,
>>>>> INFO, SUBSCRIBE.
>>>>> Supported: replaces, norefersub, extended-refer, timer,
>>>>> X-cisco-serviceuri.
>>>>> User-Agent: Z 3.2.21357 r21367.
>>>>> Authorization: Digest
>>>>> username="1001",realm="192.168.50.1",nonce="VGfAuFRnv4wMvoTG7wA9tqYD9fgZDe3D",uri="sip:192.168.50.1;transport=UDP",response="8bbd01d879250585eafee4f510689f73",algorithm=MD5.
>>>>> Allow-Events: presence, kpml.
>>>>> Content-Length: 0.
>>>>> #
>>>>> U 192.168.50.1:5060 -> 192.168.50.2:37297
>>>>> SIP/2.0 401 Unauthorized.
>>>>> Via: SIP/2.0/UDP 192.168.50.2:37297
>>>>> ;branch=z9hG4bK-d8754z-a46e0c7c9d98fe52-1---d8754z-;rport=37297;transport=UDP.
>>>>> To: <sip:1001 at 192.168.50.1
>>>>> ;transport=UDP>;tag=b27e1a1d33761e85846fc98f5f3a7e58.fe8b.
>>>>> From: <sip:1001 at 192.168.50.1;transport=UDP>;tag=1d222e19.
>>>>> Call-ID: NTc2NDBjMGQ2YWFmZjdmNWI0MzVmN2Y4NzYyODJlMTc..
>>>>> CSeq: 2 REGISTER.
>>>>> WWW-Authenticate: Digest realm="192.168.50.1",
>>>>> nonce="VGfAuFRnv4wMvoTG7wA9tqYD9fgZDe3D".
>>>>> Server: kamailio (4.1.6 (i386/linux)).
>>>>> Content-Length: 0.
>>>>>
>>>>> _______________________________________________
>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>>> sr-users at lists.sip-router.org
>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>> sr-users at lists.sip-router.org
>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>
>>>>
>>>
>>> _______________________________________________
>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>> sr-users at lists.sip-router.org
>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>
>>>
>>
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users at lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>
>>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20141118/2e48491c/attachment.html>
More information about the sr-users
mailing list