Summary: | ASTERISK-09395: check_auth fails with 'username mismatch' when using multiple registrations to same host | ||
Reporter: | Christoph Stadlmann (cstadlmann) | Labels: | |
Date Opened: | 2007-05-07 11:08:29 | Date Closed: | 2011-06-07 14:03:06 |
Priority: | Major | Regression? | No |
Status: | Closed/Complete | Components: | Core/General |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ||
Description: | I have multiple accounts with my provider with different username and resulting phone number. sip.conf: [general] register=v205722aa:xxxxx:v205722aa@voip.mywave.at/v205722aa register=v205722ab:xxxxx:v205722ab@voip.mywave.at/v205722ab register=v205722ac:xxxxx:v205722ac@voip.mywave.at/v205722ac [v205722aa] username=v205722aa fromuser=v205722aa authname=v205722aa type=peer secret=xxxxx qualify=yes nat=yes language=de ;insecure=port,invite host=voip.mywave.at disallow=all allow=ulaw context=trunk-v205722aa canreinvite=no [v205722ab] username=v205722ab fromuser=v205722ab authname=v205722ab type=peer secret=xxxxx qualify=yes nat=yes language=de ;insecure=port,invite host=voip.mywave.at disallow=all allow=ulaw context=trunk-v205722ab canreinvite=no [v205722ac] username=v205722ac fromuser=v205722ac authname=v205722ac type=peer secret=xxxxx qualify=yes nat=yes language=de ;insecure=port,invite host=voip.mywave.at disallow=all allow=ulaw context=trunk-v205722ac canreinvite=no Outgoing Calls no problem, but incoming calls only with first account. If I get a call to the second peer, the following happens: <--- SIP read from 85.193.128.15:5060 ---> INVITE sip:83.65.56.171 SIP/2.0 Via: SIP/2.0/UDP 85.193.128.15:5060;branch=z9hG4bK606e012c;rport From: "0720440931017" <sip:0720440931017@85.193.128.15>;tag=as2dc901b6 To: <sip:83.65.56.171> Contact: <sip:0720440931017@85.193.128.15> Call-ID: 7bb0b84371131e974ea374eb7c489fae@85.193.128.15 CSeq: 103 INVITE User-Agent: mywave VoIP Gateway Max-Forwards: 70 Proxy-Authorization: Digest username="v205722ab", realm="asterisk", algorithm=MD5, uri="sip:83.65.56.171", nonce="58d62e22", response="de5d30a54b2d4c3695b5959b14c0acbc", opaque="" Date: Mon, 07 May 2007 14:49:00 GMT Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Supported: replaces Content-Type: application/sdp Content-Length: 242 v=0 o=root 13547 13548 IN IP4 85.193.128.15 s=session c=IN IP4 85.193.128.15 t=0 0 m=audio 10346 RTP/AVP 0 101 a=rtpmap:0 PCMU/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-16 a=silenceSupp:off - - - - a=ptime:20 a=sendrecv <-------------> --- (15 headers 12 lines) --- Sending to 85.193.128.15 : 5060 (NAT) Using INVITE request as basis request - 7bb0b84371131e974ea374eb7c489fae@85.193.128.15 Found peer 'v205722aa' [May 7 16:49:01] WARNING[21698]: chan_sip.c:8126 check_auth: username mismatch, have <v205722aa>, digest has <v205722ab> [May 7 16:49:01] NOTICE[21698]: chan_sip.c:13379 handle_request_invite: Failed to authenticate user "0720440931017" <sip:0720440931017@85.193.128.15>;tag=as2dc901b6 asteriskdev*CLI> <--- Reliably Transmitting (NAT) to 85.193.128.15:5060 ---> SIP/2.0 403 Forbidden Via: SIP/2.0/UDP 85.193.128.15:5060;branch=z9hG4bK606e012c;received=85.193.128.15;rport=5060 From: "0720440931017" <sip:0720440931017@85.193.128.15>;tag=as2dc901b6 To: <sip:83.65.56.171>;tag=as2691c9e1 Call-ID: 7bb0b84371131e974ea374eb7c489fae@85.193.128.15 CSeq: 103 INVITE User-Agent: VoiceOne Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Supported: replaces Content-Length: 0 As you can see, Asterisk always tries to match against first matching peer. Also, because this is a DID account, invites always come in in the form: To: <sip:83.65.56.171> To: <sip:444@83.65.56.171> I tried everything to get this running, nothing helped. So please assist in configuring multiple registrations to the same host, maybe it's a bug in the authentication procedure in chan_sip.c. | ||
Comments: | By: Christoph Stadlmann (cstadlmann) 2007-05-08 08:31:32 Additional Info: If I could set a unique port for each registration and peer it would solve the issue, I guess. I could then set 'insecure=port,invite' in sip.conf. This would be the manner how SIP phones or ATA boxes with multiple lines cope with that issue. By: Olle Johansson (oej) 2007-05-09 08:39:38 THis is well known. There is a lot of available documentation out there. Basically: We only match the first peer on the incoming call, which is the last peer in the sip.conf file. Yes, I know it is awkward, but it is the way it works now. By: Olle Johansson (oej) 2007-05-09 08:40:15 For further questions, please use asterisk-users mailing list or the IRC channels. Thank you. |