Summary:ASTERISK-10261: [post 1.4] SIP change at r77616 (rizzo) causes all outbound calls to fail authentication with 403 Forbidden
Reporter:Fred Meyer (mensaiq)Labels:
Date Opened:2007-09-09 15:22:35Date Closed:2007-11-19 12:58:34.000-0600
Versions:Frequency of
Environment:Attachments:( 0) SIPCap
Description:Before r77616, outgoing calls properly send a second INVITE in response to a 401 Unauthorized response to the initial INVITE. Both INVITE headers contain the same IP address in Via:.
After r77616, the second INVITE's Via: header has a real IP address in it, the first contains the internal IP. This difference causes the provider (Broadvoice) to return a 403 Forbidden in response to the second INVITE.


Verified at r82029 by commenting out the call to check_via_response() at line 13555 in chan_sip.c
Comments:By: Olle Johansson (oej) 2007-11-06 01:28:10.000-0600

Please always add a SIP DEBUG output, not a wireshark/ethereal capture (it's in the bug guidelines). SIP DEBUG tells us much more about what's going on inside Asterisk. Thanks.

By: Fred Meyer (mensaiq) 2007-11-10 15:58:28.000-0600

So what part of the file I sent even looks like a wireshark/ethereal capture? This is as much of a DEBUG that Asterisk produces. Captured with SIP SET DEBUG ON and CORE SET DEBUG 99. If you want anything else, I will gladly attach it.

By: Olle Johansson (oej) 2007-11-15 06:16:55.000-0600

Yes, that's a bad patch to have mandatory. Some communication badly enough rely on not sending a public IP/Port, since NAT's may change that. NAT's are very evil.

We need to implement an option for this, so we can set it on a peer/user level.

Sorry, I missed this patch earlier. Thanks for reporting this bug.

By: Olle Johansson (oej) 2007-11-19 12:58:34.000-0600

Ok, temporarily disabled rizzo's new NAT handling code. It does need a configuration option to be enabled again. Also needs more testing.