Cannot register (Registration failed with Forbidden)

wilsonhlacerda
Posts: 11
Joined: Thu Aug 30, 2007 10:02 pm
Location: Sao Paulo - Brazil

Post by wilsonhlacerda » Sun Sep 02, 2007 8:11 am

Hi all,

I have a Brazilian voip provider (http://www.tudomais.com.br) that I cannot have MySipSwitch registered to it.

I can register to this provider with no error these 4 ways:
- with my ATA (Linksys WRTP54G-NA)
- with softphone (Counterpath X-PRO and eyeBeam)
- with www.gtalk2voip.com
- with www.pbxes.com

But unfortunately when trying to register to it with MySipSwitch I get in the monitoring tool: "Registration failed with Forbidden for 10000423 on 200.170.136.196"
Can I (or MySipSwitch administrators) see a more detailed log for this error? What can "forbidden" mean in this situation?

I've set it this way:
Username: 10000423 (my voip user)
Password: (my voip password. I can PM you if needed to test.)
Server: 200.170.136.196 (my voip sip server)
Domain/Realm [optional]: (blank and also tried 200.170.136.196)
Expiry Seconds (60 to 3600): 3600
Contact: 945766@213.200.94.182 (945766 is mysipswitch user)

By the way, I could register other 2 voip providers with no error. The problem is just with the one above.

wilsonhlacerda
Posts: 11
Joined: Thu Aug 30, 2007 10:02 pm
Location: Sao Paulo - Brazil

Post by wilsonhlacerda » Thu Sep 06, 2007 7:37 am

any help? any idea of how to have MySipSwitch registered to this provider?

Aaron
Site Admin
Posts: 4652
Joined: Thu Jul 12, 2007 12:13 am

Post by Aaron » Thu Sep 06, 2007 12:05 pm

Hi,

The Forbidden response is coming back immediately on the first register request and this normally indicates the userid is not recognised. However as you have successfully registered with the same details elsewhere that is probably not the case here.

I've had a look at the register request being sent and it is seemingly correct. When I get a chance I'll play around a bit with some different parts of the register request to see if I can get a 401 response back instead.

Regards,

Aaron

wilsonhlacerda
Posts: 11
Joined: Thu Aug 30, 2007 10:02 pm
Location: Sao Paulo - Brazil

Post by wilsonhlacerda » Thu Sep 06, 2007 8:50 pm

Hi Aaron, thank you! Hope to hear from you soon!

I'm pretty sure that user/pass are ok. I've double checked them.

My current pass has some special character (like @). Can this be the root cause of the problem? Well....at least at the VSP side it is not because I can register to it the other 4 ways like I wrote above.

By the way, in the VSP FAQ they say:
If you have a stateful firewall you should configure 2 access rules:
- SIP signaling: port 5060 TCP/UDP
- RTP audio: ports from 10000 till 30000 UDP
If it is a stateless firewall do the same above and also access rules for inbound network traffic.


If you need any additional info or help please just let me know.

Thanks in advance,
Wilson

wilsonhlacerda
Posts: 11
Joined: Thu Aug 30, 2007 10:02 pm
Location: Sao Paulo - Brazil

Post by wilsonhlacerda » Fri Sep 07, 2007 1:57 am

Hi again Aaron.

As I'm using my account in my ATA now and in order to make it easy for us to debug I've just created a new account in this VSP and configured it in MySipSwitch this way:

Username: 10000579
Password: <pass - this one has only letters>
Server: 200.170.136.196
Domain/Realm [optional]: 200.170.136.196
Expiry Seconds (60 to 3600): 3600
Contact: 945766@213.200.94.182

And now I'm getting in the monitoring tool: "Registration failed for 10000579 on 200.170.136.196."

Just as the other one, this account in eyeBeam can register with no problem.

Thanks,
Wilson

Aaron
Site Admin
Posts: 4652
Joined: Thu Jul 12, 2007 12:13 am

Post by Aaron » Mon Sep 10, 2007 7:22 am

Hi Wilson,

I discovered the main problem with the registrations to the tudomais server and it was down to a bug in the sipswitch SIP stack. A SIP header that starts with a white space should be treated as a continuation of the previous header. The sipswitch SIP stack was written to take account of that but it had been circumvented. It's fixed now.

Another problem though is that the tudomais server is not behaving that well either. I've attached the full trace at the bottom of this post but in a nutshell it's not coping with hostnames in the contact and more critically for the sipswitch it is not preserving the contact parameters which is the only way the sipswitch has of identifying its own contacts. Some examples of what's happening:

Contact sent to tudomais: <sip:user@sip.mysipswitch.com>
Contact recorded by tudomais: <sip:user@0.0.0.0:5060;user=phone>

Contact sent to tudomais: <sip:user@213.200.94.182;switchtag=abcde>
Contact recorded by tudomais: <sip:user@213.200.94.182:5060;user=phone>

The last example is the problem now. If the switchtag parameter is not recorded then the sipswitch will never recognise the contact as registered. The SIP standard does mandate that the contact header parameters should be preserved so the tudomais SIP Registrar is non-conformant to the SIP standard: RFC 3621.

Code:

10 Sep 2007 08:12:35:375
REGISTER sip:200.170.136.196 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.102:9532;branch=z9hG4bK5d10e0f71b7d49b18a05e3e5f8e4a48e
To: <sip:10000579@200.170.136.196>
From: <sip:10000579@200.170.136.196>;tag=7553752500
Call-ID: f4baf8c4fa08430f8921f98a2a0b3814
CSeq: 1 REGISTER
Contact: <sip:945767@213.200.94.182;switchtag=abcdef>
Max-Forwards: 70

10 Sep 2007 08:12:35:844
SIP/2.0 401 Unauthorized
From: <sip:10000579@200.170.136.196>;tag=7553752500
To: <sip:10000579@200.170.136.196>;tag=97bbad3d
CSeq: 1 REGISTER
Call-ID: f4baf8c4fa08430f8921f98a2a0b3814
Via: SIP/2.0/UDP 192.168.1.102:9532;branch=z9hG4bK5d10e0f71b7d49b18a05e3e5f8e4a48e;received=124.168.235.200;rport=11210
Server: Huawei SoftX3000 R006B03D
WWW-Authenticate: Digest realm="huawei",
 nonce="58080536aa935d0b3ccbac0a93779225",domain="sip:huawei.com",
 stale=false,algorithm=MD5
Content-Length: 0

10 Sep 2007 08:12:35:890
REGISTER sip:200.170.136.196 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.102:9532;branch=z9hG4bK36ed8a1db5244a6d93702e9572436710
To: <sip:10000579@200.170.136.196>
From: <sip:10000579@200.170.136.196>;tag=7558908750
Call-ID: f4baf8c4fa08430f8921f98a2a0b3814
CSeq: 2 REGISTER
Contact: <sip:945767@213.200.94.182;switchtag=abcdef>
Max-Forwards: 70
Authorization: Digest realm="huawei",nonce="58080536aa935d0b3ccbac0a93779225",username="10000579",response="2a50c5937908c533d5be359a15b581c8",uri="sip:200.170.136.196",algorithm=md5
Proxy-Authorization: Digest realm="huawei",nonce="58080536aa935d0b3ccbac0a93779225",username="10000579",response="2a50c5937908c533d5be359a15b581c8",uri="sip:200.170.136.196",algorithm=md5

10 Sep 2007 08:12:36:422
$:3E0,kf%<SIP/2.0 200 OK
From: <sip:10000579@200.170.136.196>;tag=7558908750
To: <sip:10000579@200.170.136.196>;tag=c5789067
CSeq: 2 REGISTER
Call-ID: f4baf8c4fa08430f8921f98a2a0b3814
Via: SIP/2.0/UDP 192.168.1.102:9532;branch=z9hG4bK36ed8a1db5244a6d93702e9572436710;received=124.168.235.200;rport=11210
Expires: 3600
Server: Huawei SoftX3000 R006B03D
Contact: <sip:10000579@213.200.94.182:5060;user=phone>;expires=3600
Content-Length: 0

Regards,

Aaron
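
Added example, not part of the original post and not the sipswitch's code: a minimal Python sketch of the two checks discussed above, run on headers taken from the trace. It shows what a parser loses from the folded WWW-Authenticate header when continuation lines are not unfolded, and which Contact URI parameters the registrar dropped. The function names are hypothetical.

```python
import re

# Constructed sample: the 401 from the trace above, reduced to the relevant headers.
RESPONSE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "CSeq: 1 REGISTER\r\n"
    'WWW-Authenticate: Digest realm="huawei",\r\n'
    ' nonce="58080536aa935d0b3ccbac0a93779225",domain="sip:huawei.com",\r\n'
    " stale=false,algorithm=MD5\r\n"
    "Content-Length: 0\r\n\r\n"
)
SENT_CONTACT = "<sip:945767@213.200.94.182;switchtag=abcdef>"
RECORDED_CONTACT = "<sip:10000579@213.200.94.182:5060;user=phone>;expires=3600"

def parse_headers(message, unfold=True):
    """Map lowercased header names to values; unfold=False drops continuation lines."""
    headers, last = {}, None
    for line in message.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        if line[:1] in (" ", "\t"):          # folded line: belongs to previous header
            if unfold and last is not None:
                headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers

def digest_params(value):
    """Parse a Digest challenge into its parameters (quoted or bare values)."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "digest":
        return {}
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def contact_uri_params(contact):
    """Return the URI parameters inside the <...> of a Contact value."""
    m = re.search(r"<([^>]*)>", contact)
    uri = m.group(1) if m else contact
    return dict(p.partition("=")[::2] for p in uri.split(";")[1:])

def lost_params(sent, recorded):
    """Names of URI parameters that were sent but are missing from the recorded contact."""
    return sorted(set(contact_uri_params(sent)) - set(contact_uri_params(recorded)))

if __name__ == "__main__":
    for mode in (True, False):
        print(mode, digest_params(parse_headers(RESPONSE_401, mode)["www-authenticate"]))
    print("lost:", lost_params(SENT_CONTACT, RECORDED_CONTACT))
```

Without unfolding, only the realm survives and the nonce needed to answer the challenge is never seen; the contact comparison reports switchtag as the dropped parameter.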

wilsonhlacerda
Posts: 11
Joined: Thu Aug 30, 2007 10:02 pm
Location: Sao Paulo - Brazil

Post by wilsonhlacerda » Tue Sep 11, 2007 12:28 pm

Hi Aaron, thank you very much for your help. I'll check carefully your reply and then I'll let you know how I'll manage it.

What's weird is that I can register to the VSP the other ways. Seems that CounterPath, Linksys and others are not tightly compliant to SIP (what I really don't know if is good or bad :roll: in general).

Aaron
Site Admin
Posts: 4652
Joined: Thu Jul 12, 2007 12:13 am

Post by Aaron » Tue Sep 11, 2007 1:43 pm

wilsonhlacerda wrote:
> Hi Aaron, thank you very much for your help. I'll check carefully your reply and then I'll let you know how I'll manage it.
>
> What's weird is that I can register to the VSP the other ways. Seems that CounterPath, Linksys and others are not tightly compliant to SIP (what I really don't know if is good or bad :roll: in general).

Hi Wilson,

No I wouldn't say that at all. If anything Counterpath and Linksys are likely to be a lot more compliant than the SIP stack we've got in the sipswitch. However the SIP stack in the Huawei server which is in use by tudomais looks to be not that great and although it can be coped with by the softphones and ATAs it's not so easy for the sipswitch. The sipswitch has a more challenging job when it comes to registrations since there can be a large number of registrations needing to be maintained for each registrar so it needs some way to identify which register response and contact is which. To do this it uses the switchtag parameter and that's the one the tudomais server is discarding thus preventing the sipswitch from doing its job properly.

That being said the sipswitch is managing to maintain the registration of your tudomais account it just doesn't recognise it is doing so because of the missing switchtag parameter. You'll probably find incoming calls for that account do get into and out of the sipswitch properly.

Regards,

Aaron
