<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Yes, you’re absolutely right.<div class=""><br class=""></div><div class="">It turned out that Asterisk has this uncommon way of handling ACLs.</div><div class="">Asterisk assumes “permit”, then runs down the ACL, and changes the status to either “deny” or “permit” based on each matching trunk entry, but the last matching entry of the ACL determines the final state.</div><div class="">This seems opposite to the Linux iptables way, which usually starts with “deny all”, applies each rule, and stops at the first “permit” rule that matches the packet.</div><div class="">We just need to change the deny/permit around according to the Asterisk way. </div><div class=""><br class=""></div><div class="">Thanks,</div><div class=""><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jan 25, 2016, at 2:28 AM, Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" class="">miconda@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
  
  
  <div bgcolor="#FFFFFF" text="#000000" class="">
    Hello,<br class="">
    <br class="">
    parameters in the Via header have nothing to do with authentication.
    It seems that the key log messages are in Asterisk:<br class="">
    <br class="">
    <div class="">[Jan 21 23:13:20] NOTICE[20785][C-00000001] acl.c: SIP Peer
      ACL: Rejecting '10.0.1.30' due to a failure to pass ACL
      '(BASELINE)'</div>
    <div class="">[Jan 21 23:13:20] NOTICE[20785][C-00000001] chan_sip.c: Failed
      to authenticate device <<a moz-do-not-send="true" href="mailto:sip%3A95678@10.0.1.35" class="">sip:95678@10.0.1.35</a>>;tag=as4028dabf<br class="">
      <br class="">
    </div>
    Is the 10.0.1.30 in the IP ACL white list for Asterisk?<br class="">
    <br class="">
    Cheers,<br class="">
    Daniel<br class="">
    <br class="">
    <div class="moz-cite-prefix">On 22/01/16 16:15, DING MA wrote:<br class="">
    </div>
    <blockquote cite="mid:CAFYJHAA__mL=-u+fA2d8s3vO6_3CQg=tBsSgfUBpBu31Mfwjsg@mail.gmail.com" type="cite" class="">
      <div dir="ltr" class="">
        <div class="">Hi, all</div>
        <div class=""><br class="">
        </div>
        <div class="">We're trying to build a system that consists of pbx,
          kamailio and asterisk in the following configuration.</div>
        <div class=""><br class="">
        </div>
        <div class="">pbx (sip trunk) --- kamailio --- asterisk</div>
        <div class=""><br class="">
        </div>
        <div class="">The kamailio and asterisk are integrated with same
          database. The outgoing calls to pbx works. But there is a
          problem with incoming calls from pbx.</div>
        <div class="">If we make a consecutive calls from the same pbx user to
          the same user registered with kamailio. The first would go
          through, but the second call would be rejected by asterisk. We
          have insecure=invite set on the trunk/peer, so asterisk is not
          supposed to auth the invite from kamailio. But the pbx user
          (from in this case) is not in the database.</div>
        <div class=""><br class="">
        </div>
        <div class="">The asterisk log says:</div>
        <div class=""><br class="">
        </div>
        <div class="">
          <div class="">[Jan 21 23:13:19] VERBOSE[20785] chan_sip.c: --- (16
            headers 13 lines) ---</div>
          <div class="">[Jan 21 23:13:19] VERBOSE[20785] chan_sip.c: Sending to <a moz-do-not-send="true" href="http://10.0.1.30:5061/" class="">10.0.1.30:5061</a>
            (no NAT)</div>
          <div class="">[Jan 21 23:13:19] VERBOSE[20785][C-00000001] chan_sip.c:
            Sending to <a moz-do-not-send="true" href="http://10.0.1.30:5061/" class="">10.0.1.30:5061</a> (no NAT)</div>
          <div class="">[Jan 21 23:13:19] VERBOSE[20785][C-00000001] chan_sip.c:
            Using INVITE request as basis request - <a moz-do-not-send="true" href="http://4aaa2dce75c60e8546994c3501dae9e7@10.0.1.35:5061/" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:4aaa2dce75c60e8546994c3501dae9e7@10.0.1.35:5061">4aaa2dce75c60e8546994c3501dae9e7@10.0.1.35:5061</a></div>
          <div class="">[Jan 21 23:13:20] NOTICE[20785][C-00000001] acl.c: SIP
            Peer ACL: Rejecting '10.0.1.30' due to a failure to pass ACL
            '(BASELINE)'</div>
          <div class="">[Jan 21 23:13:20] NOTICE[20785][C-00000001] chan_sip.c:
            Failed to authenticate device <<a moz-do-not-send="true" href="mailto:sip%3A95678@10.0.1.35" class="">sip:95678@10.0.1.35</a>>;tag=as4028dabf</div>
          <div class="">[Jan 21 23:13:20] VERBOSE[20785][C-00000001] chan_sip.c:</div>
          <div class=""><--- Reliably Transmitting (no NAT) to <a moz-do-not-send="true" href="http://10.0.1.30:5061/" class="">10.0.1.30:5061</a>
            ---></div>
          <div class="">SIP/2.0 403 Forbidden^M</div>
          <div class="">Via: SIP/2.0/TLS
10.0.1.30:5061;branch=z9hG4bK9c8e.5cd2c05f6a572312c7793abf5fe1183c.0;i=2;received=10.0.1.30^M</div>
          <div class="">Via: SIP/2.0/TLS
            10.0.1.35:5061;received=10.0.1.35;branch=z9hG4bK249855c1;rport=59929^M</div>
          <div class="">From: <<a moz-do-not-send="true" href="mailto:sip%3A95678@10.0.1.35" class="">sip:95678@10.0.1.35</a>>;tag=as4028dabf^M</div>
          <div class="">To: <<a moz-do-not-send="true" href="mailto:sip%3A16317@10.0.1.30" class="">sip:16317@10.0.1.30</a>>;tag=as35f47241^M</div>
          <div class="">Call-ID: <a moz-do-not-send="true" href="http://4aaa2dce75c60e8546994c3501dae9e7@10.0.1.35:5061/" class="">4aaa2dce75c60e8546994c3501dae9e7@10.0.1.35:5061</a>^M</div>
          <div class="">CSeq: 102 INVITE^M</div>
          <div class="">Server: Asterisk PBX 13.6.0^M</div>
          <div class="">Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER,
            SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE^M</div>
          <div class="">Supported: replaces, timer^M</div>
          <div class="">Content-Length: 0^M</div>
        </div>
        <div class=""><br class="">
        </div>
        <div class="">Comparing the two invites from kamailio to asterisk, it
          seems the only difference is that the second invite has an
          "i=2" in the Via header while the first one has "i=1". Not
          sure what the "i=1" is for. Would appreciate some insights on
          how kamailio is adding/handling the "i=#" in Via header.</div>
        <div class=""><br class="">
        </div>
        Thanks.
        <div class=""><br clear="all" class="">
          <div class="">
            <div class="gmail_signature">
              <div dir="ltr" class="">Ding Ma
                <div class="">SPG, Motorola Solutions</div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br class="">
      <br class="">
      <pre wrap="" class="">_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a>
<a class="moz-txt-link-freetext" href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
    </blockquote>
    <br class="">
    <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla
<a class="moz-txt-link-freetext" href="http://twitter.com/#!/miconda">http://twitter.com/#!/miconda</a> - <a class="moz-txt-link-freetext" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a>
Book: SIP Routing With Kamailio - <a class="moz-txt-link-freetext" href="http://www.asipto.com/">http://www.asipto.com</a>
<a class="moz-txt-link-freetext" href="http://miconda.eu/">http://miconda.eu</a></pre>
  </div>

</div></blockquote></div><br class=""></div></div></body></html>
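The evaluation order described in the top reply, as an added example (not code from Asterisk, Kamailio or the posters): a small Python model of last-match-wins evaluation starting from "permit", next to a first-match evaluator with a default of "deny", plus a check for rules that a later, broader rule always overrides. The rule lists are constructed for illustration; only the address 10.0.1.30 comes from the log in the thread.

```python
import ipaddress

def _parse(rules):
    # ("deny" | "permit", "network/prefix") pairs -> (sense, ip_network) tuples
    return [(sense, ipaddress.ip_network(net)) for sense, net in rules]

def last_match_acl(rules, addr):
    """Asterisk-style: start at permit, walk every rule, last match wins."""
    ip, verdict = ipaddress.ip_address(addr), "permit"
    for sense, net in _parse(rules):
        if ip in net:
            verdict = sense          # keep going; a later match overrides
    return verdict

def first_match_acl(rules, addr, default="deny"):
    """First-match style: the first matching rule decides, else the default."""
    ip = ipaddress.ip_address(addr)
    for sense, net in _parse(rules):
        if ip in net:
            return sense
    return default

def shadowed_rules(rules):
    """Rules that can never decide a last-match verdict: a later rule covers
    their whole network, so the later rule always overrides them."""
    parsed = _parse(rules)
    return [rules[i] for i, (_, net) in enumerate(parsed)
            if any(net.subnet_of(later) for _, later in parsed[i + 1:])]

# Constructed rule lists. Only 10.0.1.30 is taken from the log in the thread.
FIREWALL_ORDER = [("permit", "10.0.1.30/32"), ("deny", "0.0.0.0/0")]
ASTERISK_ORDER = [("deny", "0.0.0.0/0"), ("permit", "10.0.1.30/32")]

if __name__ == "__main__":
    for name, rules in (("firewall order", FIREWALL_ORDER),
                        ("asterisk order", ASTERISK_ORDER)):
        for addr in ("10.0.1.30", "10.0.1.99"):
            print(f"{name:15} {addr:10} "
                  f"last-match={last_match_acl(rules, addr):6} "
                  f"first-match={first_match_acl(rules, addr)}")
        print(f"{name:15} shadowed under last-match: {shadowed_rules(rules)}")
```

A non-empty result from `shadowed_rules` on a list meant for a last-match evaluator points at a permit or deny entry that has no effect, which is the symptom of writing the list in first-match order.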