Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS

Hello Laurent, (you might want to anonymize your msg dumps bit on this public list) You probably did already this steps, but nevertheless some debugging ideas: - capture a longer network trace and compare the network data of a working against non-working case - try to see to find a pattern (e.g. does it happens during a certain time, only to certain users or devices) - have a look to network interface statistics on server and router/firewall if maybe some corruption is caused from an interface - have a look to other network services that are using the same network infrastructure to see if they are also affected Cheers, Henning Am 29.08.19 um 10:58 schrieb Laurent Schweizer: Hello, I try to get some log, I only see that password seems wrong but he was not changed and registration of this user was ok just before ☹ Any idea how to debug this ? Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:288]: auth_check_response(): check_response: Our result = 'bc946bb4ea732eb35d11d0970631c6f8' Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:298]: auth_check_response(): check_response: Authorization failed Aug 29 10:21:38 de5029 kamailio[22615]: WARNING: <script>: auth error -2 username XXXX7011537 - src ip: 93.229.221.67 Aug 29 10:21:38 de5029 kamailio[22615]: ERROR: debugger [debugger_mod.c:581]: w_dbg_sip_msg(): CONFIG LINE 871 ------------------------- START OF SIP message debug -------------------------- REGISTER sip:pbxs.peoplefone.de:5060 SIP/2.0^M Via: SIP/2.0/TCP 192.168.2.113:5060;branch=z9hG4bK2816544140^M From: "11 - Juergen XXXX" <sip:XXXX7011537@pbxs.peoplefone.de:5060><mailto:sip:XXXX7011537@pbxs.peoplefone.de:5060>;tag=4042485072^M To: "11 - Juergen XXXX" <sip:XXXX7011537@pbxs.peoplefone.de:5060><mailto:sip:XXXX7011537@pbxs.peoplefone.de:5060>^M Call-ID: 0_228669251@192.168.2.113^M<mailto:0_228669251@192.168.2.113^M> CSeq: 3 REGISTER^M Contact: <sip:XXXX7011537@192.168.2.113:5060;transport=TCP><mailto:sip:XXXX7011537@192.168.2.113:5060;transport=TCP>^M Authorization: Digest username="XXXX7011537", realm="pbxs.peoplefone.de", nonce="XXXXXXxKoIygitcq45XMNGX2z9hwn", uri="sip:pbxs.peoplefone.de:5060", response="XXXXXX7142356b40754f30e0dc6cd", algorithm=MD5^M Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE^M Max-Forwards: 69^M User-Agent: Yealink SIP-T42S 66.82.0.30^M Expires: 300^M Allow-Events: talk,hold,conference,refer,check-sync^M Content-Length: 0^M ^M ------------------------------ SIP header diffs ------------------------------- ------------------------------- SIP body diffs -------------------------------- -------------------------- END OF SIP message debug --------------------------- Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [challenge.c:165]: get_challenge_hf(): realm='pbxs.peoplefone.de' Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [challenge.c:275]: get_challenge_hf(): auth: 'WWW-Authenticate: Digest realm="pbxs.peoplefone.de", nonce="XXXXXXxKoIygitcq45XMNGX2z9hwn"^M From: sr-users <sr-users-bounces@lists.kamailio.org><mailto:sr-users-bounces@lists.kamailio.org> On Behalf Of Laurent Schweizer Sent: lundi, 26 août 2019 14:04 To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org><mailto:sr-users@lists.kamailio.org> Subject: Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS Wireshark was missing . From: Laurent Schweizer Sent: lundi, 26 août 2019 10:25 To: 'Kamailio (SER) - Users Mailing List' <sr-users@lists.kamailio.org<mailto:sr-users@lists.kamailio.org>> Subject: Kamailio 5.0.8 | authentification issue only with TCP/TLS Dear all, I have a kamailio running in version 5.0.8 and since fee weeks we have an issue with different users connected in TCP or TLS, sometimes authorization like for REGISTER are rejected and after a moment (can be few minute or hours) it work again and of course no change was done in the password …. We see this issue with different device, snom swyx, … and on UDP we have no issue. I can see that when the Register is rejected it’s with the error -2, so wrong password… # Authentication route route[AUTH] { if (is_method("REGISTER")) { # authenticate requests if (!auth_check("$fd", "subscriber", "1")) { switch($retcode) { case -1: sl_send_reply("503","Service not available"); exit; case -2: xlog("L_WARN", "auth error -2 username $au - src ip: $si \n"); auth_challenge("$fd", "0"); exit; I have attached an example of a trace where we can see a first REGISTER accepted and less than 2 minutes after a new one is rejected. ( in between they is a REGISTER without any Authorization header) Any idea ? BR Laurent _______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org<mailto:sr-users@lists.kamailio.org> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users -- Henning Westerholt - https://skalatan.de/blog/ Kamailio services - https://skalatan.de/services