[SR-Users] Auth module with shared "secret"

Hi All, I am testing a scenario where we have 3 proxies and I'm trying to ensure that if a messages comes in to 1 proxy, which challenges the ua, is able to be auth'd successfully on one of the remaining 2 proxies if, for some reason the ua decides to send the response to one of the remaining two proxies. I am testing this using a seperate kamailio proxy which loadbalances messages across the 3 proxies that I am testing with. I have 1 ua (zoiper) which I tell to subscribe for mwi, the initial subscribe is sent to proxy 1, which sends a 407 back, the new subscribe with auth, from the ua, is sent to proxy 2, which deems the nonce as expired and rechallenges, this continues in a loop across the 3 proxies and never authenticates. I think I'm missing something in my settings that I just cannot put my finger on, and/or, I'm mis-understanding the documentation and how these settings interact with each other. My auth module settings are as follows: # # ----- auth params ----- # modparam("auth", "qop", "auth") modparam("auth", "nonce_count", 1) modparam("auth", "one_time_nonce", 1) modparam("auth", "nid_pool_no", 4) modparam("auth", "nc_array_size", 4194304) modparam("auth", "otn_in_flight_no", 8388608) modparam("auth", "auth_checks_no_dlg", 9) modparam("auth", "auth_checks_in_dlg", 15) modparam("auth", "auth_checks_register", 11) modparam("auth", "secret", "secret_32_char_str") I tried with one_time_nonce enabled and disabled but the result is the same, continous rechallenge. The documentation mentions that if nonce_count and one_time_nonce are enable, and a ua sends a response with nonce and qop in the auth header then one_time_nonce will not be used, one_time nonce will be used as a fallback in the case the ua does not support qop. My auth block in the routing logic looks like so: route[AUTH_CHECK]{ xlog("L_DBG", "route[AUTH_CHECK] : $rm : Performing authentication checks for '$var(creds_key)'"); $var(challenge_flags) = 1; if ( ! pv_auth_check("$fd", "$sht(creds=>$var(creds_key)::Password)", "20", "1") ) { switch($retcode) { case -1: xlog("L_DBG", "route[AUTH_CHECK] : $rm : Generic error occurred, no reply sent out."); break; case -2: xlog("L_DBG", "route[AUTH_CHECK] : $rm : Invalid password supplied, re-challenging client and removing from hash table."); sht_rm_name_re("creds=>$var(creds_key)"); break; case -4: xlog("L_DBG", "route[AUTH_CHECK] : $rm : Nonce has expired, re-challenging client."); $var(challenge_flags) = $var(challenge_flags) + 16; break; case -5: xlog("L_DBG", "route[AUTH_CHECK] : $rm : No credentials supplied, challenging client."); break; case -6: xlog("L_DBG", "route[AUTH_CHECK] : $rm : Nonce has already been used to auth a previous request, challenging client."); break; case -8: xlog("L_DBG", "route[AUTH_CHECK] : $rm : Auth user is different to From/To user, challenging client."); break; } xlog("L_INFO", "route[AUTH_CHECK] : $rm : auth_challenge will be called with '$fd' and '$var(challenge_flags)'"); auth_challenge("$fd", "$var(challenge_flags)"); exit; } consume_credentials(); } When I look at the logs I always see the proxies seeing the nonce as expired: oUBGp0n6HRWu_mvPPxJQqg..: INFO: <script>: route[AUTH_CHECK] : SUBSCRIBE : auth_challenge will be called with 'example.com' and '17' oUBGp0n6HRWu_mvPPxJQqg..: INFO: <script>: route[AUTH_CHECK] : SUBSCRIBE : auth_challenge will be called with 'example.com' and '17' oUBGp0n6HRWu_mvPPxJQqg..: INFO: <script>: route[AUTH_CHECK] : SUBSCRIBE : auth_challenge will be called with 'example.com' and '17' oUBGp0n6HRWu_mvPPxJQqg..: INFO: <script>: route[AUTH_CHECK] : SUBSCRIBE : auth_challenge will be called with 'example.com' and '17' oUBGp0n6HRWu_mvPPxJQqg..: INFO: <script>: route[AUTH_CHECK] : SUBSCRIBE : auth_challenge will be called with 'example.com' and '17' oUBGp0n6HRWu_mvPPxJQqg..: INFO: <script>: route[AUTH_CHECK] : SUBSCRIBE : auth_challenge will be called with 'example.com' and '17' I have checked: [1] that the proxies are all syncing time, and they are not out of sync, [2] The source address of the client doesnt change (in case auth_checks_no_dlg is failing), [3] The r-uri of the subscription dialog is the same (in case auth_checks_no_dlg is failing) I am using kamailio version 5.0.6: kamailio -V version: kamailio 5.0.6 (x86_64/linux) flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB poll method support: poll, epoll_lt, epoll_et, sigio_rt, select. id: unknown compiled on 15:57:47 Mar 5 2018 with gcc 4.8.5 Any thoughts on what I can look at or if I'm missing something fundamental here? All suggestions/criticisms are appreciated. Thanks for reading.