Hi,

Here is some more information about my problem.
I think that topos impacts challenge computing.
Do you have the same behaviour I observed? Do you need more information?

My tests were done with kamailio 5.4.3 on Centos7

Without topos activated (note that with topoh activated I have the same good behaviour):
CPE - INVITE -> SBC
CPE <- 407 ---- SBC
CPE - INVITE ->SBC (with proxy-authorization header)  -- INVITE --> PROXY (So in this case challenge is validated and INVITE is forwarded)

With topos activated:
CPE - INVITE -> SBC
CPE <- 407 ---- SBC
CPE - INVITE ->SBC (with proxy-authorization header)
CPE <-407 -----SBC

topos configuration:
loadmodule "ndb_redis.so"
loadmodule "topos.so"
loadmodule "topos_redis.so"

# ----- topos params -----
modparam("topos", "storage", "redis")
modparam("topos", "dialog_expire", 15000)

Code used:
# IP authorization and user authentication
route[AUTH] {
    xlog("L_DBG", "route[AUTH]\n");
#!ifdef WITH_IPAUTH
    if((!is_method("REGISTER")) && allow_source_address()) {
        # source IP allowed
        return;
    }
#!endif

#!ifdef WITH_AUTH
    if ((is_method("REGISTER")) || ($avp(need_auth) == "1")) { ####need_auth is equal to 1 in this case
        # authenticate requests
        $var(key)=$fU + "@" + $fd;
        if($sht(auth_cache=>$var(key))!=$null) {
            if (!pv_auth_check("$fd", "$sht(auth_cache=>$var(key))", "0", "1")) {
                auth_challenge("$fd", “1”); #################### we always go here with INVITE with proxy-authorization header and the return code is always -5 (AUTH_NO_CREDENTIALS)
                exit;
            }
        }
        else
        {
            if (!auth_check("$fd", "subscriber", "1")) {
                if ($rc == -1)
                {
                    append_to_reply("Retry-After: 10\r\n");
                    send_reply("503", "Authentication server error");
                    exit;
                }
                auth_challenge("$fd", "0");
                exit;
            }
            $sht(auth_cache=>$var(key)) = $avp(password);
        }
        # user authenticated - remove auth header
        consume_credentials(); ######## without topos we go here with INVITE with proxy-authorization header
    }
#!endif
    return;
}

Note that in this case (with topos) the return code of function pv_auth_check is always -5 (AUTH_NO_CREDENTIALS)


CASE OK:
Frame 3279: 545 bytes on wire (4360 bits), 545 bytes captured (4360 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.1.102, Dst: 192.168.1.11
Transmission Control Protocol, Src Port: 5060, Dst Port: 60796, Seq: 1, Ack: 953, Len: 477
Session Initiation Protocol (407)
    Status-Line: SIP/2.0 407 Proxy Authentication Required
    Message Header
        Via: SIP/2.0/TCP 192.168.1.33;branch=z9hG4bK2df8e195D1847B94;rport=60796;received=192.168.1.11
        From: "6200" <sip:6200@entreprise-108.fr>;tag=B583B663-FBFBFCAA
        To: <sip:0900000000@entreprise-108.fr;user=phone>;tag=83518db21d5b2e9b777975024049f5a3.8f270000
        CSeq: 1 INVITE
        Call-ID: 9378ee27e6b7aea384a881c938de8138
        [Generated Call-ID: 9378ee27e6b7aea384a881c938de8138]
        Proxy-Authenticate: Digest realm="entreprise-108.fr", nonce="YCPgXmAj3zLDB3+utLVpmc+Y917i5qZO"
            Authentication Scheme: Digest
            Realm: "entreprise-108.fr"
            Nonce Value: "YCPgXmAj3zLDB3+utLVpmc+Y917i5qZO"
        Content-Length: 0

Frame 3285: 1259 bytes on wire (10072 bits), 1259 bytes captured (10072 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.1.11, Dst: 192.168.1.102
Transmission Control Protocol, Src Port: 60796, Dst Port: 5060, Seq: 1578, Ack: 478, Len: 1191
Session Initiation Protocol (INVITE)
    Request-Line: INVITE sip:0900000000@entreprise-108.fr;user=phone;transport=tcp SIP/2.0
    Message Header
        Via: SIP/2.0/TCP 192.168.1.33;branch=z9hG4bK827c83577BAADACE
        From: "6200" <sip:6200@entreprise-108.fr>;tag=B583B663-FBFBFCAA
            SIP Display info: "6200"
            SIP from address: sip:6200@entreprise-108.fr
            SIP from tag: B583B663-FBFBFCAA
        To: <sip:0900000000@entreprise-108.fr;user=phone>
            SIP to address: sip:0900000000@entreprise-108.fr;user=phone
        CSeq: 2 INVITE
        Call-ID: 9378ee27e6b7aea384a881c938de8138
        [Generated Call-ID: 9378ee27e6b7aea384a881c938de8138]
        Contact: <sip:6200@192.168.1.33;transport=tcp>
            Contact URI: sip:6200@192.168.1.33;transport=tcp
        Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
        User-Agent: PolycomVVX-VVX_500-UA/5.7.0.14430
        Accept-Language: fr-fr,fr;q=0.9,en;q=0.8
        Supported: replaces,100rel
        Allow-Events: conference,talk,hold
        Proxy-Authorization: Digest username="6200", realm="entreprise-108.fr", nonce="YCPgXmAj3zLDB3+utLVpmc+Y917i5qZO", uri="sip:0900000000@entreprise-108.fr;user=phone;transport=tcp", response="3e0013cc3dc3855602ce1939af7e6f40", algorithm=MD5
            Authentication Scheme: Digest
            Username: "6200"
            Realm: "entreprise-108.fr"
            Nonce Value: "YCPgXmAj3zLDB3+utLVpmc+Y917i5qZO"
            Authentication URI: "sip:0900000000@entreprise-108.fr;user=phone;transport=tcp"
            Digest Authentication Response: "3e0013cc3dc3855602ce1939af7e6f40"
            Algorithm: MD5
        Max-Forwards: 70
        Content-Type: application/sdp
        Content-Length: 270
    Message Body

Bad case (with topos activated):
Frame 9071: 545 bytes on wire (4360 bits), 545 bytes captured (4360 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.1.102, Dst: 192.168.1.11
Transmission Control Protocol, Src Port: 5060, Dst Port: 43608, Seq: 1, Ack: 953, Len: 477
Session Initiation Protocol (407)
    Status-Line: SIP/2.0 407 Proxy Authentication Required
    Message Header
        Via: SIP/2.0/TCP 192.168.1.33;branch=z9hG4bK5c0a58f3707458FA;rport=43608;received=192.168.1.11
        From: "6200" <sip:6200@entreprise-108.fr>;tag=59191351-FD3B2D60
        To: <sip:0900000000@entreprise-108.fr;user=phone>;tag=83518db21d5b2e9b777975024049f5a3.8f270000
        CSeq: 1 INVITE
        Call-ID: 727c871081e29672abcb8bd05dde8138
        [Generated Call-ID: 727c871081e29672abcb8bd05dde8138]
        Proxy-Authenticate: Digest realm="entreprise-108.fr", nonce="YCPlfGAj5FCsPHbzhSK1i2Oqt9APc1+/"
            Authentication Scheme: Digest
            Realm: "entreprise-108.fr"
            Nonce Value: "YCPlfGAj5FCsPHbzhSK1i2Oqt9APc1+/"
        Content-Length: 0

Frame 9078: 1259 bytes on wire (10072 bits), 1259 bytes captured (10072 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.1.11, Dst: 192.168.1.102
Transmission Control Protocol, Src Port: 43608, Dst Port: 5060, Seq: 1578, Ack: 478, Len: 1191
Session Initiation Protocol (INVITE)
    Request-Line: INVITE sip:0900000000@entreprise-108.fr;user=phone;transport=tcp SIP/2.0
    Message Header
        Via: SIP/2.0/TCP 192.168.1.33;branch=z9hG4bKbca400a5DCDB8264
        From: "6200" <sip:6200@entreprise-108.fr>;tag=59191351-FD3B2D60
            SIP Display info: "6200"
            SIP from address: sip:6200@entreprise-108.fr
            SIP from tag: 59191351-FD3B2D60
        To: <sip:0900000000@entreprise-108.fr;user=phone>
            SIP to address: sip:0900000000@entreprise-108.fr;user=phone
        CSeq: 2 INVITE
        Call-ID: 727c871081e29672abcb8bd05dde8138
        [Generated Call-ID: 727c871081e29672abcb8bd05dde8138]
        Contact: <sip:6200@192.168.1.33;transport=tcp>
            Contact URI: sip:6200@192.168.1.33;transport=tcp
        Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
        User-Agent: PolycomVVX-VVX_500-UA/5.7.0.14430
        Accept-Language: fr-fr,fr;q=0.9,en;q=0.8
        Supported: replaces,100rel
        Allow-Events: conference,talk,hold
        Proxy-Authorization: Digest username="6200", realm="entreprise-108.fr", nonce="YCPlfGAj5FCsPHbzhSK1i2Oqt9APc1+/", uri="sip:0900000000@entreprise-108.fr;user=phone;transport=tcp", response="281d775e7166a96d5efe2e100df3df9a", algorithm=MD5
            Authentication Scheme: Digest
            Username: "6200"
            Realm: "entreprise-108.fr"
            Nonce Value: "YCPlfGAj5FCsPHbzhSK1i2Oqt9APc1+/"
            Authentication URI: "sip:0900000000@entreprise-108.fr;user=phone;transport=tcp"
            Digest Authentication Response: "281d775e7166a96d5efe2e100df3df9a"
            Algorithm: MD5
        Max-Forwards: 70
        Content-Type: application/sdp
        Content-Length: 270
    Message Body

Regards,

Frederic