407 Proxy Authentication Required - Phone through VPN

Discussion in '3CX Phone System - General' started by eQDoBBs, Jun 13, 2013.

Thread Status:
Not open for further replies.
  1. eQDoBBs

    Joined:
    Aug 14, 2012
    Messages:
    37
    Likes Received:
    3
    Hi,

    I have 3 home workers each with a site to site VPN connection. At each site is a PC and Grandstream phone (2000 or 2020). The VPN is running, the PC can connect through and I have confirmed that registration packets are hitting the 3CX server.

    One out of the 3 phones is working. It registers successfully and makes calls without issue. The other 2 have the same issue, where it does not do the second pass registration. The packet trace is showing that it just cycles through the registration request and 3CX responds with 407 Proxy Authentication Required:

    Code:
    REGISTER sip:172.16.1.10 SIP/2.0
    Via: SIP/2.0/UDP 172.16.2.202:5060;branch=z9hG4bKf942e81e7b07a2ef
    From: "phone1" <sip:207@172.16.1.10>;tag=706d6ad0fd91f0a9
    To: <sip:207@172.16.1.10>
    Contact: <sip:207@172.16.2.202:5060;transport=udp>
    Supported: path
    Call-ID: efd10faaaef24f5d@172.16.2.202
    CSeq: 10001 REGISTER
    Expires: 3600
    User-Agent: Grandstream GXP2000 1.1.6.16
    Max-Forwards: 70
    Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE,PRACK,MESSAGE
    Content-Length: 0
    
    SIP/2.0 407 Proxy Authentication Required
    Via: SIP/2.0/UDP 172.16.2.202:5060;branch=z9hG4bKf942e81e7b07a2ef
    Proxy-Authenticate: Digest nonce="414d535c07ca174e45:40d788785283a4fe3b5c10e2be01c2af",algorithm=MD5,realm="3CXPhoneSystem"
    To: <sip:207@172.16.1.10>;tag=e853061e
    From: "phone1"<sip:207@172.16.1.10>;tag=706d6ad0fd91f0a9
    Call-ID: efd10faaaef24f5d@172.16.2.202
    CSeq: 10001 REGISTER
    User-Agent: 3CXPhoneSystem 11.0.28976.849 (28862)
    Content-Length: 0

    I have checked (quadruple checked) the Grandstream settings and they are configured exactly the same except for the User ID and passwords obviously. I have also got the user to install the Android client on his phone and connect from home and using the same account settings is able to connect successfully.

    I am thinking this may be a natting issue, as the Android has the NAT helper option.

    Any help is much appreciated.

    thanks

    Mark
     
  2. ian.watts

    ian.watts Active Member

    Joined:
    Apr 8, 2011
    Messages:
    532
    Likes Received:
    0
    NAT should not be an issue if the site-to-site is online.. can confirm by pinging the handset from the PBX.
    Unclear, but would expect a firewall's SIP ALG to "not" interfere if the destination is over the VPN.. aka the PBX's LAN address.
     
  3. eQDoBBs

    Joined:
    Aug 14, 2012
    Messages:
    37
    Likes Received:
    3
    Hi,

    To add to this, I have also tried the provision method and while the template gets picked up and processed (confirmed by the fact that the settings on the phone update, screen display changes etc.) it still fails with the same error.

    I do not believe it is related to the firewall, as another site works fine and on a site with a Grandstream phone that fails an Android based client connects fine.

    This is why I have turned to these forums, as I am missing something (maybe very obvious) as to why these two phones are not registering.

    thanks

    Mark
     
  4. lneblett

    lneblett Well-Known Member

    Joined:
    Sep 7, 2010
    Messages:
    2,064
    Likes Received:
    58
    I don't know that the Android is a valid comparison. You did not mention if the Android is connecting via the cell carrier or if through a Wi-Fi and, if Wi-Fi, how the Wi-Fi integrates into or not with the VPN.

    If possible, you might take the working phone to one or both of the other locations and see how it reacts. If it works, then it tends to suggest that the VPN set-up is likely not the issue.

    You might also bring the (non-working) phones back to the local office and 1) ensure that they have updated firmware, 2) do a factory reset, and 3) provision them from 3CX while (not manually) local and ensure they work before moving back out remotely. Do this such that both of the phones having issues are connected at the same time and tested.

    Try the above and see. We may need to see more of the log and with both the working and non-working. At the moment, there is something about the credentials that 3CX does not like.
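
The trace in the first post and the credentials remark above point at two different failure modes: the phone never sends a second-pass REGISTER, or it sends one whose digest the server rejects. The following is an added example, not part of the original thread and not 3CX or Grandstream code, that tells them apart from captured messages; the digest username "207", the password and the retry REGISTER are constructed assumptions.

```python
import hashlib
import re

REALM, URI = "3CXPhoneSystem", "sip:172.16.1.10"
NONCE = "414d535c07ca174e45:40d788785283a4fe3b5c10e2be01c2af"  # from the 407 in the thread
# Constructed messages modelled on the thread's trace (headers trimmed).
FIRST_PASS = f"REGISTER {URI} SIP/2.0\nCSeq: 10001 REGISTER\n"
CHALLENGE = ("SIP/2.0 407 Proxy Authentication Required\n"
             f'Proxy-Authenticate: Digest nonce="{NONCE}",algorithm=MD5,realm="{REALM}"\n')

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 response without qop, which is what the challenge above asks for.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def second_pass(user, password):
    # Hypothetical retry REGISTER from a phone configured with `password`.
    resp = digest_response(user, REALM, password, "REGISTER", URI, NONCE)
    return (f"REGISTER {URI} SIP/2.0\nCSeq: 10002 REGISTER\n"
            f'Proxy-Authorization: Digest username="{user}",realm="{REALM}",'
            f'nonce="{NONCE}",uri="{URI}",response="{resp}",algorithm=MD5\n')

def parse(msg):
    lines = msg.strip().splitlines()
    pairs = (l.split(":", 1) for l in lines[1:] if ":" in l)
    return lines[0], {k.strip().lower(): v.strip() for k, v in pairs}

def params(value):
    # key="value" and key=value pairs of a Digest header
    return {k: q or b for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value)}

def classify(messages, password):
    challenge = answer = None
    for start, headers in map(parse, messages):
        if start.startswith("SIP/2.0 407"):
            challenge = params(headers["proxy-authenticate"])
        elif start.startswith("REGISTER") and "proxy-authorization" in headers:
            answer = params(headers["proxy-authorization"])
    if challenge is None:
        return "no challenge in trace"
    if answer is None:
        return "challenge never answered"
    if answer.get("nonce") != challenge["nonce"]:
        return "answer uses a different nonce"
    expected = digest_response(answer["username"], challenge["realm"], password,
                               "REGISTER", answer["uri"], challenge["nonce"])
    return "credentials match" if answer.get("response") == expected else "credentials mismatch"
```

`classify` takes the messages of one registration attempt in capture order plus the password configured on the extension; "challenge never answered" corresponds to the loop shown in the first post.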
     
  5. cobaltit

    cobaltit Active Member

    Joined:
    Mar 22, 2012
    Messages:
    825
    Likes Received:
    124
    I didn't see anyone else mention it, but did you confirm that for the two phones that are not working properly, you've cleared the 'Disallow use of extension outside of the LAN'?
     
  6. eQDoBBs

    Joined:
    Aug 14, 2012
    Messages:
    37
    Likes Received:
    3
    Yes, sorry I should have pointed out that this setting had been cleared.

    Rather oddly one of the phones is now working. All that I did was perform a factory reset and use the provision method (again). It didn't work immediately, but miraculously about an hour after the reset and provision it registered successfully. This in itself does not make any sense (at least to me).

    I have not had a chance to perform the same procedure on the other phone yet.
     