
Authentication error because of using same nonce by 3CX

Status
Not open for further replies.

mhariri
Hello,

This is the second time over a period of one month that I am experiencing periods of authentication reject messages while registering to a DIDLogic SIP trunk we are using, and the reason for that is the same nonce in register messages sent to the trunk provider. The problem is that the SIP provider is sending a 200 OK message for the first and second registration attempts, and after 108 seconds, when the next registration attempt is made, it is still with the same nonce as the previous one, and the provider obviously rejects it and causes the trunk to intermittently go offline.

Below are the three requests and responses that I captured:

Code:
2018-11-21 14:19:51 -0600 : 192.168.xx.xx:5060 -> 206.191.159.247:5060
REGISTER sip:sip.nyc.didlogic.net:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.xx.xx:5060;branch=z9hG4bK-524287-1---276f913231489e10;rport
Max-Forwards: 70
Contact: <sip:[email protected]:5060;rinstance=cd3db630fa0809ea>
To: <sip:[email protected]:5060>
From: <sip:[email protected]:5060>;tag=c1f4556b
Call-ID: FVA7-prJh05gvGStXAjk7Q..
CSeq: 1664 REGISTER
Expires: 120
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE, UPDATE
Supported: replaces, timer
User-Agent: 3CXPhoneSystem 15.5.15502.6 (15502)
Authorization: Digest username="xxxxx",realm="sip.nyc.didlogic.net",nonce="W/W+p1v1vXtWhaB285OsPes3xWxLrTJ9IG5cSIA=",uri="sip:sip.nyc.didlogic.net:5060",response="2f38e6dfef60ec5b4bd436d7047c5769",cnonce="cc3ae743d10f0b362c62c0a50a1f0cb4",nc=00000002,qop=auth,algorithm=MD5
Content-Length: 0



Code:
2018-11-21 14:21:39 -0600 : 206.191.159.247:5060 -> 192.168.xx.xx:5060
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.xx.xx:5060;branch=z9hG4bK-524287-1---a706c1035a4e6730;rport=5060;received=xx.xx.xx.xx
To: <sip:[email protected]:5060>;tag=b27e1a1d33761e85846fc98f5f3a7e58.534f
From: <sip:[email protected]:5060>;tag=c1f4556b
Call-ID: FVA7-prJh05gvGStXAjk7Q..
CSeq: 1665 REGISTER
Contact: <sip:[email protected]:5060;rinstance=cd3db630fa0809ea>;expires=120;received="sip:xx.xx.xx.xx:5060"
Content-Length: 0



Code:
2018-11-21 14:21:39 -0600 : 192.168.xx.xx:5060 -> 206.191.159.247:5060
REGISTER sip:sip.nyc.didlogic.net:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.xx.xx:5060;branch=z9hG4bK-524287-1---a706c1035a4e6730;rport
Max-Forwards: 70
Contact: <sip:[email protected]:5060;rinstance=cd3db630fa0809ea>
To: <sip:[email protected]:5060>
From: <sip:[email protected]:5060>;tag=c1f4556b
Call-ID: FVA7-prJh05gvGStXAjk7Q..
CSeq: 1665 REGISTER
Expires: 120
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE, UPDATE
Supported: replaces, timer
User-Agent: 3CXPhoneSystem 15.5.15502.6 (15502)
Authorization: Digest username="xxxxx",realm="sip.nyc.didlogic.net",nonce="W/W+p1v1vXtWhaB285OsPes3xWxLrTJ9IG5cSIA=",uri="sip:sip.nyc.didlogic.net:5060",response="4c3b9f2874674672e5ff37adbf8625f7",cnonce="0f100eb935aa29aa58260dbc85b35efe",nc=00000003,qop=auth,algorithm=MD5
Content-Length: 0


Code:
2018-11-21 14:21:39 -0600 : 206.191.159.247:5060 -> 192.168.xx.xx:5060
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.xx.xx:5060;branch=z9hG4bK-524287-1---a706c1035a4e6730;rport=5060;received=xx.xx.xx.xx
To: <sip:[email protected]:5060>;tag=b27e1a1d33761e85846fc98f5f3a7e58.534f
From: <sip:[email protected]:5060>;tag=c1f4556b
Call-ID: FVA7-prJh05gvGStXAjk7Q..
CSeq: 1665 REGISTER
Contact: <sip:[email protected]:5060;rinstance=cd3db630fa0809ea>;expires=120;received="sip:xx.xx.xx.xx:5060"
Content-Length: 0


Code:
2018-11-21 14:23:27 -0600 : 192.168.xx.xx:5060 -> 206.191.159.247:5060
REGISTER sip:sip.nyc.didlogic.net:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.xx.xx:5060;branch=z9hG4bK-524287-1---b3b25a6073330a3b;rport
Max-Forwards: 70
Contact: <sip:[email protected]:5060;rinstance=cd3db630fa0809ea>
To: <sip:[email protected]:5060>
From: <sip:[email protected]:5060>;tag=c1f4556b
Call-ID: FVA7-prJh05gvGStXAjk7Q..
CSeq: 1666 REGISTER
Expires: 120
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE, UPDATE
Supported: replaces, timer
User-Agent: 3CXPhoneSystem 15.5.15502.6 (15502)
Authorization: Digest username="xxxxx",realm="sip.nyc.didlogic.net",nonce="W/W+p1v1vXtWhaB285OsPes3xWxLrTJ9IG5cSIA=",uri="sip:sip.nyc.didlogic.net:5060",response="605b6074e203e2631adaccee49f53dbd",cnonce="8d0da32f48bf2efc43652734184c61b8",nc=00000004,qop=auth,algorithm=MD5
Content-Length: 0


Code:
2018-11-21 14:23:27 -0600 : 206.191.159.247:5060 -> 192.168.xx.xx:5060
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.xx.xx:5060;branch=z9hG4bK-524287-1---b3b25a6073330a3b;rport=5060;received=xx.xx.xx.xx
To: <sip:[email protected]:5060>;tag=b27e1a1d33761e85846fc98f5f3a7e58.29c8
From: <sip:[email protected]:5060>;tag=c1f4556b
Call-ID: FVA7-prJh05gvGStXAjk7Q..
CSeq: 1666 REGISTER
WWW-Authenticate: Digest realm="sip.nyc.didlogic.net", nonce="W/W/61v1vr/SRidWzsDW9/gii4uTP4K0IHYM8YA=", qop="auth"
Content-Length: 0

I have contacted DIDLogic regarding this and I think they are now accommodating this by accepting more than one similar nonce, but 3CX just does not stop using the same nonce until it receives a reject message and a new nonce...

Please help me get past this bug.

Thanks,
 
Not sure if it's a bug, as I'm not a SIP expert, but I imagine if it was a bug in 3CX there'd be more complaints about it, both with DIDLogic and other providers, if it was something in 3CX, which leads me to believe it's a problem with DIDLogic. Having not used DIDLogic before, how are you specifying the server/proxy? I see sip.nyc.didlogic.net in your post. Perhaps you can try another server to see if it has the same behavior? Do you happen to have an Edgewater or something else between your 3CX instance and DIDLogic?
 
Hello @mhariri

Please note that the "nonce" value is generated by the server which in this scenario is the Provider. The PBX will use the same value until the provider challenges the registration with a "401 Unauthorized" message which must include a new nonce value. The PBX must then send a new register message containing the new nonce value. This will not cause the Trunk to un-register as this communication takes place before the Registration expiry. From RFC 3261:
When the originating UAC receives the 401 (Unauthorized), it SHOULD,
if it is able, re-originate the request with the proper credentials.
The UAC may require input from the originating user before
proceeding. Once authentication credentials have been supplied
(either directly by the user, or discovered in an internal keyring),
UAs SHOULD cache the credentials for a given value of the To header
field and "realm" and attempt to re-use these values on the next
request for that destination. UAs MAY cache credentials in any way
they would like.
You posted the SIP signalling up to the point where the provider challenges the request but not the next Register message which should contain the correct nonce in the Registration message. Is that the case? What happens after the challenge?
From experience I know that we do not face any issues using this method with other providers; however, if DIDLogic is using some other RFC then we would like to look into it.
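
Added example, not part of the thread and not 3CX or DIDLogic code: a small Python trace check that follows one nonce through successive REGISTERs, records the `nc` values sent with it, and measures how long after its first observed use the server replaced it with a 401 challenge. The `TRACE` entries are constructed by condensing the capture in the first post to the start line and the digest header; the function names are hypothetical.

```python
import re
from datetime import datetime

PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def digest_params(message, header):
    """Return the Digest parameters of `header` in a SIP message, or None."""
    m = re.search(r'^%s:\s*Digest\s+(.*)$' % re.escape(header), message, re.M | re.I)
    if not m:
        return None
    return {k.lower(): quoted or bare for k, quoted, bare in PARAM.findall(m.group(1))}

def nonce_report(trace):
    """Per nonce: nc values the client sent and when the server replaced it."""
    report, current = {}, None
    for stamp, msg in trace:
        t = datetime.strptime(stamp, "%H:%M:%S")
        if msg.startswith("REGISTER "):
            auth = digest_params(msg, "Authorization")
            if auth is None or "nc" not in auth:
                continue
            current = auth["nonce"]
            entry = report.setdefault(current, {"first": t, "nc": [],
                                                "rejected_after_s": None, "replaced_by": None})
            entry["nc"].append(int(auth["nc"], 16))  # nc is an 8-digit hex counter
        elif msg.startswith("SIP/2.0 401") and current:
            chal = digest_params(msg, "WWW-Authenticate")
            if chal and chal["nonce"] != current:   # server issued a fresh nonce
                entry = report[current]
                entry["rejected_after_s"] = int((t - entry["first"]).total_seconds())
                entry["replaced_by"] = chal["nonce"]
    return report

def nc_strictly_increasing(entry):
    """A client reusing a nonce must raise nc on every request."""
    return all(b > a for a, b in zip(entry["nc"], entry["nc"][1:]))

# Constructed sample, condensed from the capture posted above.
NONCE = "W/W+p1v1vXtWhaB285OsPes3xWxLrTJ9IG5cSIA="
def _reg(nc):
    return ('REGISTER sip:sip.nyc.didlogic.net:5060 SIP/2.0\n'
            'Authorization: Digest username="xxxxx",realm="sip.nyc.didlogic.net",'
            'nonce="%s",nc=%s,qop=auth,algorithm=MD5\n' % (NONCE, nc))
TRACE = [("14:19:51", _reg("00000002")), ("14:21:39", "SIP/2.0 200 OK\n"),
         ("14:21:39", _reg("00000003")), ("14:21:39", "SIP/2.0 200 OK\n"),
         ("14:23:27", _reg("00000004")),
         ("14:23:27", 'SIP/2.0 401 Unauthorized\nWWW-Authenticate: Digest '
          'realm="sip.nyc.didlogic.net", nonce="W/W/61v1vr/SRidWzsDW9/gii4uTP4K0IHYM8YA=", qop="auth"\n')]
```

Because the first captured REGISTER already carries `nc=00000002`, the measured interval is a lower bound on the nonce lifetime the provider enforces, not the lifetime itself.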
 
Hi YiannisH_3CX

Sorry, it took me a while to answer. The problem never happened again. I once saw that 3CX was still stuck with the previous nonce and sending out AUTH messages once every couple of secs. Fortunately, I kept the logs of the one time it happened.
I will post here when I see this behavior again.

Hello @mhariri
You posted the SIP signalling up to the point where the provider challenges the request but not the next Register message which should contain the correct nonce in the Registration message. Is that the case? What happens after the challenge?

You are right. The normal behavior with DIDLogic proxy is to send a new nonce with a 401 response and 3CX will use this onward in proposed intervals by UACs which then receives a 200 OK.

Thanks,
 
Glad to see you are no longer experiencing the issue. From the posted configuration, what I think happens is that the PBX keeps sending Register messages because there is no reply, so it keeps trying. It will send requests and increase the intervals between the requests. Let us know if you face any more issues.
 