Outbound and inbound not working - 403 forbidden

Discussion in '3CX Phone System - General' started by meppy, Oct 30, 2010.

Thread Status:
Not open for further replies.
  1. meppy

    Joined:
    Oct 28, 2010
    Messages:
    15
    Likes Received:
    0
    Newbie in need of some help, I have setup 3CX on Win Web Server 2008 and it seems to register ok with my VOIP service (iiNET), and the two phones register and can call each other. When I go to make a call it comes up forbidden, and inbound calls just go to my VOIP provider VM service.

    I have switched from a working CISCO SPA9000 system so I know the service should work. I have a dual WAN router so I was careful to make sure SIP traffic is going to the right WAN port and have set a fixed IP and turned off STUN.

    I have followed details on this forum from people that have got it working, so I must have misconfigured something or not read enough of the manual yet perhaps?

    I have an inbound rule with DDI set to my external number and diverted to my extension. The outbound rule does not have any prefix set and looks for 10 digit numbers

    Here are some log entries from restart of services, trunk and handset registration and then attempt at outbound calls. (132200 came back as invalid as the outbound rule had 10 digits set which I have since removed)

    EDIT: yes the external IP looks invalid, I changed it for privacy/security

    18:48:46.599 [CM503020]: Normal call termination. Reason: Forbidden
    18:48:46.599 [CM503016]: Call(3): Attempt to reach <sip:0287993299@192.168.1.2> failed. Reason: Forbidden
    18:48:46.599 [CM503003]: Call(3): Call to sip:0287993299@sip.vic.iinet.net.au:5060 has failed; Cause: 403 Forbidden; from IP:203.666.666.123:5060
    18:48:46.521 [CM503025]: Call(3): Calling VoIPline:0287993299@(Ln.10000@iiNet)@[Dev:sip:0390008000@sip.vic.iinet.net.au:5060]
    18:48:46.458 [CM503004]: Call(3): Route 1: VoIPline:0287993299@(Ln.10000@iiNet)@[Dev:sip:0390008000@sip.vic.iinet.net.au:5060]
    18:48:46.458 [CM503010]: Making route(s) to <sip:0287993299@192.168.1.2>
    18:48:46.458 [CM505001]: Ext.800: Device info: Device Identified: [Man: Linksys;Mod: SPA Series;Rev: General] Capabilities:[reinvite, no-replaces, able-no-sdp, recvonly] UserAgent: [Linksys/SPA942-6.1.5(a)] PBX contact: [sip:800@192.168.1.2:5060]
    18:48:46.458 [CM503001]: Call(3): Incoming call from Ext.800 to <sip:0287993299@192.168.1.2>
    18:48:26.567 [CM503020]: Normal call termination. Reason: Not found
    18:48:26.567 [CM503016]: Call(2): Attempt to reach <sip:132200@192.168.1.2> failed. Reason: Not Found
    18:48:26.567 [CM503014]: Call(2): No known route to target: <sip:132200@192.168.1.2>
    18:48:26.552 [CM503010]: Making route(s) to <sip:132200@192.168.1.2>
    18:48:26.552 [CM505001]: Ext.800: Device info: Device Identified: [Man: Linksys;Mod: SPA Series;Rev: General] Capabilities:[reinvite, no-replaces, able-no-sdp, recvonly] UserAgent: [Linksys/SPA942-6.1.5(a)] PBX contact: [sip:800@192.168.1.2:5060]
    18:48:26.552 [CM503001]: Call(2): Incoming call from Ext.800 to <sip:132200@192.168.1.2>
    18:48:00.661 [CM504001]: Ext.800: new contact is registered. Contact(s): [sip:800@192.168.1.112:5060/800]
    18:47:42.333 [CM504002]: Ext.800: a contact is unregistered. Contact(s): []
    18:47:18.614 [CM503020]: Normal call termination. Reason: Not found
    18:47:18.614 [CM503016]: Call(1): Attempt to reach <sip:132200@192.168.1.2> failed. Reason: Not Found
    18:47:18.614 [CM503014]: Call(1): No known route to target: <sip:132200@192.168.1.2>
    18:47:18.614 [CM503010]: Making route(s) to <sip:132200@192.168.1.2>
    18:47:18.614 [CM505001]: Ext.800: Device info: Device Identified: [Man: Linksys;Mod: SPA Series;Rev: General] Capabilities:[reinvite, no-replaces, able-no-sdp, recvonly] UserAgent: [Linksys/SPA942-6.1.5(a)] PBX contact: [sip:800@192.168.1.2:5060]
    18:47:18.583 [CM503001]: Call(1): Incoming call from Ext.800 to <sip:132200@192.168.1.2>
    18:46:07.880 [CM504001]: Ext.MakeCall: new contact is registered. Contact(s): [sip:MakeCall@127.0.0.1:40600;rinstance=0fd6d1d29ae3edf4/MakeCall]
    18:46:07.880 [CM504001]: Ext.IVRForward: new contact is registered. Contact(s): [sip:IVRForward@127.0.0.1:40600;rinstance=0a665acec87d2f4c/IVRForward]
    18:46:07.880 [CM504001]: Ext.EndCall: new contact is registered. Contact(s): [sip:EndCall@127.0.0.1:40600;rinstance=ae7061be2f35cfb8/EndCall]
    18:46:07.833 [CM504001]: Ext.999: new contact is registered. Contact(s): [sip:999@127.0.0.1:40600;rinstance=2ca95c8d7fbc698a/999]
    18:46:04.189 [CM504004]: Registration succeeded for: 10000@iiNet
    18:46:03.912 [CM504003]: Sent registration request for 10000@iiNet
    18:46:03.798 IP(s) added:[192.168.1.2]
    18:46:03.796 [CM504001]: Ext.SP9: new contact is registered. Contact(s): [sip:SP9@127.0.0.1:40000;rinstance=71595777169df00a/SP9]
    18:46:03.795 [CM504001]: Ext.SP8: new contact is registered. Contact(s): [sip:SP8@127.0.0.1:40000;rinstance=360a3cc3df63f05e/SP8]
    18:46:03.794 [CM504001]: Ext.SP7: new contact is registered. Contact(s): [sip:SP7@127.0.0.1:40000;rinstance=24c003f1f7a877d5/SP7]
    18:46:03.794 [CM504001]: Ext.SP6: new contact is registered. Contact(s): [sip:SP6@127.0.0.1:40000;rinstance=fb65277eb34751eb/SP6]
    18:46:03.793 [CM504001]: Ext.SP5: new contact is registered. Contact(s): [sip:SP5@127.0.0.1:40000;rinstance=4e97380ec609439f/SP5]
    18:46:03.793 [CM504001]: Ext.SP4: new contact is registered. Contact(s): [sip:SP4@127.0.0.1:40000;rinstance=137045bb07cb2028/SP4]
    18:46:03.792 [CM504001]: Ext.SP3: new contact is registered. Contact(s): [sip:SP3@127.0.0.1:40000;rinstance=442bb174d2e816e2/SP3]
    18:46:03.792 [CM504001]: Ext.SP2: new contact is registered. Contact(s): [sip:SP2@127.0.0.1:40000;rinstance=07f684b78be4aac1/SP2]
    18:46:03.780 [CM504001]: Ext.SP1: new contact is registered. Contact(s): [sip:SP1@127.0.0.1:40000;rinstance=074d48320a2a72e7/SP1]
    18:46:03.752 [CM504001]: Ext.SP0: new contact is registered. Contact(s): [sip:SP0@127.0.0.1:40000;rinstance=9f921a71b3a65925/SP0]
    18:46:03.722 [CM504001]: Ext.*1: new contact is registered. Contact(s): [sip:*1@127.0.0.1:40000;rinstance=de5fb90c73f560ec/*1]
    18:46:03.682 [CM504001]: Ext.*0: new contact is registered. Contact(s): [sip:*0@127.0.0.1:40000;rinstance=9fc005c92599bc08/*0]
    18:46:03.643 [CM504001]: Ext.*777: new contact is registered. Contact(s): [sip:*777@127.0.0.1:40000;rinstance=c6f62ce9c0101417/*777]
    18:46:02.304 [CM504001]: Ext.704: new contact is registered. Contact(s): [sip:704@127.0.0.1:40300;rinstance=47567522a0e7188c/704]
    18:46:02.304 [CM504001]: Ext.703: new contact is registered. Contact(s): [sip:703@127.0.0.1:40300;rinstance=1a36a4a3435f6348/703]
    18:46:02.304 [CM504001]: Ext.702: new contact is registered. Contact(s): [sip:702@127.0.0.1:40300;rinstance=7e66b5f305011372/702]
    18:46:02.288 [CM504001]: Ext.701: new contact is registered. Contact(s): [sip:701@127.0.0.1:40300;rinstance=89c0dc29a443bb15/701]
    18:46:02.273 [CM504001]: Ext.700: new contact is registered. Contact(s): [sip:700@127.0.0.1:40300;rinstance=dc6992a9113a08d5/700]
    18:45:57.322 [CM504008]: Fax Service: registered as sip:888@192.168.1.2:5060 with contact sip:888@192.168.1.2:5100;user=phone
    18:45:57.260 [EC200002]: Media server is connected: application:VOIPSERVER01:0/MediaServer local:127.0.0.1:5482 remote:127.0.0.1:62425
    18:45:57.213 [EC200005]: Parking Orbit server is connected: application:VOIPSERVER01:0/3CXParkOrbit local:127.0.0.1:5482 remote:127.0.0.1:62424
    18:45:56.900 [EC200004]: IVR server is connected: application:VOIPSERVER01:0/IVRServer local:127.0.0.1:5482 remote:127.0.0.1:62423
    18:45:56.666 [CM504004]: Registration succeeded for: 10000@iiNet
    18:45:56.275 [CM504003]: Sent registration request for 10000@iiNet
    18:45:55.463 [EC200006]: Conference server is connected: application:VOIPSERVER01:0/3CXConferenceRoom local:127.0.0.1:5482 remote:127.0.0.1:62418
    18:45:53.744 [CM506005]: Public IP=203.206.142.102 is used for WAN communications through local interface with IP=192.168.1.2
    18:45:53.729 Failed to obtain short path name for [C:\ProgramData\3CX\Bin\Cert]
    18:45:53.729 [CM501006]: Default Local IP address: [192.168.1.2]
    18:45:53.729 [CM501007]: *** Started Calls Controller thread ***
    18:45:53.729 [CM501002]: Version: 9.0.14474.0
    18:45:53.729 [CM501001]: Start 3CX PhoneSystem Call Manager
    18:45:53.572 [EC200001]: Configuration server is connected: application:VOIPSERVER01:5485/DBProvider local:127.0.0.1:62415 remote:127.0.0.1:5485
    18:45:53.572 [CM501009]: License Info: Loaded Succeeded
     
  2. RichardCrabb1

    RichardCrabb1 New Member

    Joined:
    Mar 7, 2009
    Messages:
    196
    Likes Received:
    0
    Hi,
    I noted that extension 800 is used as an extension. Extension numbers 800 onwards are used by 3CX to assign ring group numbers, so should not be used as ordinary extensions.

    I suggest you make a number of test calls to the provider. Usually they have test numbers that you can call as well.

    After a quick search I found another post that might help you. Have a look at that and see if it applies to you. http://www.3cx.com/forums/3cx-configuration-for-iinet-11184.html

    Please let us know how you get on.

    Richard Crabb
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. meppy

    Joined:
    Oct 28, 2010
    Messages:
    15
    Likes Received:
    0
    Thanks I have changed the extension to 200, however I still get the same problem.

    That iiNet post was the first one I read (I have done a bit of searching and reading before I posted), but it didn't seem to help me.
     
  4. meppy

    Joined:
    Oct 28, 2010
    Messages:
    15
    Likes Received:
    0
    A quick test of the 3CX softphone shows that if I configure it to directly connect to my VOIP provider it works fine for inbound and outbound calls. So I will dig deeper into the firewall settings and the server settings that the PBX is running on to see if there is something amiss.

    One thing I am curious about, can 3CX say the VOIP connection is registered and idle but for it to actually not be connected properly?
     
  5. RichardCrabb1

    RichardCrabb1 New Member

    Joined:
    Mar 7, 2009
    Messages:
    196
    Likes Received:
    0
    Hello Meppy,
    Certainly this seems strange. Being in the UK i have not tried connecting to iinet! Given that the softphone works, then it does seem to be down to some strange interaction between 3CX and iinet. As you have static port forwarding configured, it may be worth removing the outbound proxy on the voip provider setup. Also, make sure that you are using the right contact IP address.

    Other than that, there may be some scope in doing a wire shark test - but what may be more useful is working with iinet to find out what is happening from their end.

    I am very surprised that you are having problems in this way. Sometimes it is down to a silly config error - but I bet you have combed through it many times.

    Kind regards
    Richard Crabb
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  6. meppy

    Joined:
    Oct 28, 2010
    Messages:
    15
    Likes Received:
    0
    I presume WireShark lets me see the SIP packets and helps with troubleshooting, will look for it and download now.

    I just installed the soft-phone on the server to make sure it is not a specific issue with this virtual server, but it works fine so must be 3CX. Today I learned that the VOIP service also works via the other WAN connection, previously I thought I had to connect to the service via the ISP that provides it. This is good to know as I can use my VOIP phone from anywhere in the world which is good to know!

    I am sure I will get it working, it's just frustrating not knowing enough about VOIP and SIP to figure it out myself.
     
  7. meppy

    Joined:
    Oct 28, 2010
    Messages:
    15
    Likes Received:
    0
    I ran WireShark and captured both 3CX and the softphone to compare. The only difference my untrained eye could spot was that the Soft Phone had a different contact URI. It had the local IP and a from port number, whereas the 3CX server had the external IP and port 5060.

    I have tried changing the HOST Contact information for outbound calls but this is not making any difference, 3CX seems to ignore that change, if I just set the internal IP it gives an invalid number instead of forbidden.
     
  8. RichardCrabb1

    RichardCrabb1 New Member

    Joined:
    Mar 7, 2009
    Messages:
    196
    Likes Received:
    0
    Hi Meppy,
    Was there any note of the contact domain? ie VoIP SIP domain: iinetphone.iinet.net.au within wireshark? I have a suspicion that this might be the problem. I can have a look at the wireshark info if you like. You can email it to me at rc at dorsetphonesystems.com. I could simulate it on my system if you like.

    Also, at the same time please let me have the sip provider settings that are configured. Do incoming calls work?

    Richard Crabb
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. meppy

    Joined:
    Oct 28, 2010
    Messages:
    15
    Likes Received:
    0
    I don't think so, will check tomorrow, but I didn't configure that anywhere so not sure how it would. Where should I set that?
     
  10. RichardCrabb1

    RichardCrabb1 New Member

    Joined:
    Mar 7, 2009
    Messages:
    196
    Likes Received:
    0
    I was just interested in the comparison on wireshark for now between 3CX and the softphone

    Richard
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  11. meppy

    Joined:
    Oct 28, 2010
    Messages:
    15
    Likes Received:
    0
    My VOIP provider lent me a hand and found that the invite messages are coming from a different port than 3CX registered from.

    This is what he said:

    How do I fix this specific issue? I had a look but unsure what setting to change or where.
     
  12. RichardCrabb1

    RichardCrabb1 New Member

    Joined:
    Mar 7, 2009
    Messages:
    196
    Likes Received:
    0
    Are you sure that the ports really are mapped correctly? Have you run the 3CX firewall test? This is essential to prove the mapping. In any case it would seem that there is still an issue. Are you able to change the router, and set up the port mapping and try again?

    Richard Crabb
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  13. meppy

    Joined:
    Oct 28, 2010
    Messages:
    15
    Likes Received:
    0
    The firewall is not a basic adsl modem that I can just swap out it is a proper dual WAN UTM firewall so it is more likely that I need to check and tweak the firewall rules. I will check that and see what the problem might be, but I still don't understand if that is the case why other voip software or hardware works and and just 3cx has problems.

    SIP uses UDP so should be pretty straightforward for the router, but of course my dual public IPs on different ISP networks is a complication that may be getting in the way (although all traces show the traffic going via the one public connection)

    Will run that test and see what I can tweak and report back.
     
  14. meppy

    Joined:
    Oct 28, 2010
    Messages:
    15
    Likes Received:
    0
    Every test passes with warnings, eg.

    CX Firewall Checker, v1.0. Copyright (C) 3CX Ltd. All rights reserved.

    <10:45:34>: Phase 1, checking servers connection, please wait...
    <10:45:34>: Stun Checker service is reachable. Phase 1 check passed.
    <10:45:34>: Phase 2a, Check Port Forwarding to UDP SIP port, please wait...
    <10:45:40>: UDP SIP Port is set to 5060. Response received WITH TRANSLATION 49996::5060. Phase 2a check passed with WARNINGS. Some functionality will be LIMITED. For more information, please visit http://www.3cx.com/blog/docs/firewall-checker/

    <10:45:40>: Phase 2b. Check Port Forwarding to TCP SIP port, please wait...
    <10:45:41>: TCP SIP Port is set to 5060. Response received WITH TRANSLATION 49996::5060. Phase 2b check passed with WARNINGS. Some functionality will be LIMITED. For more information, please visit http://www.3cx.com/blog/docs/firewall-checker/

    <10:45:41>: Phase 3. Check Port Forwarding to TCP Tunnel port, please wait...
    <10:45:41>: TCP TUNNEL Port is set to 5090. Response received WITH TRANSLATION 29546::5090. Phase 3 check passed with WARNINGS. Some functionality will be LIMITED. For more information, please visit http://www.3cx.com/blog/docs/firewall-checker/

    <10:45:41>: Phase 4. Check Port Forwarding to RTP external port range, please wait...
    <10:45:54>: UDP RTP Port 9000. Response received WITH TRANSLATION 29600::9000. Phase 4-01 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/blog/docs/firewall-checker/
    <10:45:54>: UDP RTP Port 9001. Response received WITH TRANSLATION 37793::9001. Phase 4-02 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/blog/docs/firewall-checker/

    etc

    it ends with code 53 whaterver that means. The blog pages that it mentions is not much help as there are no error or warning codes on any of the lines and 53 is not mentioned (only goes up to 15).

    Not sure why there are warnings or what to do about them?
     
  15. meppy

    Joined:
    Oct 28, 2010
    Messages:
    15
    Likes Received:
    0
    OK so I figured that this means I had no inbound ports open for 3CX (couldn't see the need if only using it internally for now). So I opened all those up and the firewall test passed with flying colours.

    Still no outbound calls though. So something is not working correctly. I will try and redirect everything through the other WAN port and see what happens.
     
  16. meppy

    Joined:
    Oct 28, 2010
    Messages:
    15
    Likes Received:
    0
    Just an update that this problem was caused by a FortiGate router not handling SIP properly. The router has been removed and 3CX is working as expected.
     
  17. antler

    Joined:
    May 8, 2011
    Messages:
    40
    Likes Received:
    0
    Hallo meppy,

    Did you ever resolve this issue which is similar to the problem I am experiencing.

    Thanks in advance,

    Antler.

    Ok, just seen your posting for January, thnx. A.
     
  18. smb1

    smb1 New Member

    Joined:
    Mar 18, 2009
    Messages:
    104
    Likes Received:
    0
    Are you certain you have all ports open and statically mapped to the pbx?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  19. smb1

    smb1 New Member

    Joined:
    Mar 18, 2009
    Messages:
    104
    Likes Received:
    0
    Are you certain you have all The required ports open and statically mapped to the pbx inbound and outbound?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Thread Status:
Not open for further replies.