Dismiss Notice
We would like to remind you that we’re updating our login process for all 3CX forums whereby you will be able to login with the same credentials you use for the Partner or Customer Portal. Click here to read more.

Remote Extension Outgoing Now Forbidden

Discussion in '3CX Phone System - General' started by RandyChev, Feb 17, 2014.

Thread Status:
Not open for further replies.
  1. RandyChev

    Joined:
    Nov 4, 2011
    Messages:
    15
    Likes Received:
    0
    I've had a 3CX system up and running for two years now without too many hitches. However all of a sudden our remote extensions can't make direct outgoing calls to other extensions or to an outside line. We've tried our iPhone app and our Cisco SPA phone and both are returned a "Forbidden" message.

    We CAN use 3CXMyphone to initiate calls for the extensions so we can work around this for awhile but its not very elegant.

    I've checked the extension settings and remote extensions should be allowed. I've tried with firewall and antivirus off… no change.

    3CX Ver 10 running on Windows 7.
    We made no changes to the host computer other than the Windows recommended updates at the beginning of February.
    Logs show "Authorization system can not identify source of … [invite]"

    I have the full log for the call attempt if it would help.

    Are there any changes Windows updates could make that would cause this problem?
    Are there any other "common" settings that might get changed that would cause this?
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    11,097
    Likes Received:
    328
    Did this happen immediately after some changes/updates were done? Any changes at the remote end?

    Are the sets having the issue all at the same location? Simply behind a router, or using the 3CX Proxy server? Have you attempted calls from a different location?

    A post of the 3CX log, for a failed call would help. I assume that the extensions are able to register.
     
  3. RandyChev

    Joined:
    Nov 4, 2011
    Messages:
    15
    Likes Received:
    0
    I can't say IMMEDIATELY but it was I believe it was the next morning that I noticed the problem. I'm considering reverting the machine to a previous state if thats possible. … haven't checked yet.

    No changes at the remote end.

    I iliminated the remote router as the problem as I get the same results from the iPhone app while on cellular service. I can connect and dial out with the iPhone app with my "In LAN" profile while on our LAN over wifi. I turn off wifi, switch to the "Out of LAN" profile and the app registers but I get the "Forbidden" notice when dialing out. Oh, I can connect the iPhone to the host vpn and 3CX app will register and dial out in the "In LAN" profile.

    I have not had an opportunity to try the desk phone through another provider but the iPhone test seems to make that test worthless at this point.

    Yes, all remote extensions register without a hitch and answer without a problem. And as I said I can make outgoing calls using MyPhone app where I connect with the "MakeCall" function.

    Thanks for your help so far.

    Log:
    (Host IP and Phone numbers changed for security reasons)
    13:01:39.304|.\Authorization.cpp(1024)|Error1||evt::CheckIfAuthIsRequired::not_handled:[CM302001]: Authorization system can not identify source of: SipReq: INVITE 9181234567@211.11.31.161:5060 tid=PjKLBaVlXWikFedyK9-8DQ-P-x1M3OQ-Ce cseq=INVITE contact=102@166.137.122.184:46149 / 3396 from(wire)<br>
    13:01:39.304|.\Authorization.cpp(1028)|Log2||evt::CheckIfAuthIsRequired::not_handled:[CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
    INVITE sip:9181234567@211.11.31.161:5060;transport=TCP SIP/2.0
    Via: SIP/2.0/UDP 166.137.122.184:46149;rport=48084;branch=z9hG4bKPjKLBaVlXWikFedyK9-8DQ-P-x1M3OQ-Ce
    Max-Forwards: 70
    Route: <sip:211.11.31.161:5060;lr>
    Contact: "3G-102"<sip:102@166.137.122.184:46149;ob>
    To: <sip:9181234567@211.11.31.161:5060>
    From: "3G-102"<sip:102@211.11.31.161:5060>;tag=.m6.lqEF44B1i40hivBz4KDqNUXxcEQx
    Call-ID: yg-QnXVmZi.u5.B7LcuO40k4yj72US8T
    CSeq: 3396 INVITE
    Session-Expires: 1800
    Min-SE: 90
    Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
    Supported: replaces, 100rel, timer, norefersub
    User-Agent: 3CXPhone for iPhone 1.1.5
    Content-Length: 0

    <br>
    13:01:39.518|.\CallLeg.cpp(143)|Log5||CallLeg::eek:nNewCall:[CM500002]: Info on incoming INVITE:
    INVITE sip:9181234567@211.11.31.161:5060;transport=TCP SIP/2.0
    Via: SIP/2.0/UDP 166.137.122.184:46149;rport=48084;branch=z9hG4bKPjer8QDDFXus27W2WUYnj4XKxBbef3qOLC
    Max-Forwards: 70
    Route: <sip:211.11.31.161:5060;lr>
    Contact: "3G-102"<sip:102@166.137.122.184:46149;ob>
    To: <sip:9181234567@211.11.31.161:5060>
    From: "3G-102"<sip:102@211.11.31.161:5060>;tag=.m6.lqEF44B1i40hivBz4KDqNUXxcEQx
    Call-ID: yg-QnXVmZi.u5.B7LcuO40k4yj72US8T
    CSeq: 3397 INVITE
    Session-Expires: 1800
    Min-SE: 90
    Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
    Proxy-Authorization: Digest username="102",realm="3CXPhoneSystem",nonce="414d535c0912ed9314:df2be3b4d9e674061852d4d1ddfe1e6b",uri="sip:9181234567@211.11.31.161:5060;transport=TCP",response="b5e82bde718eb3d869f1b40aea5bcce6",algorithm=MD5
    Supported: replaces, 100rel, timer, norefersub
    User-Agent: 3CXPhone for iPhone 1.1.5
    Content-Length: 0

    <br>
    13:01:39.520|.\CallCtrl.cpp(98)|Log2||CallCtrl::eek:nIncomingCall:[CM503013]: Call(75): Incoming call rejected, caller is unknown; msg=SipReq: INVITE 9181234567@211.11.31.161:5060 tid=Pjer8QDDFXus27W2WUYnj4XKxBbef3qOLC cseq=INVITE contact=102@166.137.122.184:46149 / 3397 from(wire)<br>
    13:01:39.520|.\CallCtrl.cpp(99)|Log2||CallCtrl::eek:nIncomingCall:[CM502001]: Source info: From: "3G-102"<sip:102@211.11.31.161:5060>;tag=.m6.lqEF44B1i40hivBz4KDqNUXxcEQx<sip:9181234567@211.11.31.161:5060><br>
     
  4. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    11,097
    Likes Received:
    328
    That is the problem.

    [See...

    http://www.3cx.com/blog/docs/source-identification-issues/
     
  5. RandyChev

    Joined:
    Nov 4, 2011
    Messages:
    15
    Likes Received:
    0
    Thanks again for your help. I REALLY do appreciate it.

    However, I had already read that article. It only dealt with VOIP providers and we don't use a VOIP provider. We use POTS lines with a Patton SmartNode 4114 2JS2JO to interface them with 3CX. As far as I understand this means the fix in the article doesn't apply to us since we don't have any "Lines > Manage" settings that I can find.

    I've tried to find an old log file with a call from the remote extension when it worked but can't seem to find one for comparison.

    The one thing I know is that the invites says "Authorization system can not identify source of: SipReq:…….. cseq=INVITE contact=102@166.137.122.184:5060 / 101 from(wire)". I then check the Phones registered and find the remote phone registered as ext 102 at address 166.137.122.184:5060 telling me the Authorization system should know the source of the request since it is registered.

    BTW, I tied reverting to a previous system state before the problems started but that didn't resolve the issue.

    I've been going through this troubleshooting process http://www.3cx.com/blog/voip-howto/troubleshooting-direct-remote-extension/ . All items have been tried and eliminated as problems except for the 3CXPhone program. We don't use the 3CX Tunneling Protocol and I haven't been able to get this program to even register with the system.
     
  6. ian.watts

    ian.watts Active Member

    Joined:
    Apr 8, 2011
    Messages:
    532
    Likes Received:
    1
    Settings:Advanced:Settings for Direct SIP Calls: Local SIP domain.

    Likely a mismatch between what is there and what your handset is trying to register with. I first got that when firing up an AWS instance for 3CX. If they don't match (regardless if the checkbox to allow calls to/from..), the INVITE is rejected from the handset.

    Indeed, receiving calls or leveraging MakeCall otherwise worked fine because the other end (the PBX, or MakeCall) were initiating the INVITE.

    At least.. that was my experience. After I blinked, I identified the issue. See what you get with that.
     
  7. RandyChev

    Joined:
    Nov 4, 2011
    Messages:
    15
    Likes Received:
    0
    They do match but I checked the box although I don't believe that setting is needed in my situation.

    BUT I may have found the problem. I have quite an extensive BlackList and often just block the whole network of the offending IP (173.0.0.0 with mask 255.0.0.0). Well that specific network was blacklisted recently and it contains the IP of the US stun server. I MAY have made it impossible to initiate calls because I was blocking incoming stun services. I deleted 173.0.0.0 from the blacklist last night without an immediate fix, even after a reboot of the PBX host. However this morning I can now initiate outgoing calls so I suspect that was the fix.

    I always thought the blacklist was to keep actual extensions from registering but it seems this list blocks any interaction what so ever with a blacklisted IP.

    Thanks to everyone for helping me with this issue. You helped me confirm settings that could have been the problem and kept me on the hunt for the solution.
     
  8. juicesprepaid

    Joined:
    Feb 23, 2014
    Messages:
    1
    Likes Received:
    0
    Make sure that you backup your 3cx phone sys, then uninstall and intall again. That should help.
     
  9. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    11,097
    Likes Received:
    328
    I fail to understand how applying a backup you just made, would have helped, in a case such as this.
    Applying an older backup, before the IP was blacklisted, perhaps.
     
  10. Anonymous

    Anonymous Guest

    I've been looking at this for the last month. In my case it is not the blacklist and I think it may be 3cx service pack related as it had been working in the past.

    For my Public IP for provisioning (found in MC > Settings > Phone Provisioning > General > External / Public IP Address), I had been using a FQDN like 3cx.phonesalberta.ca instead of the ip address. It seems this value is used for the SIP server in the phone provisioning templates and 3CX will not authenticate INVITE requests that use a FQDN instead of an IP address.

    As soon as I reverted my Public IP for provisioning back to an IP address, done a save on the extension phone provisioning page (to rewrite the provisioning file for the phone) and reprovisioned the phone, I was able to make outbound calls again.

    I would prefer to use FQDN instead of IP addresses. 3CX, is this something that can be added to a bug/feature list?
     
  11. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    11,097
    Likes Received:
    328
    This would point to the FQDN, that the remote sets are registering to, NOT being set as ,or matching with, the Domain Name in 3CX.

    Settings/Advanced/Settings for Direct SIP Calls
     
Thread Status:
Not open for further replies.