[Spce-user] 403 Forbidden to outbound calls

Marco Capetta mcapetta at sipwise.com
Thu Feb 6 02:40:33 EST 2020


Hello,

the INVITE is coming from port 11000, but you defined PBX Kazoo with 
port 5060.
This is probably why you receive the 403 Forbidden message.

Regards
Marco

On 2/5/20 9:27 PM, Guilherme Lacerda wrote:
> Hello Matthias,
>
> I've configured the inbound rule the same as in the handbook and linked it
> below. I tried inserting domain, inbound IPs, outbound IPs and again
> received 403.
>
> I think Sipwise neither rewrites nor processes the inbound rule.
>
> Any ideas?
>
> MariaDB [provisioning]> select * from provisioning.voip_peer_inbound_rules;
> +----+----------+----------+---------+-------------+---------------+----------+---------+
> | id | group_id | field    | pattern | reject_code | reject_reason | priority | enabled |
> +----+----------+----------+---------+-------------+---------------+----------+---------+
> |  8 |        1 | ruri_uri | .*      |        NULL | NULL          |       50 |       1 |
> +----+----------+----------+---------+-------------+---------------+----------+---------+
> 1 row in set (0.000 sec)
>
> -- 
> Guilherme Lacerda
> http://about.me/lacerdaguilherme
>
> On Wed, Feb 5, 2020 at 16:41, Matthias Hohl
> <matthias.hohl at telematica.at> wrote:
>
>     Hello.
>
>     It is very simple... see your logs:
>
>     „No matching inbound peer rule in any peering group, rejecting call“
>
>     You have peering groups without inbound rules, so no call will be
>     processed over your peering...
>
>     Just read the handbook on how to set up peerings right... you forget
>     about the peering rules.
>
>     Btw: your rewrite rules are also not set up right..., sipwise needs
>     e164 format internally, but you don't rewrite your +55....
>
>>     On 05.02.2020 at 19:12, Guilherme Lacerda
>>     <lacerdaguilherme at gmail.com> wrote:
>>
>>     
>>     Hi,
>>
>>     A customer PBX is registered with Sipwise as a regular
>>     subscriber in the SIP Trunking domain. When a customer dials a PSTN
>>     number, they receive the following response from Sipwise - Call
>>     Failed: 403 Forbidden. I'm not sure what I'm forgetting or how to
>>     troubleshoot this problem. The customer PBX is based on 2600hz Kazoo.
>>
>>     My setup:
>>     NGCP mr7.5.2 on AWS EC2 (NAT)
>>
>>     Callflow: Kazoo PBX => NGCP => GW/Termination(Thinq.com)
>>
>>     Kazoo PBX = 169.169.169.169
>>     Internal IP NGCP = 172.31.37.142
>>     External IP NGCP = 54.54.54.54
>>
>>
>>     MariaDB [provisioning]> select * from provisioning.voip_peer_groups;
>>     +----+------------+----------+-------------+---------------------+-------------------+-------------+
>>     | id | name       | priority | description | peering_contract_id | has_inbound_rules | time_set_id |
>>     +----+------------+----------+-------------+---------------------+-------------------+-------------+
>>     |  1 | Kazoo Peer |        1 |             |                   3 |                 0 |        NULL |
>>     +----+------------+----------+-------------+---------------------+-------------------+-------------+
>>     1 row in set (0.000 sec)
>>
>>     MariaDB [provisioning]> select * from provisioning.voip_peer_hosts;
>>     +----+----------+-------------+---------------+------------------------+------+-----------+--------+-----------+--------+---------+-------+
>>     | id | group_id | name        | ip            | host                   | port | transport | weight | via_route | via_lb | enabled | probe |
>>     +----+----------+-------------+---------------+------------------------+------+-----------+--------+-----------+--------+---------+-------+
>>     |  1 |        1 | Thinq_Kazoo | 72.15.219.140 | NULL                   | 5060 |         1 |      1 | NULL      |      0 |       1 |     0 |
>>     |  2 |        1 | PBX Kazoo   | 169.169.169.169 | sip3.phonetrack.com.br | 5060 |         1 |      1 | NULL      |      0 |       1 |     0 |
>>     +----+----------+-------------+---------------+------------------------+------+-----------+--------+-----------+--------+---------+-------+
>>     2 rows in set (0.000 sec)
>>
>>     MariaDB [provisioning]> select * from provisioning.voip_peer_inbound_rules;
>>     +----+----------+----------+---------+-------------+---------------+----------+---------+
>>     | id | group_id | field    | pattern | reject_code | reject_reason | priority | enabled |
>>     +----+----------+----------+---------+-------------+---------------+----------+---------+
>>     |  8 |        1 | ruri_uri | .*      |        NULL | NULL          |       50 |       1 |
>>     +----+----------+----------+---------+-------------+---------------+----------+---------+
>>     1 row in set (0.000 sec)
>>
>>
>>
>>     SNGREP output
>>
>>               169.169.169.169:11000          172.31.37.142:5060              127.0.0.1:5060                127.0.0.1:5062
>>               ──────────┬─────────          ──────────┬─────────          ──────────┬─────────          ──────────┬─────────
>>       17:53:50.061111   │        INVITE (SDP)         │                             │                             │
>>             +0.000458   │ ──────────────────────────> │                             │                             │
>>       17:53:50.061569   │         100 Trying          │                             │                             │
>>             +0.000064   │ <────────────────────────── │                             │                             │
>>       17:53:50.061633   │                             │                             │        INVITE (SDP)         │
>>             +0.000299   │                             │                             │ ──────────────────────────> │
>>       17:53:50.061932   │                             │                             │         100 Trying          │
>>             +0.002908   │                             │                             │ <────────────────────────── │
>>       17:53:50.064840   │                             │                             │        403 Forbidden        │
>>             +0.000080   │                             │                             │ <────────────────────────── │
>>       17:53:50.064920   │                             │                             │             ACK             │
>>             +0.000122   │                             │                             │ ──────────────────────────> │
>>       17:53:50.065042   │        403 Forbidden        │                             │                             │
>>             +0.005994   │ <────────────────────────── │                             │                             │
>>       17:53:50.071036   │             ACK             │                             │                             │
>>                         │ ──────────────────────────> │                             │                             │
>>
>>     SIP/2.0 403 Forbidden
>>     Via: SIP/2.0/UDP 127.0.0.1;branch=z9hG4bK89d3.f6eb3ac078dc260c2d661673e4f6c55f.0
>>     Via: SIP/2.0/UDP 169.169.169.169:11000;received=169.169.169.169;rport=11000;branch=z9hG4bK63Bj583UBcg
>>     From: "PhoneTrack SBC3" <sip:6685@169.169.169.169>;tag=ZXvHUr7N0Fv0B
>>     To: <sip:+5541998970007@54.54.54.54>;tag=95c37a12bff1a2c36d72bf8333176544.7855
>>     Call-ID: 7a263420-4840-11ea-a287-d574145c6a81
>>     CSeq: 15908825 INVITE
>>     P-Out-Socket: udp:172.31.37.142:5060
>>     P-NGCP-Auth-IP: 169.169.169.169
>>     P-NGCP-Auth-UA: 2600hz
>>     P-NGCP-Caller-Info: <sip:<null>@<null>>;ip=169.169.169.169;port=11000
>>     Server: Sipwise NGCP Proxy 7.X
>>     Content-Length: 0
>>
>>
>>
>>     LOGS Proxy
>>
>>     Feb  5 17:47:41 ip-172-31-37-142 proxy[10792]: NOTICE: <script>: New request on proxy - M=INVITE R=«sip:+5541998970007@54.54.54.54» F=«sip:6685@169.169.169.169» T=«sip:+5541998970007@54.54.54.54» IP=«169.169.169.169»:«11000» («127.0.0.1»:«5060») ID=«9e51f47a-483f-11ea-a241-d574145c6a81» UA='2600hz' DESTIP=«127.0.0.1»:«5062»
>>     Feb  5 17:47:41 ip-172-31-37-142 proxy[10792]: NOTICE: <script>: Sending reply S=100 Trying fs='«127.0.0.1»:«5062»' du='«127.0.0.1»:«5060»' - R=«sip:+5541998970007@54.54.54.54» ID=«9e51f47a-483f-11ea-a241-d574145c6a81» UA='2600hz'
>>     Feb  5 17:47:41 ip-172-31-37-142 proxy[10792]: INFO: <script>: Load domain preferences for callee - R=«sip:+5541998970007@54.54.54.54» ID=«9e51f47a-483f-11ea-a241-d574145c6a81» UA='2600hz'
>>     Feb  5 17:47:41 ip-172-31-37-142 proxy[10792]: INFO: <script>: Clean domain preferences for callee - R=«sip:+5541998970007@54.54.54.54» ID=«9e51f47a-483f-11ea-a241-d574145c6a81» UA='2600hz'
>>     Feb  5 17:47:41 ip-172-31-37-142 proxy[10792]: INFO: <script>: +++++++++++++++ find caller - R=«sip:+5541998970007@54.54.54.54» ID=«9e51f47a-483f-11ea-a241-d574145c6a81» UA='2600hz'
>>     Feb  5 17:47:41 ip-172-31-37-142 proxy[10792]: NOTICE: <script>: Call from PSTN - R=«sip:+5541998970007@54.54.54.54» ID=«9e51f47a-483f-11ea-a241-d574145c6a81» UA='2600hz'
>>     Feb  5 17:47:41 ip-172-31-37-142 proxy[10792]: NOTICE: <script>: No matching inbound peer rule in any peering group, rejecting call - R=«sip:+5541998970007@54.54.54.54» ID=«9e51f47a-483f-11ea-a241-d574145c6a81» UA='2600hz'
>>     Feb  5 17:47:41 ip-172-31-37-142 proxy[10792]: INFO: <script>: Adding reply P-NGCP-Caller-Info '<sip:«<null>»@«<null>»>;ip=«169.169.169.169»;port=«11000»«»«»' - ID=«9e51f47a-483f-11ea-a241-d574145c6a81» UA='2600hz'
>>     Feb  5 17:47:41 ip-172-31-37-142 proxy[10792]: NOTICE: <script>: Sending reply S=403 Forbidden fs='«127.0.0.1»:«5062»' du='«127.0.0.1»:«5060»' - R=«sip:+5541998970007@54.54.54.54» ID=«9e51f47a-483f-11ea-a241-d574145c6a81» UA='2600hz'
>>     Feb  5 17:47:41 ip-172-31-37-142 proxy[10792]: INFO: <script>: Runtime for request INVITE was 2415 usec - ID=«9e51f47a-483f-11ea-a241-d574145c6a81»
>>     Feb  5 17:47:41 ip-172-31-37-142 proxy[10778]: NOTICE: <script>: New request on proxy - M=ACK R=«sip:+5541998970007@54.54.54.54» F=«<null>» T=«<null>» IP=«<null>»:«<null>» («127.0.0.1»:«5060») ID=«9e51f47a-483f-11ea-a241-d574145c6a81» UA='<null>' DESTIP=«127.0.0.1»:«5062»
>>     --
>>     -- 
>>     Guilherme Lacerda
>>     http://
>>
>

-- 
Marco Capetta
VoIP Developer

Sipwise GmbH, Campus 21/Europaring F15
AT-2345 Brunn am Gebirge

Phone: +43(0)1 301 2044
Email: mcapetta at sipwise.com
Website: www.sipwise.com

Particulars according Austrian Companies Code paragraph 14
"Sipwise GmbH" - Europaring F15 - 2345 Brunn am Gebirge
FN:305595f, Commercial Court Vienna, ATU64002206
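
An added example, not part of the original thread and not Sipwise code: a small check that compares the source socket in "New request on proxy" log entries with the configured peer hosts. It assumes, following the reply above, that a peer host is matched on the IP and port pair; the function names are hypothetical and the log entries are shortened copies of the ones quoted in the thread.

```python
import re

# Peer hosts copied from the voip_peer_hosts output quoted in the thread.
PEER_HOSTS = [
    {"name": "Thinq_Kazoo", "ip": "72.15.219.140", "port": 5060},
    {"name": "PBX Kazoo", "ip": "169.169.169.169", "port": 5060},
]

# Log entries from the thread, shortened to the fields this check reads.
SAMPLE_LOG = [
    "proxy[10792]: NOTICE: <script>: New request on proxy - M=INVITE IP=«169.169.169.169»:«11000» "
    "(«127.0.0.1»:«5060») UA='2600hz' DESTIP=«127.0.0.1»:«5062»",
    "proxy[10778]: NOTICE: <script>: New request on proxy - M=ACK IP=«<null>»:«<null>» "
    "(«127.0.0.1»:«5060») UA='<null>' DESTIP=«127.0.0.1»:«5062»",
]

# \bIP= skips DESTIP=, which carries the proxy's own socket, not the sender's.
REQUEST_RE = re.compile(
    r"New request on proxy - M=(?P<method>\w+) .*?\bIP=«(?P<ip>[^»]*)»:«(?P<port>[^»]*)»"
)

def parse_source(line):
    """Return (method, ip, port) of the sender, or None if absent or <null>."""
    m = REQUEST_RE.search(line)
    if not m or not m.group("port").isdigit():
        return None
    return m.group("method"), m.group("ip"), int(m.group("port"))

def classify(ip, port, peers=PEER_HOSTS):
    """Assumed rule: a peer host matches only when both ip and port are equal."""
    same_ip = [p for p in peers if p["ip"] == ip]
    if any(p["port"] == port for p in same_ip):
        return "match"
    return "port-mismatch" if same_ip else "unknown-source"

def audit(lines, peers=PEER_HOSTS):
    """List every request whose source socket is not a configured peer host."""
    findings = []
    for line in lines:
        src = parse_source(line)
        if src is None:
            continue
        method, ip, port = src
        status = classify(ip, port, peers)
        if status != "match":
            ports = sorted(p["port"] for p in peers if p["ip"] == ip)
            findings.append((method, ip, port, status, ports))
    return findings
```

A "port-mismatch" finding means the sender's IP is a known peer but the observed source port differs from the configured one, which is the situation described in the reply.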
