403 Forbidden cannot identify reason

Status
Not open for further replies.

Jiz

Hi,
My SIP trunk is rejecting calls with 403 Forbidden on FusionPBX. The same trunk works fine with 3CX, and looking at the logs I cannot identify the reason. Can someone help?
Below are the INVITE and the 403 Forbidden from the carrier.

Code:
INVITE sip:9847012345@kl.voip.ims.abcd.com SIP/2.0
Via: SIP/2.0/UDP 123.123.171.205:5080;rport;branch=z9hG4bK9mpg9ja6HKtHe
Max-Forwards: 69
From: "+919988778856" <sip:+919988778856@kl.voip.ims.abcd.com>;tag=ej4X809ce5a1H
To: <sip:9847012345@kl.voip.ims.abcd.com>
Call-ID: 191f2ec6-ac7e-123b-c794-e45f019350f2
CSeq: 56898872 INVITE
Contact: <sip:+919988778856@123.123.171.205:5080;transport=udp;gw=8bda3148-cfd4-4406-a508-ad89d9804411>
User-Agent: FreeSWITCH
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, PRACK, NOTIFY
Supported: 100rel, path, replaces
Allow-Events: talk, hold, conference, refer
Content-Type: application/sdp
Content-Disposition: session
Content-Length: 277
X-FS-Support: update_display,send_info
Remote-Party-ID: "+919988778856" <sip:+919988778856@kl.voip.ims.abcd.com>;party=calling;screen=yes;privacy=off

v=0
o=FreeSWITCH 1662882629 1662882630 IN IP4 123.123.171.205
s=FreeSWITCH
c=IN IP4 123.123.171.205
t=0 0
m=audio 22688 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=silenceSupp:off - - - -
a=ptime:20

Code:
2022/09/11 15:08:48.942756 222.222.233.198:80 -> 192.168.1.253:5080
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 123.123.171.205:5080;branch=z9hG4bK9mpg9ja6HKtHe;rport
Call-ID: 191f2ec6-ac7e-123b-c794-e45f019350f2
From: "+919988778856"<sip:+919988778856@kl.voip.ims.abcd.com>;tag=ej4X809ce5a1H
To: <sip:9847012345@kl.voip.ims.abcd.com>;tag=sbc0508m4nnu1v2
CSeq: 56898872 INVITE
Content-Length: 0

The working 3CX INVITE is below for comparison.

Code:
    INVITE sip:9847012345@kl.voip.ims.abcd.com SIP/2.0
    Via: SIP/2.0/UDP 10.20.30.60:5060;branch=z9hG4bK-524287-1---cd719c6e86fbe479;rport
    Max-Forwards: 70
    Contact: <sip:+919988778856@123.123.41.182:5060>
    To: <sip:9847012345@kl.voip.ims.abcd.com>
    From: "+919988778856"<sip:+919988778856@kl.voip.ims.abcd.com>;tag=d1c89e14
    Call-ID: Q9I9e5eyWis16sLUeS4oKA..
    CSeq: 1 INVITE
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE, UPDATE
    Content-Type: application/sdp
    Supported: replaces, timer
    User-Agent: 3CXPhoneSystem 18.0.2.314 (314)
    Remote-Party-ID: "+919988778856"<sip:+919988778856@kl.voip.ims.abcd.com>;party=calling
    Content-Length: 291
     
    v=0
    o=3cxPS 6957130682728448 21147106467119105 IN IP4 123.123.41.182
    s=3cxPS Audio call
    c=IN IP4 123.123.41.182
    t=0 0
    m=audio 9110 RTP/AVP 0 8 18 101
    a=rtpmap:0 PCMU/8000
    a=rtpmap:8 PCMA/8000
    a=rtpmap:18 G729/8000
    a=fmtp:18 annexb=no
    a=rtpmap:101 telephone-event/8000
    a=sendrecv

Thanks
 

hfoster

Have you added your carrier's IP addresses into the Access Controls? There should be an access list called 'domains' or 'providers'. This allows them to send INVITEs unauthenticated from those IP addresses.


Edit: I've just realised this is you sending an INVITE to them.... I'm just going to diff them now

Edit 2: I can't see an issue between those two invites, normally there's a problem with the format of the FROM or perhaps the contact, but these seem fine. Maybe the carrier themselves can indicate what's wrong?
 
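The comparison of the two INVITEs discussed above, done field by field, as an added example that is not part of any post in this thread. The two messages are trimmed copies of the ones posted above (with a blank line before the SDP), and the choice of which fields to compare is an assumption of this example, not something the carrier confirmed.

```python
import re

# Trimmed copies of the two INVITEs posted in this thread: only the headers and
# SDP lines being compared, with a blank line separating headers from SDP.
FUSIONPBX = """\
INVITE sip:9847012345@kl.voip.ims.abcd.com SIP/2.0
Via: SIP/2.0/UDP 123.123.171.205:5080;rport;branch=z9hG4bK9mpg9ja6HKtHe
Contact: <sip:+919988778856@123.123.171.205:5080;transport=udp;gw=8bda3148-cfd4-4406-a508-ad89d9804411>
Supported: 100rel, path, replaces
Remote-Party-ID: "+919988778856" <sip:+919988778856@kl.voip.ims.abcd.com>;party=calling;screen=yes;privacy=off

c=IN IP4 123.123.171.205
m=audio 22688 RTP/AVP 0 8 101
"""
THREECX = """\
INVITE sip:9847012345@kl.voip.ims.abcd.com SIP/2.0
Via: SIP/2.0/UDP 10.20.30.60:5060;branch=z9hG4bK-524287-1---cd719c6e86fbe479;rport
Contact: <sip:+919988778856@123.123.41.182:5060>
Supported: replaces, timer
Remote-Party-ID: "+919988778856"<sip:+919988778856@kl.voip.ims.abcd.com>;party=calling

c=IN IP4 123.123.41.182
m=audio 9110 RTP/AVP 0 8 18 101
"""

def fields(msg):
    """Reduce one INVITE to the addressing, option and codec values being compared."""
    head, _, sdp = msg.partition("\n\n")
    hdr = {n.strip().lower(): v.strip()
           for n, _, v in (l.partition(":") for l in head.splitlines()[1:])}
    contact = re.search(r"<sip:[^@>]+@([^;>]+)((?:;[^>]*)?)>", hdr["contact"])
    return {
        "via_sent_by": hdr["via"].split()[1].split(";")[0],
        "contact_hostport": contact.group(1),
        "contact_uri_params": sorted(p.split("=")[0] for p in contact.group(2).split(";") if p),
        "supported": sorted(t.strip() for t in hdr["supported"].split(",")),
        "rpid_params": sorted(hdr["remote-party-id"].rsplit(">", 1)[1].strip(";").split(";")),
        "sdp_conn_addr": re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1),
        "sdp_payloads": re.search(r"^m=audio \d+ RTP/AVP (.+)$", sdp, re.M).group(1).split(),
    }

def diff_invites(a, b):
    # Keep only the fields whose values differ between the two messages.
    fa, fb = fields(a), fields(b)
    return {k: (fa[k], fb[k]) for k in fa if fa[k] != fb[k]}

if __name__ == "__main__":
    for key, (fs, cx) in diff_invites(FUSIONPBX, THREECX).items():
        print(f"{key:20} FusionPBX={fs!r}  3CX={cx!r}")
```

The output lists candidates only; the 403 itself carries no reason. Among them, the Contact and SDP connection address is 123.123.171.205 in the FusionPBX INVITE and 123.123.41.182 in the 3CX one, which is worth checking against the address the carrier has allowlisted.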

Jiz

> Have you added your carrier's IP addresses into the Access Controls? There should be an access list called 'domains' or 'providers'. This allows them to send INVITEs unauthenticated from those IP addresses.
>
> Edit: I've just realised this is you sending an INVITE to them.... I'm just going to diff them now
>
> Edit 2: I can't see an issue between those two invites, normally there's a problem with the format of the FROM or perhaps the contact, but these seem fine. Maybe the carrier themselves can indicate what's wrong?

Thank you.

The carrier can't help.
I can't figure out the difference either. As soon as this trunk is configured on 3CX, outbound works. Maybe the extra fields on the Contact header? Or anything in the SDP? How do I modify the Contact header?

This is what the Wireshark diagram looks like for a working 3CX call:

[Attached image: 1662991941505.png]
 

Adrian Fretwell

Assume carrier is using (your) IP address for authentication. Is 3CX sending from the same public IP as freeswitch?
 

hfoster

> The carrier can't help.

Not sure what else to suggest really. It used to be one of my jobs telling people how to adjust their headers, if they can't tell you why the call is failing then nobody can for definite, the true reason is just hidden behind a 403 error.
 

Jiz

> Assume carrier is using (your) IP address for authentication. Is 3CX sending from the same public IP as freeswitch?

Yes, the same public IP and even the same Raspberry Pi box. (I have managed to install both 3CX and FusionPBX on the same box. The issue was there before the 3CX installation.)
 

Jiz

> Not sure what else to suggest really. It used to be one of my jobs telling people how to adjust their headers, if they can't tell you why the call is failing then nobody can for definite, the true reason is just hidden behind a 403 error.

Thank you.

I just assume it could be the Contact header, which is not the way the carrier required. The purpose of this FusionPBX is to bridge the carrier to a remote 3CX, because the trunk cannot be configured on the remote 3CX due to IP restrictions. I have achieved the goal by connecting to the carrier from the remote 3CX itself through a VPN tunnel, sourcing the traffic from the allowed public IP, and it works well now.
 

henryd99

> Have you added your carrier's IP addresses into the Access Controls? There should be an access list called 'domains' or 'providers'. This allows them to send INVITEs unauthenticated from those IP addresses.
>
> Edit: I've just realised this is you sending an INVITE to them.... I'm just going to diff them now
>
> Edit 2: I can't see an issue between those two invites, normally there's a problem with the format of the FROM or perhaps the contact, but these seem fine. Maybe the carrier themselves can indicate what's wrong?

Adding the IP to access control worked, thanks!
 