Extensions keep getting {407 Proxy Authentication REq. and Rejected by acl "domains". Falling back to Digest auth.}

[etsiot]

Hello,

Been struggling with this for days now, reading the forums but no scenario seems to work.

Have upgraded to 4.4.3, using only internal extensions in a local subnet - same as FusionPBX
Domains ACL default deny with allow for:
- Domain 192.168.0.xx allow (server)
- CIDR 192.168.0.yy (PSTN gateway)

Phones have registered OK, however in the Registrations screen it shows under Status: Registered(UDP)(unknown)

I have also created an acl list to allow with CIDR of the local network and have used this one in the internal SIP profile in local-network-acl param but no change.
Even when calling a local extension I get 407 Proxy Authentication Required.

Any hints would be appreciated.


Sample Log below:
6f366a3d-479f-4082-b8e8-fccb08870237 2019-01-06 13:22:40.164180 [DEBUG] sofia.c:7301 Remote SDP:
6f366a3d-479f-4082-b8e8-fccb08870237 2019-01-06 13:22:40.164180 [DEBUG] sofia.c:7291 Channel sofia/internal/101@192.168.0.xx:5060 entering state [received][100]
2019-01-06 13:22:40.144152 [DEBUG] sofia.c:10263 IP 192.168.0.201 Rejected by acl "domains". Falling back to Digest auth.
6f366a3d-479f-4082-b8e8-fccb08870237 2019-01-06 13:22:40.144152 [DEBUG] sofia.c:10092 sofia/internal/101@192.168.0.xx:5060 receiving invite from 192.168.0.201:11950 version: 1.8.4 -5-749a6e108b 64bit
2019-01-06 13:22:40.144152 [DEBUG] sofia.c:2522 Re-attaching to session 6f366a3d-479f-4082-b8e8-fccb08870237
2019-01-06 13:22:40.104342 [DEBUG] sofia.c:2413 detaching session 6f366a3d-479f-4082-b8e8-fccb08870237
6f366a3d-479f-4082-b8e8-fccb08870237 2019-01-06 13:22:40.104342 [DEBUG] switch_core_state_machine.c:603 (sofia/internal/101@192.168.0.xx:5060) State NEW

 

[goose2600]

I am new to Fusionpbx, but your problem could be related to ACL, which (I think) should be used just for providers, in order to let them to send inbound call without authentication.

 

[etsiot]

Yes, I am sure it is ACL related.
Started with a clean install & using the one-line install script, then adding local extensions this 407 proxy auth has consistently been there...

 

[DigitalDaz]

Basically, from a clean install, do not touch the acl, you should be able to call extension to extension. There will be an auth challenge to the extension doing the calling, that is perfectly normal.

 

[etsiot]

The only addition I had to do was to add the PSTN g/w:
- CIDR 192.168.0.yy (PSTN gateway)

But I am pretty sure I was getting 407 and reverting to digest auth even before that, when I had just added 2-3 devices and their extensions.
Is there a way to explicitly add an ACL for the local net/24?
Is the "unknown" directive normal in the Registrations screen?

 

[goose2600]

The only addition I had to do was to add the PSTN g/w:
- CIDR 192.168.0.yy (PSTN gateway)

Can you try deleting in ACL/domains any LAN IPs?
I have in ACL/domains only the providers IPs (I mean the public IP of the external providers), your PSTN gw should register to Fusionpbx like a normal extension.

Is the "unknown" directive normal in the Registrations screen?

Yes (I think), the mine looks like this:

Registered(UDP-NAT)(unknown)
exp(2019-01-07 16:35:52) expsecs(1638)