401 communication auth_error ai_generated true

SIP/2.0 401 Unauthorized on INVITE request after multiple authentication attempts

ID: communication/sip-401-unauthorized-credentials

Also available as: JSON · Markdown · 中文
82%Fix Rate
85%Confidence
1Evidence
2023-09-15First Seen

Version Compatibility

VersionStatusIntroducedDeprecatedNotes
RFC 3261 active
Asterisk 18.15.0 active
FreeSWITCH 1.10.9 active
Kamailio 5.6.0 active

Root Cause

SIP server rejects INVITE because the client's digest credentials (username/realm/nonce) are stale or misconfigured, often due to nonce expiration or incorrect password hash.

generic

中文

SIP 服务器拒绝 INVITE 请求,因为客户端的摘要凭据(用户名/域/随机数)已过期或配置错误,通常是由于随机数过期或密码哈希错误。

Official Documentation

https://wiki.asterisk.org/wiki/display/AST/SIP+Configuration

Workarounds

  1. 85% success Regenerate the SIP digest credentials: update the password in the SIP server (e.g., Asterisk sip.conf) and reconfigure the client with the new secret. Use 'sip reload' in Asterisk to apply changes without restart. 
    Regenerate the SIP digest credentials: update the password in the SIP server (e.g., Asterisk sip.conf) and reconfigure the client with the new secret. Use 'sip reload' in Asterisk to apply changes without restart.
  2. 80% success Force a new nonce by restarting the SIP server process: 'systemctl restart asterisk' or 'sudo freeswitch -stop && sudo freeswitch -start' to clear stale nonce caches. 
    Force a new nonce by restarting the SIP server process: 'systemctl restart asterisk' or 'sudo freeswitch -stop && sudo freeswitch -start' to clear stale nonce caches.
  3. 75% success Verify the realm matches between client and server: ensure the 'realm' parameter in the client's authentication header matches the server's configured realm (e.g., 'asterisk' or 'sip.example.com'). 
    Verify the realm matches between client and server: ensure the 'realm' parameter in the client's authentication header matches the server's configured realm (e.g., 'asterisk' or 'sip.example.com').

中文步骤

  1. Regenerate the SIP digest credentials: update the password in the SIP server (e.g., Asterisk sip.conf) and reconfigure the client with the new secret. Use 'sip reload' in Asterisk to apply changes without restart.
  2. Force a new nonce by restarting the SIP server process: 'systemctl restart asterisk' or 'sudo freeswitch -stop && sudo freeswitch -start' to clear stale nonce caches.
  3. Verify the realm matches between client and server: ensure the 'realm' parameter in the client's authentication header matches the server's configured realm (e.g., 'asterisk' or 'sip.example.com').

Dead Ends

Common approaches that don't work:

  1. 65% fail

    Resetting the SIP client's registration timer may cause repeated re-registrations without fixing the underlying credential mismatch, leading to infinite loops.

  2. 90% fail

    Disabling authentication entirely (e.g., setting 'auth=no' in Asterisk) is a security risk and not supported in production environments where authentication is mandatory.

  3. 70% fail

    Updating the SIP server version without verifying credential compatibility may introduce new digest algorithms (e.g., SHA-256 vs MD5) that the client doesn't support.