# SIP/2.0 401 Unauthorized on INVITE request after multiple authentication attempts

- **ID:** `communication/sip-401-unauthorized-credentials`
- **Domain:** communication
- **Category:** auth_error
- **Error Code:** `401`
- **Verification:** ai_generated
- **Fix Rate:** 82%

## Root Cause

The SIP server rejects the INVITE because the client's digest credentials (username/realm/nonce) are stale or misconfigured, often because the nonce has expired or the password hash is incorrect.
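
The digest calculation behind this root cause, as an added example (not part of the original entry or of any server's code): it parses the challenge from a 401, flags a stale nonce, a realm mismatch or an unsupported algorithm, and computes the response value per RFC 2617. The function names, the sample challenge and the credentials are assumptions constructed for illustration.

```python
import hashlib
import re

HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

def parse_challenge(value):
    """Parse a Digest challenge (WWW-Authenticate header value) into a dict."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or token for key, quoted, token in pairs}

def digest_response(user, password, chal, method, uri, cnonce="", nc="00000001"):
    """Compute the response value the server expects for this challenge."""
    algo = chal.get("algorithm", "MD5").upper()
    if algo not in HASHES:
        raise ValueError(f"unsupported algorithm {algo}")
    h = lambda s: HASHES[algo](s.encode()).hexdigest()
    ha1 = h(f"{user}:{chal['realm']}:{password}")  # bound to the server's realm
    ha2 = h(f"{method}:{uri}")
    if "auth" in [q.strip() for q in chal.get("qop", "").split(",")]:
        return h(f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return h(f"{ha1}:{chal['nonce']}:{ha2}")  # server offered no qop

def diagnose(chal, client_realm, client_algorithms=("MD5",)):
    """Return codes explaining why a repeated 401 is likely."""
    findings = []
    if chal.get("stale", "false").lower() == "true":
        findings.append("stale-nonce")  # retry with the new nonce; password is fine
    if chal.get("realm") != client_realm:
        findings.append("realm-mismatch")  # HA1 was hashed over the wrong realm
    if chal.get("algorithm", "MD5").upper() not in client_algorithms:
        findings.append("unsupported-algorithm")
    return findings

# Constructed sample challenge, not captured from a real server.
SAMPLE = ('Digest realm="sip.example.com", nonce="constructed-nonce-0001", '
          'algorithm=SHA-256, stale=true')

if __name__ == "__main__":
    chal = parse_challenge(SAMPLE)
    print(diagnose(chal, client_realm="asterisk"))
    print(digest_response("alice", "constructed-secret", chal,
                          "INVITE", "sip:bob@sip.example.com"))
```

Comparing the computed value with the `response` parameter the client actually sent shows whether the secret, the realm or the nonce is the part that differs.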

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| RFC 3261 | active | — | — |
| Asterisk 18.15.0 | active | — | — |
| FreeSWITCH 1.10.9 | active | — | — |
| Kamailio 5.6.0 | active | — | — |

## Workarounds

1. **Regenerate the SIP digest credentials:** update the password in the SIP server (e.g., Asterisk `sip.conf`) and reconfigure the client with the new secret. Use `sip reload` in Asterisk to apply changes without restart. (85% success)
2. **Force a new nonce by restarting the SIP server process:** `systemctl restart asterisk` or `sudo freeswitch -stop && sudo freeswitch -start` to clear stale nonce caches. (80% success)
3. **Verify the realm matches between client and server:** ensure the `realm` parameter in the client's authentication header matches the server's configured realm (e.g., `asterisk` or `sip.example.com`). (75% success)

## Dead Ends

- Resetting the SIP client's registration timer may cause repeated re-registrations without fixing the underlying credential mismatch, leading to infinite loops. (65% fail)
- Disabling authentication entirely (e.g., setting `auth=no` in Asterisk) is a security risk and not supported in production environments where authentication is mandatory. (90% fail)
- Updating the SIP server version without verifying credential compatibility may introduce new digest algorithms (e.g., SHA-256 vs MD5) that the client doesn't support. (70% fail)
