403 communication auth_error ai_generated partial

SIP/2.0 403 Forbidden on REGISTER request

ID: communication/sip-403-forbidden-registration

Fix Rate: 75%
Confidence: 85%
Evidence: 1
First Seen: 2024-03-15

Version Compatibility

Version          Status  Introduced  Deprecated  Notes
RFC 3261         active
Kamailio 5.6     active
Asterisk 20      active
FreeSWITCH 1.10  active

Root Cause

The SIP server rejects the registration because of mismatched credentials, a stale nonce, or IP-based access control.

Official Documentation

https://datatracker.ietf.org/doc/html/rfc3261#section-21.4.4

Workarounds

  1. (70% success) Regenerate the SIP digest credentials: delete the stored nonce and password hash on the client, then force a fresh REGISTER with the correct username and password. On Linphone, remove the account and re-add it. On a custom client, clear the cached credentials and call sip_register() again.
  2. (80% success) Verify the SIP server's IP access control list (ACL). On Kamailio, check 'allow_trusted' and 'allow_source_address' settings. Add the client's public IP to the trusted list if needed.
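
Added example (not part of the original entry, and not code from any of the listed servers): a small checker that takes the server's latest digest challenge and the Authorization value a client sent, and reports whether the REGISTER fails because of a cached nonce, a realm mismatch, or a wrong password. It covers MD5 digest as defined in RFC 2617; the names diagnose and make_authorization, the host pbx.example.test, the user alice, and the passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(header_value):
    """Parse 'Digest k="v", k2=v2' into a dict (quoted and unquoted values)."""
    body = header_value.split(None, 1)[1]
    return {k: q or u for k, q, u in
            re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body)}

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # the cached "password hash"
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def diagnose(challenge, authorization, password, method="REGISTER"):
    """Classify a client's Authorization against the server's latest challenge.
    Returns 'stale-nonce', 'realm-mismatch', 'bad-credentials' or 'ok'."""
    ch, au = parse_digest(challenge), parse_digest(authorization)
    if au.get("nonce") != ch.get("nonce"):
        return "stale-nonce"       # client reused a nonce from an older challenge
    if au.get("realm") != ch.get("realm"):
        return "realm-mismatch"    # a cached HA1 for another realm can never match
    expected = digest_response(au["username"], ch["realm"], password, method,
                               au["uri"], ch["nonce"], au.get("qop"),
                               au.get("nc"), au.get("cnonce"))
    ok = hmac.compare_digest(expected, au.get("response", ""))
    return "ok" if ok else "bad-credentials"

# Constructed sample data: the server's current challenge, plus a helper that
# builds the Authorization value a client would send for user "alice".
CHALLENGE = 'Digest realm="pbx.example.test", nonce="b7c9-current", algorithm=MD5'

def make_authorization(password, nonce, realm="pbx.example.test"):
    uri = "sip:pbx.example.test"
    resp = digest_response("alice", realm, password, "REGISTER", uri, nonce)
    return (f'Digest username="alice", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')

if __name__ == "__main__":
    cases = [("fresh", make_authorization("s3cret", "b7c9-current")),
             ("cached nonce", make_authorization("s3cret", "a1f0-old")),
             ("wrong password", make_authorization("typo", "b7c9-current"))]
    for label, auth in cases:
        print(label, "->", diagnose(CHALLENGE, auth, "s3cret"))
```

A "stale-nonce" result with the right password is the case where re-entering the same credentials changes nothing until the client discards its cached challenge and answers the current one.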

Dead Ends

Common approaches that don't work:

  1. Re-enter the same SIP username and password in the client settings (60% fail)

    The credentials may be correct, but the nonce (challenge) is stale or the server requires a digest authentication re-challenge.

  2. Disable SIP ALG in the router to bypass firewall issues (80% fail)

    403 is not a network traversal error; it is an authentication/authorization failure at the application layer.

  3. Change the SIP transport from UDP to TCP (90% fail)

    The transport protocol does not affect authentication validity; the 403 is generated after the transport handshake succeeds.