# SIP/2.0 403 Forbidden on REGISTER request - **ID:** `communication/sip-403-forbidden-registration` - **Domain:** communication - **Category:** auth_error - **Error Code:** `403` - **Verification:** ai_generated - **Fix Rate:** 75% ## Root Cause SIP server rejects registration due to mismatched credentials, stale nonce, or IP-based access control. ## Version Compatibility | Version | Status | Introduced | Deprecated | |---------|--------|------------|------------| | RFC 3261 | active | — | — | | Kamailio 5.6 | active | — | — | | Asterisk 20 | active | — | — | | FreeSWITCH 1.10 | active | — | — | ## Workarounds 1. **Regenerate the SIP digest credentials: delete the stored nonce and password hash on the client, then force a fresh REGISTER with the correct username and password. On Linphone, remove the account and re-add it. On a custom client, clear the cached credentials and call sip_register() again.** (70% success) ``` Regenerate the SIP digest credentials: delete the stored nonce and password hash on the client, then force a fresh REGISTER with the correct username and password. On Linphone, remove the account and re-add it. On a custom client, clear the cached credentials and call sip_register() again. ``` 2. **Verify the SIP server's IP access control list (ACL). On Kamailio, check 'allow_trusted' and 'allow_source_address' settings. Add the client's public IP to the trusted list if needed.** (80% success) ``` Verify the SIP server's IP access control list (ACL). On Kamailio, check 'allow_trusted' and 'allow_source_address' settings. Add the client's public IP to the trusted list if needed. ``` ## Dead Ends - **Re-enter the same SIP username and password in the client settings** — Credentials may be correct but the nonce (challenge) is stale or the server requires digest authentication re-challenge (60% fail) - **Disable SIP ALG in the router to bypass firewall issues** — 403 is not a network traversal error; it's an authentication/authorization failure at the application layer (80% fail) - **Change the SIP transport from UDP to TCP** — Transport protocol does not affect authentication validity; the 403 is generated after the transport handshake succeeds (90% fail)