Fix SIP Registration Failures (401/403/408)

Diagnose and resolve SIP trunk and endpoint registration failures in Asterisk with detailed debugging techniques

HomeAsterisk Solutions› SIP Registration Failures

Understanding SIP Registration

SIP registration is the process where an endpoint (phone, trunk, gateway) tells Asterisk “I'm here at this IP address, please send calls for me to this location.” When registration fails, inbound calls cannot reach the endpoint and outbound calls may be rejected by the provider.

Error CodeMeaningCommon Cause
401UnauthorizedWrong username or password; missing authentication credentials
403ForbiddenIP not allowed, account disabled, or ACL rejection
404Not FoundUsername/extension does not exist on the registrar
408Request TimeoutNetwork issue, DNS failure, firewall blocking, registrar unreachable
407Proxy Auth RequiredProxy requires authentication; credentials not provided
503Service UnavailableProvider/registrar is down or overloaded

Step-by-Step Debugging

Step 1: Check Current Registration Status

# For chan_sip:
asterisk -rx "sip show registry"
asterisk -rx "sip show peers"

# For PJSIP:
asterisk -rx "pjsip show registrations"
asterisk -rx "pjsip show endpoints"
asterisk -rx "pjsip show contacts"

Look for the State column. It should show Registered. If it shows Rejected, Request Sent, or Timeout, there is a problem.

Step 2: Enable SIP Debug Mode

# For chan_sip - enable full SIP message logging:
asterisk -rx "sip set debug on"

# For PJSIP:
asterisk -rx "pjsip set logger on"

# Watch the Asterisk console for REGISTER messages
# Look for the response code (401, 403, 408, etc.)

# When done debugging:
asterisk -rx "sip set debug off"
asterisk -rx "pjsip set logger off"

Step 3: Capture Network Traffic

# Capture SIP traffic on port 5060
tcpdump -i eth0 -n -s0 port 5060 -w /tmp/sip-capture.pcap

# View live SIP messages
tcpdump -i eth0 -n -A port 5060 | grep -E "SIP/2.0|REGISTER|Contact|Authorization"

# Analyze the pcap with Wireshark or sngrep
sngrep -I /tmp/sip-capture.pcap

Step 4: Verify DNS Resolution

# Check if the SIP provider hostname resolves
dig sip.provider.com
nslookup sip.provider.com

# Check for SRV records (some providers use these)
dig _sip._udp.provider.com SRV
dig _sip._tcp.provider.com SRV

# If DNS is unreliable, use IP address directly in config

Fixing 401 Unauthorized

The 401 error means authentication failed. This is usually a credentials mismatch.

chan_sip Configuration:

; Outbound trunk registration in sip.conf [general] section:
register => username:password@sip.provider.com/inbound_did

; Or with auth user different from registration user:
register => username:password:authuser@sip.provider.com/inbound_did

[my-trunk]
type=peer
host=sip.provider.com
username=your_username
secret=your_password
; If provider gives separate auth username:
; defaultuser=auth_username
fromuser=your_username
fromdomain=sip.provider.com
insecure=port,invite

PJSIP Configuration:

[my-trunk]
type=registration
transport=transport-udp
outbound_auth=my-trunk-auth
server_uri=sip:sip.provider.com
client_uri=sip:your_username@sip.provider.com
retry_interval=60
forbidden_retry_interval=300
expiration=3600

[my-trunk-auth]
type=auth
auth_type=userpass
username=your_username
password=your_password

[my-trunk-endpoint]
type=endpoint
transport=transport-udp
context=from-trunk
disallow=all
allow=ulaw,alaw
outbound_auth=my-trunk-auth
aors=my-trunk-aor
from_user=your_username
from_domain=sip.provider.com

[my-trunk-aor]
type=aor
contact=sip:sip.provider.com
qualify_frequency=60

[my-trunk-identify]
type=identify
endpoint=my-trunk-endpoint
match=sip.provider.com
Common Mistakes:
  • Spaces or special characters in the password (escape them or quote the password)
  • Using the wrong username field (some providers use account ID, not SIP username)
  • auth_type should be userpass not md5 unless provider specifies MD5
  • Swapping username and defaultuser in chan_sip

Fixing 403 Forbidden

A 403 error means the server understood the request but refuses to authorize it. Common causes:

  • IP whitelisting: Your server's IP is not authorized by the provider. Contact them to whitelist your IP.
  • Account suspended: Check with your SIP provider if the account is active.
  • ACL mismatch: If you have ACLs configured in Asterisk, verify they allow the provider's IP.
  • Exceed registration limit: Some providers limit the number of simultaneous registrations.
  • Geographic restriction: Some providers block registrations from certain countries/IPs.
# Check Asterisk ACL settings
asterisk -rx "acl show"

# In pjsip.conf, check for ACL restrictions:
[my-trunk-endpoint]
type=endpoint
; Remove or adjust ACL if too restrictive:
; acl=my-acl

# Verify your public IP matches what the provider expects
curl -4 ifconfig.me

Fixing 408 Request Timeout

A 408 timeout means the REGISTER request was sent but no response was received. This is a connectivity issue.

Checklist:

  1. DNS resolution: Can the server resolve the provider hostname? Use dig or nslookup.
  2. Network connectivity: Can you reach the provider on port 5060? Use nc -zvu provider.com 5060.
  3. Firewall: Is outbound UDP/TCP port 5060 allowed? Some restrictive firewalls block outbound SIP.
  4. SIP ALG: Is a router mangling the REGISTER packets? Disable SIP ALG on the router.
  5. Wrong port: Some providers use non-standard ports (5080, 5160, etc.). Verify with the provider.
  6. TCP vs UDP: If UDP is unreliable, try TCP transport instead.
# Test connectivity to provider
nc -zvu sip.provider.com 5060

# Send a SIP OPTIONS probe
sipvicious svmap sip.provider.com

# Or use sipsak (SIP Swiss Army Knife)
sipsak -vv -s sip:sip.provider.com

# Check if outbound SIP is being blocked
tcpdump -i eth0 -n port 5060

# Increase registration timeout in chan_sip:
[general]
registertimeout=40
registerattempts=0  ; 0 = keep trying forever

# In PJSIP:
[my-trunk]
type=registration
retry_interval=60
max_retries=0

TLS Registration Issues

If using TLS/SIPS for secure registration, additional issues can arise:

  • Certificate mismatch: The provider's certificate CN does not match the hostname
  • Expired certificates: Check both client and server certificate validity
  • Missing CA bundle: Asterisk needs the CA certificate to verify the provider
  • Wrong TLS port: TLS typically uses port 5061, not 5060
# Verify TLS connectivity
openssl s_client -connect sip.provider.com:5061

# PJSIP TLS transport:
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.pem
priv_key_file=/etc/asterisk/keys/asterisk.key
ca_list_file=/etc/ssl/certs/ca-certificates.crt
method=tlsv1_2

Quick Fix Checklist

  1. Double-check credentials — copy-paste from provider, watch for trailing spaces
  2. Verify DNS — use dig to confirm the provider hostname resolves
  3. Test connectivity — ensure UDP/TCP 5060 is reachable to/from the provider
  4. Enable SIP debug — read the actual SIP messages for the specific error
  5. Check firewall — both inbound AND outbound on port 5060
  6. Disable SIP ALG — on any router between Asterisk and the internet
  7. Try IP instead of hostname — if DNS is suspect, use the provider's IP directly
  8. Reload after changesasterisk -rx "sip reload" or asterisk -rx "pjsip reload"
← Back to All Asterisk Solutions|Asterisk Complete Guide →