Asterisk PJSIP: Registration Auth Failures (403/401) and How to Fix (Latest Versions)

SIP registration authentication failures are among the most common and frustrating problems in PJSIP-based Asterisk deployments.

Even when usernames and passwords appear correct, registration may still fail due to deeper issues involving:

• SIP digest authentication flow
• Provider realm or username mismatch
• NAT rewriting of contact headers
• Firewall or network packet loss
• Provider security restrictions or IP blocking

Understanding how SIP authentication truly works is essential for reliable outbound and inbound telecom connectivity.

How SIP Registration Authentication Works

SIP registration uses a challenge-response digest mechanism:

1. Asterisk sends initial REGISTER without credentials
2. Provider replies with 401 Unauthorized + nonce challenge
3. Asterisk hashes username, password, realm, and nonce
4. Asterisk resends REGISTER with Authorization header
5. Provider validates hash and returns 200 OK

Any mismatch in this chain causes registration failure.

Typical CLI Output of Failed Registration

pjsip show registrations

Possible states:

• Rejected → authentication failure
• No Response → firewall or NAT problem
• Forbidden → provider blocked account/IP

Most Common Authentication Failure Causes

1. Wrong Username vs Auth Username

Many providers use:

• SIP number as caller ID
• Different authentication username

Fix:

[provider-auth]
type=auth
auth_type=userpass
username=AUTH_USERNAME   ; not always same as DID
password=SECRET

2. Realm Mismatch

Some providers require matching authentication realm.

If realm differs, digest hash fails silently.

3. Provider Requires Outbound Proxy

Without correct proxy, REGISTER never reaches auth server.

outbound_proxy=sip:sip.provider.com\;lr

4. NAT Rewriting Contact Header

If provider sees private IP in REGISTER contact, authentication may succeed but inbound calls fail.

Enable Deep SIP Debugging

pjsip set logger on

Look for:

• Repeated 401 Unauthorized → credential or realm issue
• 403 Forbidden → account disabled or IP blocked
• No response after REGISTER → firewall/NAT problem

Packet-Level Verification Using tcpdump

sudo tcpdump -i any -s 0 -w registration_debug.pcap udp port 5060

Open in Wireshark and confirm:

• REGISTER leaves Asterisk
• 401 challenge returns from provider
• Second REGISTER includes Authorization header
• Final response is 200 OK

Missing any step reveals the real failure layer.

NAT Configuration Required for Stable Registration

[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0
local_net=192.168.0.0/16
external_media_address=PUBLIC_IP
external_signaling_address=PUBLIC_IP

Without correct NAT settings:

• Provider replies to private IP
• REGISTER appears unanswered
• Status shows No Response

Firewall Rules Needed for Registration

sudo ufw allow 5060/udp
sudo ufw allow 10000:20000/udp

SIP signaling and RTP media must both be reachable for full telecom operation.

Advanced Real-World Failure Scenarios

Infinite 401 Loop

• Wrong password
• Wrong auth username
• Incorrect realm handling

403 Forbidden After Correct Credentials

• Provider blocked public IP
• Account disabled or suspended

Registration OK but Inbound Calls Fail

• NAT contact mismatch
• Missing identify match IP

Production Debugging Workflow

1. Run pjsip show registrations
2. Enable SIP logger
3. Capture packets via tcpdump
4. Verify digest exchange in Wireshark
5. Confirm NAT and firewall configuration

This layered method isolates failures quickly in real systems.

MYLINEHUB Architecture Note

In MYLINEHUB telecom deployments:

• Stable SIP registration is mandatory before campaign dialing begins
• AMI-originated outbound calls depend on trunk registration health
• Voice AI flows via ARI still rely on working provider connectivity

Because of this, MYLINEHUB continuously monitors trunk state and prevents dialing when registration is unstable.

Key Takeaway

SIP registration failures are rarely just “wrong password” problems.

They usually involve deeper telecom layers:

• Digest authentication logic
• Provider security policy
• NAT and firewall routing
• Packet-level SIP exchange

Mastering these layers enables engineers to build stable, production-ready Asterisk telecom infrastructure.