[Freeswitch-users] Issue (possibly with stale nonce) when redirecting INVITE to another FS

Dave Horton daveh at beachdognet.com
Tue Aug 25 22:49:45 MSD 2015


I have a setup where a session border controller is distributing calls across multiple FS servers.  Calls come from device -> SBC -> one of the FS servers, where they are challenged, and subsequently established.  The problem I have is that in some cases (when I determine a device already has an active call on a different FS server) I respond to the INVITE with a redirect request so that the SBC will redirect the INVITE to the server with the already-active call for that device.

The problem is that before the redirect is sent by FS #1 it first sends a 407 Proxy Authorization - that goes back to the device which responds with the appropriate credentials.  My FS app then sends a 302 back to the intermediary SBC, which generates a new INVITE to FS #2.  That INVITE contains the same Proxy-Authorization header that was used to authenticate on FS #1, but FS #2 rejects it thusly:

2015-08-25 11:02:43.059928 [DEBUG] sofia_reg.c:1335 Send challenge for [5125265790 at 10.124.48.104]
2015-08-25 11:02:43.059928 [WARNING] sofia_reg.c:1339 SIP auth challenge (INVITE) on sofia profile 'device' for [5125265790 at 10.124.48.104] from ip 10.124.48.171

The second 407 goes back to the phone — this time from FS #2 — and the phone gives up at this point, and the call dies.

I actually wanted to bypass authentication on FS #2 entirely, so I redirected the call to a different profile (one used only for these special purpose redirections), and in that profile I set auth-calls="false" and 'apply-inbound-acl' to include the address of the SBC.  It seems, though, that by virtue of the Proxy-Authorization header being included, FS #2 is still trying to authenticate.  And then authentication fails, I believe because the nonce is designed to be a one-time thing (I see the sip_authentication.last_nc column in the table of nonces seems designed to declare the nonce stale if used more than once).

This seems a relatively common use case (redirection via an intermediary SBC or proxy) so I figured there must be a solution here somewhere?  Thanks in advance for any and all advice. (Note: I am using an older version of FS: FreeSWITCH Version 1.0.head (git-4192195 2011-08-16 19-39-06 -0400))

Dave
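
The following is an added illustration, not part of the original post and not FreeSWITCH code: a simplified RFC 2617 digest verifier with a per-server nonce table, showing why credentials computed against one server's challenge are not accepted by a second server that never issued that nonce, and why reusing a nonce-count on the issuing server is treated as stale. The `DigestServer` class, realm, URI and password are constructed for the example.

```python
import hashlib
import secrets

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 request-digest for qop=auth
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestServer:
    """Hypothetical server model: nonces it issued live only in its own table."""
    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # user -> password (constructed sample data)
        self.nonces = {}            # nonce -> last nonce-count accepted

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, method, uri, creds):
        nonce = creds["nonce"]
        if nonce not in self.nonces:
            return "unknown-nonce"      # issued by another server: must re-challenge
        nc = int(creds["nc"], 16)
        if nc <= self.nonces[nonce]:
            return "stale"              # nonce-count already seen: treated as replay
        expected = digest_response(creds["username"], self.realm, self.users[creds["username"]],
                                   method, uri, nonce, creds["nc"], creds["cnonce"])
        if not secrets.compare_digest(expected, creds["response"]):
            return "bad-response"
        self.nonces[nonce] = nc
        return "ok"

def redirect_scenario():
    users = {"5125265790": "constructed-password"}
    fs1, fs2 = DigestServer("example.invalid", users), DigestServer("example.invalid", users)
    uri, nonce = "sip:1000@example.invalid", fs1.challenge()
    creds = {"username": "5125265790", "nonce": nonce, "nc": "00000001", "cnonce": "abc123"}
    creds["response"] = digest_response("5125265790", "example.invalid", users["5125265790"],
                                        "INVITE", uri, nonce, creds["nc"], creds["cnonce"])
    first = fs1.verify("INVITE", uri, creds)      # device answers FS #1's 407
    forwarded = fs2.verify("INVITE", uri, creds)  # SBC copies the header to FS #2
    replayed = fs1.verify("INVITE", uri, creds)   # same nonce-count sent to FS #1 again
    return first, forwarded, replayed
```

In this model the correct password is not enough on the second server: verification depends on nonce state that only the challenging server holds.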



