SIP Response Code

SIP 403 Forbidden

6 min read  ·  Updated April 2026

SIP 403 Forbidden means the server understood your request and actively refuses it — not because of missing credentials, but because of a policy decision. It is a definitive rejection, not a challenge.


1. What SIP 403 Forbidden means

RFC 3261 defines 403 as: the server understood the request but is refusing to fulfill it. Unlike 401 (challenge requiring credentials) or 404 (not found), 403 is a policy rejection — the server knows who you are or where you are coming from and has decided not to serve the request.

403 is a final response — there is no challenge to respond to, no retry that will help. The issue must be fixed on the server side or in the client configuration.

2. SIP 403 vs 401 vs 407

| Code | Meaning | Next step |
|------|---------|-----------|
| 401 | No credentials provided or credentials failed | Client should retry with credentials |
| 407 | Proxy requires authentication | Client should retry with proxy credentials |
| 403 | Server refuses the request as a policy decision | No retry will help — fix the policy |

3. Common causes of SIP 403

Cause 01: IP not in allowlist
The server only accepts requests from authorized IP addresses and yours is not listed. Common with SIP trunk providers that use IP authentication instead of digest auth. Add your public IP to the provider portal or server allowlist.

Cause 02: IP blacklisted or rate limited
Your IP has been blocked by fail2ban, iptables, or the provider firewall due to too many failed authentication attempts or unusual traffic patterns. Check server fail2ban logs. Wait for the ban to expire or manually unban: fail2ban-client set asterisk unbanip YOUR_IP

Cause 03: Account suspended or zero balance
With SIP trunk providers, 403 often means your account is suspended, has zero credit, or has exceeded its call limit. Check your account status and balance in the provider portal before debugging technical issues.

Cause 04: Calling a restricted number or route
The called number is restricted on the trunk — international calling disabled, premium rate blocked, or geographic restrictions. Check your trunk calling permissions in the provider portal.

Cause 05: Wrong From/Contact domain
Some servers enforce that the From header domain matches the authenticated account domain. If your PBX sends From: sip:1001@192.168.1.100 (private IP) instead of From: sip:1001@yourdomain.com, the server may reject with 403.

Cause 06: Teams Direct Routing FQDN mismatch
Microsoft Teams returns 403 when the SBC FQDN in the INVITE From header does not match the SBC configured in Teams Admin Center. Check that your SBC sends its public FQDN, not IP address, in the Contact header.

4. How to fix SIP 403

IP allowlist issue: Log into your SIP provider portal and add your current public IP. Verify your IP hasn't changed — dynamic IPs change on router reboot. Consider using a static IP or configuring digest authentication instead of IP auth.

fail2ban ban:

    # Check if your IP is banned
    fail2ban-client status asterisk
    fail2ban-client status sshd

    # Unban your IP
    fail2ban-client set asterisk unbanip 203.0.113.1

    # Check iptables for manual blocks
    iptables -L INPUT -n | grep YOUR_IP

Account/balance issue: Check provider portal for account status, credit balance, and call limits. Top up credit or contact provider support.

Restricted routes: In provider portal, enable international calling, remove geographic restrictions, or whitelist specific number ranges.

5. Platform-specific 403 fixes

Asterisk — check peer permissions

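    # Check if a peer is permitted to call (run from the shell)
    asterisk -rx "sip show peer PEERNAME" | grep -i permit
    asterisk -rx "pjsip show endpoint ENDPOINTNAME" | grep -i acl

    ; Check ACL configuration
    ; In pjsip.conf (rules are evaluated in order and the last match wins,
    ; so the catch-all deny goes before the permit):
    [myacl]
    type=acl
    deny=0.0.0.0/0.0.0.0
    permit=192.168.0.0/255.255.0.0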

Kamailio — check permissions module

    # In kamailio.cfg - check address permissions
    if (!allow_source_address("1")) {
        xlog("L_WARN", "[$ci] 403 - source IP $si not permitted\n");
        sl_send_reply("403", "Forbidden");
        exit;
    }

6. Diagnosing SIP 403 from a trace

In a SIP trace, 403 appears as an immediate final response — no 100 Trying, no challenge. Look at:
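
An added example (not from the original guide) that checks a text trace for the signals discussed above: whether the 403 arrived with no prior 100 Trying or 401/407 challenge in the same Call-ID, whether the From host is a private IP (Cause 05), and which source address appears in the Via received parameter (the address to compare against the allowlist in Cause 01). The trace, addresses and function names are constructed for illustration; compact header forms and IPv6 literals are not handled.

```python
import ipaddress
import re
# Constructed trace: an INVITE answered directly with 403 (no 100 Trying, no 401/407).
SAMPLE_TRACE = """INVITE sip:+15550100@sip.provider.example SIP/2.0
Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK-constructed
From: <sip:1001@192.168.1.100>;tag=a1
Call-ID: constructed-call-1
CSeq: 1 INVITE

SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK-constructed;received=203.0.113.1
From: <sip:1001@192.168.1.100>;tag=a1
Call-ID: constructed-call-1
CSeq: 1 INVITE
"""

def parse_messages(trace):
    """Split on blank lines into (status_or_None, headers); the topmost repeated header wins."""
    messages = []
    for block in re.split(r"(?:\r?\n){2,}", trace.strip()):
        start, *rest = block.splitlines()
        m = re.match(r"SIP/2\.0 (\d{3})", start)  # requests do not match and get None
        headers = {k.strip().lower(): v.strip() for k, _, v in (x.partition(":") for x in reversed(rest))}
        messages.append((int(m.group(1)) if m else None, headers))
    return messages

def host_kind(host):  # returns "private-ip", "public-ip" or "domain"
    try:
        return "private-ip" if ipaddress.ip_address(host).is_private else "public-ip"
    except ValueError:
        return "domain"

def diagnose_403(trace):
    """One finding per 403: earlier responses in the same Call-ID, From host, Via received."""
    msgs, findings = parse_messages(trace), []
    for i, (code, h) in enumerate(msgs):
        if code == 403:
            prior = {c for c, ph in msgs[:i] if ph.get("call-id") == h.get("call-id")}
            host = re.search(r"sips?:(?:[^@>;]*@)?([^;>:\s]+)", h.get("from", ""))
            seen = re.search(r"received=([^;\s]+)", h.get("via", ""))
            findings.append({
                "challenged_first": bool(prior & {401, 407}),
                "trying_seen": 100 in prior,
                "from_host": host.group(1) if host else None,
                "from_kind": host_kind(host.group(1)) if host else None,
                "source_ip_seen_by_server": seen.group(1) if seen else None,
            })
    return findings
```

Calling diagnose_403(SAMPLE_TRACE) returns a single finding with from_kind set to "private-ip" and both challenged_first and trying_seen false, the pattern of an immediate policy rejection.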

Frequently asked questions

What does SIP 403 Forbidden mean?

SIP 403 Forbidden means the server understood your request but actively refuses to process it as a policy decision. Unlike 401 (authentication challenge) or 404 (not found), 403 is a definitive rejection. Common causes are IP not in allowlist, IP blacklisted by fail2ban, account suspended or zero balance, calling a restricted number, or From header domain mismatch.

How do I fix SIP 403 on a SIP trunk?

To fix SIP 403 on a SIP trunk: check your account balance and status in the provider portal, verify your public IP is in the allowlist, check if your IP was banned by fail2ban (fail2ban-client status asterisk), confirm international or restricted calling is enabled, and verify your From header contains your account domain, not a private IP.

What is the difference between SIP 401 and SIP 403?

SIP 401 is an authentication challenge — the server is asking you to prove your identity by resending with credentials. Retrying with correct credentials resolves it. SIP 403 is a policy rejection — the server knows who you are and refuses the request. Retrying will not help. You must fix the policy: add IP to allowlist, unban IP, top up account balance, or enable the restricted calling feature.
