SIP Accounts
Manage SIP authentication credentials for test endpoints, including adding accounts individually or in bulk, account pools, and rotation strategies.
SIP accounts store the username and password credentials that test endpoints use to register with a SIP server. Each account belongs to a single registrar and represents one set of SIP authentication credentials. Before running a test, you need enough SIP accounts to cover all the endpoints in your test configuration.
What Is a SIP Account?
When a SIP endpoint registers with a registrar, it must authenticate using a username and password (via SIP Digest authentication, as defined in RFC 3261). A SIP account in CallMeter stores these credentials and makes them available to endpoints during test execution.
Each SIP account consists of:
| Field | Description | Example |
|---|---|---|
| Username | The SIP authentication username (auth-user) | 1001, test-user-01, sip.alice |
| Password | The SIP authentication password | A strong password matching your PBX configuration |
| Realm | The authentication realm (optional, auto-detected if omitted) | sip.example.com |
Username vs. Extension
The SIP authentication username is not always the same as the extension or phone number. Some PBX systems use a separate auth-user field. Check your SIP server configuration to determine the correct username format.
Understanding the Realm Field
The realm is the authentication domain your SIP server presents in its 401/407 challenge (the WWW-Authenticate or Proxy-Authenticate header). It tells the client which set of credentials to use.
When to leave it blank (auto-detection): If your SIP server uses a single realm (the most common case), leave the realm field empty. CallMeter reads the realm from the server's authentication challenge and uses it automatically. This works correctly for most Asterisk, FreeSWITCH, and Kamailio deployments.
When to set it explicitly:
- Your SIP server uses a realm that differs from its hostname or IP address (e.g., the server is at
10.0.1.50but the realm issip.company.com) - You are testing through a SIP proxy that rewrites authentication headers
- Auto-detection produces registration failures because the realm changes between challenges (rare, but possible with load-balanced SIP proxies)
Domain vs. IP in realms: Some PBX systems set the realm to a domain name (e.g., asterisk.local), others use the server's IP address (e.g., 192.168.1.100). The realm must match exactly what your server sends in its challenge. If you are unsure, capture a SIP trace (tcpdump, sngrep, or ngrep) and inspect the realm= parameter in the 401/407 response.
Adding SIP Accounts
Adding Accounts Individually
- Open a registrar from the Registrars page in your project
- Navigate to the SIP Accounts tab
- Click Add Account
- Enter the Username and Password
- Optionally enter the Realm (leave blank for auto-detection)
- Click Save
Repeat for each account you need.
Bulk Import
For large-scale tests requiring hundreds or thousands of accounts, use the bulk import feature:
- Open the registrar's SIP Accounts tab
- Click Bulk Add
- Enter one account per line in the format:
username:password - Click Import
Example bulk input:
test-user-001:P@ssw0rd123
test-user-002:P@ssw0rd124
test-user-003:P@ssw0rd125
test-user-004:P@ssw0rd126
test-user-005:P@ssw0rd127The system validates each line before importing and reports errors for any malformed entries. Lines that fail validation are skipped while valid entries are imported.
Validation rules:
- Each line must contain exactly one colon separating username and password
- Usernames must not be empty or contain whitespace
- Passwords must not be empty
- Duplicate usernames within the same import batch are rejected
- Usernames that already exist on this registrar are skipped with a warning
Tips for preparing bulk imports:
- Generate your account list in a text editor or spreadsheet and paste it into the bulk add field
- If your PBX uses sequential extensions, a simple shell loop can generate the list:
for i in $(seq -w 001 500); do echo "cm-test-$i:$(openssl rand -base64 12)"; done - Review the import summary after submission -- it reports how many accounts were created, how many were skipped (duplicates), and how many failed validation
Duplicate usernames
Each username must be unique within a registrar. If you attempt to import a username that already exists, the import skips that entry and reports a warning. Usernames are case-sensitive.
How Many Accounts Do You Need?
The number of SIP accounts required depends on your test configuration. Every endpoint in a test needs its own unique SIP account for proper registration.
| Test Configuration | Accounts Needed | Calculation |
|---|---|---|
| 1 caller, 1 callee | 2 | Each side of the call needs credentials |
| 10 concurrent calls (intra-group) | 20 | 10 callers + 10 callees |
| 50 endpoints calling external URI | 50 | Only the callers need accounts |
| 100 endpoints across 2 groups | 100 | Each endpoint registers independently |
| 200 concurrent calls (cross-group) | 200 | 100 in Group A + 100 in Group B |
Key rules:
- Each endpoint requires exactly one SIP account
- Accounts are not shared between concurrent endpoints
- When endpoints call each other within a group or across groups, both caller and callee sides consume accounts
- When endpoints call an external URI (e.g., a phone number or SIP URI outside CallMeter), only the caller side needs an account
Account Assignment During Tests
When a test run starts, the platform assigns SIP accounts to endpoints in the following order:
- The test identifies which registrar each group uses
- Available (unassigned) SIP accounts for that registrar are retrieved
- Accounts are distributed to endpoints sequentially -- the first endpoint gets the first available account, and so on
- Each endpoint uses its assigned account for the entire duration of the test run
After the test run completes, all accounts are released and become available for the next run.
Insufficient accounts
If a group has more endpoints than the registrar has available SIP accounts, the test run fails at allocation time with an error indicating insufficient SIP credentials. Always ensure your registrar has at least as many accounts as the total endpoint count across all groups using it.
Account Rotation Strategy
For ongoing testing, consider how you manage your account pool:
Dedicated Account Pools
Create a dedicated set of SIP accounts on your PBX specifically for CallMeter testing. This avoids conflicts with production users and ensures accounts are always available for test runs.
Recommendations:
- Naming convention: Use a consistent prefix like
cm-test-001,cm-test-002for easy identification - Range allocation: Reserve a block of extensions (e.g., 8000-8999) for testing
- Password policy: Use strong, unique passwords for each account. Avoid reusing passwords across accounts
Account Pool Sizing
Plan your account pool based on your maximum test size:
| Testing Pattern | Recommended Pool Size |
|---|---|
| Small tests (up to 10 endpoints) | 20 accounts |
| Medium tests (up to 50 endpoints) | 100 accounts |
| Large load tests (up to 500 endpoints) | 1000 accounts |
| Enterprise stress tests (1000+ endpoints) | 2x your maximum endpoint count |
Having more accounts than your typical test size gives you headroom for running multiple tests or increasing endpoint count without re-provisioning.
Credential Security
How CallMeter Protects Your Credentials
SIP account passwords are handled with care at every stage:
- Passwords are stored encrypted at rest in the database
- Passwords are transmitted to workers only during test execution over encrypted channels
- Passwords are never displayed in the UI after creation -- only the username is visible
- Workers discard credentials from memory after the test run completes
- API responses never include password fields
Best Practices for SIP Account Security
Use dedicated test accounts. Never reuse production user credentials for testing. Create a separate pool of accounts on your PBX specifically for CallMeter. This way, if test credentials are ever compromised, your production users are unaffected.
Use strong, unique passwords. Each SIP account should have its own password. Avoid patterns like testuser001/password001. SIP digest authentication transmits a hash, not the plaintext password, but weak passwords are still vulnerable to offline brute-force attacks if an attacker captures your SIP traffic.
Rotate credentials periodically. For long-running test environments, rotate SIP account passwords on your PBX and in CallMeter at regular intervals. Delete the old accounts in CallMeter and re-import with new passwords.
Restrict account permissions on your PBX. Configure your test accounts with minimal dial plan access. They should only be able to call the destinations your tests target. Do not grant international dialing, toll numbers, or emergency service access to test accounts.
Use IP-based access control. If your PBX supports it, restrict test account registration to the IP addresses of your CallMeter workers (cloud worker IPs or your Docker worker IPs). This prevents the accounts from being used by unauthorized devices.
Password management
If you need to update a password, delete the existing account and create a new one with the updated credentials. There is no in-place password edit to prevent accidental credential exposure in the UI.
Managing Accounts
Viewing Accounts
The SIP Accounts tab on a registrar shows all configured accounts with their usernames. Passwords are never displayed.
Deleting Accounts
- Open the registrar's SIP Accounts tab
- Select the accounts to delete
- Click Delete
- Confirm the deletion
Deleting accounts does not affect completed test runs -- historical data is preserved. However, any future test runs using this registrar must have enough remaining accounts for their endpoint count.
Checking Account Usage
Before running a test, the platform shows a warning if the selected registrar does not have enough SIP accounts for the configured endpoint count. This check runs during test creation and before each test run.
Troubleshooting Account Issues
| Problem | Cause | Solution |
|---|---|---|
| Registration fails with 401/407 | Wrong username or password | Verify credentials match your PBX config exactly (case-sensitive) |
| Registration fails with 403 | Account disabled or IP not whitelisted | Enable the account on your PBX and whitelist worker IPs |
| Registration fails with 404 | Username does not exist on the registrar | Verify the account is provisioned on your PBX; check for typos |
| "Insufficient SIP accounts" error | More endpoints than accounts | Add more accounts or reduce endpoint count |
| Some endpoints fail while others succeed | Account already registered elsewhere | Ensure accounts are not in use by production phones or softphones |
| Realm mismatch | Auto-detected realm differs from PBX config | Explicitly set the realm field; capture a SIP trace to find the correct realm |
| Registration succeeds but calls fail | Dial plan restrictions on the account | Verify the account has permission to dial the target number or URI |
| Intermittent 401 during test | PBX rate-limiting authentication attempts | Increase your PBX's auth rate limit or stagger endpoint registration timing |
| Registration timeout (no 401/407 received) | Firewall blocking SIP, wrong port, or wrong transport | Check firewall rules, verify the registrar port, and confirm the transport protocol matches |
Debugging SIP Registration Failures
When accounts fail to register and the error is not immediately obvious:
- Check the test run details -- CallMeter displays per-endpoint SIP status codes and error messages in the test run results. Look at the SIP response code for the failing endpoints.
- Capture a SIP trace on your server -- Use
sngrep,ngrep, ortcpdumpon your SIP server to see the exact REGISTER exchange. Look for theWWW-Authenticaterealm, the response code, and any error headers. - Verify the auth username -- Some PBXes distinguish between the SIP URI username (the
Fromheader) and the authentication username (theAuthorizationheader). Make sure your CallMeter account uses the auth username, not the extension number, if they differ. - Check for NAT issues -- If your SIP server is behind NAT or your workers are behind NAT, registration may succeed but subsequent SIP messages may be misrouted. See Transport Protocols for NAT traversal guidance.
Next Steps
- Adding a Registrar -- Set up the registrar these accounts belong to
- Transport Protocols -- Choose the right protocol for your SIP server
- Creating a Test -- Use your registrar and accounts in a test