I’m managing several BYOC-P trunks across our APAC regions and we’ve hit a wall with a specific carrier. We are seeing intermittent 403 Forbidden responses on outbound calls. After a deep dive into the PCAP logs, I’ve noticed that these failures only occur when the P-Asserted-Identity (PAI) header is present but differs slightly from the From header (e.g., when we’re trying to send a specific CLI that isn’t the primary trunk number).
It seems the carrier is strictly validating the PAI against the authenticated trunk ID. Is there a way in the Genesys Cloud Trunk settings to either suppress the PAI header entirely for specific outbound routes or to force it to always match the From header? I’ve tried tweaking the ‘Calling Party’ settings but haven’t found the right combination to satisfy this carrier’s SIP profile.
This sounds like a classic SIP identity mismatch. In many APAC markets, carriers are tightening their anti-spoofing rules. Have you looked at the ‘Protocol’ tab in the Trunk configuration? There is a setting for ‘Asserted Identity’ where you can choose between PAI, RPID, or None. Setting it to ‘None’ should prevent the header from being sent, though some carriers might then reject the call for missing identity information.
I’ve dealt with this for our accessibility-focused hotlines where the CLI must be consistent. Another option is to use an ‘External Trunk’ transformation rule. You can create a rule that matches the INVITE and replaces the PAI value with the one from the From header. It’s a bit more complex to maintain, but it gives you surgical control over the headers without affecting your global trunk settings. Just make sure your Edge servers are on the latest firmware, as some older versions had issues with header regex transforms on outbound calls.
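The PCAP correlation described in the first post can be scripted. The following is an added example, not part of the thread and not Genesys Cloud code: it pairs each INVITE with its final response by Call-ID and reports whether the PAI user part matched the From user part. All sample messages, numbers and host names are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

def msg(start, call_id, frm=None, pai=None):
    # Build a minimal constructed SIP message (hypothetical helper for the sample).
    hdrs = [start, f"Call-ID: {call_id}", "CSeq: 1 INVITE"]
    hdrs += [f'From: "Agent" <sip:{frm}@trunk.example>;tag=x'] if frm else []
    hdrs += [f"P-Asserted-Identity: <sip:{pai}@trunk.example>"] if pai else []
    return "\r\n".join(hdrs) + "\r\n\r\n"

# Constructed sample traffic; numbers and hosts are placeholders.
INVITE = "INVITE sip:+6591230000@carrier.example SIP/2.0"
SAMPLE = [
    msg(INVITE, "a1", "+6560001111", "+6560001111"),  # PAI equals From
    msg("SIP/2.0 100 Trying", "a1"),
    msg("SIP/2.0 200 OK", "a1"),
    msg(INVITE, "b2", "+6560002222", "+6560001111"),  # PAI differs from From
    msg("SIP/2.0 403 Forbidden", "b2"),
    msg(INVITE, "c3", "+6560002222"),                 # no PAI header at all
    msg("SIP/2.0 200 OK", "c3"),
]

URI_USER = re.compile(r"(?:sips?|tel):([^@;>\s]+)", re.I)

def parse(raw):
    # Return (start line, {lowercased header name: value}) for one message.
    start, *rest = raw.split("\r\n\r\n")[0].split("\r\n")
    return start, {n.strip().lower(): v.strip()
                   for n, _, v in (line.partition(":") for line in rest)}

def user(value):
    # Extract the user part of the first sip:/sips:/tel: URI in a header value.
    m = URI_USER.search(value or "")
    return m.group(1) if m else None

def correlate(messages):
    """Map Call-ID -> (PAI state relative to From, final status of the INVITE)."""
    calls = defaultdict(dict)
    for raw in messages:
        start, h = parse(raw)
        call = calls[h.get("call-id")]
        if start.startswith("INVITE "):
            call["from"], call["pai"] = user(h.get("from")), user(h.get("p-asserted-identity"))
        elif start.startswith("SIP/2.0 ") and "INVITE" in h.get("cseq", ""):
            code = int(start.split()[1])
            if code >= 200:  # ignore provisional 1xx responses
                call["status"] = code
    return {cid: ("absent" if c.get("pai") is None else
                  "match" if c["pai"] == c.get("from") else "mismatch",
                  c.get("status")) for cid, c in calls.items()}
```

Running `correlate` over messages exported from a real capture gives a per-call table that shows whether the 403s line up only with the mismatch state before any trunk setting is changed.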