Connection lost

Hello;

I recently installed Jitsi Meet on my server (Debian 10) using the Self-Hosting Guide. Unfortunately, the connection between participants in the room is lost after a few seconds in these cases:

  • More than 3 participants in the room
  • Using 3g, 4g connection
  • With 2 participants one on PC other in phone (wifi connection)

For now only two combinations work:

  • When 2 participants using a PC
  • 2 participants using a phone with wifi connection

note: all required ports (443,4443,10000,80,5347) are open.

Logs:
jicofo.log.txt (86.5 KB)
jvb.log.txt (148.2 KB)
prosody.log.txt (6.1 KB)

jitsi versions:
ii jitsi-meet 2.0.5390-3 all WebRTC JavaScript video conferences
ii jitsi-meet-prosody 1.0.4628-1 all Prosody configuration for Jitsi Meet
ii jitsi-meet-turnserver 1.0.4628-1 all Configures coturn to be used with Jitsi Meet
ii jitsi-meet-web 1.0.4628-1 all WebRTC JavaScript video conferences
ii jitsi-meet-web-config 1.0.4628-1 all Configuration for web serving of Jitsi Meet
ii jitsi-videobridge2 2.1-416-g2f43d1b4-1 all WebRTC compatible Selective Forwarding Unit (SFU)

Your jicofo is working fine, in spite of error messages that ultimately mean only that start is not well managed.
Your jvb however is failing to establish a session, leading to meeting participants bailing out after a timeout.
The key message is:
local_ufrag=np9u1f1v4l9mb] ConnectivityCheckClient$PaceMaker.run#922: Pair failed: x.x.x.x:10000/udp/host → x.x.x.x:60341/udp/relay (stream-78e24a68.RTP)
It means that your connectivity for port 10000/UDP is probably not established. Check it using:

(server)
sudo systemctl stop jitsi-videobridge2
nc -l 10000 -u
(workstation)
echo "123" | nc -u (your public address) 10000

Additionally your coturn server is not working (since when port 10000 is not working TCP connection should relay it at a performance cost), but that’s a secondary concern.

Sir,
thank you for your response.
echo "123" | nc -u (your public address) 10000 is working with the private address, not the public address.
I did this before:

(root)
root@meet:/# ngrep -q 'is accessable' port 10000
interface: ens192 (10.250.7.84/255.255.255.252)
filter: ( port 10000 ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: is accessable

U private_ip:60425 → public_ip:10000 #1
yes, it is accessable.

(user)

aaa_user@meet:~$ echo 'yes, it is accessable' | nc -u meet.mydomain.com 10000

It means that your connectivity is not working. If you have a firewall on your server, check its settings. If not, check with your hoster; there is probably a firewall at this level. Hosters such as AWS, Ionos are known to manage a firewall for their customers.

I have already checked with my hoster, and he confirmed that the port is open.
In my case I used the ufw firewall to give it access.
This is the ufw status:
To                         Action      From
--                         ------      ----
Nginx Full                 ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
22                         ALLOW       Anywhere
3386                       ALLOW       public address
8000                       ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
5349/tcp                   ALLOW       Anywhere
3478/udp                   ALLOW       Anywhere
10000/udp                  ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
5281/tcp                   ALLOW       Anywhere
4443/tcp                   ALLOW       Anywhere
5222/tcp                   ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
3478/tcp                   ALLOW       Anywhere
3386/tcp                   ALLOW       Anywhere
5280/tcp                   ALLOW       Anywhere
5347/tcp                   ALLOW       Anywhere
Nginx Full (v6)            ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
8000 (v6)                  ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
5349/tcp (v6)              ALLOW       Anywhere (v6)
3478/udp (v6)              ALLOW       Anywhere (v6)
10000/udp (v6)             ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
5281/tcp (v6)              ALLOW       Anywhere (v6)
4443/tcp (v6)              ALLOW       Anywhere (v6)
5222/tcp (v6)              ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
3478/tcp (v6)              ALLOW       Anywhere (v6)
3386/tcp (v6)              ALLOW       Anywhere (v6)
5280/tcp (v6)              ALLOW       Anywhere (v6)
5347/tcp (v6)              ALLOW       Anywhere (v6)

that’s a mystery then. Maybe your computer has a firewall ? or your network router is blocking it ?

I am using a VPS.
I don’t understand why it’s not working; I have made all configurations, even the advanced configuration.
I have checked with my hoster that all ports are open and allow traffic.
Even port 10000:
aaa@meet:/# nc -z -v -u private_address 10000
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to private_address:10000.
Ncat: Connection refused.
aaa@meet:/# nc -z -v -u public_address 10000
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to public_address:10000.
Ncat: UDP packet sent successfully
Ncat: 1 bytes sent, 0 bytes received in 2.02 seconds.

right, you are not using the same version of nc. Read this
At this point it’s easier to just use tcpdump or tshark. On the server

sudo tcpdump -i ens192 port 10000

and look at what happens when the third user enters the room. If you see UDP packets, connectivity is not the problem.

This is what the command shows when a third user enters the room:

sudo tcpdump -i ens192 port 10000

08:53:49.933799 IP private_address.65043 > meet.mydomain.com.10000: UDP, length 104
08:53:50.085296 IP private_address.55541 > meet.mydomain.com.10000: UDP, length 104
08:53:50.089432 IP private_address.54203 > meet.mydomain.com.10000: UDP, length 104
08:53:50.093483 IP private_address.65043 > meet.mydomain.com.10000: UDP, length 104
08:53:50.175545 IP private_address.55541 > meet.mydomain.com.10000: UDP, length 104
08:53:50.187726 IP private_address.54203 > meet.mydomain.com.10000: UDP, length 104
08:53:50.237148 IP private_address.65043 > meet.mydomain.com.10000: UDP, length 104
08:53:50.339089 IP private_address.55541 > meet.mydomain.com.10000: UDP, length 104
08:53:50.343123 IP private_address.54203 > meet.mydomain.com.10000: UDP, length 104
08:53:50.379270 IP private_address.65043 > meet.mydomain.com.10000: UDP, length 104
08:53:50.474608 IP private_address.55541 > meet.mydomain.com.10000: UDP, length 104
08:53:50.480656 IP private_address.54203 > meet.mydomain.com.10000: UDP, length 104

And when I stop the command it shows:

978 packets captured
978 packets received by filter
0 packets dropped by kernel

So, I think that the problem is not in connectivity?

the problem is indeed that Jvb is not replying - is it actually running (sudo systemctl status jitsi-videobridge2) and is it actually listening (sudo ss -tapnu | grep 10000) ? (note that unfortunately videobridge does not start to listen before being asked to join a meeting) and there should be some error messages in jvb.log.
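
The one-way pattern in the capture above (packets arriving on port 10000, nothing going back) can be checked mechanically. This is an added example, not part of the original thread; the function names and the constructed capture with documentation addresses are assumptions, and it expects tcpdump's default one-line text output.

```shell
# Added example. Reads tcpdump text output on stdin and prints every remote
# endpoint that sent packets to the given port but never got a reply from it,
# followed by the number of unanswered packets.
one_way_peers() {
    awk -v port="$1" '
    $2 == "IP" && $4 == ">" {
        src = $3
        dst = $5
        sub(/:$/, "", dst)                 # tcpdump ends the destination with ":"
        if (dst ~ ("\\." port "$")) {
            to_srv[src]++                  # client -> bridge
        } else if (src ~ ("\\." port "$")) {
            from_srv[dst]++                # bridge -> client
        }
    }
    END {
        for (peer in to_srv)
            if (!(peer in from_srv))
                print peer, to_srv[peer]
    }' | sort
}

# Constructed capture, same line format as the one posted in the thread.
sample_capture() {
    cat <<'EOF'
08:53:49.933799 IP 192.0.2.10.65043 > 198.51.100.5.10000: UDP, length 104
08:53:50.085296 IP 192.0.2.11.55541 > 198.51.100.5.10000: UDP, length 104
08:53:50.089432 IP 192.0.2.12.54203 > 198.51.100.5.10000: UDP, length 104
08:53:50.090011 IP 198.51.100.5.10000 > 192.0.2.12.54203: UDP, length 92
08:53:50.093483 IP 192.0.2.10.65043 > 198.51.100.5.10000: UDP, length 104
08:53:50.175545 IP 192.0.2.11.55541 > 198.51.100.5.10000: UDP, length 104
EOF
}

sample_capture | one_way_peers 10000
```

On a live server, pipe `sudo tcpdump -l -n -i ens192 udp port 10000` output (stopped after a few seconds) into `one_way_peers 10000`; any endpoint listed is one the bridge never answered.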

jitsi-Videobridge2 is running.
sudo ss -tapnu | grep 10000 give the following result:
aaa@meet:~# sudo ss -tapnu | grep 10000
udp UNCONN 0 0 [::ffff:private_address]:10000 : users:(("java",pid=31338,fd=153))
root@meet:~# sudo ss -tapnu | grep 10000
udp UNCONN 0 0 [::ffff:private_address]:10000 : users:(("java",pid=31338,fd=153))

no errors in jvb logs then ?

this is my jvb log
jvb.txt (2.5 MB)

I have this configuration of jvb in my nginx.

  • Should I open the port 9090?
  • Is it normal that I have no configuration for JVB2?

# colibri (JVB) websockets for jvb1

location ~ ^/colibri-ws/default-id/(.*) {
    proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    tcp_nodelay on;
}

Pair failed: private_ip:10000/udp/host → private_ip:55070/udp/relay (stream-86f72a3b.RTP)

seems you are using a server behind NAT. You did actually change placeholders in existing doc such as ‘private_ip’ by the actual private IP address right ?

yes i have replaced the actual private ip with ‘private_ip’

you mean that in a post on the public Internet you have actually replaced the private IP address by ‘private_ip’ ? is that right ?

Anyway, the line ‘pair failed’ is a sure sign that there is something wrong in your NAT Jitsi-meet configuration, that is, either the private IP part or the public IP part is wrong. There is no more that I can say - if you want to hide this information, that’s your call, but I can’t have any idea of what could be wrong; you will have to figure it out yourself.

well there is no point in going on further then - try to get correct values for NAT configuration in your config file, at some point your videobridge will start to reply. Good luck.

One last question,
i closed port 10000 in my firewall using ufw delete allow 10000/udp.
but i still get this answer with
sudo tcpdump -i ens192 port 10000

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
15:09:58.483254 IP 10.150.6.78.52641 > meet.conceptcademy.com.10000: UDP, length 104
15:09:58.489106 IP 10.150.6.78.56237 > meet.conceptcademy.com.10000: UDP, length 104
15:09:58.743225 IP 10.150.6.78.52641 > meet.conceptcademy.com.10000: UDP, length 104
15:09:58.747938 IP 10.150.6.78.56237 > meet.conceptcademy.com.10000: UDP, length 104
15:09:58.776854 IP 10.150.6.78.52641 > meet.conceptcademy.com.10000: UDP, length 104

that’s an UFW question, not a Jitsi-meet one. Try to run
sudo ufw status | grep 10001

and BTW, given what you are displaying you should have in your sip-communicator.properties:

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=10.150.6.78
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=197.140.11.70
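
A consistency check for the two NAT harvester properties named above, as an added example that is not part of the original thread or of Jitsi's own tooling. The helper names, the constructed sample file and its addresses are assumptions; it flags a placeholder left in place, a local address the host does not own, and a private address entered as the public one.

```shell
# Added example: sanity-check the two NAT harvester properties quoted in the thread.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

is_private() {   # RFC 1918 ranges
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

prop() {   # value of the last uncommented "key=value" line for key $2 in file $1
    sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# $1 = properties file, $2 = space-separated IPv4 addresses configured on this host
check_nat_harvester() {
    rc=0
    base=org.ice4j.ice.harvest.NAT_HARVESTER
    local_ip=$(prop "$1" "${base}_LOCAL_ADDRESS")
    public_ip=$(prop "$1" "${base}_PUBLIC_ADDRESS")
    if ! is_ipv4 "$local_ip"; then
        echo "LOCAL_ADDRESS is missing or not an IPv4 literal: '$local_ip'"; rc=1
    else
        case " $2 " in
            *" $local_ip "*) ;;
            *) echo "LOCAL_ADDRESS $local_ip is not an address of this host"; rc=1 ;;
        esac
    fi
    if ! is_ipv4 "$public_ip"; then
        echo "PUBLIC_ADDRESS is missing or not an IPv4 literal: '$public_ip'"; rc=1
    elif is_private "$public_ip"; then
        echo "PUBLIC_ADDRESS $public_ip is a private (RFC 1918) address"; rc=1
    fi
    return "$rc"
}

# Demo on a constructed file: placeholder left in place, private "public" address.
demo=$(mktemp)
cat > "$demo" <<'EOF'
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=private_ip
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=10.0.0.5
EOF
check_nat_harvester "$demo" "10.0.0.5" || true
rm -f "$demo"
```

On the server, pass the path of your sip-communicator.properties as the first argument and `"$(hostname -I)"` as the second.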