We do not receive all TCP (srflx) candidates when a user joins a meeting. This results in that user with UDP blocked being able to join the meeting without any media (audio/video).

This occurs only when we run the Videobridge in a Docker container within an EC2 instance. This bug does not occur when ran locally in also Docker Container. When ran locally, we observe that we receive all TCP (srflx) and (host) candidates verified from the videobridge logs and also in chrome://webrtc-internals.

**Locally Ran VIdeobridge logs**

videobridge_1 | 21:54:19.605 FINEST: [22] sun.net.www.protocol.http.HttpURLConnection.plainConnect() Proxy used: DIRECT
videobridge_1 | 21:54:19.615 FINE: [79] org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.debug() Reverse transform for SSRC 1851702603 SeqNo=23513 s_l=23512 seqNumSet=true guessedROC=0 roc=0
videobridge_1 | 21:54:19.618 FINE: [68] org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.debug() Reverse transform for SSRC 1186699033 SeqNo=20696 s_l=20695 seqNumSet=true guessedROC=0 roc=0
videobridge_1 | 21:54:19.639 FINE: [68] org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.debug() Reverse transform for SSRC 1186699033 SeqNo=20697 s_l=20696 seqNumSet=true guessedROC=0 roc=0
videobridge_1 | 21:54:19.654 INFO: [89] org.jitsi.videobridge.IceUdpTransportManager.info() Initializing static harvesters....
videobridge_1 | 21:54:19.654 INFO: [89] org.jitsi.videobridge.IceUdpTransportManager.info() Adding TCP Candidate Harvester: org.ice4j.ice.harvest.MultiplexingTcpHostHarvester@49d44a2
videobridge_1 | 21:54:19.654 INFO: [89] org.jitsi.videobridge.IceUdpTransportManager.info() Will append a NAT harvester for XXX.XX.X.XXX:9/udp=>YYY.YYY.YY.YYY:9/udp
videobridge_1 | 21:54:19.655 FINE: [89] org.ice4j.ice.Agent.createMediaStream() Create media stream for data
videobridge_1 | 21:54:19.655 INFO: [89] org.ice4j.ice.Agent.gatherCandidates() Gather candidates for component data.RTP
videobridge_1 | 21:54:19.655 FINEST: [89] org.ice4j.ice.harvest.HostCandidateHarvester.createDatagramSocket() just bound to: /XXX.XX.X.XXX:10005
videobridge_1 | 21:54:19.656 INFO: [30] org.ice4j.ice.harvest.CandidateHarvesterSetElement.harvest() Harvest is called in CandidateHarvesterSetElement
videobridge_1 | 21:54:19.657 FINE: [89] org.ice4j.ice.Agent.gatherCandidates() Candidate count in first harvest: 4
videobridge_1 | 21:54:19.657 INFO: [89] org.ice4j.ice.Agent.createComponent() 	XXX.XX.X.XXX:10005/udp (host)
videobridge_1 | 21:54:19.657 INFO: [89] org.ice4j.ice.Agent.createComponent() 	XXX.XX.X.XXX:4444/tcp (host)
videobridge_1 | 21:54:19.658 INFO: [89] org.ice4j.ice.Agent.createComponent() 	YYY.YYY.YY.YYY:4444/tcp (srflx)
videobridge_1 | 21:54:19.658 INFO: [89] org.ice4j.ice.Agent.createComponent() 	YYY.YYY.YY.YYY:10005/udp (srflx)
videobridge_1 | 21:54:19.660 FINE: [68] org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.debug() Reverse transform for SSRC 1186699033 SeqNo=20698 s_l=20697 seqNumSet=true guessedROC=0 roc=0
videobridge_1 | 21:54:19.663 FINEST: [22] sun.net.www.protocol.http.HttpURLConnection.plainConnect() Proxy used: DIRECT

**EC2 Ran Videobridge logs**

videobridge_1 | 19:58:17.277 FINEST: [19] sun.net.www.protocol.http.HttpURLConnection.plainConnect() Proxy used: DIRECT
videobridge_1 | 19:58:17.278 FINE: [19] sun.net.www.protocol.http.HttpURLConnection.writeRequests() sun.net.www.MessageHeader@1543938e5 pairs: {GET /latest/meta-data/public-ipv4 HTTP/1.1: null}{User-Agent: Java/1.7.0_75}{Host: 169.254.169.254}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
videobridge_1 | 19:58:17.279 FINEST: [19] sun.net.www.protocol.http.HttpURLConnection.logFinest() KeepAlive stream used: http://169.254.169.254/latest/meta-data/public-ipv4
videobridge_1 | 19:58:17.283 FINE: [19] sun.net.www.protocol.http.HttpURLConnection.getInputStream() sun.net.www.MessageHeader@78c5a8a9 pairs: {null: HTTP/1.0 200 OK}{Content-Type: text/plain}{Accept-Ranges: bytes}{ETag: "1794169453"}{Last-Modified: Thu, 26 Mar 2015 16:29:42 GMT}{Content-Length: 12}{Connection: keep-alive}{Date: Fri, 10 Apr 2015 19:58:37 GMT}{Server: EC2ws}
videobridge_1 | 19:58:17.283 INFO: [19] org.ice4j.ice.harvest.AwsCandidateHarvester.obtainEC2Addresses() Detected AWS local IP: XX.X.X.XX:9/udp
videobridge_1 | 19:58:17.284 INFO: [19] org.ice4j.ice.harvest.AwsCandidateHarvester.obtainEC2Addresses() Detected AWS public IP: YY.YY.YY.YYY:9/udp
videobridge_1 | 19:58:17.284 INFO: [19] org.jitsi.videobridge.IceUdpTransportManager.info() EC2 local address: 10.0.0.80 and public address: ZZ.ZZ.ZZ.ZZZ
videobridge_1 | 19:58:17.284 INFO: [19] org.jitsi.videobridge.IceUdpTransportManager.info() Adding TCP Candidate Harvester: org.ice4j.ice.harvest.MultiplexingTcpHostHarvester@37fead5c
videobridge_1 | 19:58:17.285 INFO: [19] org.jitsi.videobridge.IceUdpTransportManager.info() Appending an AWS harvester to the ICE agent. org.ice4j.ice.harvest.AwsCandidateHarvester@31278fbc
videobridge_1 | 19:58:17.286 INFO: [19] org.jitsi.videobridge.IceUdpTransportManager.info() Will append a NAT harvester for AAA.AA.A.AAA:9/udp=>YY.YY.YY.YYY:9/udp
videobridge_1 | 19:58:17.288 FINE: [19] org.ice4j.ice.Agent.createMediaStream() Create media stream for stream
videobridge_1 | 19:58:17.305 INFO: [19] org.ice4j.ice.Agent.gatherCandidates() Gather candidates for component stream.RTP
videobridge_1 | 19:58:17.308 FINEST: [19] org.ice4j.ice.harvest.HostCandidateHarvester.createDatagramSocket() just bound to: /AAA.AA.A.AAA:10000
videobridge_1 | 19:58:17.322 INFO: [29] org.ice4j.ice.harvest.CandidateHarvesterSetElement.harvest() Harvest is called in CandidateHarvesterSetElement
videobridge_1 | 19:58:17.325 INFO: [30] org.ice4j.ice.harvest.CandidateHarvesterSetElement.harvest() Harvest is called in CandidateHarvesterSetElement
videobridge_1 | 19:58:17.326 FINE: [19] org.ice4j.ice.Agent.gatherCandidates() Candidate count in first harvest: 3
videobridge_1 | 19:58:17.326 INFO: [19] org.ice4j.ice.Agent.createComponent() 	AAA.AA.A.AAA:10000/udp (host)
videobridge_1 | 19:58:17.327 INFO: [19] org.ice4j.ice.Agent.createComponent() 	AAA.AA.A.AAA:4444/tcp (host)
videobridge_1 | 19:58:17.327 INFO: [19] org.ice4j.ice.Agent.createComponent() 	YY.YY.YY.YYY:10000/udp (srflx)
videobridge_1 | 19:58:17.329 FINEST: [20] sun.net.www.protocol.http.HttpURLConnection.plainConnect() Proxy used: DIRECT

We don't currently support automatically detecting the public address for TCP. You can workaround this by setting it up manually. The relevant properties are:
org.jitsi.videobridge.NAT_HARVESTER_PUBLIC_ADDRESS
org.jitsi.videobridge.NAT_HARVESTER_LOCAL_ADDRESS

We have tried setting both NAT_HARVESTER_PUBLIC_ADDRESS to the public IP address of EC2 and NAT_HARVESTER_LOCAL_ADDRESS to the private IP addresses without success. Might there be anything else we can try?

Sounds like this could be a bug. Is there anything different in the logs with these properties set?

You could try to disable the AWS harvester (you don't need it if you set NAT_HARVESTER manually). I don't understand why the problem occurs, so I don't know if this will help. I will try and look into it in detail when I get a chance, but probably not until at least next week.

We have actually solved the issue. We had thought we knew all of the ports that the Videobridge uses but it seems like we missed exposing something in Docker. After running it in HOST network mode in Docker, it looks like we are receiving all the UDP and TCP candidates. Thank you!

Glad to hear that you got it to work. Keeping this open, because we should probably implement automatically creating the mapping for TCP when we detect we're on EC2.

Closed #64.

Should be fixed with ice4j r505 in https://github.com/jitsi/jitsi-videobridge/commit/9a5bf253243683a3705b05585029fc60cc96d383