[jitsi-users] ICE failed


#1

Hello,

I tried to call (from work) my brother (at his home) through an Ejabberd2
server (at my home) using xmpp protocol (instant messaging works), but if I
initiate the call I get, after "ringing" message:

Call ended by remote side. Reason: failed-application. Error: Could not
establish connection (ICE failed)

If he calls me I get:

Error: Could not establish connection (ICE failed)

Have I to open some particular ports on my firewall at home?

Thanks,
  Matteo


#2

Hey Matteo,

Does your company firewall allow UDP?

You don't need to forward any ports but it would help if your server has a
Jingle Nodes Relay. We maintain one at jit.si. You can try there.

Cheers,
Emil

--sent from my mobile



#3

Yes, it should, but I have to pass through 3 firewalls: my company, my home, my
brother's home. Which UDP ports have to be opened and where?

Thanks for nodes relay, but how does it work, in a few words, normally and with
relay nodes?

Thanks,
  Matteo



#4

> Yes, it should, but I have to pass through 3 firewalls: my company, my
> home, my brother's home. Which UDP ports have to be opened and where?

Well again, you don't need to explicitly "open" any ports (in the sense
of mapping them to internal ones and allowing outside entities to
initiate connections). However, your firewall should at least allow you
to receive responses to the packets you send from your computer.

If it helps, Jitsi would tend to use ports in the range between 5000 and
6000, but again, we do not expect these ports to just be "blindly" open.

> Thanks for nodes relay, but how does it work, in a few words, normally
> and with relay nodes?

The point of a relay is to provide a way for you and your partner to
exchange packets if direct communication is made impossible by your
NAT/firewall configuration.

The easiest way for you to test would be to just create an account at
jit.si and try with that. Openfire has an easy to enable nodes relay so
activating it there is a matter of a click.

I believe JN relays also exist for ejabberd but I haven't used one
personally so, if necessary, you should probably ask on their forums/lists.

Hope this helps,
Emil

--
https://jitsi.org


#5

Is there any way to tell Jitsi to use a certain port range which I have
forwarded to my computer?
Is there any way to tell Jitsi which IP I have at the moment, is there
any way to show me which IP Jitsi assumes me to have?

--
Yannik Völker


#6

> Well again, you don't need to explicitly "open" any ports (in the sense
> of mapping them to internal ones and allowing outside entities to
> initiate connections). However, your firewall should at least allow you
> to receive responses to the packets you send from your computer.

Ok, I'll check, thanks.

Cheers,
  Matteo


#7

Hey Yannik,

>> If it helps, Jitsi would tend to use ports in the range between 5000 and
>> 6000, but again, we do not expect these ports to just be "blindly" open.
>
> Is there any way to tell Jitsi to use a certain port range which I have
> forwarded to my computer?

You probably missed the end of the sentence as well as the text that was
just above, so here goes again: you DO NOT need to forward ports. Just
make sure that UDP traffic is allowed through your firewall and that of
your correspondent.

> Is there any way to tell Jitsi which IP I have at the moment,

No and there is no need to.

> is there
> any way to show me which IP Jitsi assumes me to have?

Yes, have a look at the call info once a call has been established.

Hope this helps,
Emil



#8

I added jit.si to "Jingle Nodes" in "ICE configuration" of my account, but the
error remains...

Matteo



#9

> You probably missed the end of the sentence as well as the text that was
> just above, so here goes again: you DO NOT need to forward ports. Just
> make sure that UDP traffic is allowed through your firewall and that of
> your correspondent.

Actually able to read, even if it's quite surprising to hear that from
someone setting up linux-networks.
Putting that aside: Jitsi redirects my traffic over another host to
create a connection between me and my partner which is completely
unnecessary because I do have some ports redirected to my computer, I
would like to change that

> Yes, have a look at the call info once a call has been established.

I did, and that's why I asked the other question: Jitsi shows my local
IP, STUN seems to fail.

> No and there is no need to.

Yes, there is a need to do so, I don't want to unnecessarily use up
resources of servers which could also help users who actually _need_ help
setting up a connection.

--
Yannik Völker


#10

Hey Matteo,

> I added jit.si to "Jingle Nodes" in "ICE configuration" of my account,

I meant an XMPP account. jit.si itself is not a Jingle Relay Node. It
will indicate to Jitsi what relay node to use but that would only work if
you have a jit.si account.

Cheers,
Emil



#11

Hey Yannik,

>> You probably missed the end of the sentence as well as the text that was
>> just above, so here goes again: you DO NOT need to forward ports. Just
>> make sure that UDP traffic is allowed through your firewall and that of
>> your correspondent.
>
> Actually able to read, even if it's quite surprising to hear that from
> someone setting up linux-networks.
> Putting that aside: Jitsi redirects my traffic over another host to
> create a connection between me and my partner which is completely
> unnecessary because I do have some ports redirected to my computer, I
> would like to change that

Jitsi would only do this if it fails to find a direct path between you
and your correspondent. So again the only thing you have to do is to
make sure that your NAT allows Jitsi to send UDP toward the Internet
and get responses there. If in addition to a call you also don't want
to use a relay then you have to make sure that your NAT will perform
"endpoint independent mapping" or in other words, when Jitsi uses a
port to send packets toward the Internet, your NAT will create a
single binding and allocate a single public port regardless of the
destination Jitsi is trying to reach.

So again, no need to forward anything.

>> Yes, have a look at the call info once a call has been established.
>
> I did, and that's why I asked the other question: Jitsi shows my local
> IP, STUN seems to fail.

Not necessarily. Can we see the entire call info? Logs could also be helpful.

>> No and there is no need to.
>
> Yes, there is a need to do so, I don't want to unnecessarily use up
> resources of servers which could also help users who actually _need_ help
> setting up a connection.

Please see above. We do not require port forwarding. Just make sure
your NAT allows UDP and does not behave as a symmetric one.

Emil


#12

As it seems not to be working my router at home is most likely not
advanced enough to do so, but I have forwarded every single port there
is to my computer. It still uses a relay.

--
Yannik Völker


#13

Hey Yannik,

>> when Jitsi uses a
>> port to send packets toward the Internet, your NAT will create a
>> single binding and allocate a single public port regardless of the
>> destination Jitsi is trying to reach.
>
> As it seems not to be working my router at home is most likely not
> advanced enough to do so,

This is not a sophisticated feature. Most NATs would behave this way.
Some don't however and maybe yours is one of them. If it is then port
forwarding is not necessarily going to change anything.

If you want to know for sure, just examine your pcap logs.

> but I have forwarded every single port there
> is to my computer. It still uses a relay.

I am not sure how else to say this but port forwarding really isn't
what you are looking for. I am not going to insist any more and only
explain it one last time. Jitsi is not a server. It does not use a
well known port to always receive packets on. When doing calls Jitsi
will not blindly send packets to a specific port on your NAT that you
can then forward to an internal IP. This is simply never happening.
Jitsi will send packets back to the ports that it is getting packets
from.

In other words, when you make a call Jitsi will:

1. Allocate a port on your local host. This port would be between 5000
and 6000 although these numbers don't really matter.
2. This port will then be used to send packets outside of your network.
3. Your NAT will dynamically map a public port to that port.
4. The remote party will use the public port from step 3, the one they
see as source for incoming datagrams and send packets to it.

I've seen NATs where forwarding a port range to a specific internal IP
would actually cause the NAT to use ports outside of that range for
dynamic allocation.

One way or another, if you want to really know what's happening - have
a look at your pcaps.

Cheers,
Emil
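
The NAT property discussed in #11 and #13 (one public port per local port, regardless of destination) can be checked from a capture. The sketch below is an added example, not part of the thread or of Jitsi's code: it decodes the XOR-MAPPED-ADDRESS of two STUN Binding responses received on the same local port from two different servers and compares them. Addresses, ports and the transaction ID are constructed sample values, and `build_response` exists only to produce that sample input.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442      # fixed value in every RFC 5389 STUN header
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020

def build_response(ip, port, txid=bytes(12)):
    """Constructed sample input: a Binding Success carrying one IPv4 mapping."""
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01,
                       port ^ (MAGIC_COOKIE >> 16), xaddr)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr

def parse_mapped_address(msg):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, or None if absent or malformed."""
    if len(msg) < 20:
        return None
    mtype, mlen, cookie = struct.unpack("!HHI", msg[:8])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE or len(msg) < 20 + mlen:
        return None
    pos, end = 20, 20 + mlen
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:])
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
        pos += 4 + alen + (-alen % 4)      # attribute values are padded to 4 bytes
    return None

def classify_mapping(resp_a, resp_b):
    """Compare the mappings two different servers saw for ONE local UDP port."""
    a, b = parse_mapped_address(resp_a), parse_mapped_address(resp_b)
    if a is None or b is None:
        return "unknown"                   # no usable reply, e.g. UDP filtered
    return "endpoint-independent" if a == b else "destination-dependent (symmetric)"

if __name__ == "__main__":
    # Constructed replies for local port 5004 sent to two STUN servers.
    cone = (build_response("203.0.113.7", 40001), build_response("203.0.113.7", 40001))
    symmetric = (build_response("203.0.113.7", 40001), build_response("203.0.113.7", 40002))
    print(classify_mapping(*cone))
    print(classify_mapping(*symmetric))
    print(classify_mapping(cone[0], b""))
```

With real traffic, the two response payloads would come from the pcap: both must answer requests sent from the same local socket, otherwise differing ports say nothing about the NAT.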
