Not working for more than 2 people in the room

Hello everyone,

I know this has been discussed before, I have read all the posts here and in GitHub but still don’t get it to work for me.

With 2 participans, everything works. As soon as a third one joins in, audio and video drops

In the logs I see the errors:

JVB 2019-07-10 15:13:16.760 WARNUNG: [41] org.jitsi.videobridge.EndpointMessageTransport.log() SCTP connection with 89938190 not ready yet.

JVB 2019-07-10 15:13:16.761 WARNUNG: [41] org.jitsi.videobridge.EndpointMessageTransport.log() No available transport channel, can't send a message

I am running a Debian Stretch server in a virtual machine behind firewall and NAT

For external users my FQDN is jitsi.external-domain.com

In my internal DNS I have an external-domain.com zone, so when my internal users ask for jitsi.external-domain.com,it resolves to the internal IP and not the public one.

in my /etc/hosts file I have:

127.0.0.1       localhost
1.2.3.4    jitsiserver.internal-domain.org   jitsi-server
1.2.3.4    jitsi.external-domain.com        jitsi

Where 1.2.3.4 = internal IP

During the initial installation, I added my (non self generated) SSL certificates, that is not the problem (I think)

Here is a step by step of everything I did:

apt install dirmngr apt-transport-https

echo ‘deb https://download.jitsi.org stable/’ >> /etc/apt/sources.list.d/jitsi-stable.list

wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | apt-key add -

apt update

apt install jitsi-meet

apt install prosody-modules

nano /etc/prosody/conf.d/ldap.cfg.lua

Added:

– Authentication configuration –
authentication = ‘ldap2’ – Indicate that we want to use LDAP for authentication
ldap = {
hostname = ‘My.AD.Server’, – LDAP server location
–use_tls = true,
bind_dn = ‘CN=ldapbind,OU=Dienste,OU=Benutzer,OU=MY,DC=INTERNAL-DOMAIN,DC=ORG’, – Bind DN for LDAP authentication (optional if anonymous bind is supported)
bind_password = ‘****************’, – Bind password (optional if anonymous bind is supported)
user = {
basedn = ‘OU=MY,DC=INTERNAL-DOMAIN,DC=ORG’,
filter = ‘(&(objectClass=User)(memberof=CN=LO00-Videokonferenz-Mitarbeiter,OU=videokonferenz,OU=Gruppen,OU=MY,DC=INTERNAL-DOMAIN,DC=ORG))’,
usernamefield = ‘sAMAccountname’,
namefield = ‘cn’,
},
}

nano /etc/prosody/conf.d/jitsi.external-domain.com.cfg.lua

Changed:

authentication = “anonymous”

to

authentication = “ldap2”

And added:

VirtualHost “guest.jitsi.external-domain.com
authentication = “anonymous”
c2s_require_encryption = false

nano /etc/prosody/prosody.cfg.lua

Added:

consider_bosh_secure = true

nano /etc/ldap/ldap.conf

Added:

TLS_REQCERT never

nano /etc/jitsi/meet/jitsi.external-domain.com-config.js

Changed:

// anonymousdomain: ‘guest.example.com’,

to

anonymousdomain: ‘guest.jitsi.external-domain.com’,

Changed:

// requireDisplayName: true,

to

requireDisplayName: true,

nano /etc/jitsi/jicofo/sip-communicator.properties

Added:

org.jitsi.jicofo.auth.URL=XMPP:jitsi.external-domain.com

nano /etc/jitsi/videobridge/sip-communicator.properties

Added:

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=internal.IP

org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=public.IP

service prosody restart && service jicofo restart

And these are the open ports in the server:

What is the error you see in the js console when 3rd one joins?

Hi @damencho what do you mean with js console?

This is the log from jicofo when a thir one joins in:

Jicofo 2019-07-11 09:46:11.042 INFORMATION: [79] org.jitsi.jicofo.xmpp.FocusComponent.handleConferenceIq().401 Focus request for room: testa@conference.jitsi.external-domain.com
Jicofo 2019-07-11 09:46:11.159 INFORMATION: [38] org.jitsi.jicofo.ChatRoomRoleAndPresence.log() Chat room event ChatRoomMemberPresenceChangeEvent[type=MemberJoined sourceRoom=org.jitsi.impl.protocol.xmpp.ChatRoomImpl@6a344b49 member=ChatMember[testa@conference.jitsi.external-domain.com/1d2e8ccd, jid: null]@1703705875]
Jicofo 2019-07-11 09:46:11.159 INFORMATION: [38] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Member testa@conference.jitsi.external-domain.com/1d2e8ccd joined.
Jicofo 2019-07-11 09:46:11.160 INFORMATION: [38] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Added participant jid= testa@conference.jitsi.external-domain.com/1d2e8ccd, bridge=jitsi-videobridge.jitsi.external-domain.com
Jicofo 2019-07-11 09:46:11.160 INFORMATION: [38] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Region info, conference=ff3bd7 octo_enabled= false: [[null, null, null, null]]
Jicofo 2019-07-11 09:46:11.485 INFORMATION: [105] org.jitsi.jicofo.AbstractChannelAllocator.log() Using jitsi-videobridge.jitsi.external-domain.com to allocate channels for: Participant[endpointId=1d2e8ccd]
Jicofo 2019-07-11 09:46:11.486 INFORMATION: [61] org.jitsi.jicofo.Bridge.log() Adding 5 video streams on jitsi-videobridge.jitsi.external-domain.com video streams: 0 diff: 9 (estimated: 9)
Jicofo 2019-07-11 09:46:12.402 INFORMATION: [38] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Received session-accept from 1d2e8ccd with accepted sources:Sources{ video: [ssrc=2538313622 ssrc=2940431790 ssrc=1084753274 ssrc=3930977322 ssrc=3629269733 ssrc=4037977989 ] audio: [ssrc=304689151 ] }@727334793
Jicofo 2019-07-11 09:46:12.404 INFORMATION: [38] org.jitsi.protocol.xmpp.AbstractOperationSetJingle.sendAddSourceIQ().478 Notify add SSRC testa@conference.jitsi.external-domain.com/dc810e6e SID: dd88grq2s1ltl Sources{ video: [ssrc=2538313622 ssrc=2940431790 ssrc=1084753274 ssrc=3930977322 ssrc=3629269733 ssrc=4037977989 ] audio: [ssrc=304689151 ] }@835201321 source_Groups{ video:[ SourceGroup(FID)[ ssrc=2538313622 ssrc=2940431790 ]SourceGroup(FID)[ ssrc=1084753274 ssrc=3629269733 ]SourceGroup(FID)[ ssrc=3930977322 ssrc=4037977989 ]SourceGroup(SIM)[ ssrc=2538313622 ssrc=1084753274 ssrc=3930977322 ] ] }@296129562
Jicofo 2019-07-11 09:46:12.407 INFORMATION: [38] org.jitsi.protocol.xmpp.AbstractOperationSetJingle.sendAddSourceIQ().478 Notify add SSRC testa@conference.jitsi.external-domain.com/1dbf5f9a SID: 8804vobe6rrbc Sources{ video: [ssrc=2538313622 ssrc=2940431790 ssrc=1084753274 ssrc=3930977322 ssrc=3629269733 ssrc=4037977989 ] audio: [ssrc=304689151 ] }@835201321 source_Groups{ video:[ SourceGroup(FID)[ ssrc=2538313622 ssrc=2940431790 ]SourceGroup(FID)[ ssrc=1084753274 ssrc=3629269733 ]SourceGroup(FID)[ ssrc=3930977322 ssrc=4037977989 ]SourceGroup(SIM)[ ssrc=2538313622 ssrc=1084753274 ssrc=3930977322 ] ] }@296129562

I just realize about something else.

So far the way I was testing was:

  • 2 computers in my internal network

  • 1 computer in a different internet line to test the external users’s access

In that scenario, I had the problem.

Now I put the 3 computers in the internal network and everything works.

So I think is a firewall problem. But, in my firewall I only have the NAT rule for the jitsi and for test purposes I have no port rule, I am allowing everything to go in and another rule allowing the jitsi server to communicate with and ipv4 and ipv6 on the internet, on any port.

If I go to https://ping.eu/port-chk/ and test the open listening ports on my server, they all show OPEN with the exception of port 10000

Check the quick install guide, the advances section for port forwarding and public/private addresses you need to configure. https://jitsi.org/qi

Hi @damencho.

yes I did configure https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md#advanced-configuration

Ok I think I found the problem. and it was precisely setting up:

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=y.y.y.y

org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=x.x.x.x

I shouldn’t have set that up, because my server doesn’t have 2 IP addresses, only one (the internal one)

The public IP interface is connected to m firewall.

Thanks @damencho

Yep, that is the reason you need to configure it in jvb, so jvb can announce it in the signalling.

@damencho sorry I didnt understand.

Ok so, it doesnt matter that my Jitsi server doesnt have two interfaces, as long as It is behind a NAT, I have to set:

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=y.y.y.y

org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=x.x.x.x

Yep, that is correct.
If it has the two interfaces you do not have NAT and jvb can see the ip addresses and will use them, and you do not need any port forwarding, just firewall to open the needed ports.

Still doesn’t work :frowning: if someone is connecting from outside and someone from inside, the video and audio drops

Have you done the port forwarding on the firewall?

Yes, and right now I am forwarding everything just to be sure.

But I now think it is definetly a firewall problem.

By opening chrome://webrtc-internals before the conference you can check the last setRemoteDescription in a peer connection tab and check whether you see the bridge public address, if so jvb is configured correctly and it is firewall/port forwarding issue.

Hi @damencho,

I do not see the the bridge public IP:

type: answer, sdp: v=0
o=- 1923518516 2 IN IP4 0.0.0.0
s=-
t=0 0
a=group:BUNDLE audio video
m=audio 1 RTP/SAVPF 111 103 104 9 0 8 106 105 13 110 112 113 126
c=IN IP4 0.0.0.0
a=rtpmap:111 opus/48000/2
a=rtpmap:103 ISAC/16000
a=rtpmap:104 ISAC/32000
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:106 CN/32000
a=rtpmap:105 CN/16000
a=rtpmap:13 CN/8000
a=rtpmap:110 telephone-event/48000
a=rtpmap:112 telephone-event/32000
a=rtpmap:113 telephone-event/16000
a=rtpmap:126 telephone-event/8000
a=fmtp:111 minptime=10; useinbandfec=1
a=rtcp:1 IN IP4 0.0.0.0
a=rtcp-fb:111 transport-cc
a=extmap:1 urn:ietf:params:rtp-hdrext:ssrc-audio-level
a=extmap:2 http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
a=setup:passive
a=mid:audio
a=sendrecv
a=ice-ufrag:F5bB
a=ice-pwd:Cu70cWmDRQkaSo6fcaF70Vgt
a=fingerprint:sha-256 74:79:23:F3:B1:9C:43:F0:63:3B:28:A7:6C:0C:B9:3F:E8:BB:D7:B7:57:2C:8E:75:20:E8:89:18:A7:BD:A9:18
a=ssrc:2425464916 cname:J3vRb5FeXuc5RQ0Q-1
a=ssrc:2425464916 msid:742ff182-37f9-4fbf-b65e-4326aba8aa63-1 4cda505c-fff0-4774-a320-b276c29aeaeb-1
a=ssrc:2425464916 mslabel:742ff182-37f9-4fbf-b65e-4326aba8aa63-1
a=ssrc:2425464916 label:4cda505c-fff0-4774-a320-b276c29aeaeb-1
a=rtcp-mux
m=video 1 RTP/SAVPF 102 96 97 98 99 100 101 122 127 121 125 107 108 109 124 120 123 119 114 115 116
c=IN IP4 0.0.0.0
a=rtpmap:102 H264/90000
a=rtpmap:96 VP8/90000
a=rtpmap:97 rtx/90000
a=rtpmap:98 VP9/90000
a=rtpmap:99 rtx/90000
a=rtpmap:100 VP9/90000
a=rtpmap:101 rtx/90000
a=rtpmap:122 rtx/90000
a=rtpmap:127 H264/90000
a=rtpmap:121 rtx/90000
a=rtpmap:125 H264/90000
a=rtpmap:107 rtx/90000
a=rtpmap:108 H264/90000
a=rtpmap:109 rtx/90000
a=rtpmap:124 H264/90000
a=rtpmap:120 rtx/90000
a=rtpmap:123 H264/90000
a=rtpmap:119 rtx/90000
a=rtpmap:114 red/90000
a=rtpmap:115 rtx/90000
a=rtpmap:116 ulpfec/90000
a=fmtp:102 level-asymmetry-allowed=1; packetization-mode=1; profile-level-id=42001f
a=fmtp:97 apt=96
a=fmtp:98 profile-id=0
a=fmtp:99 apt=98
a=fmtp:100 profile-id=2
a=fmtp:101 apt=100
a=fmtp:122 apt=102
a=fmtp:127 level-asymmetry-allowed=1; packetization-mode=0; profile-level-id=42001f
a=fmtp:121 apt=127
a=fmtp:125 level-asymmetry-allowed=1; packetization-mode=1; profile-level-id=42e01f
a=fmtp:107 apt=125
a=fmtp:108 level-asymmetry-allowed=1; packetization-mode=0; profile-level-id=42e01f
a=fmtp:109 apt=108
a=fmtp:124 level-asymmetry-allowed=1; packetization-mode=1; profile-level-id=4d0032
a=fmtp:120 apt=124
a=fmtp:123 level-asymmetry-allowed=1; packetization-mode=1; profile-level-id=640032
a=fmtp:119 apt=123
a=fmtp:115 apt=114
a=rtcp:1 IN IP4 0.0.0.0
a=rtcp-fb:102 goog-remb
a=rtcp-fb:102 transport-cc
a=rtcp-fb:102 ccm fir
a=rtcp-fb:102 nack
a=rtcp-fb:102 nack pli
a=rtcp-fb:96 goog-remb
a=rtcp-fb:96 transport-cc
a=rtcp-fb:96 ccm fir
a=rtcp-fb:96 nack
a=rtcp-fb:96 nack pli
a=rtcp-fb:98 goog-remb
a=rtcp-fb:98 transport-cc
a=rtcp-fb:98 ccm fir
a=rtcp-fb:98 nack
a=rtcp-fb:98 nack pli
a=rtcp-fb:100 goog-remb
a=rtcp-fb:100 transport-cc
a=rtcp-fb:100 ccm fir
a=rtcp-fb:100 nack
a=rtcp-fb:100 nack pli
a=rtcp-fb:127 goog-remb
a=rtcp-fb:127 transport-cc
a=rtcp-fb:127 ccm fir
a=rtcp-fb:127 nack
a=rtcp-fb:127 nack pli
a=rtcp-fb:125 goog-remb
a=rtcp-fb:125 transport-cc
a=rtcp-fb:125 ccm fir
a=rtcp-fb:125 nack
a=rtcp-fb:125 nack pli
a=rtcp-fb:108 goog-remb
a=rtcp-fb:108 transport-cc
a=rtcp-fb:108 ccm fir
a=rtcp-fb:108 nack
a=rtcp-fb:108 nack pli
a=rtcp-fb:124 goog-remb
a=rtcp-fb:124 transport-cc
a=rtcp-fb:124 ccm fir
a=rtcp-fb:124 nack
a=rtcp-fb:124 nack pli
a=rtcp-fb:123 goog-remb
a=rtcp-fb:123 transport-cc
a=rtcp-fb:123 ccm fir
a=rtcp-fb:123 nack
a=rtcp-fb:123 nack pli
a=extmap:14 urn:ietf:params:rtp-hdrext:toffset
a=extmap:13 http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
a=extmap:3 urn:3gpp:video-orientation
a=extmap:2 http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
a=extmap:5 http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
a=extmap:6 http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
a=extmap:7 http://www.webrtc.org/experiments/rtp-hdrext/video-timing
a=extmap:8 http://tools.ietf.org/html/draft-ietf-avtext-framemarking-07
a=extmap:9 http://www.webrtc.org/experiments/rtp-hdrext/color-space
a=setup:passive
a=mid:video
a=sendrecv
a=ice-ufrag:F5bB
a=ice-pwd:Cu70cWmDRQkaSo6fcaF70Vgt
a=fingerprint:sha-256 74:79:23:F3:B1:9C:43:F0:63:3B:28:A7:6C:0C:B9:3F:E8:BB:D7:B7:57:2C:8E:75:20:E8:89:18:A7:BD:A9:18
a=ssrc:3564884020 cname:J3vRb5FeXuc5RQ0Q-1
a=ssrc:3564884020 msid:8508419a-b340-4a2b-bf22-43ccb4be55e8-1 735cdf5d-725b-4176-b59c-7996a41009ac-1
a=ssrc:3564884020 mslabel:8508419a-b340-4a2b-bf22-43ccb4be55e8-1
a=ssrc:3564884020 label:735cdf5d-725b-4176-b59c-7996a41009ac-1
a=ssrc:2126961287 cname:J3vRb5FeXuc5RQ0Q-1
a=ssrc:2126961287 msid:8508419a-b340-4a2b-bf22-43ccb4be55e8-1 735cdf5d-725b-4176-b59c-7996a41009ac-1
a=ssrc:2126961287 mslabel:8508419a-b340-4a2b-bf22-43ccb4be55e8-1
a=ssrc:2126961287 label:735cdf5d-725b-4176-b59c-7996a41009ac-1
a=ssrc-group:FID 3564884020 2126961287
a=rtcp-mux

Make sure you are checking setRemoteDescripotion and on that page there are several tabs, if you have one meeting open in chrome you will have two tabs there one for the p2p PeerConnection and one for the jvb PeerConnection, chack jvb’s one(I know it is jvb by seeing the addresses). Even if there is a problem you will see at least the internal address from the network interface that jvb can discover by itself. If you have two tabs open in chrome you will have 4 entries and so on.

Yes, I don’t see the IP address.

I see only IP4 0.0.0.0

You are looking at the wrong place. Here is how it looks on meet.jit.si:

Sorry for that,

it is advertizing the internal IP address:

a=candidate:1 1 ssltcp 2130706431 10.75.240.78 443 typ host generation 0
a=candidate:2 1 udp 2130706431 10.75.240.78 10000 typ host generation 0