WebRTC issue: Error 1007: ICE negotiation failed

[Richard Yap]

Hi There,

I'm running BBB on EC2 c3.xlarge server.  I've followed the instructions as given in the 1.0 Beta installation doc.  I get WebRTC issue Error 1007 when running BBB.  I've also openned up ports in EC2 based on the instructions given.

I'm new to linux, is there anything wrong with my BBB server's UDP ports below?

# netstat -au

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address           Foreign Address         State

udp        0      0 ip-172-31-22-215.:44910 ip-172-31-16-1.ap-:5351 ESTABLISHED

udp        0      0 *:bootpc                *:*

udp        0      0 ip-172-31-22-215.ap:sip *:*

udp        0      0 ip-172-31-22-215.a:5090 *:*

udp        0      0 *:6430                  *:*

udp6       0      0 [::]:8357               [::]:*

udp6       0      0 ip6-localhost:sip       [::]:*

udp6       0      0 [::]:5070               [::]:*

udp6       0      0 ip6-localhost:5090      [::]:*

Thanks for helping!!!

[Fred Dixon]

Hi Richard,

> I'm new to linux, is there anything wrong with my BBB server's UDP ports below?

It's not the ports on the EC2 instance that you need to modify; rather, it's the security group for your EC2 instance.

For more information see

  http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

Regards,.. Fred

--
You received this message because you are subscribed to the Google Groups "BigBlueButton-Setup" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bigbluebutton-s...@googlegroups.com.
To post to this group, send email to bigbluebu...@googlegroups.com.
Visit this group at https://groups.google.com/group/bigbluebutton-setup.
For more options, visit https://groups.google.com/d/optout.

--

BigBlueButton Developer

http://bigbluebutton.org/

@bigbluebutton

[Richard Yap]

My apologies Fred, I forgot to mention that there is already a Security Group for my EC2 instance which has been set as follows:

HTTP	TCP	80	0.0.0.0/0
Custom UDP Rule	UDP	16384 - 32768	0.0.0.0/0
Custom TCP Rule	TCP	1935	0.0.0.0/0
SSH	TCP	22	0.0.0.0/0
Custom TCP Rule	TCP	9123	0.0.0.0/0
HTTPS	TCP	443	0.0.0.0/0

Should I be making changes to the settings?

Thanks & best regards,

Richard

To unsubscribe from this group and stop receiving emails from it, send an email to bigbluebutton-setup+unsub...@googlegroups.com.

To post to this group, send email to bigbluebu...@googlegroups.com.
Visit this group at https://groups.google.com/group/bigbluebutton-setup.
For more options, visit https://groups.google.com/d/optout.

[Chad Pilkey]

I think if you are installing on EC2 you need to follow these steps as well, http://docs.bigbluebutton.org/1.0/10install.html#audio-not-working. The install will use your internal address by default and the additional "Audio not working" steps will the modify various configuration files to use your external address instead.

[HostBBB.com]

for webrtc  also open 5066 TCP or 7443 TCP depending on http or https: config.

the test is you should be able to telnet x.x.x.x. 5066 and connect.

regards,

Stephen

hostbbb.com

On Sunday, February 14, 2016 at 9:49:54 PM UTC-5, Richard Yap wrote:

[Richard Yap]

Dear Stephen and Chad,

Thank you so much for steering me in the right direction.  Yes, it works perfectly now!

Best regards,

Richard

[Del Simmons]

I'm running into this error (1007) as well.. A few things about my setup:

• BBB 1.1-beta is running on the Google Compute Engine (GCE) on Ubuntu 16.04 TLS
• The GCE VM I'm running on has both an external and an internal IP address
• The service is accessible on a static external IP address with a FQD Type A record resolving properly
• Let's Encrypt was used to get my SSL setup and it is current receiving a grade of "A" on my https config when using the test page at ssllabs.com
• I also have Greenlight up and running properly now.
• Everything seems to be working great with the exception of this one error coming up which forces the user to use the Flash audio approach instead. 
• I double checked all my firewall rules, based on the install instructions and they all look fine to me, at least. For the record, here is what I have opened on the firewall:
  
• tcp:1935
• tcp: 5066 (is this needed if I have SSL/HTTPS enabled?)
• tcp:7443
• udp:16384-32768

I must admit, I don't understand why 1935 is mentioned in the instructions. I don't see that in the config files, but I've probably just missed it somewhere. Can anyone clarify for my what is listening on 1935?

I also realize from reading this thread and the install instructions that I don't likely need both ports 5066 and 7443 open. In my case, since I am using SSL/HTTPS successfully, it seems like only 7443 is needed, right? 

That having been said, the thing that confuses me is whether or not FreeSWITCH needs to listen on both internal and external IPs, instead of just on the external one. I'm understanding that this error is usually due to FreeSWITCH listening somewhere the client can't reach. Is that correct? Is there any harm in setting all the IP addresses in the FreeSWITCH config files to the external IP address, whether or not they are labeled as "internal" or not in the config file?

Thanks for any guidance you can give me!

Del Simmons

[MrSimmonsSr]

Also, when I run "bbb-conf check", this is what I get for the potential problems output:

** Potential problems described below **

# IP does not match:

#                           IP from ifconfig: 10.142.0.3

#   /etc/nginx/sites-available/bigbluebutton: bigbluebutton.mojoski.com

# Warning: API URL IPs do not match host:

#

#                                IP from ifconfig: 10.142.0.3

#  /var/lib/tomcat7/webapps/demo/bbb_api_conf.jsp: bigbluebutton.mojoski.com

# Warning: The setting of 35.185.34.23 for proxy_pass in

#

#    /etc/bigbluebutton/nginx/sip.nginx

#

# does not match the local IP address (10.142.0.3).

# (This is OK if you've manually changed the values)

# Warning: The setting of  for local_ip_v4 in

#

#    /opt/freeswitch/etc/freeswitch/vars.xml

#

# does not match the local IP address (10.142.0.3).

# (This is OK if you've manually changed the values)

# Warning: The API demos are installed and accessible from:

#

#    https://bigbluebutton.mojoski.com/demo/demo1.jsp

#

# These API demos allow anyone to access your server without authentication

# to create/manage meetings and recordings. They are for testing purposes only.

# If you are running a production system, remove them by running:

#

#    sudo apt-get purge bbb-demo

# Warning: The client self check is installed and accessible from:

#

#    https://bigbluebutton.mojoski.com/check

#

The 10. address is obviously my internal IP, and the 35. is my external IP.. Also curious about that first warning. Is there something about the base BBB app I should be configuring on my external IP as well that I haven't?

Thanks!

MrSimmonsSr 

[Fred Dixon]

Hi,

> I must admit, I don't understand why 1935 is mentioned in the instructions. I don't see that in the config files, but I've probably just missed it somewhere. Can anyone clarify for my what is listening on 1935?

That's the port for real-time message protocol (RTMP) that is used by the BigBlueButton client to community with the server.

> I also realize from reading this thread and the install instructions that I don't likely need both ports 5066 and 7443 open. In my case, since I am using SSL/HTTPS successfully, it seems like only 7443 is needed, right? 

You only need 7443.

> That having been said, the thing that confuses me is whether or not FreeSWITCH needs to listen on both internal and external IPs, instead of just on the external one. 

FreeSWITCH should be listening on the external IP for incoming RTP traffic.  In the section

 http://docs.bigbluebutton.org/1.1/install.html#updating-freeswitch-configuration

you configure FreeSWITCH to listen to the external IP address in the settings

    <param name="rtp-ip" value="$${local_ip_v4}"/>

    <param name="sip-ip" value="$${local_ip_v4}"/>

    <param name="ext-rtp-ip" value="$${external_rtp_ip}"/>

    <param name="ext-sip-ip" value="$${external_sip_ip}"/>

It might be that the firewall on GCE does not support hairpin NAT.  See

   http://docs.bigbluebutton.org/1.1/install.html#configure-a-dummy-nic-if-required

Try the above and let us know if that gets you past the 1007 error.

Regards,... Fred

--

You received this message because you are subscribed to the Google Groups "BigBlueButton-Setup" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bigbluebutton-setup+unsub...@googlegroups.com.

To post to this group, send email to bigbluebutton-setup@googlegroups.com.

Visit this group at https://groups.google.com/group/bigbluebutton-setup.
For more options, visit https://groups.google.com/d/optout.

[MrSimmonsSr]

That is the way I have FreeSWITCH configured, per the instructions and my machine passed the hairpin NAT test.. Still not sure why it isn't working..

I had also deleted the line that included the definition of $local_ip_v4 at the top of that file, per the instructions as well.

Also, I did update my firewall rule to remove port 5066. Thanks for confirming.

Any other ideas?

Del

--

[MrSimmonsSr]

Here is the complete output from my "bbb-conf --check" command:

----

BigBlueButton Server 1.1.0-beta (516)

                    Kernel version: 4.8.0-46-generic

                      Distribution: Ubuntu 16.04.2 LTS (64-bit)

                            Memory: 7658 MB

/var/www/bigbluebutton/client/conf/config.xml (bbb-client)

  Port test (tunnel): bigbluebutton.mojoski.com

                              red5: bigbluebutton.mojoski.com

              useWebrtcIfAvailable: true

/opt/freeswitch/etc/freeswitch/sip_profiles/external.xml (FreeSWITCH)

                    websocket port: 7443

                    WebRTC enabled: true

/etc/nginx/sites-available/bigbluebutton (nginx)

                       server name: bigbluebutton.mojoski.com

                              port: 80, [::]:80

                              port: 443 ssl

                    bbb-client dir: /var/www/bigbluebutton

/var/lib/tomcat7/webapps/bigbluebutton/WEB-INF/classes/bigbluebutton.properties (bbb-web)

                      bbb-web host: bigbluebutton.mojoski.com

/var/lib/tomcat7/webapps/demo/bbb_api_conf.jsp (API demos)

                               url: bigbluebutton.mojoski.com

/var/www/bigbluebutton/check/conf/config.xml (client check)

                      client check: bigbluebutton.mojoski.com

/usr/share/red5/webapps/bigbluebutton/WEB-INF/red5-web.xml (red5)

                  voice conference: FreeSWITCH

/usr/local/bigbluebutton/core/scripts/bigbluebutton.yml (record and playback)

                     playback host: bigbluebutton.mojoski.com

----

[MrSimmonsSr]

I can't help but wonder if this warning isn't the root of my issue. What do you think, Fred?

# Warning: The setting of  for local_ip_v4 in

#

#    /opt/freeswitch/etc/freeswitch/vars.xml

#

# does not match the local IP address (10.142.0.3).

# (This is OK if you've manually changed the values)

Is it OK for the app to be telling me that?

MrSimmonsSr

On Tuesday, April 18, 2017 at 7:03:01 PM UTC-4, Fred Dixon wrote:

To post to this group, send email to bigbluebu...@googlegroups.com.

Visit this group at https://groups.google.com/group/bigbluebutton-setup.
For more options, visit https://groups.google.com/d/optout.

[MrSimmonsSr]

I tried forcing the value of local_ip_v4 to my actual IP, as described here:

https://wiki.freeswitch.org/wiki/Global_Variable_local_ip_v4

It did get rid of that warning in the startup output, but I still get the Error 1007 issue..

Things that make you go, "Hmm.."

[Chad Pilkey]

Your issue is that FreeSWITCH is sending 10.142.0.3 for its candidate.

What line do you have for your "wss-binding" parameter in /opt/freeswitch/conf/sip_profiles/external.xml?

[MrSimmonsSr]

Thanks for the help, Chad..

Currently I have this:

<param name="wss-binding" value=":7443"/>

I have also tried it with an IP address in it as well, although I can't remember now whether is was the external or internal. If I need an IP in there, which one should it be?

Thanks!

Del

[Chad Pilkey]

That's your issue right there. Try it with a value of "35.185.34.23:7443" as mentioned in this section of the docs http://docs.bigbluebutton.org/1.1/install.html#updating-freeswitch-configuration

[MrSimmonsSr]

Well I had tried that before and I've done it again now just to confirm, I got the following message on server startup via "sudo bbb-conf --clean".

# Error: Could not detect FreeSWITCH listening on port 5060

Additionally, when I try to connect to the room with audio, I very quickly get "Error 1002: Could not make a WebSocket connection" and even the fallback to Flash option won't connect to the echo test..

I have confirmed that you had the correct external IP address..

MrSimmonsSr

[Chad Pilkey]

Is "35.185.34.23" an IP assigned to to an ethernet adapter on your server or is that the IP for an external firewall? If it's the IP for an external firewall you will need to follow the section here about creating a dummy NIC so that FreeSWITCH can bind to "35.185.34.23".

[Del Simmons]

It is the external adapter, and I have already done the hairpin test and passed with no issues..

--
You received this message because you are subscribed to a topic in the Google Groups "BigBlueButton-Setup" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/bigbluebutton-setup/f5PAyDFgEZQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to bigbluebutton-s...@googlegroups.com.

[Fred Dixon]

Hi Del,

Thanks for giving us access to your server for few minutes.  We found the issue was in /opt/freeswitch/conf/sip_profiles/external.xml, it had

    <param name="ext-rtp-ip" value="$${external_ip_v4}"/>

    <param name="ext-sip-ip" value="$${external_ip_v4}"/>

    

but it should have been 

    <param name="ext-rtp-ip" value="$${external_rtp_ip}"/>

    <param name="ext-sip-ip" value="$${external_rtp_ip}"/>

    

We also took this opportunity to make a few more edits to the install documentation for configuring BigBlueButton 1.1-beta behind a firewall, see

 

  http://docs.bigbluebutton.org/1.1/install.html#configuring-bigbluebutton-behind-a-firewall

This was a good test as your server was on Google Compute Cloud, which is a good test of running BigBlueButton in that environment.

Don't hesitate to reach out if you encounter any more problems.

Regards,... Fred

To unsubscribe from this group and all its topics, send an email to bigbluebutton-setup+unsub...@googlegroups.com.
To post to this group, send email to bigbluebutton-setup@googlegroups.com.

Visit this group at https://groups.google.com/group/bigbluebutton-setup.
For more options, visit https://groups.google.com/d/optout.

--

You received this message because you are subscribed to the Google Groups "BigBlueButton-Setup" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bigbluebutton-setup+unsub...@googlegroups.com.

To post to this group, send email to bigbluebutton-setup@googlegroups.com.

Visit this group at https://groups.google.com/group/bigbluebutton-setup.
For more options, visit https://groups.google.com/d/optout.

[Антон Мацюк]

Hi, Fred, hi Chad! :)

I can see after this long time bbb have mature version (not 0.x, I mean, now its major digit is 1).

I was asked to try a new version because of polling module. Also I had seen a bunch of new features, so I agreed to try to upgrade.

I installed it on another VM, played a lot, but had different issues.

Last time I tried to purge all and start from scratch, and it helped a lot. :)

I have:

1) A "firewall" - just a router with NAT enabled :)

2) Dynamic IP, and use DynDNS Standard.

3) "Dedicated NGINX" on VM.

4) "Dedicated BBB" on VM.

3 and 4 have static IPs which are LAN IPs (VMs configured to use bridged network module).

I've configured router to forward ports 80 and 443 to my NGINX VM.

There I configured my bbb domain, and proxying to BBB VM nginx.

bbb vm nginx use self-signed cert, configured 443 port (was this needed at all?).

On the NGINX VM I've configured some locations, proxied them to BBB VM IP on corresponding port.

/ws location i've proxied directly to https://EXTERNAL-DNS-NAME:7443.

I can paste somewhere my NGINX VM bbb nginx config to check it, maybe it have some issues.

After last try I've obtained mostly working BBB.

Thing, which I can't fix now, is a FreeSWITCH.

I'm talking about WebRTC. Can't figure out, whats the reason.

WebRTC Echo test says 1007.

WebRTC Socket test says nothing, but error.

I've read a lot of info about installation...

I've checked hairpin:

user@usrv-bbb-1604:~$ curl --trace-ascii - -k https://bbb.denixx.net:443/bigbluebutton/api
== Info:   Trying 46.98.26.243...
== Info: Connected to bbb.denixx.net (46.98.26.243) port 443 (#0)
== Info: found 173 certificates in /etc/ssl/certs/ca-certificates.crt
== Info: found 692 certificates in /etc/ssl/certs
== Info: ALPN, offering http/1.1
...
<= Recv data, 86 bytes (0x56)
0000: 4b
0004: <response><returncode>SUCCESS</returncode><version>1.1</version>
0044: </response>
0051: 0
0054:
<response><returncode>SUCCESS</returncode><version>1.1</version></response>== Info: Connection #0 to host bbb.denixx.net left intact

so, my router is superbest :)

Can't figure out, what's wrong.

https://bbb.denixx.net/check/

It still says that remote candidate is a LAN IP of BBB VM.

I'm tired of wandering from link to link of installing guide.

May you help me with this small issue with WebRTC?

I may add a section "What to do if I already have an nginx installed?" to docs after that. :)

[Chad Pilkey]

One of the first lines in the install doc specifically mentions "use a fresh install" to avoid some of these issues. If you really want to use a different nginx installation you're going to need to duplicate all (or most) of the nginx definitions in /etc/nginx/sites-available/bigbluebutton and /etc/bigbluebutton/nginx/*.nginx. Note that one of the locations is the root of port 80 so if you have something else already sitting there on your outside nginx install you're likely going to have a conflict.

You're also missing forwards for 1935 and the UDP ports 16384 - 32768.

For WebRTC to work you're going to need to follow the steps here (http://docs.bigbluebutton.org/install/install.html#configuring-bigbluebutton-behind-a-firewall) and you're going to need to use whatever your most external IP is. Because you've got so many layers (many more than a typical setup) you're almost assuredly going to need the dummy NIC step also and then dummy NIC is going to need to be the same external IP. If your external IP is not static you've also got another complication because any time that external IP changes you'll need to change the dummy NIC and FreeSWITCH settings to match the new IP.

You also might run into complications if you're using a self-signed certificate because tomcat doesn't really like them too much.

If this is for production use and not just for testing it's much much easier (and less prone to breaking) to just set it up following the instructions on an external cloud server. Trying to share an IP between BBB and other services is really painful.

[Антон Мацюк]

Thanks, Chad.

I am definitely interested in such configuration be available, so I will try at free time to play with it.

It's for myself. :)

I see a big potential in bbb, so it's time to contribute.

понедельник, 29 мая 2017 г., 20:45:23 UTC+3 пользователь Chad Pilkey написал: