3.6.0a Server to Server problems

I run two Openfire 3.6.0a servers. One is my personal domain, the other is my corporate domain. Both systems are using Debian Etch 4.0 with the latest patches, no iptables running, Openfire 3.6.0a, same plugin set minus fastpath on the corporate domain.

For the life of me, I can’t get these two domains to talk to each other. I had this working with 3.5.2 implementations but I haven’t been able to get server to server communication working with Openfire 3.6.0a as of yet. Here’s an interesting excerpt from the logs of both servers:

**openfire 3.6.0a warn.log**

servepath.com:

```
2008.10.08 01:36:25 Error returning error to sender. Original packet:

org.jivesoftware.openfire.PacketException: Cannot route packet of type IQ or Presence to bare JID:

    at org.jivesoftware.openfire.spi.RoutingTableImpl.routePacket(RoutingTableImpl.java:217)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.returnErrorToSender(OutgoingSessionPromise.java:285)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:219)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
    at java.lang.Thread.run(Thread.java:619)
```

cat6wired.net:

```
2008.10.08 01:27:40 Missing type info for saveSettings(1<0>). Assuming this is a map with String keys. Please add to in dwr.xml
2008.10.08 01:27:40 Missing type info for saveSettings(1<1>). Assuming this is a map with String keys. Please add to in dwr.xml
2008.10.08 01:34:54 Error returning error to sender. Original packet:

d4dd5f4f4bc22f57e55af7cbd356577f325192a2

d4dd5f4f4bc22f57e55af7cbd356577f325192a2

org.jivesoftware.openfire.PacketException: Cannot route packet of type IQ or Presence to bare JID:

    at org.jivesoftware.openfire.spi.RoutingTableImpl.routePacket(RoutingTableImpl.java:217)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.returnErrorToSender(OutgoingSessionPromise.java:285)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:219)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
    at java.lang.Thread.run(Thread.java:619)
```

I’m not sure why it’s thinking that it cannot route:

**neutral server doing DIG**

```
; <<>> DiG 9.2.1 <<>> -t SRV _xmpp-server._tcp.cat6wired.net @4.2.2.2
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50507
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_xmpp-server._tcp.cat6wired.net. IN SRV

;; ANSWER SECTION:
_xmpp-server._tcp.cat6wired.net. 3600 IN SRV 0 0 5269 secure.cat6wired.net.

;; Query time: 101 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Wed Oct 8 01:35:52 2008
;; MSG SIZE rcvd: 89

[01:35:52][bmenges@x~]$ dig -t SRV _xmpp-server._tcp.servepath.com @4.2.2.2

; <<>> DiG 9.2.1 <<>> -t SRV _xmpp-server._tcp.servepath.com @4.2.2.2
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 484
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_xmpp-server._tcp.servepath.com. IN SRV

;; ANSWER SECTION:
_xmpp-server._tcp.servepath.com. 60 IN SRV 10 0 5269 jabber2.servepath.com.

;; Query time: 259 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Wed Oct 8 01:36:08 2008
;; MSG SIZE rcvd: 90

[01:36:08][bmenges@sysmon ~]$ dig -t A secure.cat6wired.net @4.2.2.2

; <<>> DiG 9.2.1 <<>> -t A secure.cat6wired.net @4.2.2.2
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57400
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;secure.cat6wired.net. IN A

;; ANSWER SECTION:
secure.cat6wired.net. 21600 IN A 64.151.74.252

;; Query time: 115 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Wed Oct 8 01:37:17 2008
;; MSG SIZE rcvd: 54

[01:37:18][bmenges@sysmon ~]$ dig -t A jabber2.servepath.com @4.2.2.2

; <<>> DiG 9.2.1 <<>> -t A jabber2.servepath.com @4.2.2.2
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48376
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jabber2.servepath.com. IN A

;; ANSWER SECTION:
jabber2.servepath.com. 60 IN A 69.59.136.177

;; Query time: 170 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Wed Oct 8 01:37:29 2008
;; MSG SIZE rcvd: 55
```

So the SRV records are correct, and they point to the right IPs. I can prove this because I can connect to both servers individually and they work fine. The only exception to this is that the corporate server has a server-to-server whitelist, but I’ve entered cat6wired.net in it, so this should be allowed. Some help in diagnosing would be great, as I cannot figure out why beyond layer 3 this isn’t working…

Searching for “Cannot route packet of type IQ or Presence to bare JID” gets me an old bug back in core 1.1.0… http://www.igniterealtime.org/community/message/169668 from 4/29/2008 was no help as there’s no resolution. Server security isn’t optional in my case.

Both servers are certified through a wildcard certificate through GoDaddy.

So, I decided to go one step further… since I have a jabber.org account. This works just fine?! So what is it about these two domains that I’m missing here? I have full SRV records, and so far as I know all the IP access that the servers need for this kind of connectivity. If I can message jabber.org users just fine, why can’t my two openfire servers talk to each other?
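As an added example (not part of the original post and not Openfire's own code), the following Python walks through the DNS side of an s2s connection attempt the way RFC 2782 prescribes: SRV records are ordered by priority, then chosen by weighted random draw within a priority, and each target is checked for an address record; without an SRV record the server falls back to the domain name itself on port 5269. The lookup tables are constructed from the dig output in this thread plus a hypothetical `example.test` domain (with a deliberately dangling SRV target) so it runs offline; `order_srv`, `s2s_candidates`, `diagnose` and `first_choice_share` are names chosen here, not Openfire API.

```python
"""Offline walk-through of the DNS lookups an XMPP server performs before
opening a server-to-server (s2s) connection: SRV ordering per RFC 2782 and
an A-record check on every SRV target.  Constructed example, not Openfire code."""
import random
from collections import defaultdict

# Constructed lookup tables.  The first two entries are copied from the dig
# output in the thread; example.test is hypothetical and exists only to show
# priority/weight ordering and a dangling SRV target.
# SRV tuples are (priority, weight, port, target).
SRV_TABLE = {
    "_xmpp-server._tcp.cat6wired.net.": [(0, 0, 5269, "secure.cat6wired.net.")],
    "_xmpp-server._tcp.servepath.com.": [(10, 0, 5269, "jabber2.servepath.com.")],
    "_xmpp-server._tcp.example.test.": [
        (10, 60, 5269, "xmpp1.example.test."),
        (10, 40, 5269, "xmpp2.example.test."),
        (20, 0, 5270, "backup.example.test."),
    ],
}
A_TABLE = {
    "secure.cat6wired.net.": "64.151.74.252",
    "jabber2.servepath.com.": "69.59.136.177",
    "xmpp1.example.test.": "192.0.2.10",
    "xmpp2.example.test.": "192.0.2.11",
    # backup.example.test. deliberately has no A record
}


def order_srv(records, rng=None):
    """Return SRV records in RFC 2782 connection order: ascending priority,
    then a weighted random draw inside each priority group, with weight-0
    records placed first so they are only chosen when the draw lands on 0."""
    rng = rng or random.Random()
    by_prio = defaultdict(list)
    for rec in records:
        by_prio[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_prio):
        group = sorted(by_prio[prio], key=lambda r: r[1] != 0)  # weight 0 first
        while group:
            total = sum(r[1] for r in group)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for i, rec in enumerate(group):
                running += rec[1]
                if running >= pick:        # first record whose running sum reaches the draw
                    ordered.append(group.pop(i))
                    break
    return ordered


def s2s_candidates(domain, srv_table=SRV_TABLE, a_table=A_TABLE, rng=None):
    """Hosts an s2s connection to `domain` would try, in order, as
    (target, port, address-or-None).  Without an SRV record XMPP falls back
    to the domain name itself on port 5269."""
    fqdn = domain.rstrip(".") + "."
    records = srv_table.get("_xmpp-server._tcp." + fqdn)
    if not records:
        return [(fqdn, 5269, a_table.get(fqdn))]
    return [(t, p, a_table.get(t)) for _, _, p, t in order_srv(records, rng)]


def diagnose(domain, **kw):
    """Return (candidates, problems): the DNS-level findings an admin would
    check before looking at dialback or TLS for a failing s2s link."""
    candidates = s2s_candidates(domain, **kw)
    problems = []
    for target, port, addr in candidates:
        if addr is None:
            problems.append(f"SRV target {target} has no A record")
        if port != 5269:
            problems.append(f"{target} listens on non-default port {port}; check firewalls")
    return candidates, problems


def first_choice_share(domain, target, trials=2000, seed=0):
    """Fraction of trials in which `target` is tried first; shows that SRV
    weight spreads connections rather than fixing a single order."""
    rng = random.Random(seed)
    hits = sum(s2s_candidates(domain, rng=rng)[0][0] == target for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    for d in ("cat6wired.net", "servepath.com", "example.test"):
        print(d, diagnose(d))
```

Run against the two real domains, `diagnose` reports no problems, which matches the poster's conclusion that the SRV and A records are fine and the fault lies above layer 3 (dialback, TLS or the whitelist). To use it against live DNS, replace the two dictionaries with results from a resolver library while keeping the ordering and checks unchanged.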

Bump.

No one is experiencing similar problems or has any insight?

Hi,

Maybe not exactly the same, but if you search for S2S and Openfire 3.6.0a you will find some heated discussions.

Walter

Hi Brian,

I have just checked with two 3.6.0a servers, it is working. My server settings are:

Server-Server Settings-Server to Server Settings

Service Enabled

Idle Connections Settings

minutes.

Allowed to Connect

Server-Server Settings-Server Connection Security

checked

checked

**IT IS NOT WORKING WITH THE SETTING REQUIRED.** The session between the servers seems to be secured, which is indicated by the lock in the session overview.

The Debug log shows this:

```
2008.10.13 10:27:19 Connect Socket[addr=/10.49.229.74,port=2556,localport=5269]
2008.10.13 10:27:20 ServerDialback: RS - Received dialback key from host: dew05947.ger.win.int.kn to: w3hambomisc01.ger.win.int.kn
2008.10.13 10:27:20 ServerDialback: RS - Trying to connect to Authoritative Server: dew05947.ger.win.int.kn:5269(DNS lookup: dew05947.ger.win.int.kn:5269)
2008.10.13 10:27:20 ServerDialback: RS - Connection to AS: dew05947.ger.win.int.kn:5269 successful
2008.10.13 10:27:20 ServerDialback: RS - Asking AS to verify dialback key for idca20b08b
2008.10.13 10:27:20 ServerDialback: RS - Key was VERIFIED by the Authoritative Server for: dew05947.ger.win.int.kn
2008.10.13 10:27:20 ServerDialback: RS - Closing connection to Authoritative Server: dew05947.ger.win.int.kn
2008.10.13 10:27:20 ServerDialback: RS - Sending key verification result to OS: dew05947.ger.win.int.kn
2008.10.13 10:27:20 000090 (01/03/00) - #2 registered a statement as closed which wasn't known to be open. This could happen if you close a statement twice.
2008.10.13 10:27:20 LocalOutgoingServerSession: OS - Trying to connect to dew05947.ger.win.int.kn:5269(DNS lookup: dew05947.ger.win.int.kn:5269)
2008.10.13 10:27:20 LocalOutgoingServerSession: OS - Plain connection to dew05947.ger.win.int.kn:5269 successful
2008.10.13 10:27:20 LocalOutgoingServerSession: OS - Indicating we want TLS to dew05947.ger.win.int.kn
2008.10.13 10:27:20 LocalOutgoingServerSession: OS - Negotiating TLS with dew05947.ger.win.int.kn
2008.10.13 10:27:20 LocalOutgoingServerSession: OS - TLS negotiation with dew05947.ger.win.int.kn was successful
2008.10.13 10:27:20 LocalOutgoingServerSession: OS - About to try connecting using server dialback over TLS with: dew05947.ger.win.int.kn
2008.10.13 10:27:20 ServerDialback: OS - Sent dialback key to host: dew05947.ger.win.int.kn id: 4abdc884 from domain: w3hambomisc01.ger.win.int.kn
2008.10.13 10:27:20 Connect Socket[addr=/10.49.229.74,port=2557,localport=5269]
2008.10.13 10:27:20 ServerDialback: AS - Verifying key for host: dew05947.ger.win.int.kn id: 4abdc884
2008.10.13 10:27:20 ServerDialback: AS - Key was: VALID for host: dew05947.ger.win.int.kn id: 4abdc884
2008.10.13 10:27:20 ServerDialback: AS - Connection closed for host: dew05947.ger.win.int.kn id: 4abdc884
2008.10.13 10:27:20 Connection closed before session established
Socket[addr=/10.49.229.74,port=2557,localport=5269]
2008.10.13 10:27:20 ServerDialback: OS - Validation GRANTED from: dew05947.ger.win.int.kn id: 4abdc884 for domain: w3hambomisc01.ger.win.int.kn
2008.10.13 10:27:20 LocalOutgoingServerSession: OS - SERVER DIALBACK OVER TLS with dew05947.ger.win.int.kn was successful
```

Kind regards,

Walter
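The RS/AS/OS lines in the debug log above are the three roles of XEP-0220 server dialback: the originating server (OS) sends a key on its new outbound stream, the receiving server (RS) opens a separate connection to the authoritative server (AS) that DNS lists for the claimed domain and asks it to verify the key, and the AS answers valid or invalid. The following Python is an added simulation of that exchange, written for this thread and not taken from Openfire; the key derivation follows the XEP-0185 recommendation (HMAC-SHA256 keyed with SHA256 of a per-server secret over "receiving originating stream-id"), which Openfire is not known to use verbatim. The `Server` class, its method names and the constructed domains `alpha.test`, `beta.test` and `gamma.test` are assumptions of this example. The point worth seeing is what dialback does and does not prove: a key is accepted only if the host DNS designates for the claimed domain confirms it for this exact stream, so dialback proves DNS control of a domain, not a certificate identity, which is why it sits beside TLS rather than replacing it.

```python
"""Simulation of the XEP-0220 server dialback exchange (OS / RS / AS roles).
Added example, not Openfire's implementation.  Key derivation follows the
XEP-0185 recommendation; domains and class names are constructed."""
import hashlib
import hmac
import secrets


def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """XEP-0185 key: HMAC-SHA256 keyed with SHA256(secret) over
    'receiving originating stream_id'; hex as carried in <db:result>/<db:verify>."""
    k = hashlib.sha256(secret).digest()
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(k, msg, hashlib.sha256).hexdigest()


class Server:
    """One XMPP domain.  The same process plays all three dialback roles:
    OS (originating) when it connects out, RS (receiving) when it accepts,
    AS (authoritative) when someone dials back to verify a key it issued."""

    def __init__(self, domain: str, dns: dict, secret: bytes = None):
        self.domain = domain
        self.dns = dns                      # constructed stand-in for SRV/A lookup: domain -> Server
        self.secret = secret or secrets.token_bytes(32)

    # OS side, step 1: send <db:result from= to=>KEY</db:result> on the new stream.
    def originate(self, receiving: str, stream_id: str, claim_as: str = None) -> dict:
        sender = claim_as or self.domain   # claim_as models a peer asserting a domain it does not hold
        return {"from": sender, "to": receiving,
                "key": dialback_key(self.secret, receiving, sender, stream_id)}

    # AS side, step 3: answer <db:verify> for a key we supposedly issued.
    def verify(self, receiving: str, originating: str, stream_id: str, key: str) -> str:
        if originating != self.domain:
            return "invalid"                # we are not authoritative for that domain
        expected = dialback_key(self.secret, receiving, originating, stream_id)
        return "valid" if hmac.compare_digest(expected, key) else "invalid"

    # RS side, step 2: dial back to the AS that DNS lists for result['from'].
    def receive(self, result: dict, stream_id: str) -> str:
        if result["to"] != self.domain:
            return "error"                  # stream not addressed to one of our domains
        authoritative = self.dns.get(result["from"])
        if authoritative is None:
            return "error"                  # 'Trying to connect to Authoritative Server' would fail
        return authoritative.verify(self.domain, result["from"], stream_id, result["key"])


def run_exchange(originating: Server, receiving: Server, claim_as: str = None,
                 stream_id: str = None) -> str:
    """Drive one dialback round and return the RS verdict: valid / invalid / error."""
    stream_id = stream_id or secrets.token_hex(4)   # same shape as 'id: 4abdc884' in the log
    result = originating.originate(receiving.domain, stream_id, claim_as)
    return receiving.receive(result, stream_id)


def demo() -> dict:
    """Outcomes for an honest peer, a peer claiming a domain whose DNS points
    elsewhere, a domain with no DNS entry, and a key replayed on a new stream."""
    dns = {}
    alpha = Server("alpha.test", dns)
    beta = Server("beta.test", dns)
    dns.update({"alpha.test": alpha, "beta.test": beta})
    stranger = Server("gamma.test", dns)    # constructed host with no DNS record at all
    return {
        "honest": run_exchange(alpha, beta),
        "spoofed_origin": run_exchange(stranger, beta, claim_as="alpha.test"),
        "unknown_domain": run_exchange(stranger, beta),
        # key issued for stream 4abdc884 presented on a different stream
        "replayed_key": beta.receive(alpha.originate(beta.domain, "4abdc884"), "deadbeef"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} -> {verdict}")
```

The `spoofed_origin` case is the one that matters for the whitelist discussion in this thread: a remote server is identified by the domain it claims, and that claim is only as strong as the RS's DNS lookup of the authoritative server, so allowing a domain through the whitelist still depends on dialback (or TLS certificate validation) succeeding for it.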

Seems a bit contradictory to have the setting “optional” succeed in securing the connection, yet “required” fail. I wonder when they’ll tend to this issue … if ever … to get it fixed.

I’ve also noticed that with the required setting (which is what I desire) 3.5.2 won’t talk to 3.6.0a, which I suspect is the same issue as with two 3.6.0a servers. Maybe I’ll give that a try.

-B

> The session between the servers seems to be secured which is indicated by the lock in the session overview.

I don’t know where you’re seeing this, because my tests show exactly the opposite. Sure, the client-to-server connection is secured, as displayed by the security lock on both the client (Spark) and the console (Openfire), but the server-to-server connection is not secured:

| # | Domain | Direction | Created | Last activity |
|---|---|---|---|---|
| 1 | jabber.org | Outgoing | 12:52 PM | 12:52 PM |
| 2 | servepath.com | Both | 12:55 PM | 12:55 PM |

As you can see above, my connection between cat6wired.net and servepath.com is clearly not secure. This is still a present problem, and causes me much heartburn. I may simply have to go back to 3.5.2 because that was the most stable version I’ve encountered thus far. Since we don’t use FastPath or the like, I think it’ll suit our organization if 3.6.0a cannot get this resolved.

Hi Brian,

If I understand the remarks regarding TLS correctly (http://www.igniterealtime.org/community/docs/DOC-1243, http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ssl-guide.html, http://www.igniterealtime.org/community/docs/DOC-1552), the solution may be the use of signed certificates. These signatures have to be done by a well-established Certificate Authority. Otherwise the external Jabber server will not trust your certificate. This would be the obvious case for a self-signed certificate. I cannot confirm this suspicion as I don’t have signed certificates.

Regards,

Walter

Both servers are using CA-signed certificates from GoDaddy with the intermediate in the chain. Both servers talk encrypted to other non-Openfire servers with encryption required (e.g. jabber.org).

Never resolved, giving up.