S2s connection between two Openfire not working

Hi,

First of all, I am not sure which version I am using, because I installed 3.6.0a but it recognizes version 3.6.0, and on the admin page there is:

Server version 3.6.0a is now available…blabla…download…blabla.

Anyway, the two servers cannot communicate.

The two servers are called simply “japan” and “germany”.

They can ping, resolve, and telnet at port 5269.

Here is what I get from the debug log when they try to communicate:

1:

2008.10.09 10:57:41 LocalOutgoingServerSession: OS - Trying to connect to japan:5269(DNS lookup: japan:5269)
2008.10.09 10:57:41 LocalOutgoingServerSession: OS - Plain connection to japan:5269 successful
2008.10.09 10:57:41 OutgoingSessionPromise: Error sending packet to remote server:

java.lang.Exception: Failed to create connection to remote server
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:252)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:216)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
    at java.lang.Thread.run(Thread.java:619)

2:

2008.10.09 10:57:41 Connect Socket[addr=/10.10.150.100,port=53710,localport=5269]
2008.10.09 10:57:41 Logging off japan/f508b36 on org.jivesoftware.openfire.net.SocketConnection@f9d4f7 socket: Socket[addr=/10.10.150.100,port=53710,localport=5269] session: org.jivesoftware.openfire.session.LocalIncomingServerSession@5b8e8c status: 1 address: japan/f508b36 id: f508b36

Can someone help me please?

Thanks

That happens for example when I try to add a buddy of a remote domain.

Greetings:

I have tried everything I know to s2s to other servers. I have only had luck with one. I have just about come to the conclusion that this is a TLS issue, or perhaps a self-signed certs issue stemming from TLS.

Unfortunately I already disabled any kind of security to avoid such problems.

Thus, that is not the problem in my case. But now that I think again: sniffing with Wireshark between the servers, should I see Jabber plain-text messages or just TCP?

Because I remember now that I saw Jabber clear-text messages to the clients, but not between servers (even though, as I said, I set Not Available on both SSL and TLS).

I tried also with version 3.5.2 and it has the same problem.

alice@germany tries to add diego@japan

On server germany:

2008.10.10 15:16:03 000080 (01/05/00) - Connection #5 tested: OK
2008.10.10 15:16:03 000081 (01/05/00) - Connection #5 tested: OK
2008.10.10 15:16:03 000081 (01/05/00) - Connection #2 tested: OK
2008.10.10 15:16:03 000082 (01/05/00) - Connection #2 tested: OK
2008.10.10 15:16:03 000082 (01/05/00) - Connection #1 tested: OK
2008.10.10 15:16:03 000083 (01/05/00) - Connection #1 tested: OK
2008.10.10 15:16:03 OutgoingSessionPromise: Error sending packet to remote server:

java.lang.Exception: Failed to create connection to remote server
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:228)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:194)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
    at java.lang.Thread.run(Thread.java:619)

Nothing arrives at server japan.

I noticed that (probably) when I disable dialback and TLS, it automatically disables s2s connections, maybe for safety reasons. Anyway, I re-enabled it and I can telnet, so it can’t be a problem with self-signed certificates as mentioned around.

Just to confirm the theory:

if I login with bob@japan from german network (where openfire germany is located), and try to add diego@japan, it works, of course, because there is no s2s communication involved.
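The two log shapes in this thread are worth telling apart mechanically: "Plain connection to japan:5269 successful" followed by "Failed to create connection to remote server" means TCP worked and the XMPP stream negotiation (s2s security, TLS, dialback) failed, whereas the same exception without a "Plain connection ... successful" line means the connect itself failed (DNS, port 5269, firewall). The following triage script is an added example, not code from the thread or from Openfire; the log lines embedded in it are constructed after the quoted excerpts, and the second attempt (unreachable.example) is invented to show the other failure shape.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the Openfire 3.x debug log lines quoted in the thread.
# The second attempt (unreachable.example) is invented to show the TCP-level failure shape.
SAMPLE_LOG = """\
2008.10.09 10:57:41 LocalOutgoingServerSession: OS - Trying to connect to japan:5269(DNS lookup: japan:5269)
2008.10.09 10:57:41 LocalOutgoingServerSession: OS - Plain connection to japan:5269 successful
2008.10.09 10:57:41 OutgoingSessionPromise: Error sending packet to remote server:
java.lang.Exception: Failed to create connection to remote server
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:252)
2008.10.09 10:58:02 LocalOutgoingServerSession: OS - Trying to connect to unreachable.example:5269(DNS lookup: unreachable.example:5269)
2008.10.09 10:58:07 OutgoingSessionPromise: Error sending packet to remote server:
java.lang.Exception: Failed to create connection to remote server
"""

TRYING = re.compile(r"OS - Trying to connect to (?P<host>[^:\s]+):(?P<port>\d+)")
PLAIN_OK = re.compile(r"OS - Plain connection to (?P<host>[^:\s]+):(?P<port>\d+) successful")
CREATE_FAIL = re.compile(r"Failed to create connection to remote server")

# What to look at next for each verdict (the thread's own findings, condensed).
ADVICE = {
    "tcp-ok-stream-failed": "TCP reachable; check Server Connection Security, xmpp.server.tls.enabled "
                            "and certificate trust on BOTH servers",
    "tcp-failed": "connect failed; check DNS resolution, port 5269 listener and any firewall/NAT",
    "tcp-ok": "connected and no failure logged",
    "pending": "attempt started, no outcome logged yet",
}


@dataclass
class Attempt:
    host: str
    port: int
    tcp_ok: bool = False
    failed: bool = False

    def verdict(self):
        if self.failed and self.tcp_ok:
            return "tcp-ok-stream-failed"
        if self.failed:
            return "tcp-failed"
        return "tcp-ok" if self.tcp_ok else "pending"


def triage(log_text):
    """Group outgoing s2s log lines into connection attempts and mark their outcome."""
    attempts = []
    for line in log_text.splitlines():
        m = TRYING.search(line)
        if m:
            attempts.append(Attempt(m["host"], int(m["port"])))
            continue
        m = PLAIN_OK.search(line)
        if m:
            # Match the TCP success to the newest unresolved attempt for that peer.
            for a in reversed(attempts):
                if (a.host, a.port) == (m["host"], int(m["port"])) and not a.failed:
                    a.tcp_ok = True
                    break
            continue
        if CREATE_FAIL.search(line):
            # The exception does not name the peer, so charge it to the newest unresolved attempt.
            for a in reversed(attempts):
                if not a.failed:
                    a.failed = True
                    break
    return attempts


def summarize(log_text):
    """Map 'host:port' to its verdict string."""
    return {f"{a.host}:{a.port}": a.verdict() for a in triage(log_text)}


if __name__ == "__main__":
    for peer, verdict in summarize(SAMPLE_LOG).items():
        print(f"{peer}: {verdict} -> {ADVICE[verdict]}")
```

Run it against the real debug.log (`summarize(open("debug.log").read())`) and look for the "tcp-ok-stream-failed" verdict: that is the case in this thread, and it rules out the ping/telnet/nslookup layer before anyone re-checks firewalls.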

Hi

With the same configuration (Openfire 3.6.0a) as explained by you, I am able to connect two servers over a site-to-site VPN tunnel.

As said in this post, I too feel there is a problem with the TLS configuration. My configuration is as below.

Server to Server Setting

Service Enabled, and added my server to the Allowed to Connect Whitelist.

Security Configuration

Client Connection Security

Optional

Server Connection Security

Optional

Also check

Accept self signed certificates.

As a reference you can go through this doc if you haven’t yet:

http://www.igniterealtime.org/community/docs/DOC-1030

Hope this helps you.

Thnx

KM

I now set the same configuration as yours, apart from the self-signed certificates option, which cannot be selected in 3.5.2, which I am currently trying.

Still getting this on the first server (germany):

2008.10.10 16:10:45 OutgoingSessionPromise: Error sending packet to remote server:

java.lang.Exception: Failed to create connection to remote server
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:228)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:194)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
    at java.lang.Thread.run(Thread.java:619)

I cannot see any TLS negotiation at all, so it cannot be the failure point.

It really seems to be a connection problem, but I can ping/telnet/nslookup the other server.

This is the debug log at startup, if it can be of any help:

2008.10.10 16:08:03 JettyLog: started {}
2008.10.10 16:08:06 NIOConnection: startTLS: using c2s
2008.10.10 16:08:07 000009 (01/05/00) - Connection #4 tested: OK
2008.10.10 16:08:07 000010 (01/05/00) - Connection #4 tested: OK
2008.10.10 16:08:07 000010 (01/05/00) - Connection #5 tested: OK
2008.10.10 16:08:07 000011 (01/05/00) - Connection #5 tested: OK
2008.10.10 16:08:07 AuthorizationManager: No AuthorizationProvider’s found. Loading DefaultAuthorizationPolicy
2008.10.10 16:08:07 AuthorizationManager: No AuthorizationMapping’s found. Loading DefaultAuthorizationMapping
2008.10.10 16:08:07 AuthorizationManager: Trying Default Mapping.map(alice)
2008.10.10 16:08:07 DefaultAuthorizationMapping: No realm found
2008.10.10 16:08:07 AuthorizationManager: Trying Default Policy.authorize(alice , alice)
2008.10.10 16:08:07 DefaultAuthorizationPolicy: Checking authenID realm
2008.10.10 16:08:07 000011 (01/05/00) - Connection #1 tested: OK

I already read that doc, but didn’t help.

I add some information, maybe irrelevant:

  • the servers have two separate network cards, one on internal network, one on the internet

  • I am working with virtual machines (VirtualBox), but shouldn’t be an issue because SIP is already working on the same machines
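Telnet only proves the port answers; it says nothing about what the remote offers once the XMPP stream is opened, which is exactly the step that "I cannot see any TLS negotiation at all" is about. The probe below is an added example, not code from the thread or from Openfire: it sends a server-to-server stream header and parses the `<stream:features>` reply to report whether the peer advertises STARTTLS (optional or required) and dialback. The embedded SAMPLE_REPLY is constructed for this example, and the origin domain `probe.example` is a placeholder; `probe_s2s` needs a reachable peer, while `parse_features` and `interpret` work offline.

```python
import re
import socket
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
DIALBACK_NS = "urn:xmpp:features:dialback"

# Constructed sample reply in the shape of an XMPP 1.0 s2s stream open plus features;
# the id value is copied from the thread's log, everything else is invented.
SAMPLE_REPLY = (
    "<?xml version='1.0' encoding='UTF-8'?>"
    f"<stream:stream xmlns:stream='{STREAM_NS}' xmlns='jabber:server' "
    "xmlns:db='jabber:server:dialback' from='japan' to='germany' id='f508b36' version='1.0'>"
    "<stream:features>"
    f"<starttls xmlns='{TLS_NS}'><required/></starttls>"
    f"<dialback xmlns='{DIALBACK_NS}'/>"
    "</stream:features>"
)

FEATURES_RE = re.compile(r"<stream:features\s*/>|<stream:features>.*?</stream:features>", re.S)


def s2s_stream_header(origin, target):
    """Outgoing s2s stream open, as an XMPP 1.0 server sends it (dialback namespace declared)."""
    return (
        "<?xml version='1.0'?>"
        f"<stream:stream xmlns='jabber:server' xmlns:stream='{STREAM_NS}' "
        f"xmlns:db='jabber:server:dialback' from='{origin}' to='{target}' version='1.0'>"
    )


def parse_features(data):
    """Return which s2s features the remote advertised, or None if no <stream:features> arrived."""
    m = FEATURES_RE.search(data)
    if not m:
        return None
    # The stream is an unfinished XML document, so re-parse only the features element
    # under a small wrapper that declares the stream prefix.
    root = ET.fromstring(f'<w xmlns:stream="{STREAM_NS}">{m.group(0)}</w>')
    feats = root.find(f"{{{STREAM_NS}}}features")
    result = {"starttls": False, "starttls_required": False, "dialback": False}
    for child in feats:
        if child.tag == f"{{{TLS_NS}}}starttls":
            result["starttls"] = True
            result["starttls_required"] = child.find(f"{{{TLS_NS}}}required") is not None
        elif child.tag == f"{{{DIALBACK_NS}}}dialback":
            result["dialback"] = True
    return result


def interpret(features):
    """Turn the parsed feature set into the next thing to check."""
    if features is None:
        return "no stream features received: the remote closed or errored before negotiating"
    if features["starttls_required"]:
        return "remote requires TLS: set Server Connection Security accordingly and check certificate trust"
    if features["starttls"]:
        return "remote offers optional TLS"
    if features["dialback"]:
        return "remote offers dialback only: TLS is disabled or unavailable on its side"
    return "remote advertises no s2s authentication feature"


def probe_s2s(host, port=5269, origin="probe.example", timeout=5):
    """Open a plain TCP connection, send the stream header and read until features (or timeout)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(s2s_stream_header(origin, host).encode())
        buf = b""
        try:
            while not FEATURES_RE.search(buf.decode(errors="replace")):
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
        return parse_features(buf.decode(errors="replace"))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    feats = probe_s2s(target) if target else parse_features(SAMPLE_REPLY)
    print(feats, "->", interpret(feats))
```

Run `python probe.py japan` from the germany host: a `None` result means the peer dropped the stream before advertising anything (the symptom in this thread), while a parsed dictionary tells you which security setting the two sides disagree on.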

Hi

I don’t think running them in VMs is a problem, because even I used them in VMs before moving my setup into production.

One more important point the document makes is about name resolution.

See that name resolution is successful from both servers.

Is this the way your servers are connected?

server1 ------- firewall1----------- INTERNET ------------ firewall2 ------------------- server2

If so, then have the points below been taken care of?

Make sure that Openfire in Office1 can create outgoing connections to Office2:5269 and vice versa.

Make sure that Office2:5269 accepts connections from Office1:1024-65536 and vice versa.

Make sure that Office2:5269 forwards the incoming requests to Openfire (R-NAT or whatever you want to call it).

Thnx

KM

I am just setting up a little testbed for research, so it is much simpler than that, with no security requirements.

VM(alice@germany) ----- VMOpenfire(germany) ----- VMOpenfire(japan) ----- VM(diego@japan)

Note that both of them can ping/nslookup/telnet the other one.

There is no firewall.

About NAT, I will have to think about it later for communications between users, but for sure it can’t be an issue now, because the server is not sending the subscription request to the remote one, which shouldn’t have anything to do with NAT.

Can you check your subscription service properties once and see that they are enabled?

KM

How?

Hi evil,

The server versions below 3.6.0a had a system property to allow self-signed certificates (it took two nights to figure that out :slight_smile: ):

Taken from http://www.igniterealtime.org/community/docs/DOC-1030

Establish secure server to server communication

The methods above should also apply if you set up several servers within your intranet. To establish secure communication between servers, you do have to set the Server Connection Security (Server/Server Manager/Security Setting) to “Required”. You have to check that TLS is enabled for s2s. The value of the property xmpp.server.tls.enabled (within Server/Server Manager/System properties) has to be “true”. **Also, if you are using self-signed server certificates, you should add a system property "xmpp.server.certificate.verify" and set it to “false”.** A properly working encrypted s2s session is shown with a lock in the server session view.

Regards

Walter

But I thought I shouldn’t be concerned by any security setting since I DISABLED everything.

In such a case I don’t expect any check on certificates.

Anyway, I will try to check that property and see if it makes any difference (and as you can read, I am now trying 3.5.2, but before I was with 3.6.0a, which instead appeared to be 3.6.0, offering to upgrade to 3.6.0a).

Solved.

I set Required in server2server security, I added that property (not sure it was necessary) and now it works.

This is weird, because normally you remove security to test something and narrow problems…

Besides, I would have preferred to see plain text messages between servers to analyze traffic.

I hope this will be possible in next releases.

Thank you everyone for the help

Not happy: I tried to do the same with 3.6.0 and it is not working.

I’ll stick to 3.5.2.

Hi evil,

if I understand the remarks regarding TLS correctly (http://www.igniterealtime.org/community/docs/DOC-1243, http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ssl-guide.html, http://www.igniterealtime.org/community/docs/DOC-1552), the solution may be the use of signed certificates. These signatures have to be done by a well-established Certificate Authority. Otherwise the external Jabber server will not trust your certificate. This would be the obvious case for a self-signed certificate. I cannot confirm this suspicion as I don’t have signed certificates.

Regards,

Walter

OK, but I guess that is not my case; I am just setting up 2 Openfire servers in a testbed for an internal project, and a Certificate Authority is not a possibility.

Well,

if you want to act as a CA yourself, here is a guide: http://www.tc.umn.edu/~brams006/selfsign.html

And you will need to include your CA certificate in the truststore of the security folder within openfire.

Walter