Stuck at 60%

[dbrgn]

If connecting is stuck at 60%, this means that you WebRTC PeerConnection cannot be established. We're working on fixes, but it's a complex issue with many possible causes.

• Do you use a modern browser?
• Do you use a browser plugin that disables WebRTC?
• Do you use an ad blocker that might also block WebRTC?
• Are you behind a (corporate?) firewall that does deep packet inspection?

Please go to https://web.threema.ch/troubleshoot/ to see if any problem is detected.

When using Firefox, please try whether it works with Chrome/Chromium/Opera, since current versions of Firefox don't yet support TURN via TLS, which can cause the traffic to be blocked by some firewalls.

When it doesn't work in Chrome, try running the Threema Web in an anonymous window (Ctrl+Shift+n). If it works there, a plugin is blocking the connection.

If that does not help, a firewall might be the problem, especially if the issue occurs in a company network. We're actively working on a fix to circumvent the firewalls, but it might take a few more days until everything is properly set up and tested.

[CptHermi]

has to be the corporate firewall...

Will test again at home.

Thank you!

[fichtennadel]

Stuck at 60% ...

• browser FF 51.0.1 and Chrome 56.0.2924.87 (also tried in anon window), both on Win7 64bit
• no plugin
• disabled ad blocker
• corporate VPN, don't know about deep packet inspection fw

Are there STUN or TURN servers available to traverse vpn/fw restrictions?

[dbrgn]

Are there STUN or TURN servers available to traverse vpn/fw restrictions?

Yes, they're at stun.threema.ch:443 and turn.threema.ch:443. Maybe the company firewall blocks the traffic because it's not real HTTPS. Does it work outside the VPN?

[lgrahl]

@dbrgn I think it would be a good idea to log gatherered and exchanged candidates (censor IP addresses that are not from Threema) so this can be investigated easier.

[fichtennadel]

Does it work outside the VPN?

Yes

Yes, they're at stun.threema.ch:443 and turn.threema.ch:443

In VPN I can see an UDP connection to turn.threema.ch:443 with 14 packets exchanged, then handover to another port happens, but there only 7 packets are exchanged before it stops at 60% (according to SmartSniff tool)

[Ka-Hen]

Same situation here.
Tried browsers

• Chromium 56.0.2924.87 (64-bit) with WebRTC and w/o any plug-ins etc.
• Firefox 51.0.1 (32-Bit) with and w/o plug-ins

btw. Slack, WhatsApp, etc. are working fine in both browsers.
Android phone connected via WiFi or 4G. Same behaviour.
The message_log.txt reports nothings interesting AFAICS (attached below)

I tried out https://test.webrtc.org/
in Chromium the network part is green (TURN) but the Connectivity part is yellow at the "Reflexive connectivity"
in FF the network part is red "[ FAILED ] TURN request failed". No idea why atm.

Any suggestions?

Thu Feb 16 15:38:47 MEZ 2017 releaseConnectionLinger: source = activityPaused, timeout = 60000 Thu Feb 16 15:38:47 MEZ 2017 releaseConnection: source = activityPaused, refCount = 0 Thu Feb 16 15:38:47 MEZ 2017 acquireConnection: source = activityResumed, refCount = 1 Thu Feb 16 15:38:49 MEZ 2017 releaseConnectionLinger: source = activityPaused, timeout = 60000 Thu Feb 16 15:38:49 MEZ 2017 releaseConnection: source = activityPaused, refCount = 0 Thu Feb 16 15:38:49 MEZ 2017 acquireConnection: source = activityResumed, refCount = 1 Thu Feb 16 15:38:51 MEZ 2017 releaseConnectionLinger: source = activityPaused, timeout = 60000 Thu Feb 16 15:38:51 MEZ 2017 releaseConnection: source = activityPaused, refCount = 0 Thu Feb 16 15:38:51 MEZ 2017 acquireConnection: source = activityResumed, refCount = 1 Thu Feb 16 15:38:51 MEZ 2017 releaseConnectionLinger: source = activityPaused, timeout = 60000 Thu Feb 16 15:38:51 MEZ 2017 releaseConnection: source = activityPaused, refCount = 0 Thu Feb 16 15:38:51 MEZ 2017 acquireConnection: source = activityResumed, refCount = 1 Thu Feb 16 15:39:01 MEZ 2017 releaseConnectionLinger: source = activityPaused, timeout = 60000 Thu Feb 16 15:39:01 MEZ 2017 releaseConnection: source = activityPaused, refCount = 0 Thu Feb 16 15:39:02 MEZ 2017 onTrimMemory: 20 Thu Feb 16 15:39:06 MEZ 2017 acquireConnection: source = activityResumed, refCount = 1 Thu Feb 16 15:41:39 MEZ 2017 releaseConnectionLinger: source = activityPaused, timeout = 60000 Thu Feb 16 15:41:39 MEZ 2017 releaseConnection: source = activityPaused, refCount = 0 Thu Feb 16 15:41:39 MEZ 2017 acquireConnection: source = activityResumed, refCount = 1 Thu Feb 16 15:41:43 MEZ 2017 releaseConnectionLinger: source = activityPaused, timeout = 60000 Thu Feb 16 15:41:43 MEZ 2017 releaseConnection: source = activityPaused, refCount = 0 Thu Feb 16 15:41:43 MEZ 2017 onTrimMemory: 20

[fichtennadel]

These are the last few lines of the log from FF console:

19:02:01.743 [SaltyRTC.WebRTC.initiator] New event: candidates  saltyrtc-task-webrtc.es5.js:1051:13
19:02:12.854 [PeerConnectionHelper] ICE connection state change: failed  angular.js:14199:18
19:02:12.863 [StateService] RTC connection state: connecting => disconnected  angular.js:14199:18

Note the 10s gap between first and second line.

Let me know if and how I shall provide the complete log.

Btw, meanwhile the circle keeps turning in the app, but can be removed by hold+Remove session.

[rugk]

Note also about:webrtc may contain some useful debug information in Firefox.

[fichtennadel]

Note also about:webrtc may contain some useful debug information in Firefox.

Ok, but this contains sensitive information like local IP adresses, I won't post this here. Let me know which parts in particular might be helpful.

[fichtennadel]

Some redacted info from about:webrtc

ICE stats

Local Candidate	Remote Candidate	ICE State	Priority
(web client IP VPN):58350/udp(host)	(app IP LAN):53677/udp(host)	failed	9xxxx
(web client IP VPN):58350/udp(host)	(LAN gateway public IP):53677/udp(serverreflexive)	failed	7xxxx
(web client IP VPN):58350/udp(host)	5.148.175.222:62236/udp(relayed)	failed	1xxxx
	::1:38781/udp(host)
	127.0.0.1:36203/udp(host)
	(app IP LAN):59211/tcp(host)
	::1:49132/tcp(host)
	127.0.0.1:48222/tcp(host)

Might there anything else be helpful from about:webrtc?

[rugk]

I've no idea. I just saw this panel and thought it might be nice.
But "ICE State = failed" does not look good…

[lgrahl]

When ICE goes to failed every time you try it, you can be pretty certain that it is a network-related problem.

[fichtennadel]

When ICE goes to failed every time you try it, you can be pretty certain that it is a network-related problem.

AFAIK WebRTC is supposed to traverse firewalls, so there must be something missing in threema-web's way to use it or in the setup of the STUN/TURN servers.

I checked at https://www.netscan.co/ , WebRTC tests are ok.

Just have a look at the forums (threema-forum.de, heise), this bug bites many.

[DerDakon]

I'm pretty sure it is not related to networking. Both my phone and the PC are on the same net, and the progress is steady. When reaching 99% it always stops when I have the error (once it actually worked), and when I then delete the session inside the app the browser is notified immediately.

[fichtennadel]

... When reaching 99% it always stops ...

That's an other issue: #38

[lgrahl]

All I'm saying is that when ICE goes to failed... what I said above. This does not mean I'm ruling out a bug here. And I'm not talking about the 99% stuck case here, this is the 60% stuck case, so please only discuss problems related to the 60% case in this issue.

[lgrahl]

So, to clarify: I was talking about the case that both app and browser have no unhandled exceptions and then ICE goes to failed. Indeed, exceptions raised in the app that tear down the WebRTC PeerConnection instance would also lead to ICE going to failed on the browser side.

[fichtennadel]

... exceptions raised in the app that tear down the WebRTC PeerConnection ...

I didn't check that explicitly. Would this have caused a message in the app (which did not occcur) or do I need to gather logs? If logs from the app are helpful, let me know how to do this.

[lgrahl]

Yeah, give it a try. Edit: You can turn it on in the settings.

[jakunar]

I am also having the 60% issue in a corporate network.
about:webrtc result is equal #43 (comment)

[Gegh]

+1 same here

[fichtennadel]

log from Threema app while trying to connect to the browser:

Fri Feb 17 13:14:49 CET 2017	acquireConnection: source = activityResumed, refCount = 1
Fri Feb 17 13:14:49 CET 2017	startConnection
Fri Feb 17 13:14:49 CET 2017	ThreemaConnection state changed: CONNECTING Port: 5222 IPv6: false
Fri Feb 17 13:14:49 CET 2017	ThreemaConnection state changed: CONNECTED Port: 5222 IPv6: false
Fri Feb 17 13:14:49 CET 2017	ThreemaConnection state changed: LOGGEDIN Port: 5222 IPv6: false
Fri Feb 17 13:14:55 CET 2017	[type: WIFI[], state: CONNECTED/CONNECTED, reason: (unspecified), extra: "SSID", roaming: false, failover: false, isAvailable: true, isConnectedToProvisioningNetwork: false]
Fri Feb 17 13:14:59 CET 2017	releaseConnectionLinger: source = activityPaused, timeout = 60000
Fri Feb 17 13:14:59 CET 2017	releaseConnection: source = activityPaused, refCount = 0
Fri Feb 17 13:14:59 CET 2017	onTrimMemory: 20
Fri Feb 17 13:15:59 CET 2017	stopConnection
Fri Feb 17 13:15:59 CET 2017	ThreemaConnection state changed: DISCONNECTED Port: 5222 IPv6: false

[dbrgn]

STUN/TURN servers are listening on port 443. This was done in order to prevent company firewalls from blocking it. But since the traffic going through Port 443 is not actually HTTPS, some firewalls with packet inspection might still block it.

[lgrahl]

@dbrgn We should be able to verify this if you configure both servers to respond on the default STUN port as well and add it to the list of ICE servers.

[ghost]

My initial comment was completely misguided, so I decided to try again.

It's not the PCs that prevent my connection to Threema (stuck at 60%). It is my phone. My cellular provider seems to be causing the issue. Connecting to Wi-Fi or turning on a VPN such as Opera VPN allows me to circumvent it.

All the browsers I have tested have this issue.

---

Originally I got the 60% error in Opera regardless, but I then noticed WebRTC is disabled on the Opera browsers I tested. Opera's content settings make enabling WebRTC simple enough. I think Threema may want to suggest this to beginners using their Web client.

[lgrahl]

@echotest123 Can you tell us the name of the cellular provider? It is indeed a possibility that they do not allow STUN/TURN packets because they are usually used in relation with mobile calls which probably isn't in the interest of the cellular provider.

@dbrgn It should be possible to circumvent this limitation by using TURN with TLS (but I'm not sure if WebRTC can cope with TURN over TLS).

[ghost]

@lgrahl It's Cricket, an AT&T based provider if that matters.

[lgrahl]

@echotest123 Thanks. I'm not asking to be able to blame the ISP, just to be able to google if this is a known limitation. :)

[FriedrichFroebel]

I can get it to work in this case and the error disappears. As the problem does not seem to be connected with any of my installed addons, maybe this could be connected due to some customized values inside about:config.

[rugk]

Yes that's true. What is the value of media.peerconnection.enabled in about:config?
If set to false, this disables WebRTC. Please set it to true in this case.

[FriedrichFroebel]

@rugk The connection could be established now after setting this value.

[bruennlein]

Hi. I get the 60% problem, when my Phone is connected to my OpenVPN. When I deactivate the OpenVPN connection, everything´s fine. When I activate the OpenVPN connection after the session was successfully established, the connection to the web-client gets lost.

[rugk]

Maybe OpenVPN blocks WebRTC? And if you're using Firefox did you check the setting I mentioned?

[dbrgn]

Maybe OpenVPN blocks WebRTC?

Threema Web works fine for me through OpenVPN. @bruennlein is there a firewall on the other side of the tunnel?

And if you're using Firefox did you check the setting I mentioned?

If that were the case, it wouldn't have worked without OpenVPN.

[lgrahl]

@bruennlein A browser log (to see the ICE candidates) would help in this case. Please let us know at which point in the log you activated the OpenVPN connection.

[bruennlein]

@dbrgn Yes, there is a firewall, but it blocks incoming traffic only. The outgonig traffic is not limited. One special thing about my OpenVPN is, that is goes through port 443. But as far as I know, this shouldn´t be a problem.

I was just testing this at home and there I can use Threema Web while my phone is connected to the VPN. When I encountered the problem, the browser I used was communicating through a SOCKS Proxy.
Maybe it´s the combination of SOCKS and OpenVPN. I´ll try it again tomorrow.

@lgrahl By browser log, do you mean F12->Console?

[lgrahl]

@bruennlein Yes.

[bruennlein]

There is another strange behavior. The problem shows up in my companys network. When I use a Chrome portable (with or without SOCKS), it doesn´t work. If I use the installed Chrome (same version) on the same machine, it works from my companys network. But I have to deactivate VPN on my phone. When I´m at home, I can use everything while VPN is active on my phone...very strange..

All right, here is the log, when it´s stuck at 60%:
angular.js?v=1.0.3:14199 [StateService] Reset
angular.js?v=1.0.3:14199 Detected browser: Chrome 56
angular.js?v=1.0.3:14199 Initialize session by scanning QR code...
angular.js?v=1.0.3:14199 [StateService] Reset
saltyrtc-client.es5.js?v=1.0.3:467 [SaltyRTC.KeyStore] New public key: 1f94411217ff0135de41c3e4bf714c6eeaae3c0b1e8465ae41116cb3f13fb817
saltyrtc-client.es5.js?v=1.0.3:526 [SaltyRTC.AuthToken] Generated auth token
angular.js?v=1.0.3:14199 Starting WebClientService...
saltyrtc-client.es5.js?v=1.0.3:2934 [SaltyRTC.Client] New event: state-change
saltyrtc-client.es5.js?v=1.0.3:2934 [SaltyRTC.Client] New event: state-change:new
saltyrtc-client.es5.js?v=1.0.3:2934 [SaltyRTC.Client] New event: state-change
saltyrtc-client.es5.js?v=1.0.3:2934 [SaltyRTC.Client] New event: state-change:ws-connecting
saltyrtc-client.es5.js?v=1.0.3:1172 [SaltyRTC.Initiator] Opening WebSocket connection to wss://saltyrtc-1f.threema.ch:443/1f94411217ff0135de41c3e4bf714c6eeaae3c0b1e8465ae41116cb3f13fb817
angular.js?v=1.0.3:14199 [StateService] Signaling connection state: new => new
angular.js?v=1.0.3:14199 [StateService] Signaling connection state: new => ws-connecting
saltyrtc-client.es5.js?v=1.0.3:984 [SaltyRTC.Initiator] Opened connection
saltyrtc-client.es5.js?v=1.0.3:2934 [SaltyRTC.Client] New event: state-change
saltyrtc-client.es5.js?v=1.0.3:2934 [SaltyRTC.Client] New event: state-change:server-handshake
angular.js?v=1.0.3:14199 [StateService] Signaling connection state: ws-connecting => server-handshake
saltyrtc-client.es5.js?v=1.0.3:1027 [SaltyRTC.Initiator] New ws message (81 bytes)
saltyrtc-client.es5.js?v=1.0.3:1189 [SaltyRTC.Initiator] Received server-hello
saltyrtc-client.es5.js?v=1.0.3:1273 [SaltyRTC.Initiator] Sending client-auth
saltyrtc-client.es5.js?v=1.0.3:1027 [SaltyRTC.Initiator] New ws message (194 bytes)
saltyrtc-client.es5.js?v=1.0.3:1200 [SaltyRTC.Initiator] Received server-auth
saltyrtc-client.es5.js?v=1.0.3:1435 [SaltyRTC.Initiator] Expected server public permanent key is b1337fc8402f7db8ea639e05ed05d65463e24809792f91eca29e88101b4a2171
saltyrtc-client.es5.js?v=1.0.3:1436 [SaltyRTC.Initiator] Server public session key is b90f088cde27ac1b80c50fa39ea429396169b40864e9f3bc8e89558560ea4307
saltyrtc-client.es5.js?v=1.0.3:1928 [SaltyRTC.Initiator] 0 responders connected
saltyrtc-client.es5.js?v=1.0.3:2934 [SaltyRTC.Client] New event: state-change
saltyrtc-client.es5.js?v=1.0.3:2934 [SaltyRTC.Client] New event: state-change:peer-handshake
saltyrtc-client.es5.js?v=1.0.3:1210 [SaltyRTC.Initiator] Server handshake done
angular.js?v=1.0.3:14199 [StateService] Connection buildup state: connecting => waiting
angular.js?v=1.0.3:14199 [StateService] Signaling connection state: server-handshake => peer-handshake
saltyrtc-client.es5.js?v=1.0.3:1027 [SaltyRTC.Initiator] New ws message (64 bytes)
saltyrtc-client.es5.js?v=1.0.3:1809 [SaltyRTC.Initiator] Received new-responder 0x02
saltyrtc-client.es5.js?v=1.0.3:467 [SaltyRTC.KeyStore] New public key: b0bbb3064f9a975266a84b73e21d075d9ff287a7eebd615e18dcc91724a82408
saltyrtc-client.es5.js?v=1.0.3:2934 [SaltyRTC.Client] New event: new-responder
angular.js?v=1.0.3:14199 [StateService] Connection buildup state: waiting => peer_handshake
saltyrtc-client.es5.js?v=1.0.3:1027 [SaltyRTC.Initiator] New ws message (90 bytes)
saltyrtc-client.es5.js?v=1.0.3:1838 [SaltyRTC.Initiator] Received token
saltyrtc-client.es5.js?v=1.0.3:1027 [SaltyRTC.Initiator] New ws message (88 bytes)
saltyrtc-client.es5.js?v=1.0.3:1854 [SaltyRTC.Initiator] Received key
saltyrtc-client.es5.js?v=1.0.3:1962 [SaltyRTC.Initiator] Sending key
saltyrtc-client.es5.js?v=1.0.3:1027 [SaltyRTC.Initiator] New ws message (193 bytes)
saltyrtc-client.es5.js?v=1.0.3:1861 [SaltyRTC.Initiator] Received auth
saltyrtc-client.es5.js?v=1.0.3:2001 [SaltyRTC.Initiator] Task v0.webrtc.tasks.saltyrtc.org has been selected
saltyrtc-task-webrtc.es5.js?v=1.0.3:706 [SaltyRTC.WebRTC] Max packet size: We requested 65536 bytes, peer requested 65536 bytes. Using 65536.
saltyrtc-client.es5.js?v=1.0.3:2004 [SaltyRTC.Initiator] Responder 0x02 authenticated
saltyrtc-client.es5.js?v=1.0.3:1981 [SaltyRTC.Initiator] Sending auth
saltyrtc-client.es5.js?v=1.0.3:2038 [SaltyRTC.Initiator] Dropping 0 other responders.
saltyrtc-client.es5.js?v=1.0.3:2934 [SaltyRTC.Client] New event: state-change
saltyrtc-client.es5.js?v=1.0.3:2934 [SaltyRTC.Client] New event: state-change:task
angular.js?v=1.0.3:14199 Initialize WebRTC PeerConnection
angular.js?v=1.0.3:14199 [PeerConnectionHelper] Setting up ICE candidate handling
saltyrtc-task-webrtc.es5.js?v=1.0.3:948 [SaltyRTC.WebRTC.initiator] Initiate handover
saltyrtc-client.es5.js?v=1.0.3:1869 [SaltyRTC.Initiator] Peer handshake done
angular.js?v=1.0.3:14199 [StateService] Signaling connection state: peer-handshake => task
angular.js?v=1.0.3:14199 [PeerConnectionHelper] RTCPeerConnection: negotiation needed
angular.js?v=1.0.3:14199 [PeerConnectionHelper] Signaling state change: have-local-offer
angular.js?v=1.0.3:14199 [PeerConnectionHelper] Created offer, set local description
saltyrtc-task-webrtc.es5.js?v=1.0.3:874 [SaltyRTC.WebRTC.initiator] Sending offer
saltyrtc-client.es5.js?v=1.0.3:1592 [SaltyRTC.Initiator] Sending task message through ws
angular.js?v=1.0.3:14199 [PeerConnectionHelper] Gathered local ICE candidate: candidate:839781666 1 UDP 2113937151 *** 1 typ host
saltyrtc-task-webrtc.es5.js?v=1.0.3:920 [SaltyRTC.WebRTC.initiator] Buffering 1 candidate(s)
saltyrtc-task-webrtc.es5.js?v=1.0.3:924 [SaltyRTC.WebRTC.initiator] Sending 1 candidate(s)
saltyrtc-client.es5.js?v=1.0.3:1592 [SaltyRTC.Initiator] Sending task message through ws
angular.js?v=1.0.3:14199 [PeerConnectionHelper] Gathered local ICE candidate: candidate:2434426190 1 UDP 16785151 5.148.175.197 51111 typ relay raddr *** rport 2
saltyrtc-task-webrtc.es5.js?v=1.0.3:920 [SaltyRTC.WebRTC.initiator] Buffering 1 candidate(s)
saltyrtc-task-webrtc.es5.js?v=1.0.3:924 [SaltyRTC.WebRTC.initiator] Sending 1 candidate(s)
saltyrtc-client.es5.js?v=1.0.3:1592 [SaltyRTC.Initiator] Sending task message through ws
saltyrtc-client.es5.js?v=1.0.3:1027 [SaltyRTC.Initiator] New ws message (512 bytes)
saltyrtc-client.es5.js?v=1.0.3:1217 [SaltyRTC.Initiator] Message received
saltyrtc-client.es5.js?v=1.0.3:1246 [SaltyRTC.Initiator] Received answer [v0.webrtc.tasks.saltyrtc.org]
saltyrtc-task-webrtc.es5.js?v=1.0.3:721 [SaltyRTC.WebRTC.initiator] New task message arrived: answer
saltyrtc-task-webrtc.es5.js?v=1.0.3:1051 [SaltyRTC.WebRTC.initiator] New event: answer
angular.js?v=1.0.3:14199 [PeerConnectionHelper] Signaling state change: stable
angular.js?v=1.0.3:14199 [PeerConnectionHelper] Received answer, set remote description
angular.js?v=1.0.3:14199 [PeerConnectionHelper] Initiator flow done
angular.js?v=1.0.3:14199 [PeerConnectionHelper] ICE connection state change: checking
angular.js?v=1.0.3:14199 [StateService] RTC connection state: new => connecting
saltyrtc-client.es5.js?v=1.0.3:1027 [SaltyRTC.Initiator] New ws message (229 bytes)
saltyrtc-client.es5.js?v=1.0.3:1217 [SaltyRTC.Initiator] Message received
saltyrtc-client.es5.js?v=1.0.3:1246 [SaltyRTC.Initiator] Received candidates [v0.webrtc.tasks.saltyrtc.org]
saltyrtc-task-webrtc.es5.js?v=1.0.3:721 [SaltyRTC.WebRTC.initiator] New task message arrived: candidates
saltyrtc-task-webrtc.es5.js?v=1.0.3:1051 [SaltyRTC.WebRTC.initiator] New event: candidates
angular.js?v=1.0.3:14199 [PeerConnectionHelper] Adding remote ICE candidate: candidate:221074828 1 UDP 2122260223 *** 1 typ host
saltyrtc-client.es5.js?v=1.0.3:1027 [SaltyRTC.Initiator] New ws message (222 bytes)
saltyrtc-client.es5.js?v=1.0.3:1217 [SaltyRTC.Initiator] Message received
saltyrtc-client.es5.js?v=1.0.3:1246 [SaltyRTC.Initiator] Received candidates [v0.webrtc.tasks.saltyrtc.org]
saltyrtc-task-webrtc.es5.js?v=1.0.3:721 [SaltyRTC.WebRTC.initiator] New task message arrived: candidates
saltyrtc-task-webrtc.es5.js?v=1.0.3:1051 [SaltyRTC.WebRTC.initiator] New event: candidates
angular.js?v=1.0.3:14199 [PeerConnectionHelper] Adding remote ICE candidate: candidate:257476908 1 UDP 2122194687 *** 1 typ host
saltyrtc-client.es5.js?v=1.0.3:1027 [SaltyRTC.Initiator] New ws message (201 bytes)
saltyrtc-client.es5.js?v=1.0.3:1217 [SaltyRTC.Initiator] Message received
saltyrtc-client.es5.js?v=1.0.3:1246 [SaltyRTC.Initiator] Received candidates [v0.webrtc.tasks.saltyrtc.org]
saltyrtc-task-webrtc.es5.js?v=1.0.3:721 [SaltyRTC.WebRTC.initiator] New task message arrived: candidates
saltyrtc-task-webrtc.es5.js?v=1.0.3:1051 [SaltyRTC.WebRTC.initiator] New event: candidates
angular.js?v=1.0.3:14199 [PeerConnectionHelper] Adding remote ICE candidate: candidate:559267639 1 UDP 2122136831 *** 1 typ host
saltyrtc-client.es5.js?v=1.0.3:1027 [SaltyRTC.Initiator] New ws message (208 bytes)
saltyrtc-client.es5.js?v=1.0.3:1217 [SaltyRTC.Initiator] Message received
saltyrtc-client.es5.js?v=1.0.3:1246 [SaltyRTC.Initiator] Received candidates [v0.webrtc.tasks.saltyrtc.org]
saltyrtc-task-webrtc.es5.js?v=1.0.3:721 [SaltyRTC.WebRTC.initiator] New task message arrived: candidates
saltyrtc-task-webrtc.es5.js?v=1.0.3:1051 [SaltyRTC.WebRTC.initiator] New event: candidates
angular.js?v=1.0.3:14199 [PeerConnectionHelper] Adding remote ICE candidate: candidate:1510613869 1 UDP 2122063615 *** 1 typ host
saltyrtc-client.es5.js?v=1.0.3:1027 [SaltyRTC.Initiator] New ws message (246 bytes)
saltyrtc-client.es5.js?v=1.0.3:1217 [SaltyRTC.Initiator] Message received
saltyrtc-client.es5.js?v=1.0.3:1246 [SaltyRTC.Initiator] Received candidates [v0.webrtc.tasks.saltyrtc.org]
saltyrtc-task-webrtc.es5.js?v=1.0.3:721 [SaltyRTC.WebRTC.initiator] New task message arrived: candidates
saltyrtc-task-webrtc.es5.js?v=1.0.3:1051 [SaltyRTC.WebRTC.initiator] New event: candidates
angular.js?v=1.0.3:14199 [PeerConnectionHelper] Adding remote ICE candidate: candidate:1135520124 1 TCP 1518280447 *** 1 typ host tcptype passive
saltyrtc-client.es5.js?v=1.0.3:1027 [SaltyRTC.Initiator] New ws message (239 bytes)
saltyrtc-client.es5.js?v=1.0.3:1217 [SaltyRTC.Initiator] Message received
saltyrtc-client.es5.js?v=1.0.3:1246 [SaltyRTC.Initiator] Received candidates [v0.webrtc.tasks.saltyrtc.org]
saltyrtc-task-webrtc.es5.js?v=1.0.3:721 [SaltyRTC.WebRTC.initiator] New task message arrived: candidates
saltyrtc-task-webrtc.es5.js?v=1.0.3:1051 [SaltyRTC.WebRTC.initiator] New event: candidates
angular.js?v=1.0.3:14199 [PeerConnectionHelper] Adding remote ICE candidate: candidate:1104885212 1 TCP 1518214911 *** 1 typ host tcptype passive
saltyrtc-client.es5.js?v=1.0.3:1027 [SaltyRTC.Initiator] New ws message (218 bytes)
saltyrtc-client.es5.js?v=1.0.3:1217 [SaltyRTC.Initiator] Message received
saltyrtc-client.es5.js?v=1.0.3:1246 [SaltyRTC.Initiator] Received candidates [v0.webrtc.tasks.saltyrtc.org]
saltyrtc-task-webrtc.es5.js?v=1.0.3:721 [SaltyRTC.WebRTC.initiator] New task message arrived: candidates
saltyrtc-task-webrtc.es5.js?v=1.0.3:1051 [SaltyRTC.WebRTC.initiator] New event: candidates
angular.js?v=1.0.3:14199 [PeerConnectionHelper] Adding remote ICE candidate: candidate:1876313031 1 TCP 1518157055 *** 1 typ host tcptype passive
saltyrtc-client.es5.js?v=1.0.3:1027 [SaltyRTC.Initiator] New ws message (223 bytes)
saltyrtc-client.es5.js?v=1.0.3:1217 [SaltyRTC.Initiator] Message received
saltyrtc-client.es5.js?v=1.0.3:1246 [SaltyRTC.Initiator] Received candidates [v0.webrtc.tasks.saltyrtc.org]
saltyrtc-task-webrtc.es5.js?v=1.0.3:721 [SaltyRTC.WebRTC.initiator] New task message arrived: candidates
saltyrtc-task-webrtc.es5.js?v=1.0.3:1051 [SaltyRTC.WebRTC.initiator] New event: candidates
angular.js?v=1.0.3:14199 [PeerConnectionHelper] Adding remote ICE candidate: candidate:344579997 1 TCP 1518083839 *** 1 typ host tcptype passive
angular.js?v=1.0.3:14199 [PeerConnectionHelper] No more local ICE candidates
angular.js?v=1.0.3:14199 [PeerConnectionHelper] ICE connection state change: failed
angular.js?v=1.0.3:14199 [StateService] RTC connection state: connecting => disconnected

[lgrahl]

Thanks! The app doesn't gather any server reflexive or relay candidates which means the app cannot reach the STUN/TURN servers.

You might want to wait until the next app update where #83 will be added to the app. @dbrgn will probably post here when this has been deployed. (But I'm not certain that it will help in your case.)

[ovalseven8]

For everyone who has still problems with the connection, there is a test page now:
https://web.threema.ch/troubleshoot

[bruennlein]

Thanks. I´ve tired it and everything´s green.
For some reason it is working now with all my extra-stuff (portable Chrome, SOCKS, Phone connected to OpenVPN).
I don´t know if the Threema-Guys have changed anything, because I haven´t.
But I think an update came in today. My current version is 3.1.2000343. So if anyone has the same problem, try updating to this version.

Thanks a lot and happy chatting.

[lgrahl]

Yes, TURN-TLS is now deployed on both sides. If it still doesn't work, post in this issue.

[dbrgn]

Can you try whether it works in an anonymous session in Chrome (ctrl+shift+n)?

But it definitely looks like the issue is either your browser configuration (addons) or your firewall.

[james56b]

Still having issues here with firefox 51.0.1, latest Threema update, and Threema web 1.0.5.
I've tested with my phone behind a Carrier Grade NAT (CGN) and also in a situation without. And also tested with my laptop on either the office network behind a proxy or behind a PFSense with basic NAT44. Additionally, having the laptop tethered to the phone via wifi also does not help even if the phone is connected to a APN with or without CGN.

All tests were done in a normal firefox session with all extensions disabled and an anonymous session.

When looking at the troubleshooting page in any of the previously mentioned situation all tests are YES except for TURN - which is a shiny red No.

[dbrgn]

@james56b your computer is apparently behind a firewall that blocks non-HTTPS TCP and UDP traffic to our TURN servers. Can you try the troubleshooting tool in a modern version of Chrome/Chromium/Opera instead? Firefox does not support TURN via TLS yet (it will be added in version 53).

[james56b]

Used Chrome and the problem is solved. Thank you very much for the help!

[dbrgn]

I think this can be closed for now.

If you're still having problems, please follow the advice in the issue description.

[axeluhl]

I ran into this problem, OpenVPN connection established, and no longer being able to get Threema Web to run. I think my VPN connection is taking traffic only for specific 192.168.0.0/16 addresses of my home network based on routes pushed by the server. It's not clear to me why the WebRTC connections suddenly time out.

Anyway, I finally gave up and explicitly excluded Threema from VPN access in the VPN settings (Allowed Apps). With this, even with established OpenVPN connection on the Android device, Threema Web keeps working without problems.

[bruennlein]

@axeluhl ThreemaWeb is working with my OpenVPN-Server, so it should be possible in generyl. Maybe you could post your server and client-configs, so we can have a look.

[axeluhl]

Here goes the generated config from the phone:

-------- SNIP --------

Config for OpenVPN 2.x

Enables connection to GUI

management /data/user/0/de.blinkt.openvpn/cache/mgmtsocket unix
management-client
management-query-passwords
management-hold

setenv IV_GUI_VER "de.blinkt.openvpn 0.7.22"
setenv IV_SSO openurl,crtext
setenv IV_PLAT_VER "25 7.1.1 armeabi-v7a bq msm8952 Aquaris X5 Plus"
machine-readable-output
allow-recursive-routing
ifconfig-nowarn
client
verb 4
connect-retry 2 30
resolv-retry 60
dev tun
remote {my-hostname} 1194 udp
connect-timeout 10

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- ... -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- remote-cert-tls server data-ciphers AES-256-GCM auth SHA256 float -------- SNIP --------

And here goes the server config file, tun0.conf in my case:

-------- SNIP --------
dev tun0
topology subnet
server 192.168.105.0 255.255.255.0
keepalive 10 60
dh /etc/openvpn/openvpn-ca/keys/dh2048.pem
ca /etc/openvpn/openvpn-ca/keys/ca.crt
cert /etc/openvpn/openvpn-ca/keys/klo.crt
key /etc/openvpn/openvpn-ca/keys/klo.key
cipher AES-256-GCM
auth SHA1
reneg-sec 6000

push 'route 192.168.101.0 255.255.255.0'
push 'route 192.168.102.0 255.255.255.0'
push 'route 192.168.104.0 255.255.255.0'
push 'route 192.168.105.0 255.255.255.0'
push 'dhcp-option DOMAIN {my-internal-domain-name}'
push 'dhcp-option DNS 192.168.101.1'
push 'dhcp-option DNS 8.8.8.8'
-------- SNIP --------

I think that this config should not cause the phone to route any Threema traffic through the VPN. It's not the default route, and all routes pushed by the server are within 192.168.0.0/16. Even if DNS queries hit my own DNS server (which forwards requests for non-internal domains to another DNS server) then this shouldn't affect the routing of non-DNS requests. But maybe I'm missing something...

I tested a large download from the phone's browser with VPN active, from some external web site. The fact that the VPN traffic count wasn't affected by this download suggests to me that regular HTTP/HTTPS requests don't route through the VPN which is the behavior I expect. Threema Web so far is the only service causing noticeable trouble in relation to the VPN.

[bruennlein]

@axeluhl what happens, when you do an nslookup to web.threema.ch? Maybe this can give more information about the way, the request takes. You could try to change the push dhcp-option for testing. Seems like, we have to exclude possible causes one by one, unless someone has a solution.

[axeluhl]

nslookup on a terminal opened on the phone uses the Google 8.8.8.8 server, find a few IPv6 addresses and then reports "Can't find web.threema.ch: no answer" which is a bit surprising, given the fact that IPv6 addresses were discovered.

Trying a "ping", however, seems to retrieve the IPv4 address 185.88.236.108 properly, and the ping succeeds.

Android's DNS resolution schemes drive me nuts.

[rugk]

Note that if that is Termux you are using, note that it does not use Android's DNS server, see termux/termux-packages#1174.

The better way is to use the WebRTC troubleshooting tool included in the Threema app (in the settings). It checks most stuff.

[lgrahl]

Yup, you can see chosen IP addresses and potentially debug your routes here: https://web.threema.ch/troubleshoot/
WebRTC can have some... surprising mechanics in which address/interface combination it chooses. If you're familiar with Wireshark, it's the best tool I know to debug that. Use stun or dtls for filtering.