Troubleshooting PCoIP session Connection Issues
Problem
When connecting to a PCoIP Standard Agent for Windows, PCoIP Graphics Agent for Windows, PCoIP Standard Agent for Linux or PCoIP Graphics Agent for Linux the connection fails with one of the following messages:
- Error: Unable to connect to myhost.cloudaccesslabs.com. Please enter a new name or IP address.
- HP Anyware PCoIP Software Client - Error: The network connection has been lost
- HP Anyware PCoIP Software Client - Alert: This desktop has no sources available or it has timed out. Please try connecting to this desktop again later.
Cause
For a PCoIP session to successfully start, certain ports must be open for the PCoIP Client, PCoIP agent, PCoIP Connection Manger and PCoIP Security Gateway to communicate.
When the PCoIP client is connecting directly to the PCoIP Agent and is not being brokered, the following ports must be open:
- TCP port 443 (or TCP port 60443)
- TCP port 4172
- UDP port 4172, both receiving and sending on the agent from UDP port 4172 to any port number.
- TCP 443 to Teradici Cloud Licensing or TCP 7070 to the local license server
When connecting via PCoIP Connection Manager and PCoIP Security Gateway, the following ports must be open:
- Between the client and PCoIP Connection Manager
- TCP port 443
- Between the client and PCoIP Security Gateway
- TCP port 4172
- UDP port 4172, both receiving and sending on the PCoIP Security Gateway
- Between the PCoIP Connection Manager and PCoIP Agent
- TCP port 60443
- Between the PCoIP Security Gateway (connector_cmsg on the CAS Connector) and PCoIP Agent
- TCP port 4172
- UDP port 4172
Resolution
Blocked TCP 443
If the client shows the error "Error: Unable to connect to myhost.cloudaccesslabs.com. Please enter a new name or IP address." when trying to connect to the PCoIP Connection Manager to directly to a host, it maybe because of
- Blocked TCP port 443
During the installation process, the PCoIP Agent will open the required firewall ports in the Windows and Linux operating system default firewalls. If you are using Microsoft Windows, ensure the Windows Firewall service is running and re-install the PCoIP Agent. If you are using a 3rd party or non-default firewall ensure a rule is in to allow TCP port 443. - Blocked TCP port 60443 (backup port on direct client to host connection)
During the installation process, the PCoIP Agent will open the required firewall ports in the Windows and Linux operating system default firewalls. If you are using Microsoft Windows, ensure the Windows Firewall service is running and re-install the PCoIP Agent. If you are using a 3rd party or non-default firewall ensure a rule is in to allow TCP port 60443. TCP port 60443 may be used as an alternative to TCP port 443 if another application requires TCP port 443. - Fully qualified domain name cannot be resolved by DNS.
Test DNS resolution in your operating system and confirm the fully qualified domain name resolves to the IP address. You can also try connecting via IP address.
Client message
Client log file messages
When checking or monitoring client log files, you may see these messages when the client cannot connect on TCP port 443 or TCP port 60443.
Note: You log files will differ due to the unique information for each environment.
LVL:2 RC: 0 QUERYBROKER :No PCoIP broker found on port 443, retrying on port 60443. LVL:2 RC: 0 BROKER :Error: Unable to connect to myhost.cloudaccesslabs.com. Please enter a new name or IP address.
Blocked TCP port 4172
If the PCoIP Client shows the message "Error: The network connection has been lost" when trying to establish a PCoIP session. This typically means the TCP port 4172 connection was not successfully established between the PCoIP Client and PCoIP Security Gateway or the PCoIP Client and PCoIP agent. If you receive this message when not trying to establish a PCoIP session, the network communication has failed.
To resolve this issue confirm TCP port 4172 is open in all firewalls. During the installation process, the PCoIP Agent will open the required firewall ports in the Windows and Linux operating system default firewalls. If you are using Microsoft Windows, ensure the Windows Firewall service is running and re-install the PCoIP Agent.
If you are using a 3rd party or non-default firewall ensure a rule is in to allow TCP port 4172. In Microsoft Windows, firewall will need to be configured to allow communication to the process pcoip_arbiter_win32.exe that is located in C:\Program Files (x86)\Teradici\PCoIP Agent\bin to receive connections on TCP port 4172. For Linux, the firewall will need to allow TCP port 4172 for the application /usr/lib/pcoip-agent/pcoip-arbiter
Client message
Client Logs
When checking or monitoring client log files, you may see these messages when the client cannot connect on TCP port 4172. Note: Your log files will differ due to unique information for each environment.
Note: Your log files will differ due to unique information for each environment.
2018-01-09T04:36:38.479Z 8d71f800-a47d-1feb-a820-000000000000 LVL:2 RC:-500 SCNET :(scnet_client_open_ssl): tera_sock_connect failed to connect to 10.11.12.13:4172! 2018-01-09T04:36:38.479Z 8d71f800-a47d-1feb-a820-000000000000 LVL:2 RC:-500 SCNET :(scnet_client_open_ssl): tera_sock_connect returned error 10060 - Connection timed out! 2018-01-09T04:36:38.479Z 8d71f800-a47d-1feb-a820-000000000000 LVL:1 RC:-500 SCNET :(scnet_client_open): Failed to connect to 10.11.12.13:4172
PCoIP Agent logs
When checking or monitoring the PCoIP Agent, the arbiter.log file in a Linux OS or pcoip_agent_XXX.txt for a Microsoft Windows OS will contain similar entires to these examples on a successful and failed TCP port 4172 connection.
Note: Your log files will differ due to unique information for each environment.
Successfull connection
2018-01-11T07:08:19.745Z 18412700-a625-1feb-b87a-000000000000 > LVL:2 RC: 0 ARBITER :tera_mail_box_arbt_srvr_recvr: Received session ID: 50fa75b01004b5d1 2018-01-11T07:08:19.745Z 18412700-a625-1feb-b87a-000000000000 > LVL:2 RC: 0 ARBITER :forward_message_to_server: sending 44 byte message to server: srvr0001. 2018-01-11T07:08:19.745Z 18412700-a625-1feb-b87a-000000000000 > LVL:2 RC: 0 ARBITER :forward_message_to_server: sent message to server. 2018-01-11T07:08:21.152Z 00000000-0000-0000-0000-000000000000 > LVL:2 RC: 0 COMMON :SOCKET_TRACE: tera_sock_accept() added socket 13 - currently 2 sockets. 2018-01-11T07:08:21.152Z 00000000-0000-0000-0000-000000000000 > LVL:1 RC: 0 SCNET :(scnet_socket_accept): Socket accepted... 13 2018-01-11T07:08:21.152Z 00000000-0000-0000-0000-000000000000 > LVL:2 RC: 0 SCNET :(scnet_open_accepted_socket): Server accepting connection from 10.11.12.13:53233. 2018-01-11T07:08:21.152Z 00000000-0000-0000-0000-000000000000 > LVL:2 RC: 0 SCNET :(scnet_open_accepted_socket): Server connecting on address 10.11.12.33:4172. 2018-01-11T07:08:21.152Z 00000000-0000-0000-0000-000000000000 > LVL:2 RC: 0 MGMT_ENV :Setting ENV variable[ 4]: pcoip.ip_address = 10.11.12.33 2018-01-11T07:08:21.152Z 00000000-0000-0000-0000-000000000000 > LVL:2 RC: 0 SCNET :(ssl_server_name_cback): Received SSL Client Hello: server name = "myhost.cloudaccesslabs.com"
Failed Connection
2018-01-11T04:55:45.108Z 92b47b80-a612-1feb-9320-000000000000 > LVL:2 RC: 0 ARBITER :tera_mail_box_arbt_srvr_recvr: Received session ID: 01f67066e9b8f5d9 2018-01-11T04:55:45.108Z 92b47b80-a612-1feb-9320-000000000000 > LVL:2 RC: 0 ARBITER :forward_message_to_server: sending 44 byte message to server: srvr0002. 2018-01-11T04:55:45.108Z 92b47b80-a612-1feb-9320-000000000000 > LVL:2 RC: 0 ARBITER :forward_message_to_server: sent message to server. 2018-01-11T04:56:45.165Z 00000000-0000-0000-0000-000000000000 > LVL:2 RC: 0 ARBITER :tera_mail_box_arbt_agnt_recvr: Message from A:arbt1;B:agnt0001 to A:arbt1, message = 09 00 00 00, len=24 2018-01-11T04:56:45.165Z 00000000-0000-0000-0000-000000000000 > LVL:0 RC: 0 COMMON :Setting pcoip.event_filter_mode to 2 2018-01-11T04:56:45.165Z 00000000-0000-0000-0000-000000000000 > LVL:2 RC: 0 ARBITER :tera_mail_box_arbt_agnt_recvr: MBX_MAILSLOT_CLOSE 2018-01-11T04:56:45.165Z 92b47b80-a612-1feb-9320-000000000000 > LVL:2 RC: 0 ARBITER :end_session: De-registered session 0x01f67066e9b8f5d9 2018-01-11T04:56:45.165Z 92b47b80-a612-1feb-9320-000000000000 > LVL:2 RC: 0 ARBITER :end_session: closed mailbox to session 0x01f67066e9b8f5d9.
In the failed connection attempt. Note the 1 minute gap bet the log entries. This is the time period the Arbiter is waiting for the connection on TCP port 4172 from the client or PCoIP Security Gateway. After a 1 minute time out the arbiter aborts the PCoIP Session.
Blocked UDP
If the point of failure is the SSL handshaking between the PCoIP client and agent, you will see similar log entries as those shown for the Client and Arbitor/Agent logs.
Client Log
2020-04-08T17:04:45.256Z f1056680-5be8-1038-93ff-000000000000 LVL:3 RC: 0 SCNET :(scnet_client_open_ssl): TCP connection established 2020-04-08T17:04:45.256Z f1056680-5be8-1038-93ff-000000000000 LVL:3 RC: 0 SCNET :(scnet_client_open_ssl): Opening SSL connection to 10.49.70.103:4172 2020-04-08T17:04:45.264Z f1056680-5be8-1038-93ff-000000000000 LVL:2 RC: 0 CLIENT :SettingsManager::enable_enhanced_avsync_get: "enable_enhanced_avsync" set to false. 2020-04-08T17:04:45.277Z f1056680-5be8-1038-93ff-000000000000 LVL:3 RC:-500 SCNET :scnet_client_open_ssl: SSL_connect: ssl_rv=-1, rv=5 (SSL_ERROR_SYSCALL) 2020-04-08T17:04:45.277Z f1056680-5be8-1038-93ff-000000000000 LVL:3 RC:-500 SCNET :Last socket error - Connection reset by peer (10054L)!
Arbiter log (Agent 20.04.0 and prior) or Agent log (Agent 20.07.0 and later):
2020-04-08T17:04:44.177Z 00000000-0000-0000-0000-000000000000 > LVL:1 RC: 0 SCNET :(scnet_socket_accept): Socket accepted... 548 2020-04-08T17:04:44.177Z 00000000-0000-0000-0000-000000000000 > LVL:2 RC: 0 SCNET :(scnet_open_accepted_socket): Server accepting connection from 10.35.0.65:51963. 2020-04-08T17:04:44.177Z 00000000-0000-0000-0000-000000000000 > LVL:2 RC: 0 SCNET :(scnet_open_accepted_socket): Server connecting on address 10.49.70.103:4172. 2020-04-08T17:04:44.181Z 00000000-0000-0000-0000-000000000000 > LVL:1 RC:-500 SCNET :scnet_open_accepted_socket: SSL_accept failed: ssl_rv=-1, rv=5 (SSL_ERROR_SYSCALL) 2020-04-08T17:04:44.181Z 00000000-0000-0000-0000-000000000000 > LVL:1 RC:-500 SCNET :Last socket error - Connection reset by peer (10054L)! 2020-04-08T17:04:44.182Z 00000000-0000-0000-0000-000000000000 > LVL:2 RC: 0 COMMON :SOCKET_TRACE: tera_sock_socket_close() closed socket 548 - currently 1 sockets.
If these entries are identified, perform a packet capture on the agent for TCP port 4172.
- When the SSL handshake happens, a packet in the TLS protocol with Client Hello should be observed as highlighted in the following image.
If a packet with Client Hello is NOT observed, the SSL connection is blocked.
If a VPN is used, check the VPN settings. Some VPN software has the ability to allow/disallow software going through the VPN.
If the PCoIP client shows the message Alert: This desktop has no sources available, or it has timed out. Please try connecting to this desktop again later. when trying to establish a PCoIP session, this typcially means the UDP data connection has not successfully established between the PCoIP client and PCoIP Security Gateway or the PCoIP Client and PCoIP agent.
There are two UDP connections for a PCoIP session.
- PCoIP client to PCoIP agent or PCoIP Security Gateway
- PCoIP agent or PCoIP Security Gateway to PCoIP client
The port numbers vary by the client and PCoIP Security Gateway or PCoIP Agent configuration. The actual port used is negotiated at the start of the PCoIP session. This is a summary of possible UDP port requirements.
Client | Client port | Server | Server Port |
---|---|---|---|
PCoIP Software Client | 50002* | PCoIP Security Gateway | 4172 |
PCoIP Software Client | 50002* | PCoIP Agent | 4172 |
PCoIP Zero Client | 4172 | PCoIP Security Gateway | 4172 |
PCoIP Zero Client | 4172 | PCoIP Agent | 4172 |
* The PCoIP Software Client will start at UDP port 50002 if it is available and increment the port number by 1 until an available port is found. If you are running multiple PCoIP software clients on one client, the first PCoIP session will typically use UDP port 50002, the second PCoIP session will typically use UDP port 50003 and so on.
To resolve this issue confirm required UDP ports are open in both directions. During the installation process, the PCoIP Agent will open the required firewall ports in the Windows and Linux operating system default firewalls. If you are using Microsoft Windows, ensure the Windows Firewall service is running and re-install the PCoIP Agent. Ensure you firewalls are not configured to block or limit data flows after a number of packets in a time period has been reached.
If you are using a 3rd party or non-default firewall ensure a rule is in to allow the required UDP ports. In Microsoft Windows, firewall will need to be configured to allow communication to and from the process pcoip_server_win32.exe that is located in C:\Program Files (x86)\Teradici\PCoIP Agent\bin to receive connections on UDP port 4172. For Linux, the firewall will need to allow the required UDP ports for the application /usr/lib/pcoip-agent/pcoip-server.
When establishing the PCoIP UDP session the client and host will aggressively sent UDP packets to each other to start the session. After 30 seconds of no response from the other endpoint the PCoIP session will abort.
If the machine running the PCoIP Agent has multiple network interfaces review the KB: Will the PCoIP Agent work with more than one network interface?
Client message
Client Logs
When checking or monitoring the client logs, you will find similar logging to this when the UDP connection was not successfully established.
Note: Your log files will differ due to unique information for each environment.
1635 2018-01-09T03:34:30.278Z ec7f3f00-a474-1feb-b8ba-000000000000 LVL:3 RC: 0 VGMAC :tera_vgmac_connect_pcoip_sock(port=4172, 0, peer_ip="10.11.12.33"), pcoip_sock = 5656, pcoip_sock6 = -1 1636 2018-01-09T03:34:30.278Z ec7f3f00-a474-1feb-b8ba-000000000000 LVL:1 RC: 0 VGMAC :Connected the PCoIP socket to peer IP 10.11.12.33 peer [UDP] port 4172, socket = 1618 in &cblk = f7fbbb8 1637 2018-01-09T03:34:30.278Z ec7f3f00-a474-1feb-b8ba-000000000000 LVL:2 RC: 0 MGMT_PCOIP_DATA :tera_mgmt_pcoip_data_open: active=1152 target=0 floor=13 ceil=112500 wan=0 1644 2018-01-09T03:34:30.279Z ec7f3f00-a474-1feb-b8ba-000000000000 LVL:3 RC: 0 MGMT_PCOIP_DATA :env_bandwidth=1000000, env_bandwidth/8=125000, cblk.protocol_cblk.bw_ceiling=112500, temp_perf_bw_limit=900000 1645 2018-01-09T03:34:30.405Z ec7f3f00-a474-1feb-b8ba-000000000000 LVL:3 RC: 0 MGMT_PCOIP_DATA :INIT: Sent invite packet to peer - attempt #1 1646 2018-01-09T03:34:30.416Z ec7f3f00-a474-1feb-b8ba-000000000000 LVL:3 RC: 0 VGMAC :process_rx_path_pcoip_sock(): First message has been sent, start listening now. 1649 2018-01-09T03:34:30.656Z ec7f3f00-a474-1feb-b8ba-000000000000 LVL:3 RC: 0 MGMT_PCOIP_DATA :INIT: Sent invite packet to peer - attempt #2 1652 2018-01-09T03:34:31.157Z ec7f3f00-a474-1feb-b8ba-000000000000 LVL:3 RC: 0 MGMT_PCOIP_DATA :INIT: Sent invite packet to peer - attempt #3 1657 2018-01-09T03:34:32.157Z ec7f3f00-a474-1feb-b8ba-000000000000 LVL:3 RC: 0 MGMT_PCOIP_DATA :INIT: Sent invite packet to peer - attempt #4 1666 2018-01-09T03:34:34.157Z ec7f3f00-a474-1feb-b8ba-000000000000 LVL:3 RC: 0 MGMT_PCOIP_DATA :INIT: Sent invite packet to peer - attempt #5 1683 2018-01-09T03:34:38.158Z ec7f3f00-a474-1feb-b8ba-000000000000 LVL:3 RC: 0 MGMT_PCOIP_DATA :INIT: Sent invite packet to peer - attempt #6 1716 2018-01-09T03:34:46.158Z ec7f3f00-a474-1feb-b8ba-000000000000 LVL:3 RC: 0 MGMT_PCOIP_DATA :INIT: Sent invite packet to peer - attempt #7 1782 2018-01-09T03:35:02.158Z ec7f3f00-a474-1feb-b8ba-000000000000 LVL:3 RC: 0 MGMT_PCOIP_DATA :INIT: Sent invite packet to peer - attempt #8e 1783 2018-01-09T03:35:02.158Z ec7f3f00-a474-1feb-b8ba-000000000000 LVL:1 RC:-504 MGMT_PCOIP_DATA :Invite packet not acknowledged, aborting session
PCoIP Agent logs
When checking or monitoring the PCoIP Agent, the arbiter.log file in a Linux OS or pcoip_server_XXX.txt for a Microsoft Windows OS will contain similar entries to these examples on a successful and failed TCP port 4172 connection.
Note: Your log files will differ due to unique information for each environment.
2018-01-09T03:34:30.259Z ec7f3f00-a474-1feb-b8ba-000000000000 > LVL:1 RC: 0 VGMAC :Connected the PCoIP socket to peer IP 10.117.12.20 peer [UDP] 2018-01-09T03:34:30.260Z ec7f3f00-a474-1feb-b8ba-000000000000 > LVL:2 RC: 0 MGMT_PCOIP_DATA :tera_mgmt_pcoip_data_open: active=1152 target=0 floor=13 ceil=112500 wan=0 2018-01-09T03:34:30.289Z ec7f3f00-a474-1feb-b8ba-000000000000 > LVL:2 RC: 0 MGMT_SESS :Session resume has been negotiated. Timeout supported = 1, Negotiated timeout = 1200 secs, Current timeout = 1140 secs 2018-01-09T03:35:02.240Z ec7f3f00-a474-1feb-b8ba-000000000000 > LVL:1 RC:-504 MGMT_PCOIP_DATA :Invite packet not received, aborting session 2018-01-09T03:35:02.241Z ec7f3f00-a474-1feb-b8ba-000000000000 > LVL:2 RC: 0 COMMON :TERA_PCOIP: SESSION_EVENT=TERA_MGMT_SYS_SESS_EVENT_LOST, disconnect cause (0x402) 2018-01-09T03:35:02.241Z ec7f3f00-a474-1feb-b8ba-000000000000 > LVL:2 RC: 0 SERVER :server main: cb_notify_session_status called (mask 0x100) with disconnect_cause (0x402) 2018-01-09T03:35:02.241Z ec7f3f00-a474-1feb-b8ba-000000000000 > LVL:1 RC: 0 SERVER :`anonymous-namespace'::map_disconnect_cause_to_disconnect_reason: PCOIP_DISCONNECT_CAUSE_DEVICE_INTERNAL_PCOIP_OPEN_TIMEOUT(0x402) -> DISCONNECT_EXPIRED(1)
Blocked TCP 443 to Teradici Cloud Licensing or TCP 7070 to the local license server
If the logs are indicating communication issues between the PCoIP Agent and the Cloud Licensing Server check:
- TCP 443 is not blocked for internet access. What does "Could not send message to FNE license server" mean?
- If you are using a local license server. Ensure the firewall has been configured to allow TCP 7070 inbound.
Firewall
For more information on firewall configuration refer to What firewall rules are created by the PCoIP Agent?