TURN Allocate Error Response

%3CLINGO-SUB%20id%3D%22lingo-sub-1366124%22%20slang%3D%22en-US%22%3ETURN%20Allocate%20Error%20Response%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1366124%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20There%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOur%20company%20are%20now%20introducing%20Teams%20into%20our%20services%2C%20but%20there%20is%20a%20serious%20problem%20when%20using%20UDP.%20The%20conversation%20closed%20and%20try%20to%20re-connect%20every%206%20seconds%20after%20connected%20or%20re-connected.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20firewall%20rule%20allows%20the%20traffic%20below%3A%3C%2FP%3E%3CP%3ENetwork%3A%2013.107.64.0%2F18%2C%2052.112.0.0%2F14%20and%2052.120.0.0%2F14%3C%2FP%3E%3CP%3EProtocol%3A%20UDP%203478-3481%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAfter%20some%20network%20packets%20captured%20and%20analyzed%2C%20we%20found%20most%20of%20the%20time%20the%20server%20sent%20%3CSTRONG%3EAllocate%20Error%20Request%3C%2FSTRONG%3E%26nbsp%3Bto%20clients%20after%20received%20from%20their%20%3CSTRONG%3EAllocate%20Request%3C%2FSTRONG%3E.%20The%20error%20code%20in%20the%20Allocate%20Error%20Response%20packet%20is%20Number%3D1%2C%20The%20request%20did%20not%20contain%20a%20Message-Integrity%20attribute.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThen%20we%20have%20deeper%20inspections%20into%20each%20Allocate%20Request%20packet%20and%20we%20found%20those%20request%20packets%20caused%20error%20responses%2C%20they%20did%20miss%20to%20contain%20the%20%3CSTRONG%3EMessageIntegrity%3C%2FSTRONG%3E%20attribute%20within%20the%20TURN%20field.%20Sometimes%20they%20sent%20Bandwidth%20attribute%20only%20and%20sometimes%20UserName%2C%20Realm%20or%20some%20others%20attributes%2C%20as%20long%20as%20the%20MessageIntegrity%20not%20there%2C%20they%20got%20Allocate%20Error%20Response.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20no%20idea%20if%20anyone%20here%20have%20the%20same%20situation%2C%20we%20also%20don't%20know%20if%20this%20is%20the%20reason%20to%20cause%20the%206%20seconds%20re-connecting.%20It%20just%20very%20strange%20that%20the%20requests%20do%20not%20bring%20all%20the%20sufficient%20information%20at%20once%20especially%20not%20together%20with%20the%20most%20important%20MessageIntegrity%20attribute.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eps.%3C%2FP%3E%3CP%3E1.%20Teams%20Meeting%20running%20by%20TCP%20without%20problems%20(to%20block%20UDP%20ports%20by%20firewall).%3C%2FP%3E%3CP%3E2.%20the%20packets%20only%20captured%20UDP%203478%20for%20analysis%20while%203479%20runs%20audio%2C%203480%20runs%20video%20and%203481%20runs%20sharing.%3C%2FP%3E%3CP%3E3.%20we%20only%20find%20the%20Allocate%20Error%20Responses%20which%20probably%20caused%20conversations%20re-connecting%20but%20we%20are%20not%20sure%20if%20it%20is%20the%20root%20cause.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1366124%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMeetings%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Teams%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1527707%22%20slang%3D%22en-US%22%3ERe%3A%20TURN%20Allocate%20Error%20Response%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1527707%22%20slang%3D%22en-US%22%3E%3CP%3EDid%20you%20solve%20it%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F658737%22%20target%3D%22_blank%22%3E%40Robin_Chung%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Regular Visitor

Hi There,

 

Our company are now introducing Teams into our services, but there is a serious problem when using UDP. The conversation closed and try to re-connect every 6 seconds after connected or re-connected.

 

The firewall rule allows the traffic below:

Network: 13.107.64.0/18, 52.112.0.0/14 and 52.120.0.0/14

Protocol: UDP 3478-3481

 

After some network packets captured and analyzed, we found most of the time the server sent Allocate Error Request to clients after received from their Allocate Request. The error code in the Allocate Error Response packet is Number=1, The request did not contain a Message-Integrity attribute.

 

Then we have deeper inspections into each Allocate Request packet and we found those request packets caused error responses, they did miss to contain the MessageIntegrity attribute within the TURN field. Sometimes they sent Bandwidth attribute only and sometimes UserName, Realm or some others attributes, as long as the MessageIntegrity not there, they got Allocate Error Response.

 

We have no idea if anyone here have the same situation, we also don't know if this is the reason to cause the 6 seconds re-connecting. It just very strange that the requests do not bring all the sufficient information at once especially not together with the most important MessageIntegrity attribute.

 

ps.

1. Teams Meeting running by TCP without problems (to block UDP ports by firewall).

2. the packets only captured UDP 3478 for analysis while 3479 runs audio, 3480 runs video and 3481 runs sharing.

3. we only find the Allocate Error Responses which probably caused conversations re-connecting but we are not sure if it is the root cause.

1 Reply
Highlighted

Did you solve it@Robin_Chung