
Dota 2 on UTM 9

Hello,

I am having issues connecting to games in Dota 2.  I can connect to the client itself and browse through everything just fine, but when I try to join/spectate an actual game, it refuses to connect.  It's not even rejecting the connection; it just hangs there trying to connect indefinitely until I manually stop it.  I am sure it is not my OS settings as all firewall/network security stuff has been disabled, and when I bypass the UTM device I can connect just fine.

I attempted the steps in https://community.sophos.com/products/unified-threat-management/f/general-discussion/82412/battlefield-1-on-sophos-utm-9 but did not get anywhere.  I've added exceptions to everything I can think of in UTM but it still isn't solving the issue.  Firewall log states packets are being allowed, web filter states all calls are being allowed, nothing showing up on intrusion protection log either....

Does anyone have any ideas or can help me troubleshoot this?

Current firmware version: 9.407-3 Your firmware is up to date.

Here is the log from the ingame console when it hangs (note the "connection already started" message appears even on a successful connection):


CL: Sending connect to 208.78.165.99:28101
CL: Received S2C_CHALLENGE [540558387 auth 3] from 208.78.165.99:28101
CL: Sending C2S_CONNECT [44 protocol 540558387 auth 3] to 208.78.165.99:28101
CL: Received S2C_CONNECTION from 208.78.165.99:28101 [addons:'']
CL: Connected to '208.78.165.99:28101'
CL: Suppress INetchannel::Transmit() in loopmode( remoteconnect )
CL: CLoopModeRemoteConnect::OnClientFrameSimulate switching to "levelload" loopmode with addons:
SwitchToLoop levelload requested: id [26] addons []
Failed to load image for cursor from resource\cursor\workshop\pw_chaos_cursors\cursor_inivisible.bmp: Couldn't open resource\cursor\workshop\pw_chaos_cursors\cursor_inivisible.bmp
ChangeGameUIState: DOTA_GAME_UI_STATE_DASHBOARD -> DOTA_GAME_UI_STATE_LOADING_SCREEN
CL: CNetworkGameClient::OnSwitchLoopModeFinished( levelload : success )
CL: Permit INetchannel::Transmit()
CL: CLoopModeLevelLoad::OnClientFrameSimulate switching to "game" loopmode with addons:
SwitchToLoop game requested: id [26] addons []
CL: CNetworkGameClient already exists for connection to '208.78.165.99:28101'
CL: connection to '208.78.165.99:28101' already started



This thread was automatically locked due to age.
  • Any troubleshooting steps at all I can take?  I just cannot figure this one out for the life of me.

  • Start with #1 in Rulz.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Nothing shows in intrusion protection logs when I attempt to connect.

    Application control: 

    07:56:23 Application control rule #1 Steam  
    10.10.77.100 : 51702
    208.78.165.139 : 28076
     
    len=442 ttl=127 tos=0x00 srcmac=00:30:48:b1:cd:c1

    Rule #1 is allow

    Firewall:

    07:57:33 Packet filter rule #4 UDP  
    10.10.77.100 : 55222
    208.78.165.139 : 28076
     
    len=51 ttl=127 tos=0x00 srcmac=f4:6d:04:5b:fe:fa dstmac=00:30:48:b1:cd:c0

    Packet filter rule #4 is Internal LAN to any allow.

    I do not have any network definitions that aren't <<Any>> interface beyond my domain controller.

    Masquerading is Internal Network to Cable Modem.

    I have zero NATs set up.

    Link to wireshark: drive.google.com/.../view

     

  • Also as a side note I just downloaded a VPN and while connected to it I was able to connect fine.  I spectated a game for a moment and the second I disconnected the VPN, I was unable to continue watching.

  • It's just a guess, but your last two posts indicate that your ISP may be blocking this traffic.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I wish it were that easy, but as in OP when I bypass the UTM and plug directly into my modem, I can connect just fine as well.  I even plugged my tower directly into the internal port on the UTM to remove all other devices from the network and it did not help either.

  • Does no one have any further things to try?  No hidden logs to check or config to look at?

  • Hi, when it comes to custom applications that are not widely used, unfortunately you will have to be the first one to figure out how to make it work. Here are the steps I would take

    1. Turn off IPS

    2. Turn off webfiltering

    3. Create Dota 2 service definition http://dev.dota2.com/showthread.php?t=15261

    Type of definition UDP

    Destination Port 27015:28999

    Source Port 1:65535 (Narrow that range down once you get the application working to 27015:28999)

    4. Create a firewall rule Source your PC > Services Dota 2 > Destination > Internet. Enable logging on the rule.

    5. Test the application, keeping an eye on the firewall log to see if anything is being blocked.

    6. If the application doesn't work, look for what is being blocked and open additional ports that are being blocked.

    7. Once the application works, enable web filtering and IPS. You may need to make exceptions for your PC in webfiltering.

    I never understand why people run IPS on gaming networks. IPS will and does create lag in your network traffic and won't do anything positive for your experience.

    Hope this gives you some clues on how to make DOTA 2 work. 

  • Ah well, I'm giving up.  I've already tried all the steps in your post to no avail beyond the specific firewall rule.  Firewall logs state every last thing is allowed.  Creating the specific rule with logging just revealed more things being allowed.  This suddenly started happening out of nowhere in the past two weeks, no configuration changes except adding the new domain controller.  Wireshark seems to state that replies are getting back but for some reason it just doesn't want to kick over.  I will probably blow out the config and start from scratch.  None of this makes any god damn sense.  Thanks for trying.

  • Hello all, I'm Souldragon's buddy and both of us run UTM9 servers, we've been at this thing for a week now and have not come to any conclusion.

     

    But there is one thing I have noticed: ever since the last patch, things have gotten funky. I had issues with all my wildcards and had to recreate all those without the *., so I do not know if the latest patch has broken something or has changed something.

     

    We are both at a loss.

  • Hi, both you guys sound like you know what you are doing but then you mention things like "*. rules" and "it works through vpn", which suggests that you are not using just NAT/firewall. Make the product work with simple NAT/firewall rules and then add exceptions to the stuff like webfiltering. You can't enable every daemon in UTM and then test connectivity of basic udp traffic.

    In any case, since you guys tried what I suggested, I am out of ideas :(

  • I'm going over sometime tonight or tomorrow for an extensive and thorough look-through. I'm out of ideas too, nothing is making any sense. Everything was working just fine till the latest patch, but nothing in the patch states any effect on Dota 2.

     

    So odd.

  • Hi.. jumping in..

    I have read that you use a cable provider. Check your MTU; maybe you have run into the MTU bug.

    read this:

    https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/80641/sophos-utm-9-407-3-released

    there is a fix described if your mtu of external is 576...

    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD)  with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • Holy crap.... I looked and yes my MTU on my Charter uplink was only 576.  I went through the shell and did the steps described in the post you linked and IT WORKS!!!!  Thank you so much!!  I thought this was a lost cause, I was even preparing to rollback the firmware on my UTM box.

    I am beyond words.

     

    Thank you again.

  • Here is the fix FYI from that post by

     

    In reply to bulirich:

     

     
    bulirich

    For NUTM-4992 a new confd option has been introduced.

    For interface objects there now is a "mtu_auto_discovery" flag.
    1 = take interface MTU from DHCP and overwrite value in confd (default)
    0 = do not take interface MTU from DHCP

    Hope that helps.

     

     

     

     

    Thanks Bulirich, I tried it and it works hooray :-)

     

    The fix:

    Login as loginuser then root in ssh shell:

    cc 
    RAW 
    lock_override 
    OBJS 
    interface 
    ethernet (or cable, or other type) 
    REF_ (Tap TAB two times, then you can see the interface list. Mine is called "REF_IntCabExternaWan[WAN,interface,ethernet]")
    (You will get a look like this:)

    'additional_addresses' => [],
    'bandwidth' => 0,
    'comment' => 'Added by installation wizard',
    'inbandwidth' => 100000000,
    'itfhw' => 'REF_ItfEthEth1',
    'link' => 1,
    'mtu' => 576,
    'mtu_auto_discovery' => 1,
    'name' => 'WAN',
    'outbandwidth' => 20000000,
    'primary_address' => 'REF_ItfPri000024',
    'proxyarp' => 0,
    'proxyndp' => 0,
    'status' => 1
    }

    Then write:

    mtu_auto_discovery=0 
    w  (write the changes) 

    Now go into Webadmin and find the WAN link, change the MTU under Advanced to 1500 and voila! :-)

     

    ----

    Best regards Martin ;-)
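
One way to check a UTM for the condition fixed above, added here as an example and not part of the original posts: the function parses an interface object pasted from the confd client and reports whether a low MTU is being taken from DHCP. The names check_itf_mtu, sample_object and EXPECTED_MTU are made up for this example; the sample fields are copied from the object shown in the post.

```shell
#!/bin/sh
# Added example (not from the thread): classify a pasted confd interface object.

# check_itf_mtu: read "'key' => value," lines on stdin, print one verdict line.
#   OK                 mtu is at least EXPECTED_MTU (default 1500)
#   LOW_MTU_FROM_DHCP  mtu is low and mtu_auto_discovery is 1 (DHCP overwrites it)
#   LOW_MTU_STATIC     mtu is low and mtu_auto_discovery is already 0
check_itf_mtu() {
    awk -v want="${EXPECTED_MTU:-1500}" '
    {
        sub(/^[ \t]+/, "")            # drop indentation
        sub(/,[ \t]*$/, "")           # drop trailing comma
        n = index($0, " => ")
        if (n == 0) next              # braces and other non key/value lines
        key = substr($0, 1, n - 1)
        val = substr($0, n + 4)
        gsub(/^\047|\047$/, "", key)  # \047 is a single quote
        gsub(/^\047|\047$/, "", val)
        kv[key] = val
    }
    END {
        if (!("mtu" in kv)) { print "NO_MTU_FIELD"; exit }
        name = ("name" in kv) ? kv["name"] : "?"
        if (kv["mtu"] + 0 >= want + 0)            verdict = "OK"
        else if (kv["mtu_auto_discovery"] == "1") verdict = "LOW_MTU_FROM_DHCP"
        else                                      verdict = "LOW_MTU_STATIC"
        printf "%s %s mtu=%d\n", verdict, name, kv["mtu"]
    }'
}

# Sample input: the fields that matter, copied from the object shown in the post.
sample_object() {
    cat <<'EOF'
    'link' => 1,
    'mtu' => 576,
    'mtu_auto_discovery' => 1,
    'name' => 'WAN',
    'status' => 1
    }
EOF
}

sample_object | check_itf_mtu    # LOW_MTU_FROM_DHCP WAN mtu=576
```

LOW_MTU_FROM_DHCP is the state described in the thread: changing the MTU in WebAdmin alone would be overwritten again until mtu_auto_discovery is set to 0.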

  • After about 4 to 6 hours hammering away on this tonight..... Finally!!!!