Windows 10 Xbox Play Anywhere not working. Server connectivity: Blocked!

Anyone know if it's possible to play a Play Anywhere game behind a Sophos UTM? I'm getting server connectivity blocked. I've gone through the teredo troubleshooting/uninstalling steps and have created a NAT rule as well as IPS exception and Web filtering changes. Here are the screenshots of what I'm seeing and have in the UTM. Let me know if anyone has steps to get this working as it's extremely frustrating. I don't have any issues playing online from the Xbox itself.

Thanks,

Gary

  • Hey Gary,

     

    please check the corresponding logs (firewall, webfilter, ips) for any block entries regarding xbox play anywhere. This way you can pinpoint which module is actually blocking the connection and check the specific configuration. Feel free to post the entries if you need more help regarding the issue.

     

     Regards

  • In reply to naiP:

    I'm attaching all 3 logs.  The ips log has nothing really in it and the other two have no traces of the IP of my machine (192.168.0.46).   I guess it begs the question is the system logging what it's supposed to?   Let me know what you see though or any changes I may need to make.  

    Gary

  • In reply to jacksonjuncture:

    Gary, you didn't attach the logs, but no one will dig through them for you.  A line or two related to the problem would let us help though.  Check out #1 in Rulz.

    Cheers - Bob

  • In reply to BAlfson:

    Did you actually read my post?

    I stated that I wasn't able to even find the IP of the system having issues in the logs so suspecting something is wrong.  Therefore, I can't give 1 or 2 lines from the logs related to the problem.  Also, I did upload them but guess they were stripped upon saving.  I'll try again.  I've already spent hours on this on my own and combing through many google/youtube/sophos forum posts so pretty frustrated.  Troubleshooting connection issues with the UTM box is never intuitive as it should be.   My next step is just to go wireshark since that actually gives me useful data. 

    Gary

     

  • In reply to jacksonjuncture:

    Hey Gary,

    in my experience the system always logs what it is supposed to and configuration issues are the reason for an unexpected result. Looking through the logs, the only noticeable thing is that none of your configured firewall rules are showing up despite having logging activated. Only default drops and one NAT rule are showing up, which leads to the assumption that your fw rule isn't working or a different rule without logging is used (also check automatic rules). Is it working with an Any - Any - Any rule on top?

    In a short search I couldn't find anything regarding xbox play anywhere and the specifics of its communication but first I would search that and then start the configuration.

     

    Regards

  • In reply to jacksonjuncture:

    Gary, I had read your post - did you thoroughly read #1 in Rulz?

    Cheers - Bob

  • In reply to naiP:

    Thanks naiP.  This was very helpful.   I did have a desktop pc -- any -- any rule set up on top to troubleshoot and it was there before I gathered the log.   I removed it and then watched the firewall log and I can see the connections from x.46 going green so there are connections being made.  The Xbox app for Win 10 when it checks is showing NAT Open and I'm not getting a teredo error.   However, it still says blocked for server connectivity and there weren't any red drop lines for x.46 in the firewall log.  I'll check it tonight.   Is it safe to say since the Any Any rule didn't do the trick that the issue more than likely lies outside of that section?

    Gary

  • In reply to BAlfson:

    yes but wasn't seeing anything in the logs.  I'm seeing green lines now from x.46 after removing the desktop pc - any - any rule at position 1 but still seeing blocked.  I don't see any x.46 lines in IPS, application control, web filter logs. 

     

    Gary

  • In reply to jacksonjuncture:

    So we're down to a routing issue, as #1 says - check the other Rulz suggestions it makes.  If you get no joy with any of those, I think you're stuck doing packet captures.

    Cheers - Bob

  • In reply to jacksonjuncture:

    Hey Gary,

    if possible I would try to deactivate the web proxy for a moment while your Any FW Rule is still active and test again. But in general you are now down to packet captures or searching for connection specifics of xbox play anywhere and of course check the Rulz.

     

    Regards

  • In reply to naiP:

    Ok I'll give this a try tonight.  I completely turned off web filtering and intrusion detection and a game in particular still won't connect on Xbox or the PC.  I don't have that any rule active anymore though so will check later.   Thanks.  Gary

  • In reply to jacksonjuncture:

    already tried a couple of things at lunch...   Now the Xbox doesn't connect to the game in particular at the present time (Sea of Thieves) Xbox says NAT Open but upnp not working.    I can connect to Xbox Live but when trying to connect to a game session it bombs out.  

    - turned off web filtering

    - turned off IPS

    - turned off advanced threat protection

    - added xbox one (0.34) any any rule as #3 in the list (1 and 2 weren't an option)

    - verified my dnat rule was there to send xbox live data to my xbox one.  (I'm not sure if this is correct).

    Opened up firewall port logging and saw the green lines for all connections 192.168.0.34.

     

    Still no go...

     

    Connected my cable modem directly to the xbox and NAT Open and upnp error went away.   

    All worked perfectly and I was able to connect to the sea of thieves servers. 

     

  • In reply to jacksonjuncture:

    well just found this port to try to add to a DNAT rule.    I'll try this one when I get home. 

    Port Forward Sea of Thieves on Xbox One

    In order to play Sea of Thieves on Xbox One you need to set up a static IP address for your console as well as forward the standard Xbox Live port of 3074.

     

    portforward.com/.../

  • In reply to jacksonjuncture:

    Ok all.  This is now solved.  The issue was the MTU size on the wan interface detected by the ISP.  It was 576.  Support showed me how to log into the shell and turn this autodetection off.  Then changed it in the gui to 1500.   That solved the issues I was having and explains why nothing was in any of the logs.   Crazy.  

    Gary

     

    https://martinsblog.dk/sophos-utm-how-to-fix-the-mtu-576-issue/
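
A check for the condition reported in the last post (a WAN interface left at MTU 576), as an added example that is not part of the thread or of Sophos tooling. It assumes a Linux shell with `ip` and `awk`; the interface names and the sample output are constructed, and the function name `low_mtu_ifaces` is hypothetical.

```shell
#!/bin/sh
# Constructed sample of `ip -o link show` output (one interface per line).
# It is not taken from the UTM in the thread; eth1 stands in for a WAN
# interface that picked up MTU 576.
sample_links() {
cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc mq state UP mode DEFAULT group default qlen 1000
EOF
}

# Read `ip -o link show` output on stdin and print "iface mtu" for every
# non-loopback interface whose MTU is below the threshold in $1.
# The default threshold of 1500 is an assumption (standard Ethernet);
# pass a different value for PPPoE or tunnel interfaces.
low_mtu_ifaces() {
    awk -v min="${1:-1500}" '
    {
        name = $2
        sub(/:$/, "", name)      # strip trailing colon from "eth1:"
        sub(/@.*/, "", name)     # strip "@parent" suffix on VLAN links
        if ($3 ~ /LOOPBACK/) next
        for (i = 4; i < NF; i++)
            if ($i == "mtu" && $(i + 1) + 0 < min + 0)
                print name, $(i + 1)
    }'
}

# Demo on the constructed sample; on a live system use:
#   ip -o link show | low_mtu_ifaces
sample_links | low_mtu_ifaces
```

An undersized MTU takes effect at the IP layer, below the firewall, IPS and web filter modules, so a check like this covers a failure that leaves no entries in those logs.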