QUIC does not respond

[konnykonny]

Hello together,
i am trying to set up a server and get stuck enableling QUIC. I have successfully installed the certificates (https and HTTP/2 are working fine). Furthermore, QUIC is enabled on all levels (server, listener and virtual host). The UDP port for QUIC is open, but when any client tries to connect no reply are send by the server. I have tried multiple clients (lsquic-client, quic-go, googles client and chrome) and use the supported Version 43 of QUIC. I also installed different versions of lightspeed on at least 2 different machines always encountering the same issues.

In the attached error.txt file are some errors related to QUIC, but these dont mean anything to me. The screenshot is an exemplary dump of what the quic-go client sends out.

Thanks for your help in advance

 

[Pong]

We checked your error log and we think it was a firewall problem.
log only show received packets for a dead connection.
You may need to check packet in/out at both sides with TCP dump.

 

[konnykonny]

Thank your for the fast response so far.
Im am pretty sure that the issue is not caused by a firewall. On my private local computer there is no firewall installed at all. Why are my connection requests already marked as "dead", if not a single packet was send out by the server?

 

[Pong]

Please try our test method from this wiki to see how it goes.
https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:enable_quic

 

[Pong]

also you mentioned "my private local computer"? QUIC need HTTPS with trusted certificate. You may need a cloud test server online with real CA certificate(not self-signed certificate)

 

[konnykonny]

• Regarding the firewall (on my server) I can open a udp port with nc and connect from the outside and get data through in both directions
• Regarding the certificates the installation on my real server has a valid lets encrypt certificate.
  • The LiteSpeed server has https working without any certificate issues in chrome.
  • Also the server provides QUIC in the header to the browser alt-svc: quic=":8888"; ma=2592000; v="35,39,43"

Are there ways to check if everything is fine with the certificate? And does it matter, that I do not use port 443?

 []$ sudo netstat -lupn | grep 8888
udp        0      0 [MY IP]:8888      0.0.0.0:*                           13249/litespeed (ls

 

[konnykonny]

In this test case I try to trigger a version negotation, which is visible below in the log. However, the packet is never generated and I don't see anything on the network.

2018-10-10 16:54:43.391456 [DEBUG] [UDP:*.*.*.*:8888] onRead: read 1 packet
2018-10-10 16:54:43.391461 [DEBUG] [UDP:*.*.*.*:8888] processPacketsInBatch: 1 unique cid
2018-10-10 16:53:52.359200 [DEBUG] [QuicShm::cleanupOldShmData]: PID 17790 is alive
2018-10-10 16:53:52.359202 [DEBUG] [QuicShm::cleanupOldShmData]: PID 17791 is alive
2018-10-10 16:53:52.359213 [DEBUG] [QuicShm::lookupCidPid]: insert CID: 5138124825545491283, PID: 17791
2018-10-10 16:53:52.359216 [DEBUG] [UDP:*.*.*.*:8888] processPacketsInBatch: 1 unique pid
2018-10-10 16:53:52.359224 [DEBUG] saved cid 5138124825545491283 -> 0x1228ed0
2018-10-10 16:53:52.359267 [DEBUG] engine: grew heaps to 4 elements
2018-10-10 16:53:52.359315 [DEBUG] engine: client-supplied version tag 0x31303051 is not recognized
2018-10-10 16:53:52.359330 [DEBUG] engine: scheduled version negotiation packet for cid 5138124825545491283
2018-10-10 16:53:52.359335 [DEBUG] [UDP:*.*.*.*:8888] processPacketsInBatch: clean up bad CID 5138124825545491283

 

[Pong]

incorrect certificate setup may also lead to failure.
maybe you can try some command line tool to verify such as the following with your port and domain:
openssl s_client -connect example.com:443 -servername example.com
https://support.plesk.com/hc/en-us/articles/115001177774-How-to-check-SSL-certificate-for-validity-