Server 2 Server Questions

I have a few questions about server-to-server connections.

DNS: Are SRV entries required or will a single A Record work for each server?

A Server1 IP

A Server2 IP

Also, do I need to make entries for search and conference? I have never needed to when running the server locally, but I don't know if I need them for S2S.

Ports: I know 5269 needs to be open, and we have opened it on both sides, but on our firewall we are seeing ports in the 30000-60000 range as well. Do we need to open that range?

S2S: one server shows both ways and the other shows incoming only with the TLS lock displayed. The server with incoming only can get messages but cannot send back, and we can't figure out why it is only one way. We can telnet to 5269 on both servers from the other server without issues.

Debug logs: if I look in the debug logs, I see nothing about the S2S connections; even if I search the log for the name of the other server I see nothing. Could these logs be going somewhere else?

@DNS: You don't need any SRV records if the Jabber server is the same machine (or firewall) as the machine/IP behind the A record. If your hostname differs from the Jabber hostname, you need the SRV records. Example: example.com is your website, jabber.example.com is your Jabber server and your JID is jason@example.com => you need the SRV records. If your JID is jason@jabber.example.com, an A record should be sufficient. (I'm running both kinds of servers with Openfire.)

@Ports: For S2S (chat, groupchat, presence) you only need 5269 (or the port in your DNS record). For other services some other ports or ranges could be needed: BOSH, SIP, etc.

@S2S: Please check the SSL certificates of both servers. You should prefer SSL certificates from an official CA like startssl.com (free), but you could use self-signed certificates as well if the remote server allows them. Check your SSL settings and look in the server session overview: click on the server name and check the directions. Errors due to certificate and/or connection issues should be shown in the error log.

Best hint: check your server connectivity with xmpp.net; all issues regarding connectivity and SSL encryption can be checked there (free).
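The two setups described in the reply above (JIDs at example.com served by a host with a different name, versus JIDs at jabber.example.com where the A record is the server itself) come down to the target-selection order a remote XMPP server follows: look up the `_xmpp-server._tcp` SRV record first and, only if there is none, fall back to the domain's own A record on port 5269 (RFC 6120 section 3.2). The following is an added example, not code from the thread or from Openfire, that implements that order against a constructed zone table so it runs offline; the hostnames and addresses are placeholders, and tie-breaking among equal SRV priorities is simplified to heaviest-weight-first rather than the weighted random pick RFC 2782 specifies.

```python
"""
Pick the (host, port) targets a remote XMPP server would try for s2s traffic
to a domain: SRV record first, A-record fallback on 5269 (RFC 6120 sec. 3.2).

The lookup function is injectable so the logic runs against a constructed
record table; plug in a real resolver to use it against live DNS.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

XMPP_S2S_PORT = 5269  # default port used only when no SRV record exists


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN, or "." meaning "service explicitly not offered"


# lookup(name, rtype) -> list of records: SrvRecord for "SRV", IP strings for "A".
# Returns [] when the name has no record of that type.
Lookup = Callable[[str, str], list]


def s2s_targets(domain: str, lookup: Lookup) -> List[Tuple[str, int]]:
    """Return (host, port) pairs to try, in order, for s2s to `domain`.

    Raises ValueError when DNS says the domain explicitly offers no XMPP
    service (a single SRV record whose target is ".", RFC 2782).
    """
    srv = lookup(f"_xmpp-server._tcp.{domain}", "SRV")
    if srv:
        if len(srv) == 1 and srv[0].target == ".":
            raise ValueError(f"{domain} publishes an SRV record declaring no s2s service")
        # Lowest priority first. Among equal priorities RFC 2782 wants a
        # weighted random choice; simplified here to heaviest weight first.
        ordered = sorted(srv, key=lambda r: (r.priority, -r.weight))
        return [(r.target.rstrip("."), r.port) for r in ordered]
    # No SRV record: the fallback is the domain's own A record on 5269, so a
    # website's A record would be tried as the XMPP server and the connect fails.
    if lookup(domain, "A"):
        return [(domain, XMPP_S2S_PORT)]
    return []


def needs_srv(xmpp_domain: str, server_hostname: str) -> bool:
    """True when the JID domain is not the server's own A-record name, which is
    the case where an SRV record is required for s2s to reach the server."""
    return xmpp_domain.rstrip(".").lower() != server_hostname.rstrip(".").lower()


# Constructed zone data (placeholder names and RFC 5737 addresses, not real DNS).
_ZONE = {
    # Setup 1: JIDs are user@example.com, the server is server1.example.com.
    ("_xmpp-server._tcp.example.com", "SRV"): [SrvRecord(0, 5, 5269, "server1.example.com.")],
    ("server1.example.com", "A"): ["192.0.2.10"],
    ("example.com", "A"): ["192.0.2.1"],  # the website, not the XMPP server
    # Setup 2: JIDs are user@jabber.example.com and the A record is the server.
    ("jabber.example.com", "A"): ["192.0.2.20"],
    # A domain that explicitly opts out of XMPP s2s.
    ("_xmpp-server._tcp.noxmpp.example", "SRV"): [SrvRecord(0, 0, 0, ".")],
}


def table_lookup(name: str, rtype: str) -> list:
    """Resolver stand-in that answers from the constructed zone above."""
    return list(_ZONE.get((name.rstrip("."), rtype), []))


if __name__ == "__main__":
    for d in ("example.com", "jabber.example.com", "nosuch.example"):
        print(d, "->", s2s_targets(d, table_lookup))
    print("example.com on server1.example.com needs SRV:",
          needs_srv("example.com", "server1.example.com"))
```

Run as is to see the two setups resolve; to check a real deployment, replace `table_lookup` with a function that performs live SRV and A queries and returns the same record shapes, then compare the result with the host and port the remote admin expects to reach.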

@DNS: As long as the server host names are identical to their respective XMPP domain names (chat.example.com), you should not need SRV records, but, as BigD advises, you should have an A record in place. If the host and domain names that a given server is handling are different (server1.example.com is managing the example.com XMPP domain), then you'll need the appropriate SRV records, like:

_xmpp-server._tcp.example.com. IN SRV 0 5 5269 server1.example.com.

Also, some non-Openfire servers (like MS Lync) will check for the SRV record and, depending upon how they're configured, may refuse the connection.

@Ports: XMPP S2S should only need 5269 (or whatever port you configure on the server for S2S). Even where the only port allowed both ways is 5269, the servers should be able to establish the necessary connection. If other ports are open, the servers will try using them in their responses. I have not found a configuration parameter in Openfire that allows you to lock the app down to only communicating on a single port (e.g. the way you can with ISC BIND).

@S2S: Definitely check to make sure both servers either have a publicly signed cert, or that any self-signed certs have been imported into the other server’s truststore. Note the option to allow self-signed certs can be enabled, but this may not be an option on non-Openfire servers (you guessed it, like Lync). For those you’ll need to import any self-signed certs into the partner server. My team has had problems with S2S between Openfire versions up to and including 3.9.3 and MS Lync due to an issue with how Openfire handles dialback. I am in the process of testing whether this is fixed in the latest Openfire 3.10.0 Alpha nightly builds. My initial results on trial connections between two Openfire servers using the nightly build are that it is now in fact fixed. I’m currently waiting for some network changes that will allow me to test between Openfire nightly and Lync 2013 (thanks to enterprise change control).
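The "telnet to 5269 works" test from the original question only proves TCP reachability. Each S2S direction is a separate stream, so a session that shows incoming only means the local server's own outbound stream to the peer is never getting negotiated; the thing to probe is what the peer answers when an outbound stream is opened to it. The following is an added example, not code from the thread or from Openfire: it sends the jabber:server stream header and reports whether the peer replies with an XMPP stream, a stream error, and whether its features advertise STARTTLS and dialback. The fake peer in the block is constructed so the example runs offline; the server1/server2.example.com names are placeholders, and the checks are substring matches on the peer's reply rather than a full XML stream parser.

```python
"""
Probe an XMPP server-to-server endpoint (added example, not from the thread):
open TCP, send the jabber:server stream header, and classify the reply.
A constructed fake peer makes the probe runnable offline.
"""
import socket
import threading

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_DIALBACK = "jabber:server:dialback"
NS_DIALBACK_FEATURE = "urn:xmpp:features:dialback"  # XEP-0220 feature advert


def probe_s2s(host: str, port: int, from_domain: str, to_domain: str,
              timeout: float = 5.0) -> dict:
    """Send an s2s stream header to host:port and report what came back."""
    header = ("<?xml version='1.0'?>"
              f"<stream:stream xmlns='jabber:server' xmlns:stream='{NS_STREAM}' "
              f"xmlns:db='{NS_DIALBACK}' from='{from_domain}' to='{to_domain}' "
              "version='1.0'>")
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        # Read until the peer finishes its feature list or ends the stream.
        while b"</stream:features>" not in buf and b"</stream:stream>" not in buf:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
        try:
            sock.sendall(b"</stream:stream>")  # close the stream politely
        except OSError:
            pass
    text = buf.decode("utf-8", errors="replace")
    return {
        "stream_opened": "<stream:stream" in text,
        "stream_error": "<stream:error" in text,
        "starttls": "<starttls" in text and NS_TLS in text,
        "dialback": NS_DIALBACK_FEATURE in text,
        "raw": text,
    }


def start_fake_peer(features_xml: str) -> int:
    """Constructed stand-in for the remote server; returns its listening port.

    It answers any opening stream with a jabber:server stream header whose
    <stream:features> body is features_xml, then waits for the client to close.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve() -> None:
        conn, _ = listener.accept()
        listener.close()
        with conn:
            conn.settimeout(5.0)
            try:
                conn.recv(4096)  # the probe's opening header
                conn.sendall((
                    "<?xml version='1.0'?>"
                    f"<stream:stream xmlns='jabber:server' xmlns:stream='{NS_STREAM}' "
                    "from='server2.example.com' id='constructed' version='1.0'>"
                    f"<stream:features>{features_xml}</stream:features>"
                ).encode())
                conn.recv(4096)  # the probe's </stream:stream>
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # A peer that offers TLS and dialback, as a healthy Openfire does.
    peer_port = start_fake_peer(
        f"<starttls xmlns='{NS_TLS}'><required/></starttls>"
        f"<dialback xmlns='{NS_DIALBACK_FEATURE}'/>")
    print(probe_s2s("127.0.0.1", peer_port, "server1.example.com", "server2.example.com"))
```

Against a real peer, call `probe_s2s(peer_host, 5269, your_xmpp_domain, peer_xmpp_domain)` from the server that shows incoming only. A reply with `stream_error` set (for example because the `to` domain is not one the peer serves) or without `starttls` when your side requires TLS narrows the fault to stream negotiation rather than the firewall.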

It took a full server reboot to get the S2S chat working. It seems to be stable on a both-ways connection right now. Still having issues getting search and conference working across the connection; both come up saying unable to locate the search/conference service.

So, S2S stayed stable for 5 days and then stopped working again. I rebooted the entire server and it started working again.

Ubuntu 12.04.5 x64

Anyone got any ideas about this one? Something I do or don't have installed on Ubuntu causing this? Maybe Ubuntu itself; would a different OS make it better?

Jason,

Do any log messages appear? Are you able to view the active server sessions listing in the console?

The OS should not matter, which Java JRE are you using?

daryl

The debug logs show nothing, as if there is no second server.

Right now the server session shows connections both ways; when we start running into issues, the session shows incoming only with the TLS lock beside it, but nothing gets transmitted between the servers. If I close that session it will not reconnect, as if there is a stuck open connection on one of the servers stopping it from reconnecting.

Java Version:
1.7.0_67 Oracle Corporation – Java HotSpot™ 64-Bit Server VM
Appserver:
jetty/7.x.y-SNAPSHOT

Could this be something with Java itself, maybe not enough memory for it? I currently show 1776.00 MB assigned to Java via the web console.

That would explain why the reboot fixes it for a while.

It seems like switching from Oracle Java to OpenJDK may have been the answer. We can now search between servers, and conference as well; just waiting to see if the connections hold longer than the 8 days they have been.