External access not possible with ANY firmware after the PlexMediaServer-1.15.2.793-782228f99-x86_64.spk firmware

Server Version#: PlexMediaServer-1.15.2.793-782228f99-x86_64
Player Version#: https://app.plex.tv/desktop#

PlexMediaServer-1.15.2.793-782228f99-x86_64 is the last firmware I can use to keep external access possible.
Every firmware after this verion doesn’t work to enable it.
My network settings haven’t changed since that network version.
I’m running the latest DSM 6.2.2-24922 Update 3 Firmware on a RS3617xs.

What has changed in the next plex firmware versions that don’t allow the external access?
I want to use the latest plex firmware but this isn’t possible anymore since that specific firmware.

Have you implemented these changes? edit Sorry link jumped to the bottom, start at the top

Thank you for your reply.

I’ve tried it befor and after editing the user permissions but sadly enough no luck.

I’v been using every single Plex software on my Syno 918+ without any Remote Access issues! so I’m pretty sure its not a generic software issue…
Under the config-settings -> Remote Access … how it is configured ? You use a static-mapping on your router ?
Try to disable/enable remote access again from the top of that page.

Thx for the reply.

I always used static-mapping. port 32400 as adviced in my router etc.
The router has an uptime for around 7 months. So even befor the new 1.15.4.994 update on may 9 everything was working fine.
Since that software the read/write rights have changed but as the post befor you , I allready tested a lot with that specific issue and still failed.

The simple disable/enable the remote access was the first thing i tried…

Without diving into detailed logs, I’m afraid nobody will probably be able to help you.
So perhaps, select “Verbose” and “Debug” logging. Then stop/start the Plex server and immediately try a connection across Internet.
You should see some lines in the log on this.

Without logs there is only guessing…

Debug logging is running for some time now.
I’ve got 136 log files (around 5-6 versions per log file) that vary from com.plexapp.agents.fanarttv to Plex Tuner Service.

What would be the name of the log file(s) i need to look at?

typically the “Plex Media Server” log itself. In there you can see if a remote connetion arrives at the PMS itself etc (if verbose/debugging is active)
But you should only have this running brief. So debug/verbose, immediately do the test, disable verbose/debug logging so the logfiles don’t become to big.

Typically you see something like this

Nov 03, 2019 15:59:16.771 [0x7f593c673700] INFO - Plex Media Server v1.18.0.1944-f2cae8d6b - Synology DS918+ x86_64 - build: linux-x86_64 synology - GMT 01:00
Nov 03, 2019 15:59:16.812 [0x7f593c673700] INFO - Linux version: DSM 6.2.2.24922-3, language: en-US
Nov 03, 2019 15:59:16.812 [0x7f593c673700] INFO - Processor Intel(R) Celeron(R) CPU J3455 @ 1.50GHz
Nov 03, 2019 15:59:16.812 [0x7f593c673700] INFO - /var/packages/Plex Media Server/target/Plex Media Server
Nov 03, 2019 15:59:15.563 [0x7f593523c700] VERBOSE - It took 0.0 sec to serialize a list with 0 elements.
Nov 03, 2019 15:59:15.595 [0x7f5935b06700] VERBOSE - Comparing request from 119.142.83.12 against 192.168.1.0/255.255.255.0 (incoming request from the WAN mapped against internal LAN-range to determin authentication)
Nov 03, 2019 15:59:15.595 [0x7f58b3735700] DEBUG - Request: [119.142.83.12:4181 (WAN)] GET /video/:/transcode/universal/session/b9edc6155340ed0-com-plexapp-android/base/00001.ts (9 live) TLS Signed-in

I’ve tried it like you said:
Enable verbose logging.
go to the remote access tab -> enable remote access , (after fail retry again), after fail enable remote access)
Disabled verbose logging.

When i look at the file I can’t find (ctrl+f search) Verbose - compare request from … against …
(What i don’t understand, it should be in the log somewhere, right?)

what i do/did notice are these lines:

Nov 10, 2019 12:36:55.443 [0x7f59efa23700] DEBUG - EventSource: Got event [data] '<Message address="84.***.***.**" port="32400" asyncIdentifier="57bf9244-61eb-4b27-9c18-51cccedc5704" connectivity="0" command="notifyConnectivity"/>'
Nov 10, 2019 12:36:55.443 [0x7f59efa23700] WARN - PubSub: Received notifyConnectivity event with incorrect async identifier (57bf9244-61eb-4b27-9c18-51cccedc5704, expected 94cd70bf-1e07-41dd-b353-74384bf34691)
Nov 10, 2019 12:36:55.680 [0x7f59ef735700] DEBUG - EventSource: Got event [data] '<Message address="84.***.***.**" port="32400" asyncIdentifier="a0460130-b416-4603-a040-d8e6166ab4ea" connectivity="0" command="notifyConnectivity"/>'
Nov 10, 2019 12:36:55.680 [0x7f59ef735700] WARN - PubSub: Received notifyConnectivity event with incorrect async identifier (a0460130-b416-4603-a040-d8e6166ab4ea, expected 94cd70bf-1e07-41dd-b353-74384bf34691)
Nov 10, 2019 12:36:55.699 [0x7f59efa23700] VERBOSE - Auth: We found auth token (xxxxxxxxxxxxxxxxxxxx), enabling token-based authentication.
Nov 10, 2019 12:36:55.699 [0x7f59efa23700] DEBUG - Auth: authenticated user 1 as nasplexed
Nov 10, 2019 12:36:55.699 [0x7f59efa23700] VERBOSE - Auth: Came in with a super-token, authorization succeeded.
Nov 10, 2019 12:36:55.699 [0x7f59ed3be700] DEBUG - Request: [::ffff:192.168.1.26:54185 (Subnet)] GET /myplex/account (10 live) TLS GZIP Signed-in Token (nasplexed)
Nov 10, 2019 12:36:55.699 [0x7f59ed3be700] VERBOSE -  * Host => 192-168-1-37.bf34676c54b34090ab043051c4d3a23a.plex.direct:32400

What I think here is that you actually are coming in from the LAN side ! Hence the request made from 192.168.1.26 but coming from a client 192.168.1.37 ???
How are you testing this remote access ? iPhone PLEX app ? Android ? Remote PC ?

Under “Settings” -> “Network” you can put info on your local LAN ranges? In my case that is why you see

VERBOSE - Comparing request from 119.142.83.12 against 192.168.1.0/255.255.255.0

If have that field filled in in the plex-config under
“List of IP addresses and networks that are allowed without auth”

Do you have something set under “Custom server access URLs” field ?

How is your “Secure Connection” setting ? “Preferred” “Required” of “Disabled” ? (my setting=“Preferred”)
You have the “Enable IPv6” flag checked ? (I don’t)

I’ve tested from the lan side now yes (because i still received the warning external access not available)

Yesterday i’ve tested Remote acces though an external pc that has it’s own account.
Now I’m testing using my phone over 4G network. (and altough it says remote access not possible it does playback a video for a while.)
The log says:

Nov 10, 2019 14:02:48.903 [0x7f59ce88f700] DEBUG - Request: [::ffff:37.62.32.184:6211 (WAN)] GET /resources (17 live) TLS GZIP Signed-in Token (nasplexed)
Nov 10, 2019 14:02:48.903 [0x7f59ce88f700] VERBOSE -  * X-Plex-Version => 7.23.0.13123
Nov 10, 2019 14:02:48.903 [0x7f59ce88f700] VERBOSE -  * X-Plex-Client-Identifier => 8ecd6e0c56d693f0-com-plexapp-android
Nov 10, 2019 14:02:48.903 [0x7f59ce88f700] VERBOSE -  * X-Plex-Device-Name => Galaxy J7(2017)

(can’t find any verbose - compare again)

In the settings:
I’ve got IPv6 serversupport enabled yes.
Secure connection: preffered

Nothing under costum server access url’s.

I’ve tested from the lan side now yes (because i still received the warning external access not >available)

I get that too sometimes yes, but when I onto that setting after some seconds the red icon turn green indicating its accessible.

The weird thing is you say with 4G/Phone login etc is fine and playback “for a while” is OK, so it simply stops ? What quality are you viewing ? When you play on 4G and quickly login plex with the browser, goto “Activity” on the top, then the dashboard you should see the client (= your phone) that is currently playing content.

Eg. If I test on my Galaxy S7 phone, I get info about the client (Android) , speed that I’m watching etc. You have similar indicator ? I suppose Audio/Video are “transcoding” ?

What I also did, as written out in de help, is to allow certain additional IP’s from Plex! These are Amazon AWS cluster-IP’s

https://s3-eu-west-1.amazonaws.com/plex-sidekiq-servers-list/sidekiqIPs.txt

Written in this article under “IP’s being blocked”

https://support.plex.tv/articles/200931138-troubleshooting-remote-access/

It says ; “Whenever you open your server settings or visit your Remote Access settings page, your server makes a HTTP request to our plex.tv service. That service then has a worker try to reach out to your server, using the supplied remote connection information, to see whether it’s accessible”

So the green/red indicator you get is probable a result of that check. So don’t trust it too much as this traffic coming in from AWS/Plex may be firewalls.
In my case these AWS-servers try also to connect on TCP/32400 that is available from the Internet (My Plex is not “open” for the whole world all the time but works with a dynamic list of allowed “clients”)

If I may add here?

Allowing your server to be open, brokered by Plex.tv (Remote Access button), asserts a few requirements.

• PMS is essentially open to all IP addresses but further qualifies server access to those which have been validated and are allowed access as authenicated by Plex.tv
• Mobile IP addresses are by definition dynamic
• Remote IP addresses from those you share with are by definition dynamic unless they have static IP addresses assigned by their ISP

There are a few things which impact how well PMS Remote Access accessibility tests and “Async ID” work.

What I’ve found to be the single, most important, aspect is:

How well does the local modem/router UPnP actually keep a well maintained table, expiring old port mappings in favor of new ones?

As prime example of this, my ISP-provided T-3200 modem was terrible. It would always reply to PMS that the port is opened but never actually open it because the mapping table was full. It never cleared the old port-forwarding mappings to port 32400 (internal).

The interim workaround for this was to:

1. Manually open an odd port number on the modem/router (e.g. port 53421) and forward it to static IP of the PMS server
2. Specify 53421 as the manual port for Remote Access.

This worked most of the time. Occasionally AWS timing was slow enough that PMS didn’t get the required Reachability Test (the generator of those ASYNC-IDs) before PMS gave up waiting.

The solution, for me, was to obtain a well-behaved modem/router and replace the ISP equipment.

My solution was to purchase the Netgate PfSense unit. It took over all ISP sign-in/authentication services for normal internet access.

It is a proper stateful firewall which profoundly increased my security level.

It is a fully functioning firewall in that I can specify special cases in whatever form I need through the use of NAT/Firewall aliases and a companion “PASS” rule.

Lastly, it has a properly functioning UPNP handler.

The UPNP handling alone solved all my remote access problems.
I test a number of platforms concurrently, each of them having Remote Access. Every one works perfectly.

Thanks to pfSense, I took all firewall management out of the hosts and put it where it belonged – at the edge device.

On Synology, Make certain to have selected one adapter as the default gateway. The first adapter in the device (lowest number used) is the best to use. If you use an adapter other than the first found, Inform PMS to use that Preferred Adapter (Settings - Server - Network - Show Advanced - Preferred Interface)

Hope this helps.

This topic was automatically closed after 90 days. New replies are no longer allowed.