Remote Access shows "Not available outside your network" but server is verifiably reachable external

Plex Media Server Remote Access
1

Hoping someone here has seen this pattern before, because I’ve exhausted every client-side and network-side check I can think of.

Setup

  • Server: Plex Media Server 1.43.1.10611 (latest) on Synology DiskStation, native package
  • Router: Ubiquiti UDM Pro with an explicit port forward: WAN TCP/UDP 32400 → Synology LAN IP:32400
  • Synology firewall: TCP 32400 explicitly allowed inbound
  • Plex Network settings:
    • Secure Connections: Preferred
    • Client Network: IPv4 Only
    • Custom server access URLs: empty
    • LAN Networks: empty (defaults to server subnet)
    • Allowed without auth: empty
    • Relay: enabled

Symptom

  • Server UI → Remote Access: red X, “Not available outside your network.” Retry doesn’t help. Toggling the manual public port off/on doesn’t help.
  • iOS Plex app on cellular data: my server shows up in the server list, libraries (Movies, TV Shows) are listed but with warning icons. Tapping any library returns: “Uh Oh… Something’s Not Right. You may not have access to this media server.”
  • Safari on the same cellular device, hitting http://<public-ip>:32400/web directly: works perfectly, full UI, browsable content.

So the server is clearly reachable. The Plex app and Plex.tv validator disagree.

Diagnostics I’ve run

1. External TCP port test (from a foreign IP via an online port checker): port 32400 = OPEN on my public IP. No ISP filtering, no CGNAT.

2. Independent HTTPS test from a VPS outside my country:

  • curl http://<public-ip>:32400/identity → 200 OK, returns MediaContainer XML with correct machineIdentifier, claimed="1"
  • curl -kvI https://<public-ip>:32400 → TLS handshake succeeds (TLSv1.3)
  • Certificate inspection: valid Let’s Encrypt wildcard for the expected *.<hash>.plex.direct pattern, issued recently, valid for 90 days
  • DNS: <dashed-ip>.<hash>.plex.direct resolves correctly to my public IP
  • HTTPS /identity via the plex.direct hostname → 200 OK, matching machineIdentifier

3. Client-side troubleshooting:

  • Signed out of the Plex server, re-claimed it
  • Fully restarted the Plex package on Synology
  • Uninstalled and reinstalled the iOS Plex app, signed in fresh
  • Tested the iOS app both with and without Cloudflare Warp enabled
  • Confirmed Plex server is signed in to the correct Plex account

4. Server-side config sanity checks (all clean — no custom URLs, no IPv6 advertisement, no stale allowed-without-auth entries, relay enabled as fallback).

What this tells me

End-to-end, an arbitrary external client can:

  • Open a TCP connection on 32400
  • Complete a TLS 1.3 handshake
  • Resolve the plex.direct hostname to the correct IP
  • Get a valid HTTPS response from Plex’s /identity endpoint with the correct machineIdentifier

Every piece the Plex app and Plex.tv validator need is in place and responding correctly. Yet the validator still says “Not available” and the iOS app returns the generic “may not have access” error when a library is opened.

This strongly suggests a stale/cached reachability state on Plex.tv’s side that isn’t being refreshed by Retry, re-claim, or service restart.

Questions for anyone who’s been here

  1. Is there a known way to force Plex.tv to re-run its reachability check from scratch, beyond the Retry button and the server sign-out/re-claim flow?
  2. Has anyone seen the iOS app fail on libraries while Safari succeeds on the same network, and what was the root cause?
  3. Are there specific lines in Plex Media Server.log I should grep for around a Retry attempt that would show the actual handshake failure from Plex.tv’s probe (if any)?
  4. Is there a support-side action I should request via a ticket (e.g., server-side refresh of the registration) if community troubleshooting doesn’t resolve it?

Happy to share log excerpts or run additional tests if anyone has suggestions. Thanks in advance.