Roon ARC SSL/TLS version error (?)

Roon Core Machine

Mac OS 12.6 - Mac mini (2018) / CPU 3,2 GHz 6-Core Intel Core i7 / RAM 64 GB 2667 MHz DDR4

Networking Gear & Setup Details

Router/Firewall: Zyxel USG 500 Flex, static public IP on WAN IF
Port forwarding TCP 35650 (same as Roon Arc)

Connected Audio Devices

Various Roon ready devices, all working fine

Number of Tracks in Library

Small library, 3000 tracks, Qobuz enabled

Description of Issue

On Roon Core, Roon ARC is marked as “Not ready”, with the following diagnostics data (public IP has been anonymized):

{
  "connectivity": {"status":"NetworkError","status_code":502,"error":"error: Error: write EPROTO 140428239750976:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:…/deps/openssl/openssl/ssl/record/rec_layer_s3.c:1536:SSL alert number 70\n, response code: undefined, body: undefined"},
  "external_ip": {"actual_external_ip":"212.1XX.YYY.ZZ2","router_external_ip":null},
  "natpmp_autoconfig": {"status":"NotFound"},
  "upnp_autoconfig": {"status":"NotFound"}
}

Access from Roon ARC app on any of my mobile devices shows the same behaviour:

  1. roon core “mini” is displayed:

  2. after a couple of seconds, it changes to the following:

  3. when clicking on “connect”, it will spin the wheel and then time out, and you can click on “retry”:

Firewall logs show forwarding working as expected (last IP is public IP of my phone when accessing Roon ARC app):
|2|2022-10-03 20:41:00|notice|Security Policy Control|priority:13, from WAN to LAN2, TCP, service mac-mini, DNAT Packet, ACCEPT|35.190.182.123:55624|192.168.1.55:35650|ACCESS FORWARD|
|3|2022-10-03 20:38:59|notice|Security Policy Control|priority:13, from WAN to LAN2, TCP, service mac-mini, DNAT Packet, ACCEPT|35.190.182.123:34342|192.168.1.55:35650|ACCESS FORWARD|
|4|2022-10-03 20:38:17|notice|Security Policy Control|priority:13, from WAN to LAN2, TCP, service mac-mini, DNAT Packet, ACCEPT|35.227.61.12:37756|192.168.1.55:35650|ACCESS FORWARD|
|5|2022-10-03 20:38:17|notice|Security Policy Control|priority:13, from WAN to LAN2, TCP, service mac-mini, DNAT Packet, ACCEPT|34.73.75.215:59320|192.168.1.55:35650|ACCESS FORWARD|
|6|2022-10-03 20:37:58|notice|Security Policy Control|priority:13, from WAN to LAN2, TCP, service mac-mini, DNAT Packet, ACCEPT|35.227.61.12:48566|192.168.1.55:35650|ACCESS FORWARD|
|8|2022-10-03 20:36:54|notice|Security Policy Control|priority:13, from WAN to LAN2, TCP, service mac-mini, DNAT Packet, ACCEPT|35.227.61.12:52680|192.168.1.55:35650|ACCESS FORWARD|
|9|2022-10-03 20:36:33|notice|Security Policy Control|priority:13, from WAN to LAN2, TCP, service mac-mini, DNAT Packet, ACCEPT|212.95.X.XX:64817|192.168.1.55:35650|ACCESS FORWARD|

For reference, the same “mac-mini” is running Plex, and access from outside with the same port forwarding configuration but a different port is working just fine.
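The two pieces of evidence in the post above point in different directions: the firewall log lines show the DNAT rule accepting and forwarding packets to 192.168.1.55:35650, while the Roon diagnostic says the remote side answered the TLS handshake with a fatal alert 70 (protocol_version, per RFC 5246 / RFC 8446), i.e. the connection reached something that speaks TLS but refused the offered version. The following Python script is an added example, not code from Roon or Zyxel: it decodes an OpenSSL error string of the shape shown in the diagnostic, parses a raw TLS alert record, and checks the Zyxel log lines (copied from the post, IPs as anonymized there) for accepted forwards to the expected host and port. The function names and the alert-name table subset are this example's own.

```python
"""Decode the Roon ARC diagnostic and the Zyxel forwarding log lines.

Added example (not Roon's or Zyxel's code). Alert numbers follow RFC 5246/8446.
"""
import re
from typing import Optional

# Subset of TLS AlertDescription values (RFC 5246 section 7.2, RFC 8446 section 6).
TLS_ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    112: "unrecognized_name",
}
TLS_ALERT_LEVELS = {1: "warning", 2: "fatal"}


def decode_tls_alert_record(record: bytes) -> dict:
    """Parse one raw TLS Alert record: type 0x15, legacy version, length, level, description."""
    if len(record) < 7 or record[0] != 0x15:
        raise ValueError("not a TLS alert record")
    if int.from_bytes(record[3:5], "big") != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = record[5], record[6]
    return {
        "record_version": f"{record[1]}.{record[2]}",
        "level": TLS_ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": TLS_ALERT_NAMES.get(desc, f"unknown({desc})"),
        "code": desc,
    }


# OpenSSL's "error:<hex code>:<lib>:<func>:<reason>:<file>:<line>:<extra>" layout.
OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:]+):"
    r"(?P<file>[^:]+):(?P<line>\d+):(?P<extra>[^\n,]*)"
)


def decode_openssl_error(message: str) -> Optional[dict]:
    """Extract the OpenSSL error fields and, if present, the TLS alert number."""
    m = OPENSSL_ERR.search(message)
    if not m:
        return None
    info = m.groupdict()
    info["line"] = int(info["line"])
    alert = re.search(r"SSL alert number (\d+)", info["extra"])
    if alert:
        n = int(alert.group(1))
        info["alert_number"] = n
        info["alert_name"] = TLS_ALERT_NAMES.get(n, f"unknown({n})")
    return info


def parse_zyxel_log(line: str) -> dict:
    """Split one '|'-delimited Zyxel security-policy log line into named fields."""
    parts = line.strip().strip("|").split("|")
    if len(parts) != 8:
        raise ValueError(f"unexpected field count {len(parts)}")
    seq, ts, severity, category, message, src, dst, action = parts
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "seq": int(seq), "time": ts, "severity": severity, "category": category,
        "message": message, "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port), "action": action,
        "accepted": "ACCEPT" in message and "DNAT" in message,
    }


def summarize_forwarding(lines, expected_ip: str, expected_port: int) -> dict:
    """Count accepted DNAT forwards that actually land on the Core's host:port."""
    entries = [parse_zyxel_log(l) for l in lines if l.strip()]
    hits = [e for e in entries if e["accepted"]
            and e["dst_ip"] == expected_ip and e["dst_port"] == expected_port]
    return {
        "total": len(entries),
        "forwarded_to_core": len(hits),
        "distinct_sources": sorted({e["src_ip"] for e in hits}),
    }


# Diagnostic error string in the shape shown in the post (constructed copy).
DIAG_ERROR = (
    "error: Error: write EPROTO 140428239750976:error:1409442E:SSL routines:"
    "ssl3_read_bytes:tlsv1 alert protocol version:"
    "…/deps/openssl/openssl/ssl/record/rec_layer_s3.c:1536:SSL alert number 70\n"
    ", response code: undefined, body: undefined"
)

# Three firewall log lines as posted above (anonymized IP kept as written).
FIREWALL_LOG = [
    "|2|2022-10-03 20:41:00|notice|Security Policy Control|priority:13, from WAN to LAN2, TCP, service mac-mini, DNAT Packet, ACCEPT|35.190.182.123:55624|192.168.1.55:35650|ACCESS FORWARD|",
    "|4|2022-10-03 20:38:17|notice|Security Policy Control|priority:13, from WAN to LAN2, TCP, service mac-mini, DNAT Packet, ACCEPT|35.227.61.12:37756|192.168.1.55:35650|ACCESS FORWARD|",
    "|9|2022-10-03 20:36:33|notice|Security Policy Control|priority:13, from WAN to LAN2, TCP, service mac-mini, DNAT Packet, ACCEPT|212.95.X.XX:64817|192.168.1.55:35650|ACCESS FORWARD|",
]

if __name__ == "__main__":
    print(decode_openssl_error(DIAG_ERROR))
    # A fatal protocol_version alert on the wire: 0x15, TLS 1.0 record version, len 2, fatal, 70.
    print(decode_tls_alert_record(bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x46])))
    print(summarize_forwarding(FIREWALL_LOG, "192.168.1.55", 35650))
```

Reading the two results together is the useful part: if the log summary shows every source reaching the Core's port while the diagnostic still reports alert 70, the NAT rule is not the suspect, and the next check is whatever terminates or inspects TLS on the path (an inspection feature on the gateway, or the listener itself) rather than the port forward.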

Is your Zyxel a full router or a firewall/gateway? Can you also provide a bit more information on the topics below:

  1. Who is your internet service provider?
  2. Please list the make and model of your modem and router?
  3. Do you have any additional network hardware, like additional routers or managed switches?
  4. Does your network have any VPNs, proxy servers, or enterprise-grade security?

The Zyxel USG 500 Flex is a full router with firewall and many other features. I’ve been using this vendor for many years and am pretty knowledgeable about its capabilities.

  • It’s Austrian Magenta, and I have a Business connection with a cable modem and a public IP subnet
  • Zyxel USG 500 Flex, cable modem is likely some Cisco part, but should not be further relevant
  • Yes, I have several managed switches from Mikrotik
  • No VPNs or proxy servers; endpoint protection is Trendmicro Antivirus 11.0.2242, which I also disabled during troubleshooting, but that does not make any difference

I moved this to the Port Forwarding support category. I’m not sure if the public IP subnet or the managed switches also may be interacting in a way that is resulting in issues with ARC; Roon does not recommend the use of managed switches in the network.

Hi @blechkiste,

Thank you for your patience while we’ve worked through the queue of port forwarding tickets.

We’ve recently released a fix for an issue with Roon 2.0 affecting port assignments (release notes here). While there’s certainly a possibility that the culprit for your issue resides elsewhere in the network infrastructure, it could be that the port listed (in the 35000-36000 range) was unavailable, due to a port range assignment issue in Roon.

I recommend updating both Roon and ARC to the latest build, released today, and then attempting to automatically configure port forwarding again. Should you continue to experience the same or a similar set of symptoms, please provide the diagnostic message (obscuring any routable IP address) as you did in your original post. We should be equipped to help you more efficiently and pin down the issue, or at least provide a suitable workaround.

Thank you again for your patience.


Hi @blechkiste,

Looking deeper into the diagnostic error you’ve initially shared, the issue here is likely between the Zyxel network firewall and the Core, rather than the port assignment itself. My suspicion is you’ll either need to configure the Roon Core as an object, or the processes associated with it as services, within the Zyxel firewall.

At your convenience, are you able to share any information about the functionality of the Zyxel web administration? I’ve done a little research myself, but it would certainly guarantee efficiency if I know I’m exploring the functions available within your system. My first pass yielded this page, instructing users how to add security policies for the USG 500 router.

If you haven’t already, it may be worth checking if Roon is properly configured under Configuration > Object > Service in the Zyxel web GUI.

We’ll be standing by to assist further.


Hi Connor,

thanks for your investigation, highly appreciated!

There are several objects to be configured on the Zyxel firewall, amongst them the Host, which is the IP address of the mac mini on which Roon Core is running, as well as the service (TCP/UDP) for Roon ARC.
Both objects are required for a) the DNAT from the WAN IP and b) the firewall rule allowing access to Roon Core on the particular TCP service.
A similar configuration works for e.g. Plex running on the same mac mini under a different TCP port.

In the meantime, I have changed to another, older Zyxel firewall (NSG-300) with a simpler configuration, using their Nebula Cloud Center (NCC) for the management of the firewall. Guess what: Roon ARC is just working fine. Same DNAT rules as on the FLEX 500. This is particularly interesting as the NSG-300, despite being a Nebula Cloud firewall without the possibility of running stand-alone with the web management UI of the FLEX 500, uses the same configuration on the CLI interface under the hood.

I might try at a later stage to reconfigure the FLEX 500 from scratch with the same configuration as the NSG-300 to see if it’ll work.

You can get more information on the FLEX series here: Download Library | Zyxel Networks
Unfortunately, Zyxel currently has their search function under maintenance, hence you cannot search for any documentation to download.


Cheers and thank you for your informative reply @blechkiste.

The team has taken a peek through some automated diagnostics from your ARC account to make sure things have been running smoothly, and it seems port verification tests are still being blocked.

I wanted to check in to make sure you’ve been able to use ARC with the new router setup after your last report. The tech support team is standing by to assist if not.