UniFi Protect - Troubleshooting Connectivity


Overview


This article covers some basics about connecting to the UniFi Protect Cloud interface at https://protect.ui.com/, and the steps to diagnose and then solve issues regarding this connection. It is important to read and follow the initial diagnostics section, followed by the network, operating system, and browser troubleshooting. If only one is aspect is investigated the solution might be missed.


Table of Contents


  1. Introduction
  2. General Network Connectivity Requirements
  3. Initial Connectivity Diagnostics
  4. Network Troubleshooting
  5. Troubleshooting Android Devices
  6. Troubleshooting iOS Devices
  7. Troubleshooting Browser Connectivity

Introduction


Back to Top

UniFi Protect’s Hybrid Cloud uses WebRTC technology to facilitate direct, configuration-free, and encrypted peer-to-peer connections between the client device (computer browser or mobile app) and the Protect controller. WebRTC allows connections to be established through NAT and Firewalls (such as a UniFi Gateway) without requiring explicit port forwarding or editing firewall rules.

Under normal circumstances, UniFi Protect users should not need to make any changes to their network environment, device or client configuration in order to connect locally or remotely using the Cloud interface at https://protect.ui.com/ or any of the mobile apps. That said, certain network environments, third-party software, or client-side settings may interfere. This article provides an overview of known causes for connectivity problems and potential solutions or workarounds that can be implemented.

If you are interested in the technical aspects of WebRTC, please visit https://webrtc.org/


General Network Connectivity Requirements


Back to Top

For a WebRTC connection to be established, the conditions listed below must be met by both networks: the one where the Protect controller is connected, as well as the one where the client is connected. The client may refer to your home network, your cellular carrier’s network, or your remote WiFi network such as the one at your workplace or public WiFi.

  • Reliable access to Internet and DNS service.
  • Adequate bandwidth for basic connectivity and video transport.
  • Ability to establish outbound TCP connections on port 443 (no need to port forward).
  • Ability to establish outbound UDP connections on ports 0 - 65535 (no need to port forward).
  • Firewall configured to accept solicited inbound UDP traffic.
  • No network security appliances (IPS) or services blocking WebRTC (STUN or DTLS).
  • No gateways configured to use Symmetric NAT (uncommon), as this will cause the peer-to-peer connection to fail forcing the use of a relay (TURN) server or failing altogether.

If you are using UniFi Protect in an isolated environment (where Protect has no access to the Internet), WebRTC is still used for connectivity. In this case, only browser-based access is available by connecting directly to the Protect controller/*- IP address on port 7443 ( https://<your-protect-ip>:7443 ).


Initial Connectivity Diagnostics


Back to Top

In order to focus troubleshooting efforts efficiently, it is best practice to try to identify any patterns to the connectivity issues by attempting to connect using different methods. Try the following and take note of results:

  • Use different mobile devices, such as different phones or tablets, ideally running different operating systems (Android / iOS) if possible.
  • Use different supported browsers, such as Chrome, Firefox, or Safari, on different computers.
  • Connect from different client locations:
    • From the local network (same subnet as Protect).
    • From the mobile carrier network (on a mobile device, or via tethering).
    • From a remote network (such as workplace or public WiFi network).

If you can isolate which scenarios work or do not work, you can focus your troubleshooting accordingly:

  • If a mobile device fails to connect regardless of network location, but browser-based devices work, the problem is likely specific to your mobile device, its configuration, or the software installed.
  • If a browser-based device fails to connect regardless of network location, but mobile devices work, and the experience is consistent across multiple browsers (Chrome, Firefox, Safari), the problem is likely specific to your computer’s configuration or installed software.
  • If a browser-based device fails to connect, but works in one browser but not the other, then the problem is likely specific to the browser’s configuration or environment.
  • If any connection methods (browser or mobile devices) work from one network location but not another, then the problem is likely caused by the network configuration or environment for that location.
  • If no connection methods work regardless of the device or location, the problem is likely caused by either the Protect Controller, its host device or, most likely, its local network configuration. See Network Troubleshooting.

Network Troubleshooting


Back to Top

If you can isolate connectivity problems to a particular network (for example, you can connect to your business Protect deployment from your home, but can’t connect while at a friend’s house), focus troubleshooting on the network where the connection fails. If the connection fails from any remote location, focus troubleshooting first on the network where Protect is located. Perform the following troubleshooting:

  1. Verify that both the device hosting UniFi Protect, as well as the client device have proper Internet access, including a valid gateway IP and DNS servers.  Please note that some DNS providers have been known to cause problems, such as 1.1.1.1.  Try changing to Google's 8.8.8.8.
  2. Verify that selected DNS servers properly resolve the following domains:
    • device.svc.ubnt.com
    • device.amplifi.com
    • global.stun.twilio.com
    • global.turn.twilio.com
  3. Review the firewall configuration to ensure the connectivity requirements established in the section “General Network Connectivity Requirements” are met. If you have custom firewall rules configured, try disabling them temporarily to test.
  4. Remove any port forwards for UniFi Protect, which may have been mistakenly configured.
  5. Disable any network-level security appliance or service rules intended to block WebRTC’s internal protocols: STUN or DTLS.  If you are using a UniFi Gateway, the UniFi Intrusion Prevention System (IPS) does not require specific configuration to prevent blocking WebRTC connectivity.

Symmetric NAT

While uncommon, Symmetric NAT poses a challenge for WebRTC (and most other peer-to-peer connections). Symmetric NAT does not maintain a 1:1 port mapping for established connections, which in all cases will cause the WebRTC peer-to-peer connection to fail. WebRTC will then attempt to fall back to connecting via a relay (TURN) server, providing a degraded user experience and in some cases may not work at all.

If you are behind a Symmetric NAT, the only solution is to either establish a VPN connection between the client and Protect, or configure the router in question to a mode other than Symmetric NAT (typically Cone NAT).

The UniFi Protect Controller detects and logs if the controller-side connection is behind a Symmetric NAT, but is unable to determine the NAT type on the client side. If you suspect Symmetric NAT on the controller-side connection, connect to the Cloud Key via SSH and execute the following command:

grep -Ri "symmetric" /srv/unifi-protect/logs

Any results will reveal evidence that the connection failed due to Symmetric NAT.


Troubleshooting Android Devices


Back to Top

Follow these steps to troubleshoot the Android mobile device that has the UniFi Protect app installed on it:

  1. Verify that the Android UniFi Protect application is up to date and running the latest version available in the Play Store.
  2. Ensure that the UniFi Protect application has not been restricted from accessing WiFi or Cellular data. On most Android phones this can be configured by going to Settings > WiFi & Internet > Data Usage > Cellular Data Usage > select UniFi Protect, and in App data usage make sure WiFi and Cellular data has not been disabled.
  3. If a VPN is configured and enabled, try disabling it. Some VPNs and VPN services will block WebRTC connectivity.
  4. If enabled, try disabling Private DNS under Settings > WiFi & Internet > Private DNS. On some networks and carrier networks, certain Private DNS providers such as CloudFlare’s 1dot1dot1dot1 may interfere with WebRTC.
  5. Disable or remove any third-party applications that may interfere with network connectivity. Many security and privacy applications such as Blockada will block WebRTC connections in their default configuration.
  6. Force quit the UniFi Protect application and attempt to connect again.
  7. Uninstall the UniFi Protect application, re-install, and attempt to connect again.

Troubleshooting iOS Devices


Back to Top

Follow these steps to troubleshoot the iOS mobile device that has the UniFi Protect app installed on it:

  1. Verify that the iOS UniFi Protect application is up to date and running the latest version available in the Apple Store.
  2. Ensure that the UniFi Protect application has not been restricted from accessing WiFi or Cellular data. In iOS, go to Settings > Cellular Data and make sure UniFi Protect is toggled ON.
  3. If a VPN is configured and enabled, try disabling it. Some VPNs and VPN services will block WebRTC connectivity.
  4. Force quit the UniFi Protect application and attempt to connect again.
  5. Uninstall the UniFi Protect application, re-install, and attempt to connect again.

Troubleshooting Browser Connectivity


Back to Top

In most cases, browser-specific failures to connect are typically caused by third-party software installed either as an extension in the browser, or an application on the host computer. To troubleshoot browser issues try the following:

  1. Disable all suspected third-party extensions and security or privacy software installed on the computer. If connectivity is restored, re-enable extensions or software one at a time, testing each time, until the extension or software causing the problem is identified.
  2. Once the extension or software has been identified as the cause, either leave it disabled or uninstall it. You may reach out to that software's support team for further assistance on how to configure it so it does not interfere with UniFi Protect. Unfortunately, we are unable to provide assistance on how to configure third-party software.

Common extensions known to cause issues include uBlock Origin and WebRTC Leak Prevent. Various VPN services such as Tunnelbear, as well as ad blockers or general tracking blockers are likely to interfere with WebRTC connectivity across all platforms that use the technology. If you identify conflicting software that is not included in this list, please let us know by emailing helpcenter_feedback@ui.com so it can be added.

If using Chrome, please disable the following feature flag "Anonymize local IPs exposed by WebRTC." by copying and pasting the following address into the address bar, selecting Disabled, then restarting the browser:

chrome://flags/#enable-webrtc-hide-local-ips-with-mdns

We're sorry to hear that!