I recently purchased the Starfinder Ruleset and I'm trying to get everything set up.
I'm running an Ultimate license of FG, and everything is working fine with e.g. the PFRPG ruleset.

The current person I'm testing with has an Ultimate license of his own, but doesn't own the Starfinder Ruleset.
Shouldn't he be able to join a Starfinder game when I host it?

Whenever he connects, his client starts downloading files, and simply stops at 20% with no error message. After a few minutes his client just exits into the launcher.

Since there are no errors shown anywhere it is damn difficult to troubleshoot this problem, therefore I'm turning to these forums for help.

Does anyone have an idea what could be causing this behaviour?

Couple things to try and to look into:
Have the player delete their cache and try again.
Try creating a new campaign and joining that.
Verify neither router has flood protection enabled.
Make sure the players anti virus has FG whitelisted.
Check the FG directory for a lot or console file (don't remember the correct name). Post the results back here.

Log file, not lot!

Test in a new campaign with nothing shared at all. If there is still an issue then it is likely to be on the player's side. If he can join your game then you may be sharing too much. Make sure you aren't sharing DM only modules or too many player modules. Ask the player to check how much memory FG is using at his end whilst FG is running.

Couple things to try and to look into:
Have the player delete their cache and try again.
Try creating a new campaign and joining that.
Verify neither router has flood protection enabled.
Make sure the players anti virus has FG whitelisted.
Check the FG directory for a lot or console file (don't remember the correct name). Post the results back here.

Cache was deleted, no success.
Also created a completely empty new SFRPG campaign, no change.
At least on my end there is no issue with the router. ("Flood protection" generally refers to ICMP flood attacks, specifically "ICMP Echo floods". This shouldn't have any effect whatsoever on FG)
On my end FG is whitelisted, will verify with the "player".
There are no log entries according to the player, and my own log is useless for this, as mentioned.

"[12.03.2018 12:05:38] Network Notice: 'XX' connected
[12.03.2018 12:06:18] Network Warning: Client connection 'XX' closed
[12.03.2018 12:07:18] Network Notice: 'XX' disconnected"

He used his real name so I "XX"ed it.

I guess I'll launch wireshark on my end, see if I can figure anything out.


Edit:

Test in a new campaign with nothing shared at all. If there is still an issue then it is likely to be on the player's side. If he can join your game then you may be sharing too much. Make sure you aren't sharing DM only modules or too many player modules. Ask the player to check how much memory FG is using at his end whilst FG is running.
I did, Empty campaign, no characters, no modules, nothing.

Looks like some network problems, but why only with SFRPG? I guess because he doesn't need to download the PFRPG ruleset... weird.

Cache was deleted, no success.
Also created a completely empty new SFRPG campaign, no change.
At least on my end there is no issue with the router. ("Flood protection" generally refers to ICMP flood attacks, specifically "ICMP Echo floods". This shouldn't have any effect whatsoever on FG)
On my end FG is whitelisted, will verify with the "player".
There are no log entries according to the player, and my own log is useless for this, as mentioned.

"[12.03.2018 12:05:38] Network Notice: 'XX' connected
[12.03.2018 12:06:18] Network Warning: Client connection 'XX' closed
[12.03.2018 12:07:18] Network Notice: 'XX' disconnected"

He used his real name so I "XX"ed it.

I guess I'll launch wireshark on my end, see if I can figure anything out.


Edit:

I did, Empty campaign, no characters, no modules, nothing.

Looks like some network problems, but why only with SFRPG? I guess because he doesn't need to download the PFRPG ruleset... weird.

TCP Flood is most definitely "a thing" it isnt limited to ICMP or UDP.
Your players router may have some TCP Flood settings in its advanced firewall settings.
Your player may be on a Wifi connection and its not as good a signal as he thinks it is?

TCP Flood is most definitely "a thing" it isnt limited to ICMP or UDP.
Your players router may have some TCP Flood settings in its advanced firewall settings.
Your player may be on a Wifi connection and its not as good a signal as he thinks it is?

You are ofc absolutely right. However, again under normal circumstances, a single program should never ever trigger any flood protections. (Also most routers don't give a damn about outgoing connections, their default security features are designed to protect the internal network from external threats - however bad or good it works is another topic)
I've set up wireshark and will have the player try some more, maybe I can find something but I doubt I'll be able to see anything on my end though.

If FG did trigger flood protection settings in the past, I'd genuinely like to speak with whomever implemented the network part of FG. I might even be able to help fix that. (Combined Network Engineer and Software Engineer here)

That did the trick... There is definitely an issue with FG here.

I'm registering 26+ incoming connection attempts all from different ports from the players IP.
Here's just a snippet that shows what's going on:
from <source IP>:58014 to <target IP>:1802, Monday, March 12,2018 12:06:06
from <source IP>:58008 to <target IP>:1802, Monday, March 12,2018 12:05:51
from <source IP>:57989 to <target IP>:1802, Monday, March 12,2018 12:05:46
from <source IP>:57828 to <target IP>:1802, Monday, March 12,2018 12:05:41
from <source IP>:57826 to <target IP>:1802, Monday, March 12,2018 12:05:41
from <source IP>:57825 to <target IP>:1802, Monday, March 12,2018 12:05:41
from <source IP>:57824 to <target IP>:1802, Monday, March 12,2018 12:05:41
from <source IP>:57827 to <target IP>:1802, Monday, March 12,2018 12:05:41
from <source IP>:57823 to <target IP>:1802, Monday, March 12,2018 12:05:41
from <source IP>:57822 to <target IP>:1802, Monday, March 12,2018 12:05:41
from <source IP>:57821 to <target IP>:1802, Monday, March 12,2018 12:05:41
from <source IP>:57820 to <target IP>:1802, Monday, March 12,2018 12:05:41
from <source IP>:57819 to <target IP>:1802, Monday, March 12,2018 12:05:41
from <source IP>:57816 to <target IP>:1802, Monday, March 12,2018 12:05:33
from <source IP>:57815 to <target IP>:1802, Monday, March 12,2018 12:05:26

I'm sorry but this is... not ok. Why does FG need this many connections to the GM from a single player? What if 4-5 players try to connect simultaneously?
So yeah, this could very well be a SYN flood protection triggering. Might even be in my managed switch with IDS features that sits behind my router and takes care of vlans for me, I'll have to check further logs.

Edit:
Yep, found the issue. My security suite on the switch kicks in and drops the attackers packages before they reach my PC.

Now the question remains if this is intended FG behaviour, because this needs fixing on the software side.

The network architecture of FG is in the process of being re architected ��. It's part of the entire program being rebuilt on the Unity platform. The current networking was done many years ago under a previous owner and developer.

There is no announced release for FUG, but we all hope it is soon. A date will probably not be announced until 3 months prior to release.

The network architecture of FG is in the process of being re architected ��. It's part of the entire program being rebuilt on the Unity platform. The current networking was done many years ago under a previous owner and developer.

There is no announced release for FUG, but we all hope it is soon. A date will probably not be announced until 3 months prior to release.

Thank you very much!

I guess I'll have to temporarily disable my network security whenever a "new player" joins.
We confirmed this to be only an issue during the download of the ruleset to the client, whatever it is that happens there exactly.

After initial connect, I can simply turn back on the security and the player can connect just fine.


Thanks to everyone jumping in with comments and trying to help, it is much appreciated. :)

I'm sorry but this is... not ok. Why does FG need this many connections to the GM from a single player? What if 4-5 players try to connect simultaneously?

When a player connects the first time (or connects after nuking their cache) their client will download everything that is shared with players. This can be ameliorated some by limiting what you share with players.

On the initial connection there can be (depending on what is shared and what was downloaded on the previous session) over 100mb of data being uploaded/downloaded to each client.
On successive connections only the changed data would be transferred.
However for StarFinder its Ruleset and DLC is going thru much faster revisions so this large transfer could happen more frequently...

On the initial connection there can be (depending on what is shared and what was downloaded on the previous session) over 100mb of data being uploaded/downloaded to each client.
On successive connections only the changed data would be transferred.
However for StarFinder its Ruleset and DLC is going thru much faster revisions so this large transfer could happen more frequently...

The amount of data transferred should be completely irrelevant in regards to the number of parallel connections opened. I'm working in an EDI (electronic data interchange) team and one of our largest customers is pushing 4+ Gb of data at once, every 3 weeks. They open exactly one connection for that, not 20+. :)
But as LordEntrails said it's being worked on, that is good enough for me. I'll work around the issue for the time being, won't kill me to turn off my security for short intervals whenever someone needs to download files from my FG, it's a minor nuisance that's all - important was finding where the connection drops and your hint with the TCP SYN floods put me in the right direction - so yay for you! \o/

On a side note: I wouldn't have shelled out the money for an ultimate license if I didn't "believe" in the FG product, even with all it's kinks and small issues it is the most advanced VTT available in my opinion. And the community is really helpful on top of that.

The amount of data transferred should be completely irrelevant in regards to the number of parallel connections opened. I'm working in an EDI (electronic data interchange) team and one of our largest customers is pushing 4+ Gb of data at once, every 3 weeks. They open exactly one connection for that, not 20+. :)

The model used in this software is closer to that used for HTTP connections rather than what you're working with. One connection for each item to be transferred. So, if you're sharing 20 maps, 10 story entries, and 50 tokens, you'll get 80 connections if the client needs to do a full download.

I am currently having this exact issue as well. The download process gets 2% sometimes it goes to about 20%, then just stops. No activity. I am using Unifi's Securtiy Gatewy. Will have to do some digging to see if there is a way to disable security as mentioned above.

Think the FGU beta is around the corner, so this will be a great test to see if the new program will correct this issue or not.

FGU will not fix this sort of issue; security software will likely always be something that will potentially need to be adjusted to allow update programs to work. The changes in FGU are around game networking and server-assisted port forwarding bypass.

Regards,
JPG

So if the problem is some routers see TCP Flood (assuming these are SYN floods) Why does the FG client send so many SYN packets?

I have been having this issue for the five weeks or so and there is no configuration option on my router to shut off TCP Flood protection. I do see FG clients when they connect to the table getting blocked, but not much I can do to change the router config if there is no option. (ATT u-verse with 5268AC router). Old Internet search show config screens with TCP Flood controls, but the current release 11.4.1.532484-att does not have this option.

I see all the impacted FG users with errors like this in the router log. IN=br1 MAC=d4:b2:7a:94:e6:b4 SRC=24.22.158.37 DST=192.168.1.77 LEN=52 TTL=113 PROTO=TCP DPT=1802 TCP flood

So I know exactly what the problem is and have no way to fix it for 3 of my 5 players. The others seem to work fine.

-Mark

Turn off flood protection in your router.

mclancy10006 try a firmware update or even one or two versions earlier (if available) and see if that option might be available again.

I have public IPs. I assigned my laptop one of my public ip's, connected directly to my modem, turn off windows firewall, turn off Defender, Turn off AV. And still no dice. I cant get any more unprotected than that. I did finally get one connection after about 10-15 tries. No go for second connection. Sadly, I think I lost my friends who I had convinced to use FG. If I have to sit at a table connected to an internal network or wireless to get my users to connect, then I might as well use pen and paper.

Other software applications work with out issue or incident under "typical" protection.

Whats your Alias and Ill try and connect?

Hey damned, sent you a PM with the details. I am also on discord today. If that is easier to use.

Thanks for your time in trying to narrow down the issue. For public record it appears to be an issue with AT&T currently. Damned was able to get a connection, but additional connections was an issue as noted above.

For anyone else that might be having this issue, here is the modem info I have, you might have to check with AT&T about this issue.

Model: 5268AC
Current Version 11.3.1.532191-att
Initial Software Version 11.3.1.532191-att

Even though AT&T has the device configured as a "gateway" with the firewall turned off the modem is still dropping packets as if the firewall is still turned on. The event logs on the modem still show logs for the firewall with dropped packets just as if the firewall was on. This leads me to believe that AT&T's modem still acts as a firewall even when disabled.

---
Firewall Status
Firewall Active
The firewall actively blocks access of unwanted activity from the Internet.
---

Looks like the Modem Firewall was enabled after I worked with the AT&T folks. I am on a call with them now (again) to get their firewall disabled (again). So if you run into this issue you might look at the AT&T modem as it may have been factory reset for some reason albeit a software upgrade or something.

Working with the AT&T tech and he is telling me that the status of "Firewall Active" is that the firewall is disabled and not blocking anything. Even though the firewall logs show dropped packets "like what a firewall does". Clearly AT&T doesn't understand what a firewall does or how to configure it.

Bottom line is this:

AT&T wont turn off the Firewall on the modem. Even after you verbally agree to the "Firewall Safety Statement" they are required to read to you and that you have to agree to. They will uncheck some check-box on the configuration page but will not deactivate the firewall. They consider an active blocking firewall as Deactivated and not blocking packets. (Even when you can prove that it is, with their own firewall logs) Also there is no customer facing options to turn it off as well. You can configure firewall rules and add ports to forward to devices. (double NAT) When trying to relay that message to the tech he kept over talking me and telling me that the firewall on the modem was turned off.

I have my own firewall(s) and have paid for public ip's.

So long story short, FantasyGrounds works fine, its AT&T that is blocking the connections and wont do anything about it except take your money. See images below for examples of what I am seeing (and dealing with)

2965029650
29651

What a poor service model they have.

Did you ask for a tier 3 tech? Or use the special codephrase? (https://imgs.xkcd.com/comics/tech_support.png)

Yes, I did. They do not have Tier 3 support. But they are willing to send out Geek Squad (at my expense) to fix my hardware issues. I just spent and hour talking to their "manager" basically another level 1 service tech trying to resolve this issue. They are unable to completely disable the firewall on the AT&T modem because it is a security risk for them. She was trying to tell me that my firewall (Unifi USG) was not compatible with their modem. Then when i told them that I configured my laptop with a public ip address and was able to repeat the exact issue removing my USG from the loop. She told me that my Lenovo laptop was the problem that was not compatible with their AT&T modem. So I told her I was able to take my laptop down the road to the public library and it works fine. She told me that Fantasy Grounds was incompatible with their modem. All she knew how to do was point the finger at me and every time I had concrete proof of why she was wrong. She just said I don't know why your device is not compatible sir

Can you eliminate their modem then?

Edit: After doing some searching it doesn't look like it. :(

Ugh, I can feel your pain, though fortunately I have not experienced it. Would it be worth considering a VPN option to completely bypass AT$T?

Yeah, that's a no-go on the modem replacement. I asked if I could get my own personal modem (like I do for cable companies) and they would not allow it. However, the VPN is an option and I already have a fortigate 60D with VPN option. Think i will toss a public ip on that and see if the VPN works.

By the time this is figured out, FGU will be released and wont be an issue anyways? At least I hope. If not the 60D might be the solution I need and already have that I can use. I will report back my findings when I am done with my testing.

FGU has a new networking model designed to prevent problems like this. But, there is always the possibility that some security can interfere with it. (As you know cyber is always changing)

Yup, I have been playing around with it some. And I agree, FGU's new connection process looks promising. But can't really use that for full play just yet.

I was able to get my Fortinet 60D configured with one of my extra public ip addresses that I have. Spent some time setting up a private network that I can connect to, configured the VPN to allow remote users to connect to firewall and access that private network. I have tested just about every connection combination I can think of, no themes or extension, Wizards Theme, Desktop Decals (none selected to all selected that I have), extensions, modules, images, maps etc and everything worked perfectly. YAY! After the initial connection happened (1-2 seconds) the client downloaded the required files (30-45 seconds) and loaded the session right up. Didn't even blink or pause like it was doing before. First time every time. Was able to close the session (client) and connect right back in. Connected and started right up to session in about 25 seconds.

The VPN option is definitely a solution that appears to have worked in this case. I just happen to have extra equipment (and public ip) to toss at to fix the connection issue. However others might not have this option available to them. I think my kids use LogMeIn Hamachi for their games with their friends. Might be something to look into that that doesn't require a PC Tech or hardware to configure.

Either way, the issue was definitely AT&T and their Disabled (yet enabled and running) Firewall that was blocking the connection.

Well done.

Crappy that you have to do this and lucky you have the skills to configure it up.

So my problem is also AT&T u-verse. I guess I'll have to build a VPN tunnel to a server I have at a co-lo provider to make FG work for all my players. :(
-Mark

So my problem is also AT&T u-verse. I guess I'll have to build a VPN tunnel to a server I have at a co-lo provider to make FG work for all my players. :(
-Mark
Their is a post on VPN solutions including Hamachi, but if you have a co-lo probably means you have more resources and knowledge than needed to go that route :)

Elsewhere Moon Wizard intimated that FGU was not likely to fix this sort of problem. It helps connection problems but not flood protection.

In the end I used the SSH tunnel approach. So far so good in testing, but we will see when game time hits in a few hours.

SSH Port Mapping
https://www.fantasygrounds.com/forum...l=1#post376412