No Connection to Client behind corporate firewall "negative cache entry"

Hi there,

Seems to be a big question for many users and I first wanted to give up because it seemed to be impossible to get a connection, but now I’m not sure.

What I have: An ever-running “Server” at home. Ports 22000 (TCP) and 21027 (UDP) open on router. dyndns address available. A Client at office behind a very strict firewall. Added my “home server” and entered tcp://mydyndns.athomeadress.com:22000 instead of “dynamic” (“dynamic” didn’t work to get anything working) as address and now I get an error “connection refused” at office.

Checked log at home and there seems to be some kind of connection to my home machine because the log at home shows the identifier from the office’s machine with error message “negative cache entry”. Office’s firewall doesn’t seem to be the problem.

Found a post that my home server checks the identifier of the office machine on the discovery servers and the office machine doesn’t seem to announce its identifier there. Am I right?

Log of the office machine says e.g. “announce POST: Post "https://discovery-v4.syncthing.net/v2/": dial tcp connect: connection refused”. But how can that be? I can connect via port 22000 through our strict firewall to my home machine but I can’t connect to this simple HTTPS address? I can’t even open https://discovery-v4/v2/ or https://139.59.84.212:443/v2/ in my browser. Shows error message PR_END_OF_FILE_ERROR. But I have no problem opening https://www.google.com, of course. And https://discovery-v4.syncthing.net/v2/ on my mobile phone first gives me a certificate warning and then a blank “Not found” message.

Any ideas on this? Or could I get my home server not to check the identifier of my office syncthing instance on the discovery servers? Or how to turn off discovery function? (I only sync to devices in LAN and this one device in my office which has a static IP. Seems I don’t need any discovery server?)

(Sorry for the spaces in the URLs but I got an error message that new users may only post two links in one post and my spaces were able to bypass that, fortunately)

No ideas on why you can’t connect out to the discovery servers. Maybe proxy with strict allow / block lists. But yes, “negative cache entry” on the other side means it’s asked the discovery servers, they said they don’t know anything, and we cache that answer for a short while to avoid asking discovery servers on every connection attempt.

If you configure an address on the remote device, you don’t need discovery for a connection to that device. As Jakob suggests, it looks like a very strict corporate firewall that doesn’t allow outgoing connections to port 22000. Therefore the only ones who can give you a real answer are your IT department.
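To make the two points above concrete (a “negative cache entry” is a cached “not found” answer kept for a short while, and a statically configured address bypasses discovery entirely), here is an added illustration in Python. It is not Syncthing’s code; the TTL values, the device IDs, the `home.example.net` address and the fake discovery server are all constructed for this example.

```python
import time

# Constructed TTL values for this example; Syncthing's real cache durations
# are not stated in the thread and are not claimed here.
POSITIVE_TTL = 600.0   # seconds to keep a successful lookup
NEGATIVE_TTL = 60.0    # seconds to keep a "not found" (404) answer


class DiscoveryCache:
    """Caches global-discovery lookups, including negative ("not found") answers.

    `query` stands in for the discovery server: it returns a list of addresses
    for a device ID, or an empty list when the server has never seen that ID
    (the HTTP 404 case). `clock` is injectable so the expiry can be tested.
    """

    def __init__(self, query, clock=time.monotonic):
        self._query = query
        self._clock = clock
        self._entries = {}      # device_id -> (addresses, expires_at); [] marks a negative entry
        self.server_queries = 0  # how often the discovery server was actually asked

    def lookup(self, device_id):
        """Return (addresses, reason); reason says where the answer came from."""
        now = self._clock()
        entry = self._entries.get(device_id)
        if entry is not None and entry[1] > now:
            addresses, _ = entry
            if not addresses:
                # Cached 404: the server is not asked again until the short TTL expires.
                return [], "negative cache entry"
            return list(addresses), "cache hit"
        self.server_queries += 1
        addresses = list(self._query(device_id))
        ttl = POSITIVE_TTL if addresses else NEGATIVE_TTL
        self._entries[device_id] = (addresses, now + ttl)
        return addresses, ("lookup ok" if addresses else "lookup 404")


def dial_addresses(configured, device_id, cache):
    """Addresses to try for a device. A statically configured address wins
    outright; discovery (and its negative cache) is consulted only for "dynamic"."""
    static = [a for a in configured if a != "dynamic"]
    if static:
        return static, "configured"
    return cache.lookup(device_id)


if __name__ == "__main__":
    # Constructed scenario: the discovery server knows only the home device,
    # so the office device (which cannot reach discovery) is never announced.
    known = {"HOME-DEVICE-ID": ["tcp://home.example.net:22000"]}
    fake_now = [1000.0]
    cache = DiscoveryCache(lambda dev: known.get(dev, []), clock=lambda: fake_now[0])
    print(cache.lookup("OFFICE-DEVICE-ID"))   # ([], 'lookup 404')
    print(cache.lookup("OFFICE-DEVICE-ID"))   # ([], 'negative cache entry'), server not asked again
    fake_now[0] += NEGATIVE_TTL + 1
    print(cache.lookup("OFFICE-DEVICE-ID"))   # TTL expired: ([], 'lookup 404') again
    print(dial_addresses(["tcp://home.example.net:22000"], "HOME-DEVICE-ID", cache))
```

The second lookup for the office device returns the cached negative answer without a server round trip, which is the message seen in the home log; once the short TTL passes the server is asked again. With a non-“dynamic” address configured, `dial_addresses` never touches the cache at all, which is why a fixed address makes the discovery failure irrelevant for that connection.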

I would like to disagree: If syncthing@home tries to validate the identifier from syncthing@office and gets a “negative cache entry” error and on the other hand syncthing@office gets a “connection refused” error, I presume there’s somehow a connection between syncthing@office and syncthing@home, isn’t there? (Otherwise syncthing@home wouldn’t try to validate something that doesn’t connect to it)

When syncthing@office is disabled the log at home doesn’t show the error “negative cache entry” but “globalClient.Lookup 404 Not Found”. That seems to be usual, because it just can’t be found if it’s turned off :wink:

How to disable discovery if I don’t need it? So that syncthing@home doesn’t try to validate the identifier from syncthing@office?

I’m not following your reasoning, but a negative cache entry is just a cached 404 response. You can disable discovery in Settings -> Connections.

Is removing the checkmark (red) enough or also by blanking out the “default” (green)?

The checkbox is enough
