025-09-10T124845.040Z INFO livekit service/server.go:242 starting LiveKit server {"portHttp": 7880, "nodeID": "ND_gh3g3zy5VFA4", "nodeIP": "51.20.184.28", "version": "1.5.2", "rtc.portTCP": 7881, "rtc.portICERange": [50000, 50100]} 2025-09-10T124901.745Z INFO livekit service/roomallocator.go:138 selected node for room {"room": "test-room", "roomID": "RM_bHSYtkCf9BQP", "selectedNodeID": "ND_gh3g3zy5VFA4"} 2025-09-10T124901.779Z INFO livekit service/roommanager.go:810 created TURN password {"username": "RJGOUZ2cyIXbRR2UfKIo4LvyWzuyID", "password": "QzxpRfjKJwWHGz7rAcyUhdlyU4drN7Gpy2Sfav2NYxO"} 2025-09-10T124901.800Z INFO livekit service/rtcservice.go:309 new client WS connected {"room": "test-room", "roomID": "RM_bHSYtkCf9BQP", "participant": "test-user", "pID": "PA_SdQmr2sfT8bQ", "remote": false, "connID": "CO_Rf7aNsufcyT6", "reconnect": false, "reconnectReason": "RR_UNKNOWN", "adaptiveStream": false, "selectedNodeID": "ND_gh3g3zy5VFA4"} 2025-09-10T124917.096Z INFO livekit.transport rtc/transport.go:656 peer connection failed {"room": "test-room", "roomID": "RM_bHSYtkCf9BQP", "participant": "test-user", "pID": "PA_SdQmr2sfT8bQ", "remote": false, "transport": "SUBSCRIBER"} 2025-09-10T124917.097Z INFO livekit rtc/participant_signal.go:308 closing signal connection {"room": "test-room", "roomID": "RM_bHSYtkCf9BQP", "participant": "test-user", "pID": "PA_SdQmr2sfT8bQ", "remote": false, "reason": "TRANSPORT_FAILURE", "connID": "CO_Rf7aNsufcyT6"} 2025-09-10T124917.098Z INFO livekit service/rtcservice.go:269 finishing WS connection {"room": "test-room", "roomID": "RM_bHSYtkCf9BQP", "participant": "test-user", "pID": "PA_SdQmr2sfT8bQ", "remote": false, "connID": "CO_Rf7aNsufcyT6", "closedByClient": true} 2025-09-10T124917.100Z INFO livekit rtc/participant.go:741 participant closing {"room": "test-room", "roomID": "RM_bHSYtkCf9BQP", "participant": "test-user", "pID": "PA_SdQmr2sfT8bQ", "remote": false, "sendLeave": false, "reason": "JOIN_FAILED", "isExpectedToResume": false} 2025-09-10T124917.100Z INFO livekit rtc/room.go:545 removing participant without connection {"room": "test-room", "roomID": "RM_bHSYtkCf9BQP", "participant": "test-user", "pID": "PA_SdQmr2sfT8bQ", "remote": false, "subscriberCandidates": ["[local] udp4 host 51.20.184.28:50009", "[local] tcp4 host 51.20.184.28:7881", "[remote] udp4 host 172.28.91.24:55182", "[remote] udp4 host 172.17.0.1:56308", "[remote] udp4 host 192.168.49.1:60789", "[remote] udp4 host 192.168.58.1:58671", "[remote] udp4 host 172.18.0.1:35573", "[remote] udp4 host 172.19.0.1:37971"], "connectionType": "unknown", "reason": "STATE_DISCONNECTED"} 2025-09-10T124937.040Z INFO livekit.room rtc/room.go:742 closing room {"room": "test-room", "roomID": "RM_bHSYtkCf9BQP"} 2025-09-10T124937.040Z INFO livekit service/roommanager.go:145 deleting room state {"room": "test-room"} 2025-09-10T124937.044Z INFO livekit.room service/roommanager.go:552 room closed {"room": "test-room", "roomID": "RM_bHSYtkCf9BQP"} /////////// # namespace.yaml apiVersion: v1 kind: Namespace metadata: name: livekit labels: name: livekit --- # ======================== # Redis Deployment + Service # ======================== apiVersion: apps/v1 kind: Deployment metadata: name: redis namespace: livekit spec: replicas: 1 selector: matchLabels: app: redis template: metadata: labels: app: redis spec: containers: - name: redis image: redis:7-alpine ports: - containerPort: 6379 --- apiVersion: v1 kind: Service metadata: name: redis namespace: livekit spec: selector: app: redis ports: - protocol: TCP port: 6379 targetPort: 6379 # ======================== # LiveKit ConfigMap # ======================== --- apiVersion: v1 kind: ConfigMap metadata: name: livekit-config namespace: livekit data: livekit.yaml: | port: 7880 rtc: tcp_port: 7881 port_range_start: 50000 port_range_end: 50100 use_external_ip: true turn: enabled: true udp_port: 50000 redis: address: redis.livekit.svc.cluster.local:6379 logging: level: info # ======================== # LiveKit Deployment # ======================== --- apiVersion: apps/v1 kind: Deployment metadata: name: livekit-server namespace: livekit labels: app: livekit-server spec: replicas: 1 selector: matchLabels: app: livekit-server template: metadata: labels: app: livekit-server spec: containers: - name: livekit-server image: livekit/livekit-server:v1.5.2 env: - name: LIVEKIT_CONFIG valueFrom: configMapKeyRef: name: livekit-config key: livekit.yaml - name: LIVEKIT_KEYS value: "devkey: my_dev_secret_key_123456789_secret_value" - name: LIVEKIT_RTC_NAT1TO1_IPS value: "nlb-dns" ports: - containerPort: 7880 name: http - containerPort: 7881 name: rtc-tcp - containerPort: 50000 name: turn-udp protocol: UDP # ======================== # LiveKit Internal Service # ======================== --- apiVersion: v1 kind: Service metadata: name: livekit-server namespace: livekit spec: type: ClusterIP selector: app: livekit-server ports: - name: http port: 7880 targetPort: 7880 - name: rtc-tcp port: 7881 targetPort: 7881 # ======================== # NLB Service for TCP # ======================== --- apiVersion: v1 kind: Service metadata: name: livekit-nlb-tcp namespace: livekit annotations: service.beta.kubernetes.io/aws-load-balancer-type: "nlb" service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: "stickiness.enabled=true,stickiness.type=source_ip" spec: type: LoadBalancer externalTrafficPolicy: Local selector: app: livekit-server ports: - name: http-api port: 7880 targetPort: 7880 protocol: TCP - name: rtc-tcp port: 7881 targetPort: 7881 protocol: TCP # ======================== # NLB Service for TURN/UDP # ======================== --- apiVersion: v1 kind: Service metadata: name: livekit-nlb-udp namespace: livekit annotations: service.beta.kubernetes.io/aws-load-balancer-type: "nlb" service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: "stickiness.enabled=true,stickiness.type=source_ip" spec: type: LoadBalancer externalTrafficPolicy: Local selector: app: livekit-server ports: - name: turn-udp port: 50000 targetPort: 50000 protocol: UDP # ======================== # NLB for UDP Media Range - # ======================== --- apiVersion: v1 kind: Service metadata: name: livekit-udp-range namespace: livekit annotations: service.beta.kubernetes.io/aws-load-balancer-type: "nlb" service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" spec: type: LoadBalancer externalTrafficPolicy: Local selector: app: livekit-server ports: - name: udp-50000 port: 50000 targetPort: 50000 protocol: UDP

Thanks for reaching out, massrylama. I'm an AI assistant and I'm here to help. Give me a moment while I research this topic.

Thanks for the guidance! I’ve checked the connectivity: UDP ports 50000-50100 are open, and the TURN server is reachable. I also tested TCP ports 7880 and 7881—they are accessible. I’ll try using the Connection Test Utility next. Meanwhile, if you have any tips for forcing TURN usage or handling NAT/firewall issues more efficiently, that would be great.

To help you navigate NAT/firewall issues and ensure TURN is used in LiveKit, here’s a friendly step-by-step guide: 1. Enable TURN Server: First, make sure TURN is enabled in your LiveKit setup. For networks that are a bit more restrictive, it’s a good idea to configure TURN/TLS on port 443 to mimic HTTPS traffic:

turn:
  enabled: true
  tls_port: 443
  domain: <http://turn.myhost.com|turn.myhost.com>
  cert_file: /path/to/turn.crt
  key_file: /path/to/turn.key

2. Force TURN Usage: On the client side, you can configure the SDK to use only TURN relays by setting: `connectOpts.rtcConfig = { iceTransportPolicy: 'relay' };`This step makes sure your connection uses only TURN candidates, avoiding direct UDP/TCP connections, which can be blocked in some networks. 3. Firewall Configuration: To keep things flowing smoothly, please open these necessary ports:Also, if you’re using LiveKit’s hosted TURN servers, don’t forget to whitelist domains like

*.turn.livekit.cloud

. ◦ TCP: 443 for WebSocket signaling and TURN/TLS ◦ UDP: 50000-50100 for WebRTC media ◦ TURN/UDP: Port 443 or 3478 1. Test Connectivity: Finally, try out the LiveKit Connection Tester. It’s a handy tool to check WebRTC, WebSocket, and TURN connectivity, helping you spot any lingering network restrictions. Following these steps should really boost your connectivity in those tricky network environments. If you run into any bumps or have questions, I’m here to help—just let me know! Sources: Configuring firewalls | LiveKit Docs | Firewall Tips | Docs::Home | Deploying LiveKit | LiveKit Docs | examples/demo/index.html

2025-09-10T133319.992Z INFO livekit.transport rtc/transport.go:656 peer connection failed {"room": "test-room", "roomID": "RM_ZDnmL89qFAZr", "participant": "test-user", "pID": "PA_ioNtVEYsbymW", "remote": false, "transport": "SUBSCRIBER"} 2025-09-10T133319.992Z INFO livekit.transport rtc/transportmanager.go:595 ignoring prefer candidate check by ICE failure because signal connection interrupted {"room": "test-room", "roomID": "RM_ZDnmL89qFAZr", "participant": "test-user", "pID": "PA_ioNtVEYsbymW", "remote": false, "lastSignalSince": "15.056536137s", "signalValid": true} 2025-09-10T133319.992Z INFO livekit rtc/participant_signal.go:308 closing signal connection {"room": "test-room", "roomID": "RM_ZDnmL89qFAZr", "participant": "test-user", "pID": "PA_ioNtVEYsbymW", "remote": false, "reason": "TRANSPORT_FAILURE", "connID": "CO_HR5XycZkJVWA"} 2025-09-10T133319.994Z INFO livekit service/rtcservice.go:269 finishing WS connection {"room": "test-room", "roomID": "RM_ZDnmL89qFAZr", "participant": "test-user", "pID": "PA_ioNtVEYsbymW", "remote": false, "connID": "CO_HR5XycZkJVWA", "closedByClient": true} 2025-09-10T133319.995Z INFO livekit rtc/participant.go:741 participant closing {"room": "test-room", "roomID": "RM_ZDnmL89qFAZr", "participant": "test-user", "pID": "PA_ioNtVEYsbymW", "remote": false, "sendLeave": false, "reason": "JOIN_FAILED", "isExpectedToResume": false} 2025-09-10T133319.996Z INFO livekit rtc/room.go:545 removing participant without connection {"room": "test-room", "roomID": "RM_ZDnmL89qFAZr", "participant": "test-user", "pID": "PA_ioNtVEYsbymW", "remote": false, "subscriberCandidates": ["[local] udp4 host 51.20.184.28:50003", "[local] tcp4 host 51.20.184.28:7881", "[remote] udp4 host 172.28.91.24:57340", "[remote] udp4 host 172.17.0.1:58062", "[remote] udp4 host 192.168.49.1:44846", "[remote] udp4 host 192.168.58.1:42591", "[remote] udp4 host 172.18.0.1:43071", "[remote] udp4 host 172.19.0.1:37183"], "connectionType": "unknown", "reason": "STATE_DISCONNECTED"} 2025-09-10T133339.746Z INFO livekit.room rtc/room.go:742 closing room {"room": "test-room", "roomID": "RM_ZDnmL89qFAZr"} 2025-09-10T133339.746Z INFO livekit service/roommanager.go:145 deleting room state {"room": "test-room"} 2025-09-10T133339.749Z INFO livekit.room service/roommanager.go:552 room closed {"room": "test-room", "roomID": "RM_ZDnmL89qFAZr"} //////////////////////// # namespace.yaml apiVersion: v1 kind: Namespace metadata: name: livekit labels: name: livekit --- # ======================== # Redis Deployment + Service # ======================== apiVersion: apps/v1 kind: Deployment metadata: name: redis namespace: livekit spec: replicas: 1 selector: matchLabels: app: redis template: metadata: labels: app: redis spec: containers: - name: redis image: redis:7-alpine ports: - containerPort: 6379 --- apiVersion: v1 kind: Service metadata: name: redis namespace: livekit spec: selector: app: redis ports: - protocol: TCP port: 6379 targetPort: 6379 --- # ======================== # LiveKit ConfigMap # ======================== apiVersion: v1 kind: ConfigMap metadata: name: livekit-config namespace: livekit data: livekit.yaml: | port: 7880 rtc: tcp_port: 7881 port_range_start: 50000 port_range_end: 50100 use_external_ip: true turn: enabled: true udp_port: 50000 tls_port: 0 domain: "nlb-dns" redis: address: redis.livekit.svc.cluster.local:6379 logging: level: info --- # ======================== # LiveKit Deployment # ======================== apiVersion: apps/v1 kind: Deployment metadata: name: livekit-server namespace: livekit labels: app: livekit-server spec: replicas: 1 selector: matchLabels: app: livekit-server template: metadata: labels: app: livekit-server spec: containers: - name: livekit-server image: livekit/livekit-server:v1.5.2 env: - name: LIVEKIT_CONFIG valueFrom: configMapKeyRef: name: livekit-config key: livekit.yaml - name: LIVEKIT_KEYS value: "devkey: my_dev_secret_key_123456789_secret_value" - name: LIVEKIT_RTC_NAT1TO1_IPS value: "nlb-dns" ports: - containerPort: 7880 name: http - containerPort: 7881 name: rtc-tcp - containerPort: 50000 name: turn-udp protocol: UDP - containerPort: 443 name: turn-tls protocol: TCP --- # ======================== # LiveKit Internal Service # ======================== apiVersion: v1 kind: Service metadata: name: livekit-server namespace: livekit spec: type: ClusterIP selector: app: livekit-server ports: - name: http port: 7880 targetPort: 7880 - name: rtc-tcp port: 7881 targetPort: 7881 --- # ======================== # NLB Service for TCP # ======================== apiVersion: v1 kind: Service metadata: name: livekit-nlb-tcp namespace: livekit annotations: service.beta.kubernetes.io/aws-load-balancer-type: "nlb" service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: "stickiness.enabled=true,stickiness.type=source_ip" spec: type: LoadBalancer externalTrafficPolicy: Local selector: app: livekit-server ports: - name: http-api port: 7880 targetPort: 7880 protocol: TCP - name: rtc-tcp port: 7881 targetPort: 7881 protocol: TCP --- # ======================== # NLB Service for TURN/UDP # ======================== apiVersion: v1 kind: Service metadata: name: livekit-nlb-udp namespace: livekit annotations: service.beta.kubernetes.io/aws-load-balancer-type: "nlb" service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: "stickiness.enabled=true,stickiness.type=source_ip" spec: type: LoadBalancer externalTrafficPolicy: Local selector: app: livekit-server ports: - name: turn-udp port: 50000 targetPort: 50000 protocol: UDP - name: turn-tls port: 443 targetPort: 443 protocol: TCP --- # ======================== # NLB for UDP Media Range # ======================== apiVersion: v1 kind: Service metadata: name: livekit-udp-range namespace: livekit annotations: service.beta.kubernetes.io/aws-load-balancer-type: "nlb" service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" spec: type: LoadBalancer externalTrafficPolicy: Local selector: app: livekit-server ports: - name: udp-50000 port: 50000 targetPort: 50000 protocol: UDP

It looks like the "TRANSPORT_FAILURE" error in your logs is pointing to a hiccup with the WebRTC peer connection, which often happens because of network challenges like blocked UDP traffic, DTLS handshake issues, or NAT/firewall restrictions. I understand how frustrating this can be! Here are a few steps that might help resolve this: • Force TURN Usage: You can configure your client to use TURN relays exclusively by setting

iceTransportPolicy: 'relay'

in the RTC configuration. This way, connections will go through TURN servers, avoiding direct UDP/TCP connections that might be blocked. • Enable TURN/TLS: It’s a good idea to update your LiveKit configuration to enable TURN over TLS on port 443. This often gets through restrictive firewalls more easily. Here’s how you can set it up:

turn:
  enabled: true
  tls_port: 443
  domain: <http://turn.myhost.com|turn.myhost.com>
  cert_file: /path/to/turn.crt
  key_file: /path/to/turn.key

• Test Connectivity: I recommend using the LiveKit Connection Tester to check WebRTC, WebSocket, and TURN connectivity. This tool can really help pinpoint any network restrictions still in play. Please don’t hesitate to reach out if you need more help or run into other issues—I’m here to support you! Sources: pkg/rtc/transport_test.go | livekit-ffi/src/conversion/room.rs | Firewall Tips | Diagnosing Connection Errors with Connection Test Utility