Trouble connecting to Elk from work (split from other threads)

rbarnes

Hello,
 
I'm hoping someone can assist me. I have had an M1 installed at home for about a year and have RP software running on my home laptop on my internal network, as well as from my office via the internet. I also have the Elk app running on my phone.
 
The other day I went to connect from work and couldn't, so I checked at home and all is good.
 
I have been speaking with the local Ness office and we have come up against a wall. He has confirmed that there is nothing wrong with my home connection or Panel and that the issue must lie with my office connection.
Interestingly, I can connect on my phone at work through the telephone network; however, when I turn on my wireless connection to the office router, again I can't connect.
 
When I connect from the office I get
“Connecting to account...”
“Verifying system identity”
Then “System did not respond. Connection may have terminated”
Click Cancel and get “Disconnecting” then “System returned invalid information”
 
Can anyone shed some light on what I could try to resolve this?
 
Sounds like your office IT people have installed a firewall that is blocking the ports that you were using to connect to the M1EXP.
 
Thanks FlyingDiver, but I believe all outgoing ports are open by default??? I also thought this. My only question is does the port (which one?) need to be opened on the office router so the M1 can talk back to our office?
 
I'm pretty sure that to talk to your panel via RP you need to open more ports than you'd otherwise want open to the public internet.  To be clear, the ONLY port you should be forwarding would be the XEP's secure port and nothing else, except *maybe* port 80, preferably masqueraded to another port.
 
Many small offices will have wide open outbound access via all ports until you step up security, then they'll limit outbound access to just normal legitimate traffic like 80, 443, maybe ftp, etc; others would be blocked.  Normally a port wouldn't need to be open on the office router for the return traffic since it's initiated on your end - the return traffic will follow (at least for NAT purposes) - but the outbound traffic would need to be permitted.
 
The default secure port that ElkRP uses is 2601.  Unless you've changed that setting in the M1EXP setup, that's the port that needs to be open from the office network.  You also need to make sure the forwarding for that port in your router hasn't been lost.
 
It is my understanding that the port forwarding only needs to be done on the gateway that the Elk controller is connected to in your home. You need to forward whatever port numbers are defined in ElkRP. You should not need to forward any ports at the remote site, i.e. your workplace.
 
If you are able to connect to the Elk via ethernet using cell towers and you can not connect using the wifi at your workplace then maybe you have a problem with the wifi connection between your phone and the gateway.
 
Mike.
 
In all the cases the OP has said don't work, the common factor is he's using his office network to connect to the Internet.  In the cases that do work (home, phone using cellular data connection), he's not.  So the problem has to be with his office network.  And the most likely is that there's now a block on the ports he's trying to use, at the office's router to their ISP.  This would have the same effect from either his desktop computer or his phone using wifi.
 
I should not have even mentioned port forwarding. I forgot that he said it's still working from his phone using the cell data connection.  So the port forwarding is still good.
 
Your office IT can certainly block parts of your outbound connection. Some companies will block sites (e.g. hosted email so you can't check your personal email from a business asset), but as stated above, they can also block ports. I have a shared site that I pay for hosting of - I can access the site from my workplace (standard HTTP, port 80), but not webmail or the cPanel, which operate on specific ports.
 
Elk RP requires access to the secure TCP port 2601, although this could be changed.  You can test the connection using telnet or putty from your office to see if you get a connection.  It could also be latency issues; ElkRP may not have been designed and tested to run across long distances and may just be timing out. Based on the fact that you are getting to the authentication line, I would guess it is latency related.  You should also try using the IP instead of DNS name to rule that out.
 
If they are blocking the port you could try changing your port forwarding on your router to use 443 if you are not using that port for anything else and then setting that port in ElkRP to try and bypass anything your work is doing.
 
Note your office can also block URLs over standard ports if they have you going through a proxy server, and can even block/filter communication over SSL/encrypted channels if they have control of our client by using proxy clients or by using man-in-the-middle type certificate trusts on your browser.
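
The telnet/putty check suggested above, written as a small script that also separates a DNS problem from a blocked port and reports connect latency. This is an added example, not part of any poster's message; `home.example.net` is a placeholder for your own DDNS name or IP, and 2601 is the default secure port mentioned in the thread.

```python
import socket
import sys
import time


def probe(host, port=2601, timeout=5.0):
    """Try one TCP connection and classify the outcome.

    Returns (status, detail) where status is one of:
      dns_failure - the name did not resolve (retry with the raw IP)
      filtered    - no answer before the timeout (typical of a firewall drop)
      refused     - something answered with a reset (no listener/forward, or a rejecting firewall)
      unreachable - some other network error (no route, etc.)
      open        - the TCP handshake completed
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns_failure", str(exc))

    family, socktype, proto, _, addr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect(addr)
    except socket.timeout:
        return ("filtered", f"no reply from {addr[0]}:{port} in {timeout:.0f} s")
    except ConnectionRefusedError:
        return ("refused", f"{addr[0]}:{port} actively refused the connection")
    except OSError as exc:
        return ("unreachable", str(exc))
    finally:
        sock.close()

    elapsed_ms = (time.monotonic() - start) * 1000
    return ("open", f"{addr[0]}:{port} connected in {elapsed_ms:.0f} ms")


if __name__ == "__main__":
    # Placeholder target; pass your own host (and optionally port) as arguments.
    target = sys.argv[1] if len(sys.argv) > 1 else "home.example.net"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 2601
    status, detail = probe(target, target_port)
    print(f"{status}: {detail}")
```

Run it once from the office network and once over a cellular connection. An `open` result only shows that the TCP handshake completed; it says nothing about what happens to the traffic after that.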
 
You can definitely use ElkRP remotely; I've set this up recently for 2 different installations via DDNS services. However, FWIW, you will find in the Elk manual that you are required to be on site for UL installations.
 
drvnbysound said:
You can definitely use ElkRP remotely; I've set this up recently for 2 different installations via DDNS services. However, FWIW, you will find in the Elk manual that you are required to be on site for UL installations.
Same here.
 
While not UL, it's great to tweak something for a customer than rolling for it (I used it to change windows to FA the last time)
 
It seems pretty clear that the problem is with your office network.  Since you can connect from home, and from work through the telephone network, that points to your office network as the source of the problem.  It is not uncommon for businesses to block various ports on their firewall, and/or block connections to certain IP addresses.
 
rbarnes - your original post was started about a week ago and several people were offering tips - then you posted the same original question in two more threads today.  They've been consolidated to your own thread.  Please work through it here.
 
If you can connect over a cellular network (known to be wide open) but not from the office, then the problem is pretty obvious - something is happening at work to block either the outbound or the return communication.  You can do further investigation to find out which ports are blocked; consider the workarounds suggested above; or proceed from there as you wish.  The people who have responded above know what they're talking about.
 
I do like the idea of using a commonly-open port such as 443 or seeing if 8080 or 8443 or one of those other common ones is open - on your router you could actually forward two different ports to the same destination so you really wouldn't even need to change it on the XEP.
 
Update. I have just checked my home router to check the forwarding etc and found that my office connection is getting to my router with the following entry
 
[Elk rule match] from xxx.xxx.xxx.xxx:59824 to xxx.xxx.xxx.xxx:2601 Wednesday, July 16,2014 15:26:38 
 
So to me that appears that I am getting out from my office to my home router.
But what does that mean as far as why I can't connect? I'm lost!
 