unable to connect to Online Features - Now understood.

[NoXú]

Version and language
6.10 (509827), (EN, RU - whatever)

Whether or not your game is modified using any third party scripts or mods
None at all

Game start being played
Not relevant - after new game, load save, or right after game start

Exact nature of the problem, where and when it occurs and what you were doing at the time
At the Online Features menu, filled Username (with email of account linked to steam where the game bought and the forum see the game bought at my steam account) and Password, terms of the Privacy Policy checked, hit Log In, but the game shows "Unable to connect". And what is remarkable that if I entering wrong Username/Password, the game shows "Incorrect username or password", also, Venture Extension is installed/validated! So, my internet connection is fine. Also, I'm ready to provide the traffic dump between me and xon.egosoft.com, auth.egosoft.com=egosoft.com - but I don't know how to do it privately or if you ever need it. Also, I switched to another (very different) ISP, but it does not helped.

Any possibly relevant changes you have made to your game, system, or software before the issue occurred
Generic Win10, the game launched normally via Steam, nothing special. There is no side antivirus/firewall software, also was disabled Win firewall completely via settings but it does not helped

Where appropriate, additional symptoms, error messages, links to saves *, screenshots and crash dump files
Not a crash, saves not relevant

Your system specifications in the form of a DxDiag report and vulkaninfo
DxDiag and vulkaninfo

[BurnIt!]

Hi,

We've investigated and can verify that the login on the authentication server has worked successfully (and hasn't when you intentionally entered incorrect credentials)
However we don't see a successful connection to the actual xon server. Instead we are seeing this error in the logs:

http: TLS handshake error from <your ip>:<random port>: EOF

Logging in with that game version from Steam is not generally broken, as I also just logged in successfully.
So somehow establishing a secure connection between your machine and the server fails. This could be caused by a number of reasons, including a local system clock that is out of sync, a proxy server using a http (instead of https) connection or possibly also a VPN.

Maybe this information can help you identify the issue as it appears a malformed request is reaching our servers and is therefore rejected and nothing is wrong on the server side.

[Daemonjax]

Another thing you can try is to reset your network card's advanced features back to default.

I've seen that cause weird crap like this, but it's super rare (only seen it affect connecting to optonline email servers).

[NoXú]

Another thing you can try is to reset your network card's advanced features back to default.

1. I don't touched that network card's advanced features, also checked - it's all is default.
2. My second computer (laptop) has same issue, so, looks like, issue is related to ISP connection.

We've investigated ...
... and nothing is wrong on the server side.

Big thanks for the investigation. I have no proxy nor VPN nor traffic mangling software (only unmodified Linux as router, changing some TCP headers in the way as it does as doing NAT according to RFC). I checked & synchronized system clock, used different ISPs to connections to internet, even launched the game on different PCs. I can even agree there is nothing generally wrong on my side or on Egosoft's side, but TLS connection to xon.egosoft.com is not completing (it's what I see in a traffic dumps) - the game drops the connection right after it get certificate and key exchange from server, so the only reasonable guess is the game doing TLS connection to xon.egosoft.com very tricky, failing in such rare cases like my.
I will send you a private message in which I will describe all my assumptions and tries that I made based on traffic dumps, and also attach the traffic dumps themselves. Or who should I send this information to?

[Daemonjax]

2. My second computer (laptop) has same issue, so, looks like, issue is related to ISP connection.

If you bring your laptop to somewhere else... like your workplace or friend's house or whatever... does it have the same issue?

That would rule out the networking hardware at your house and your ISP.

EDIT:

When I enabled online features, I needed to create some windows firewall rules (I have my pc pretty locked down):

1) rules for X4.exe (obviously)
2) a rule for lsass.exe (which was unexpected)

This is win7 so things may be different for you, but C:\windows\system32\lsass.exe needed outbound access to 2 ip addresses over tpc port 80 (I just did it with one rule restricting it to 184.87.173.0/24) before the login worked. That might be helpful to you, or maybe not. It was unexpected because I've had that exe blocked for (12?) years without it needing internet access.

NetRange: 184.84.0.0 - 184.87.255.255
CIDR: 184.84.0.0/14
NetName: AKAMAI
NetHandle: NET-184-84-0-0-1
Parent: NET184 (NET-184-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Akamai Technologies, Inc. (AKAMAI)

I might have to change it to 184.84.0.0/14, but that's too broad for my taste -- I'd probably just disable this game's online features instead.

[NoXú]

TL;DR: problem is solved, it was need to install latest Win updates; after updating W10 to 22H2 I've successfully logged in at the Online Features. Looks like Egosoft encoded the game to use very latest/modern encryption to connect their server.

...rule out the networking hardware at your house and your ISP...

I thank you for trying to help me with the resolution of the issue, however, you, like me, introduced the inscription "Unable to connect" into a strong delusion and I also sought the problem with the network for a very long time. And why did I have to suffer so much, trying to overcome options to find a solution to the problem? Due to the fact that the developers of the game from Egosoft decided not to bother with the explanation of the cause of the error in the case when the game cannot build a TLS connection with their server. What was the error? Who cares? "Unable to connect" - this is what the players who bought their game are worthy. "Unable to connect, check your internet connection" (with a working internet connection, in fact) - an impudent lies showing a neglect of players. In the meantime - I have the hope Egosoft will make the error message more detailed and the game will begin to report what happened wrong, in the case when something went wrong in "Online Features" and in other possible cases.
Although, I really like the game X4: Foundations, as well as the amount of content that was added to it.

[Alan Phipps]

Whilst perhaps an entertaining conspiracy theory, the idea that Egosoft would deliberately change the code of their game or server to respond only to the very latest upgrade of a nearing obsolescence OS is rather implausible. Game update timings are not in any way tied to the various OS update timings. Besides, it would have affected every player on Win10 that delays updates for whatever reasons.

A rather more plausible hypothesis is that an OS, settings, permissions or corruption issue was corrected when installing the OS update. It may even be that the latest OS update included a fix to a known issue with a previous OS update. <shrugs>

Anyway, I'm glad to hear the issue is resolved for you. Enjoy the game.

[NoXú]

Thus, only a feature-request for developers remains from my resolved problem: please detail the errors - this and the like. So that the player can see not a lie such as "Unable to connect / check your internet connection", but the essence of the error, for example: "TLS-connection to xon.egosoft.com fails to complete by reason: "+SysErrorMessage(GetLastError), where

Code: Select all

//Delphi code
function SysErrorMessage(ErrorCode: DWORD): UnicodeString;
var Len: Integer; Buffer: array[0..255] of WideChar;
begin
Len:=FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM or FORMAT_MESSAGE_ARGUMENT_ARRAY,nil,ErrorCode,0,Buffer,SizeOf(Buffer),nil);
while (Len>0) and (AnsiChar(Buffer[Len-1]) in [#0..#32,'.']) do Dec(Len);
SetString(Result,Buffer,Len)
end;

It definitely will be better for a players to be able to see the cause of problems to faster and solo solve them, maybe, by googling a little. There is no need to worry about players who suddenly can see the technical terms in error codes.
If this is wrong place for feature request, moderators, please, copy/move the thread.

[Daemonjax]

Most developers have crap error messages.

For example -- Intel.

Intel has a cool little program you can download that will scan your computer and tell you what intel driver updates are available.

It doesn't work on Win7 anymore. Why?

The error is: No working internet connection.

But you have a working internet connection.

The problem is that intel configured their servers to only respond to TLS 1.3+, but Win7 only can do TLS 1.2 (thanks Micro$oft).

You'd never know that from the error message, though.

[NoXú]

TL;DR: that filthy error popped up again
The story in detail was not just "I got updated W10 to 22H2(preview) and it's worked!", there was much more suffering. I tried to update W10, but got error that I can't fix despite the fact that I tried long and hard. Reinstalled, updated, checked the game, ensure the Online Features works. But, you know, all that's programs I still have to reinstall, so much settings...
In general, I tweaked Windows a little more and continued to play the game in full confidence that I would earn some more game credits and get involved in ventures, but recently I check and make sure that the problem has returned again!
So, once again, please! Do the sane error handling at least in just one specified place (when the game is connecting to xon) so it will display error code/description/whatever so we can advance in this issue resolving! I will get error code and toss it here (in case I can not cope with the elimination of the issue myself).
Because I'm really don't know what is actually wrong with the bundle [Win10 - X4.exe_TLS]. Because after all was fine I was just installed MS_Office, VCredist and a little more small software which are just cannot break the OS TLS.

...
You'd never know that from the error message, though.

I know I may not get informative error code, but it's worth to try.

Most developers have crap error messages.
...

I propose to be equal to the best, not the worst. Because we can. Can we? Or your final answer is to reject my feature-request? And I have to struggle solo: reinstall Win10 again , check the game, further, backup-W10-at-every-step/install-something/check-the-game/backup-W10...

And maybe (just maybe) you can check for the difference in auth & xon configuration - their certificate chains, chiphers, hashings... There must be a reason the connection to auth is works for me, but to xon - is not.

[Alan Phipps]

A recent problem of that type may have been something entirely different. Please check again now.

[NoXú]

Let's put this on hold for a while. Looks like I've found the root of the issue. Soon™ I will finish my investigation about and describe in detail what was actually cause the issue.

[NoXú]

TL;DR: It's finally works for me, and now I know what I did missed.
Yes, I'm a paranoid and I was configured the firewall to filter outgoing connections (of course I should have mentioned it from the beginning), but, I thought I took everything into account by enabling all traffic for Steam EXEs, X4.exe and others I need. But you've managed to surprise me because I didn't expect you involve some third-party utilities (like M$ service, yep) into communication with your services. I've managed to find out that if I temporarily allow ALL outgoing traffic _before_ starting the game, then I can log in at Online Features menu. It would never have occurred to me to assume that it is already too late, and therefore it is useless, having already entered the Online Features menu, to try to allow all outgoing traffic and try something there, because the game does not even report that the main failure has already occurred - the failure in which the Windows [looks like] "XblAuthManager" service is involved. Start of XblAuthManager happens at the game start up (looks like even before the game go fullscreen) - [looks like] it resolves something via UDP request to port #53, but for now, I'm too lazy to find out what exactly. And after this silent failure (when that request didn't work because the service didn't have access to the network), I get described error about "internet connection" no matter what I trying to do later in Online Features menu. My theory about the third-party utilities you're using was confirmed when I used the Process Monitor:
[ external image ]
Now it’s clear to me that you first start the XblAuthManager service and the connection with xon depends on how the DNS request using this(?) service went. Of course, I didn't know about it! Of course, I did not allow Internet access to that service and get this issue (there was no need to whitelist it before - all was worked). Alas, without reinstalling windows, I will not be able to confirm whether windows updates are relevant or not - most likely it was just a coincidence (you may want to fix the thread name). Also, there is no certainty that system DLLs somehow affect, because now I've made sure that both my Win10 don't have this error anymore.
Thus, what's is remains to me is to allow mentioned service traffic to UDP#53. And, in addition to my feature request, don't ignore communication errors from XblAuthManager service you use - tell the player error details if error is happened there.

<offtop>Holy crap, I was right from the beginning that you communicate to your servers kinda tricky (not simply) and now it also turned out the communication involves another process (in particular, a service)! How was I to know...</offtop>

Also, it's too hard to confirm that exactly XblAuthManager service is doing DNS request because right now I have outgoing connection filter turned on like before, the XblAuthManager service is still NOT whitelisted, and game is fine! It's looks like mentioned service have some cache. When the game will fail to log into Online Features again, I will know what to do / what to whitelist. When I will confirm about XblAuthManager service, I'll try to not forget to drop the line here. Of course, you can to tell much more than me what Win services the game use but you just not mentioned it. So, mostly, resolved.

[Daemonjax]

Your solution looks similar to the post I made about having to let the lsass service go outbound on win7 to some weirdo servers for this game to connect.

Except in your situation on win10/11 it's an xboxlive service trying to request dns info... maybe for those same weirdo servers? Which is a little weird by itself, because you'd figure xboxlive should still use your dnscache service for dns requests -- which should be running, and allowed outbound access to whatever your dns server is (probably your router, like me, which is the sane choice because a non-crap router will be running a persistent dns cache server and you have the option to encrypt dns traffic from your router to the dns server it uses).

I'm using a win10 pc now, but I haven't even bothered to try and enable online features for this game yet on this pc... So I can't give specific instructions as to exactly what firewall rules are necessary for this game to connect to its online stuff. Yet.

But right now... For the operating system (as in not considering applications/vpn I installed), I have literally ONE firewall rule to make everything work:
dnscache service outbound access on port 53 from my static ip address to my router's ip address -- *Everything* else is blocked by default because nothing else is essential. I'm loathe to make exceptions to that for one specific game.

Do you even need xboxlive services? Have your tried disabling them completely? You probably don't need them since they're blocked in your firewall rules anyways. I have all my xbox services disabled.

Your solution (temporarilly disabling all outbound firewall rules) isn't a real solution, btw. Don't do that. Just my opinion. For testing to see if it's even a firewall issue, it's fine... But how do you know for sure that it's really the xboxlive service dns query failure that causes the issue without properly fixing it with the appropriate manual firewall rules? It could be a red herring and it's really lsass that you needed to give outbound access to.

[NoXú]

Do you even need xboxlive services? Have your tried disabling them completely?

No, I was wrong. Just noticed that service XblAuthManager starts with the game. Maybe Win10 itself doing it. Anyway, it's not relevant.

Your solution (temporarilly disabling all outbound firewall rules) isn't a real solution, btw. Don't do that. Just my opinion.

I had a need for this, because I somehow needed to check whether authorization in the game would work for me at all or not. Of course, it was not my real solution, just for testing.

<hr/>
So, finally, what you exactly need if you have outbound connections filtering enabled:

• Dnscache service must have access to UDP#53 (I was ensured it's enabled for me long ago)
• X4.exe, Steam EXEs must have access to internet (also, I was already configured that)
• CryptSvc service must have access to TCP#80 (figured out investigating hard today)
• lsass.exe also must have access to TCP#80 (also, done today). I find it difficult to specify exact service need that access, because I have 3 services shares same lsass.exe PID in my Win10: KeyIso, SamSs, VaultSvc

I'm so happy it works now, after I spend much time and complete my investigation! For me the all I need to enable TCP#80 access for CryptSvc service and for lsass.exe. Looks like API the game uses checks certificates for validity via CryptSvc service and lsass.exe. I apologize for my misconceptions and assumptions made earlier, which do not correspond to the real state of affairs. However, it was quite difficult to analyze such a non-trivial issue because the game does not produce adequate errors to this day (game version: 6.20 (511811)). Thus, in order to conduct an investigation, I had to use only third-party tools. So, my feature-request... Ah, I not even hope.

[Daemonjax]

<hr/>
So, finally, what you exactly need if you have outbound connections filtering enabled:

• Dnscache service must have access to UDP#53 (I was ensured it's enabled for me long ago)
• X4.exe, Steam EXEs must have access to internet (also, I was already configured that)
• CryptSvc service must have access to TCP#80 (figured out investigating hard today)
• lsass.exe also must have access to TCP#80 (also, done today). I find it difficult to specify exact service need that access, because I have 3 services shares same lsass.exe PID in my Win10: KeyIso, SamSs, VaultSvc

I can probably tighten that up for you. I'll give it a shot this weekend. I wouldn't want to give anything outbound access on port 80.
EDIT: I see that on win7 I needed to give lsass access to 184.87.173.0/24 over port 80. I trust myself that that was the bare minimum needed, so you probably got that (port 80) right too.

Update: Cryptsrv over port 80 isn't required... it wants to, but you can just block it always for everything... want isn't the same thing as need. I've never had to give that outbound internet access for anything ever. lsass over port 80 is required... but you can at least restrict it to the outbound addresses 184.87.173.0/24 (same thing as 184.87.173.0/255.255.255.0 -- whatever works for you in whatever firewall you're using). This is the only application I've ever installed ever that needs lsass to have outbound internet access. Teamviewer works without it. My VPN works without it. SSL works. TLS works. Encrypted DNS works. etc.

[NoXú]

...Cryptsrv over port 80 isn't required...

CryptSvc is required TCP#80 and lsass.exe is also required - this is what I got under Win10. If one of them have no access, then, we got the issue. You can restrict them to exact networks, but, maybe, this path is not for me. I don't want to struggle each time with every new application that uses cryptographic APIs.