We are a small university with a PA 2050. Since we installed the box, our XBOX live gamers have complained that they can't connect to XBOX live, or that if they ever DO connect, it takes a long time. The message they receive, in particular, is that their NAT setting was set to "strict".
I've allowed xbox traffic in the PA, I've even gone and specifically opened XBOX ports, but no luck. A last setting that Xbox live suggests is turning on UPnP, which doesn't seem to be an option in my PA, and even if it was, I wouldn't really want to enable because of the security problems that might cause.
Does anyone have any insight into this problem?
I assume you are using a pool NAT, where multiple internal systems are NATed behind a single external NAT. In this situation the XBOX NAT test will come back as strict. This is normal and the XBOX should still work and users should still be able to connect and play games. You shouldn't need the inbound ports open, because the PAN should detect the XBOX traffic and be able to handle the return traffic gracefully.
Your outbound policy should allow the XBOX live application out. In the service column you should either be using application default or any. You might want to create a specific policy allowing XBOX application only.
As a test you might try configuring a static (one-to-one) NAT for a device and see if this improves things.
What game are they having trouble with?
If you still have problems you should open a support case.
Kerberos is an authentication protocol. So there is probably a separate session created for your XBOX Live login. They probably also exchange some information on port 80 so this is the "Web Browsing" requirement. As long as the XBox has the ability to Send/Receive web and Kerberos you will be OK. These can be separate rules or one rule with all dependencies. Separation will give you better visibility if you need to investigate or run reports.
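To make the advice in the two replies above concrete, here is a PAN-OS CLI configuration fragment (added as an illustration, not taken from any poster or from Palo Alto Networks documentation). It assumes a zone called Students, an untrust zone called Untrust, an egress interface ethernet1/1, a console subnet 10.10.20.0/24, one test console at 10.10.20.55, and a spare public address 203.0.113.55; all of those names and addresses are made up for the example. It shows the outbound security rule with the xbox-live, kerberos and web-browsing App-IDs kept as separate rules for visibility, the existing pool (dynamic-ip-and-port) NAT that produces the "strict" result, and the one-to-one static NAT suggested as a test for a single device.

```panos
configure

# Outbound security policy: one rule per application so traffic logs and
# reports show xbox-live, kerberos and web-browsing separately.
# "application-default" limits each App-ID to the ports it normally uses.
set rulebase security rules Allow-Xbox-Live from Students to Untrust source 10.10.20.0/24 destination any application xbox-live service application-default action allow log-end yes
set rulebase security rules Allow-Xbox-Kerberos from Students to Untrust source 10.10.20.0/24 destination any application kerberos service application-default action allow log-end yes
set rulebase security rules Allow-Xbox-Web from Students to Untrust source 10.10.20.0/24 destination any application web-browsing service application-default action allow log-end yes

# Existing pool NAT (many consoles share the egress interface address).
# Consoles behind this rule report NAT type "strict", which is expected.
set rulebase nat rules Students-PAT from Students to Untrust source 10.10.20.0/24 destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Test: give one console a one-to-one static NAT to its own public address.
# bi-directional creates the matching inbound translation; inbound sessions
# are still subject to security policy, so nothing is exposed without a rule.
set rulebase nat rules Xbox-Test-Static from Students to Untrust source 10.10.20.55 destination any service any source-translation static-ip translated-address 203.0.113.55 bi-directional yes

# NAT rules are evaluated top-down; the host-specific rule must sit above
# the subnet-wide PAT rule or it will never match.
move rulebase nat rules Xbox-Test-Static before Students-PAT

commit
```

If the console behind the static rule reports a better NAT type than those behind the pool rule, the thread's diagnosis (NAT behaviour rather than blocked ports) is confirmed for your environment; the static mapping is a diagnostic step, not something to roll out to a whole subnet.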
We are similar in that we just switched to a PA2020 from a PIX525 a week ago.
I believe this is a NAT problem, not a port/application problem.
On the Pix I was able to get the Xbox to show up as moderate NAT which is good enough for our students as achieving open is probably not safe or even possible in an enterprise network.
The three levels are strict, moderate, open.
I used my xbox originally when I set up game consoles to work on the PIX so I am going to bring my console back in soon and experiment with it directly.
If anyone has any success in solving this though, please let us know. If I come up with a solution I'll update my post.
The XBox most definitely does use Kerberos traffic (it actually does use port 88) in communication with the Live servers, so you don't want to block that (and if you don't have a list-ending "Allow all," then you want to explicitly add Kerberos for the Xboxen). It wouldn't surprise me if some of the traffic decodes as http/web-browsing, although it may not necessarily use port 80.
In a typical home environment, the XBox will attempt to use UPnP to communicate to the router that it wants one single port open for itself. It will use a dynamic high-numbered port, and UPnP will simply forward this off the router back to the XBox. It does a combination of TCP and UDP traffic over that port.
I have not gotten to try a PA device at home so I'm not sure how well the decoders and NAT functionality handle this process. In the absence of UPnP, the XBox will never show "Open NAT" (unless there is a 1:1 NAT or some other setup in place where all of its traffic passes transparently). At least, this has been my experience with a bunch of other firewalls. I currently use a pfSense device at home, specifically because it does support UPnP (along with some enterprise grade features) so I can have my nerdy IT cake (RRDTool graphs and advanced rulesets) and eat it too (no problems with XBoxen or DirecTV receivers or the like due to UPnP). pfSense even allows you to limit UPnP functionality to specific subnets/IPs, so I could potentially see it being an answer for a university (use DHCP to restrict your Xboxes to a specific subnet, and then only allow that subnet to use UPnP, and rate limit / traffic shape it so it is only good for game traffic and not bulk downloads).
After all of the hell I went through with bug #32846, I'd love for PA to send me a 500 with lifetime definitions to experiment with at home.