coreMQTT Demo (Mutual Authentication) on Windows does not work

I am trying to run the coreMQTT Demo (Mutual Authentication), following the configuration as described on MQTT Demo (with TLS – Mutual Authentication) - FreeRTOS, but this demo is not running properly and the log is shown below. Can anyone suggest what can be the possible ways to fix this?

The interface that will be opened is set by "configNETWORK_INTERFACE_TO_USE", which
should be defined in FreeRTOSConfig.h
Attempting to open interface number 2.
Successfully opened interface number 2.
3 3415 [IP-Task] prvInitialiseDHCP: start after 250 ticks
vDHCPProcess: discover
4 4674 [IP-Task] vDHCPProcess: offer 10.201.99.191
vDHCPProcess: reply 10.201.99.191
5 5134 [IP-Task] vDHCPProcess: offer 10.201.99.191
vDHCPProcess: acked 10.201.99.191
6 5134 [IP-Task]
IP Address: 10.201.99.191
Subnet Mask: 255.255.0.0
7 5134 [IP-Task] Gateway Address: 10.201.0.1
DNS Server Address: 172.19.2.1
8 5415 [DemoTask] [INFO] [MqttMutualAuth] [prvConnectToServerWithBackoffRetries:735] Creating a TLS connection to a2vtd9m5hzbrcl-ats.iot.us-west-2.amazonaws.com:8883.

9 10434 [DemoTask] FreeRTOS_ProcessDNSCache: add: 'a2vtd9m5hzbrcl-ats.iot.us-west-2.amazonaws.com' @ 52.27.62.0 (TTL 60)
DNS[0xD2ED]: The answer to 'a2vtd9m5hzbrcl-ats.iot.us-west-2.amazonaws.com' (52.27.62.0) will be stored
10 10434 [DemoTask] [INFO] [SocketsWrapper] [TCP_Sockets_Connect:135] Creating TCP Connection to a2vtd9m5hzbrcl-ats.iot.us-west-2.amazonaws.com.
11 10434 [DemoTask] FreeRTOS_connect: 2639 to 52.27.62.0:8883
Socket 2639 -> 52.27.62.0:8883 State eCLOSED->eCONNECT_SYN
12 10434 [IP-Task] prvSocketSetMSS: 1400 bytes for 52.27.62.0:8883
prvWinScaleFactor: uxRxWinSize 1 MSS 1400 Factor 0
13 10434 [IP-Task] Connect[52.27.62.0:8883]: next timeout 1: 3000 ms
prvWinScaleFactor: uxRxWinSize 1 MSS 1400 Factor 0
14 13434 [IP-Task] Connect[52.27.62.0:8883]: next timeout 2: 6000 ms
[ERROR] [SocketsWrapper] [TCP_Sockets_Connect:144] 15 15434 [DemoTask] Failed to connect to server: FreeRTOS_Connect failed: ReturnCode=-116, Hostname=a2vtd9m5hzbrcl-ats.iot.us-west-2.amazonaws.com, Port=8883.
16 15434 [IP-Task] FreeRTOS_closesocket[2639 to 52.27.62.0:8883]: buffers 60 socks 0
[ERROR] [MbedtlsTransport] [TLS_FreeRTOS_Connect:678] 17 15434 [DemoTask] Failed to connect to a2vtd9m5hzbrcl-ats.iot.us-west-2.amazonaws.com with error -116.
18 15434 [DemoTask] [WARN] [MqttMutualAuth] [prvConnectToServerWithBackoffRetries:760] Connection to the broker failed. Retrying connection with backoff and jitter.
19 15854 [DemoTask] [INFO] [MqttMutualAuth] [prvConnectToServerWithBackoffRetries:735] Creating a TLS connection to a2vtd9m5hzbrcl-ats.iot.us-west-2.amazonaws.com:8883.

The DNS resolution seems to be working but the TCP connection cannot be established. Do you have a firewall that may be preventing this connection? Can you capture network traffic using wireshark?

I have disabled the firewall on my computer, and then I took a screenshot while capturing packets with Wireshark, and I have also uploaded the packet capture file.


log.zip (121.7 KB)

Thank you for sharing the network capture. As we can see, you do not get any SYN-ACK for the SYN you send.

It does not have to be a firewall on your computer but a firewall on your network. One possibility is that the firewall does not allow port 8883. You can try port 443 by making the following changes to demo_config.h:

#define democonfigUSE_AWS_IOT_CORE_BROKER    ( 1 )
#define democonfigMQTT_BROKER_PORT    ( 443 )

I have tried this method, but I still have the same issue. The error message and the content captured by Wireshark are the same as before.

Can you try using this TCP example to confirm if you are able to reach any server at all?

OK, thanks. I have tried this example and made some configurations. My computer IP is 10.201.215.137.

In main.c:
#define mainCREATE_SIMPLE_UDP_CLIENT_SERVER_TASKS     0
#define mainCREATE_TCP_ECHO_TASKS_SINGLE              0
#define mainCREATE_TCP_ECHO_SERVER_TASK               1
In FreeRTOSConfig.h:
#define configUDP_LOGGING_ADDR0             10
#define configUDP_LOGGING_ADDR1             201
#define configUDP_LOGGING_ADDR2             215
#define configUDP_LOGGING_ADDR3             137
#define configECHO_SERVER_ADDR0     10
#define configECHO_SERVER_ADDR1     201
#define configECHO_SERVER_ADDR2     215
#define configECHO_SERVER_ADDR3     137
In FreeRTOSIPConfig.h:
#define ipconfigUSE_DHCP                                      1

The output result:

So I want to know if my configurations are correct and how to confirm if I am able to reach any server.

@daofx123

How did you create the device IoT thing? Was it through the AWS Command Line Interface (CLI) by running the tools/aws_config_quick_start/SetupAWS.py script? Did it succeed?

Also, can you check which security policy is used in AWS → IoT Core → Settings?

No, I used the AWS IoT console to create the device IoT thing. And the security policy used is TLS12_1_2_2022_10.

@daofx123

Is the AWS IoT policy created as per these steps: Create AWS IoT resources - AWS IoT Core

Please make sure the created policy is attached to the thing and at least one version of the policy is active. [AWS IoT → Security → Policies → All versions]

Yes, I created it following those steps, and the policy is attached to the thing, and one version of it is active.

Can you try creating the thing with the AWS Command Line Interface (CLI) by running the tools/aws_config_quick_start/SetupAWS.py script?

Also, please make sure that your AWS IoT broker is reachable from your region. It seems to be reachable and connecting from where I’m trying:

C:\Users\tonyjosi>ping a2vtd9m5hzbrcl-ats.iot.us-west-2.amazonaws.com

Pinging a2vtd9m5hzbrcl-ats.iot.us-west-2.amazonaws.com [52.34.148.21] with 32 bytes of data:
Reply from 52.34.148.21: bytes=32 time=240ms TTL=243
Reply from 52.34.148.21: bytes=32 time=241ms TTL=243
Reply from 52.34.148.21: bytes=32 time=240ms TTL=243
Reply from 52.34.148.21: bytes=32 time=240ms TTL=243

Ping statistics for 52.34.148.21:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 240ms, Maximum = 241ms, Average = 240ms

C:\Users\tonyjosi>ncat a2vtd9m5hzbrcl-ats.iot.us-west-2.amazonaws.com 8883 -v
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Connected to 52.34.148.21:8883.

Yes, I can ping my AWS IoT broker from my region. And I am trying to create the thing with the AWS Command Line Interface (CLI). But what is the difference between this method and creating the thing via the AWS IoT console?

The script does the same as what's done through the console, except that it's easier and the chances of missing/incorrect steps are lower.

I also tried this method, creating the thing with the AWS CLI, but the problem is the same. So what can I do to solve this problem?

Can you share the versions of FreeRTOS+TCP library and the demo code?

The version is FreeRTOS 202212.01. I ran the MQTT_Mutual_Auth demo, and I only changed the config file. And this is my demo code.
demo_config.zip (6.1 KB)

Thank you for sharing your demo_config. Since it contains your private credentials, I'd recommend removing it and deleting the cert from your AWS account later.

Assuming you are using PowerShell, can you run the following command:

Test-NetConnection -computername <your_broker_endpoint> -port 8883

Replace <your_broker_endpoint> with your AWS IoT Broker endpoint.

Thanks for your recommendation, and this is the output:

PS C:\Users\ASUS> Test-NetConnection -computername a2vtd9m5hzbrcl-ats.iot.us-west-2.amazonaws.com -port 8883

ComputerName     : a2vtd9m5hzbrcl-ats.iot.us-west-2.amazonaws.com
RemoteAddress    : 2620:108:700f::22d7:2366
RemotePort       : 8883
InterfaceAlias   : 以太网
SourceAddress    : 2001:da8:1002:6001::3:4a2b
TcpTestSucceeded : True
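One detail worth checking in the output above: Test-NetConnection reached the broker at an IPv6 address (RemoteAddress 2620:108:700f::22d7:2366), while the FreeRTOS+TCP stack in the first log resolved the same name to an IPv4 address (52.27.62.0) and got no SYN-ACK there, so the two checks did not exercise the same network path. The following Python script is an added example, not code from the thread, from FreeRTOS or from AWS: it extracts the resolved address, the attempted endpoint and the failure code from the demo log (sample lines constructed from the thread), and, given network access, probes the broker per address family so the IPv4 result can be compared with what the embedded stack saw. The hostname is the one posted in the thread; the function names are my own.

```python
import re
import socket

# Constructed sample: lines copied from the FreeRTOS+TCP demo output posted in the thread.
SAMPLE_LOG = """\
9 10434 [DemoTask] FreeRTOS_ProcessDNSCache: add: 'a2vtd9m5hzbrcl-ats.iot.us-west-2.amazonaws.com' @ 52.27.62.0 (TTL 60)
11 10434 [DemoTask] FreeRTOS_connect: 2639 to 52.27.62.0:8883
[ERROR] [SocketsWrapper] [TCP_Sockets_Connect:144] 15 15434 [DemoTask] Failed to connect to server: FreeRTOS_Connect failed: ReturnCode=-116, Hostname=a2vtd9m5hzbrcl-ats.iot.us-west-2.amazonaws.com, Port=8883.
"""

DNS_RE = re.compile(r"FreeRTOS_ProcessDNSCache: add: '([^']+)' @ (\d+\.\d+\.\d+\.\d+)")
CONNECT_RE = re.compile(r"FreeRTOS_connect: \d+ to (\d+\.\d+\.\d+\.\d+):(\d+)")
FAIL_RE = re.compile(r"FreeRTOS_Connect failed: ReturnCode=(-?\d+), Hostname=([^,]+), Port=(\d+)")

def summarise_demo_log(log):
    """Extract what the embedded stack resolved, which endpoint it tried and how the connect failed."""
    summary = {"resolved": {}, "attempts": [], "failures": []}
    for line in log.splitlines():
        if m := DNS_RE.search(line):
            summary["resolved"][m.group(1)] = m.group(2)
        elif m := CONNECT_RE.search(line):
            summary["attempts"].append((m.group(1), int(m.group(2))))
        elif m := FAIL_RE.search(line):
            summary["failures"].append(
                {"code": int(m.group(1)), "host": m.group(2), "port": int(m.group(3))})
    return summary

def probe_by_family(host, port, timeout=5.0):
    """Plain TCP connect to every address the name resolves to, grouped by family (needs network).
    FreeRTOS+TCP in the demo only speaks IPv4, so the IPv4 entries are the ones to compare."""
    results = {"IPv4": [], "IPv6": []}
    for family, socktype, proto, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect(sockaddr)
                results[label].append((sockaddr[0], "connected"))
            except OSError as exc:  # timeout with no SYN-ACK, or refused/unreachable
                results[label].append((sockaddr[0], f"failed: {exc}"))
    return results

def explains_failure(summary, results):
    """True when the probe found no working IPv4 path and the embedded stack did fail over IPv4."""
    ipv4_ok = any(state == "connected" for _, state in results.get("IPv4", []))
    return bool(summary["failures"]) and not ipv4_ok
```

Run probe_by_family(host, 8883) on the same Windows machine as the demo and feed its result, together with summarise_demo_log on the captured log, to explains_failure; an IPv6-only success with a timed-out IPv4 entry points at IPv4 filtering between the host and the broker rather than at the AWS IoT policy.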