What's new

RT-AC86U: "PCP MAP: failed to add mapping TCP" error every 15 minutes

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Uluqat

New Around Here
I am running Merlin's 384.14_2 on my ASUS RT-AC86U and the router log is showing an error every 15 minutes that I don't understand:

Jan 27 14:35:49 miniupnpd[1460]: PCP MAP: failed to add mapping TCP 9->192.168.50.162:9 'PCP MAP 68e9e3fadbd4ca8c3e79352b'
Jan 27 14:50:49 miniupnpd[1460]: PCP MAP: failed to add mapping TCP 9->192.168.50.162:9 'PCP MAP 68e9e3fadbd4ca8c3e79352b'

192.168.50.162 is my Mac Mini running macOS 10.15.2 (Catalina). The only application I have running is Firefox.
I've tried restarting the Mac Mini, and changing the “Enable secure UPnP mode” setting from “Yes” to “No” but the error still occurs. When I change the “Enable UPnP mode” setting from “Yes” to “No”, miniupnpd shuts down and stays shut down and the error stops, but when I re-enable UPnP, the error starts again.

I don't know what my Mac is doing to make these errors happen or how to check, and I don't really understand UPnP very well so I don't know what I am losing by disabling it or if this error matters at all.
 
Port 9 is typically used for WOL. Are you using that for your Mac Mini?

Didn't think I was using Wake On LAN, certainly have never had any need for it. I had to google how to turn it on in macOS. So I go to System Preferences -> Energy Saver and "Wake for network access" is on. WTF? I have turned it off now.

Thank you!

Edit: After doing that, I hit the "Restore Defaults" button and, among other things, WOL turned back on. Mac users should be aware that this is a default setting. I certainly wasn't.
 
After turning off WOL, I rebooted the Mac and rebooted the router, but the error is still occurring.
 
WOL is usually turned on for most PC/laptops. All my computers have it enabled. That's not a problem in itself because it's something that is only applicable to devices on the local network.

It would only be an issue if someone/something was trying to enable remotely sending WOL packets from the internet to a device on your LAN. Do you have some sort of app that tries to do this?
 
No, I don't know of anything like that. Our mobile devices are two iPhones and an iPad, and it seems like we would need to have installed an app specifically to do that, and we have no reason to do that.
 
OK I've had a search around and I don't think this is anything to do with WOL (which normally uses UDP not TCP).

According to RFC 6887 a client can use PCP on port 9 to obtain the external IP address of a gateway device. This is used for things like updating DDNS addresses.

https://tools.ietf.org/id/draft-boucadair-pcp-flow-examples-04.html#rfc.section.4
https://tools.ietf.org/html/rfc6887#section-11.6

So I suspect this is a fairly benign action but it is creating an error because by default the router is set to not allow mapping of ports <1024. See WAN > Internet Connection > UPNP: Allowed internal port range.
 
After some fumbling around until I could force the error to happen, I found some log entries that seem to go with the error. I don't know if they add any useful information.

Jan 28 03:10:44 miniupnpd[7810]: PCP MAP: failed to add mapping TCP 9->192.168.50.162:9 'PCP MAP 26e9b7655f0b7ba17c2f8138'
Jan 28 03:10:44 miniupnpd[7810]: sendto(natpmp): Network is unreachable
Jan 28 03:10:44 miniupnpd[7810]: PCP MAP: failed to add mapping TCP 9->192.168.50.162:9 'PCP MAP e7cdb67956c93909dcd9d423'
Jan 28 03:10:44 miniupnpd[7810]: sendto(pcpserver): Network is unreachable

Jan 28 03:12:35 miniupnpd[8886]: PCP: External IP in request didn't match interface IP
Jan 28 03:12:35 miniupnpd[8886]: PCP MAP: failed to add mapping TCP 9->192.168.50.162:9 'PCP MAP ffe6bf07c8c2e73169bea86c'

Allowing the mapping of ports < 1024 via the Allowed Internal Port Range does stop the error from happening, but no alternative log messages of a successful action occur. I am not going to leave it that way. I tried port forwarding TCP port 9 instead, but that did not stop the error from happening.
 
I'm not a Mac person, but isn't there some sort of log file on the Mac Mini that you can look at (like the Windows Event Log). That would seem to be the logical place to try and track down the problem.
 
I found some log entries on the Mac that matched timestamps with an instance of the error. These 8 entries seemed to be consistent in other instances of the error. The four "private" entries are all the same, and so are the four "Stealth Mode" entries.

RG0eXNg.png


Oy3g5Lo.png
 
I tried turning off Stealth Mode in the Mac's firewall settings, but that didn't fix the error.

However, I think I finally got the right phrase to google: "mdnsresponder pcp map failed". That led me to this thread:

https://superuser.com/questions/1089370/osx-mdnsresponder-opening-all-ports-on-billion

which has a link to this thread:

https://forums.whirlpool.net.au/archive/2180205

The upshot seems to be that this is probably a long-standing bug in the part of macOS's mDNSResponder that does Bonjour.
 
@Uluqat, I've been ignoring "PCP MAP: failed to add mapping TCP 9" for years. Luckily @RMerlin provides a simple way to solve it with custom config files.
If you find it still useful I added the following upnp.postconf file to /jffs/scripts folder:
Bash:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_insert "allow 1-65535 192.168.0.1/255.255.255.0 1024-65535" "allow 1-65535 192.168.0.1/255.255.255.0 9" $CONFIG
The IP/mask and the exact location of the line might be slightly different in your particular case. You might need to look at /etc/upnp/config to find out which IP/mask you have and where to insert the line. Anyways, the line "allow 1-65535 192.168.0.1/255.255.255.0 9" should appear before the final "deny" statement according to miniupnpd developers' recommendations.
And don't forget to make upnp.postconf script executable with # chmod +x upnp.postconf command.:)
 
Last edited:
@Uluqat, I've been ignoring "PCP MAP: failed to add mapping TCP 9" for years. Luckily @RMerlin provides a simple way to solve it with custom config files.
If you find it still useful I added the following upnp.postconf file to /jffs/scripts folder:
Bash:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_insert "allow 1-65535 192.168.0.1/255.255.255.0 1024-65535" "allow 1-65535 192.168.0.1/255.255.255.0 9" $CONFIG
The IP/mask and the exact location of the line might be slightly different in your particular case. You might need to look at /etc/upnp/config to find out which IP/mask you have and where to insert the line. Anyways, the line "allow 1-65535 192.168.0.1/255.255.255.0 9" should appear before the final "deny" statement according to miniupnpd developers' recommendations.
And don't forget to make upnp.postconf script executable with # chmod +x upnp.postconf command.:)
Hi there, I am getting the same error, but I am using tailscale in docker (synology), in dual wan mode...

Would this script work for me?
 
You need to try it and see if it works for you, imho.
Instead of 192.168.0.1/255.255.255.0 you need to use the IP of your dhcp server and the mask for your network.
Thanks, but I solved the issue by deleting the tailscale from my Synology (the issue disappeared)…
 
By default miniupnpd does not allow mapping a privileged port (i.e. port below 1024), for security reasons. This is configurable on the WAN page, no need for a custom config file.
 
By default miniupnpd does not allow mapping a privileged port (i.e. port below 1024), for security reasons. This is configurable on the WAN page, no need for a custom config file.
Got it, thanks!
 
By default miniupnpd does not allow mapping a privileged port (i.e. port below 1024), for security reasons. This is configurable on the WAN page, no need for a custom config file.
Do you mean these settings?
ssht1.png

But what if all ports below 1024 need to remain blocked except for just one?
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top