RTP Forwarding and SRTP auth_fail errors

We are experiencing a serious SRTP auth_fail issue in production where we are RTP forwarding a video or an audio stream, then stop the forwarding and forward again the same feed id to the same streaming plugin mid.

In a long meeting sometimes we see the following SRTP auth error in the Janus log and the users subscribed to the streaming plugin see a grey screen or do not hear the audio.The SRTP auth error is flooding the logs and the seq keeps increasing in them. Unfortunately I cannot give concrete steps to reproduce - have been trying for 2 hours and somehow I reproduced only twice. Could you give some guidance what exactly could that error be caused by? Should I try to set a new SSRC for every rtp forward even if it’s the same feed id and stream? That’s how I fixed a SRTP replay issue before, but here we have an SRTP auth issue.

[Fri Jan 30 16:39:18 2026] [ERR] [plugins/janus_streaming.c:janus_streaming_relay_thread:10081] [mp-6e54abcd-c28e-454f-be75-a767c9deb0b3] Video (#1) SRTP unprotect error: srtp_err_status_auth_fail (len=1193–>1193, ts=183456450, seq=59195)

Found the issue: It’s the ROC (Roll over Counter) which increases after 65536. You need to stream for quite some time till you hit that amount of packets. And after restarting stream the ROC is 0 on publisher side, but Streaming plugin has cached in the SRTP context for the SSRC that ROC is 1. That mismatch causes the error. A new SSRC on every rtp forward fixes it, cause it resets the Streaming Plugin SRTP context.

Apologies for the late answer, I was at FOSDEM and I’m only now flying back home. Yes, that’s the issue and why changing SSRC fixes it, but not because it resets anything, simply because counters are stream-specific, and so bound to the SSRC (at least that’s how they’re implemented in libsrtp I think).