The Amazon Connect “ice_collection_timeout” error is one of the most frustrating hurdles for Cloud Contact Center administrators. One moment your agent is ready to take a call; the next, the Contact Control Panel (CCP) hangs, and the logs scream a WebRTC failure.
If you are seeing “Initialization Failed” or missed calls due to ICE timeouts, the issue isn’t Amazon Connect itself—it’s the handshake between your agent’s workstation and the AWS media servers.
In this guide, we’ll break down exactly how to diagnose and fix the ICE collection timeout in Amazon Connect, specifically for complex VDI and VPN environments.
What is the ICE Collection Timeout?
ICE (Interactive Connectivity Establishment) is the framework WebRTC uses to find the best path to connect two endpoints (the agent and the AWS media server).
When you see an ice_collection_timeout, it means the CCP tried to gather “candidates” (IP addresses and ports) to establish an audio stream, but the timer expired before a valid path was found. In simpler terms: The call is signaling, but the audio “pipes” are blocked.
Common Symptoms:
- Agents click “Accept,” but the call never connects.
- The CCP status is stuck on “Connecting” followed by “Missed Call.”
- CCP logs show:
ICE_COLLECTION_TIMEOUT.
1. The Firewall Fix: Port 3478 is Non-Negotiable
The most common cause of an ICE timeout is a firewall blocking STUN/TURN traffic. Amazon Connect uses these protocols to traverse NAT (Network Address Translation).
The Surgical Fix: You must allow UDP Port 3478 outbound from your agent workstations to the Amazon Connect IP ranges.
| Traffic Type | Protocol | Port | Direction |
| Media / Signaling | TCP | 443 | Outbound |
| Control / STUN | UDP | 3478 | Outbound |
| Audio (RTP) | UDP | 1024 – 65535 | Outbound |
Pro Tip: If you use a Stateless Firewall, you must also allow the return traffic for these ports. Many enterprise firewalls drop UDP packets if they don’t see a reciprocal rule.
2. VPN and Split Tunneling
If your agents are working from home via VPN, the “tunnel” often adds too much latency or restricts UDP traffic.
The Fix: Implement Split Tunneling. Ensure that traffic destined for Amazon Connect URLs (e.g., *.awsapps.com or *.my.connect.aws) and AWS IP ranges bypasses the VPN tunnel.
Sending real-time voice traffic through a VPN “double-encrypts” the packets, leading to jitter and—you guessed it—ICE timeouts.
3. Optimizing VDI (Citrix, VMware, AWS WorkSpaces)
Running a CCP inside a Virtual Desktop Infrastructure (VDI) is the “Hard Mode” of Amazon Connect. Because the audio is being processed on a remote server rather than the local machine, the ICE collection often fails.
The Fix:
- Use the Amazon Connect VDI Agent: AWS provides a specific software shim that offloads media processing from the VDI server to the local hardware.
- Enable Media Redirection: Ensure your VDI policy allows browser-based WebRTC redirection to the local client.
4. Troubleshooting with the “Endpoint Test Tool”
Before you start tearing down your network, use the tool AWS built specifically for this.
- Have the affected agent navigate to the Amazon Connect Endpoint Test Tool.
- Run the test.
- Look specifically at the UDP Connectivity and ICE Gathering sections.
If “ICE Gathering” fails or takes longer than 10 seconds, your network is dropping the STUN packets needed to negotiate the connection.
5. Browser-Level Blockers
Sometimes, the browser itself is the bottleneck.
- mDNS Privacy: In Chrome, if
Anonymize local IPs exposed by WebRTCis enabled (often by IT policy), it can delay candidate gathering. - Hardware Acceleration: In rare cases, disabling hardware acceleration in Chrome settings can resolve CCP initialization hangs.
Summary Checklist for Admins
- [ ] Whitelist IP Ranges: Ensure the latest AWS IP address ranges for Amazon Connect are allowed.
- [ ] Prioritize UDP: Prioritize UDP over TCP for media traffic to reduce latency.
- [ ] Check Latency: Ensure Round Trip Time (RTT) to the AWS region is under 200ms.
Fixing the Amazon Connect ICE collection timeout is about clearing the path for WebRTC. By focusing on Port 3478, VPN split tunneling, and VDI optimization, you can eliminate “Initialization Failed” errors and keep your agents focused on the customer.
Also Check – The Amazon Connect 503 Survival Guide: Taming the Peak Volume Beast