Archived and Closed
This conversation is no longer open for comments or replies and is no longer visible to community members.
Procedure
NOTE: Please be advised that the router manufacturer or the ISP will not provide support for the AT&T Microcell, but they can assist with configuring the router settings.
- DHCP is on
- Data is not restricted from passing through ports 4500 and 500 (AKA Port Blocking).
- MTU size is set to 1492
- MAC address filtering is either turned off or allowing the MAC address of the AT&T Microcell
- IPSec Pass-Through is Enabled
- Block Fragmented Packets is Disabled
- If using multiple routers, the Microcell must be connected to the first router connected to the broadband modem
- If the Microcell is connected to a router that is connected to a modem and both the router and the modem have NAT (Network Address Translation) enabled, disable NAT either in the router or the modem.
- Ensure the modem / router is using the latest software (firmware). Please see the manufacturer's documentation.
TCP/UDP Ports
NOTE: All ports listed need to be configured for inbound and outbound connections.
- 123/UDP: NTP timing (NTP traffic)
- 443/TCP: Https over TLS/SSL for provisioning and management traffic
- 4500/UDP: IPSec NAT Traversal (for all signaling, data, voice traffic)
- 500/UDP: IPSec Phase 1 prior to NAT detection (after NAT detection, 4500/UDP is used)
- 4500/UDP: After NAT detection, 4500/UDP is used
172.26.241.1:29169 (sctp) [this is private address space, so I'm not sure why it's hitting my network, perhaps because the tunnel endpoint is not established so it's following the default route]
12.230.209.137:443 (https)
12.230.209.133:123 (ntp)
12.230.208.133:123 (ntp)
12.230.209.5:123 (ntp)
12.230.209.134:4500 (ipsec NAT traversal)
12.230.209.134:500 (isakmp)
It also does misc ARP requests to announce itself on the network, but that's not relevant.
I verified that all three NTP servers are responding appropriately. At least in my case the AT&T rep indicated it was an IKE authentication failure. I can see that attempted over and over, but can't really tell what it's doing (ports 500/4500):
09:48:27.680056 IP 192.168.1.249.isakmp > 12.230.209.134.isakmp: isakmp: parent_sa ikev2_init[I]
09:48:28.423738 IP 192.168.1.249.4500 > 12.230.209.134.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:48:28.423804 IP 192.168.1.249 > 12.230.209.134: udp
09:48:38.390248 IP 192.168.1.249.4500 > 12.230.209.134.4500: isakmp-nat-keep-alive
09:48:38.425314 IP 192.168.1.249.4500 > 12.230.209.134.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:48:38.425358 IP 192.168.1.249 > 12.230.209.134: udp
Anyway, maybe that's useful info.......
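A small diagnostic, added here as an example and not part of any post in this thread, that parses tcpdump summary lines like the ones above, counts IKEv2 IKE_SA_INIT and IKE_AUTH messages per direction, and flags outbound traffic to RFC1918 destinations (the 172.26.x.x case mentioned earlier). The sample capture is constructed from the quoted lines plus one made-up SCTP line; because the quoted capture shows only the outbound side, an outbound IKE_AUTH is taken as evidence that IKE_SA_INIT was answered.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the tcpdump lines quoted in this thread (last line added).
SAMPLE_CAPTURE = """\
09:48:27.680056 IP 192.168.1.249.isakmp > 12.230.209.134.isakmp: isakmp: parent_sa ikev2_init[I]
09:48:28.423738 IP 192.168.1.249.4500 > 12.230.209.134.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:48:28.423804 IP 192.168.1.249 > 12.230.209.134: udp
09:48:38.390248 IP 192.168.1.249.4500 > 12.230.209.134.4500: isakmp-nat-keep-alive
09:48:38.425314 IP 192.168.1.249.4500 > 12.230.209.134.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:48:40.000000 IP 192.168.1.249.49152 > 172.26.241.1.29169: sctp
"""

# tcpdump summary line: "<ts> IP <src>[.<port>] > <dst>[.<port>]: <info>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\w+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\w+))?: (?P<info>.*)$"
)

def parse_line(line):
    """Split one tcpdump IPv4 summary line into its fields; None for other lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def diagnose(capture, local_ip):
    """Count IKEv2 messages per direction and report where tunnel setup stalls."""
    c, leaked = Counter(), set()
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        direction = "out" if p["src"] == local_ip else "in"
        m = re.search(r"ikev2_(init|auth)\[([IR])\]", p["info"])
        if m:  # key: (direction, exchange, Initiator/Responder)
            c[(direction, m.group(1), m.group(2))] += 1
        if direction == "out" and ipaddress.ip_address(p["dst"]).is_private:
            leaked.add(p["dst"])  # RFC1918 target sent outside the tunnel
    init_sent, auth_sent = c[("out", "init", "I")], c[("out", "auth", "I")]
    # An outbound IKE_AUTH proves IKE_SA_INIT was answered even in a one-way capture.
    init_ok = c[("in", "init", "R")] > 0 or auth_sent > 0
    if init_sent and not init_ok:
        verdict = "stalled at IKE_SA_INIT: no reply on 500/UDP"
    elif auth_sent and c[("in", "auth", "R")] == 0:
        verdict = f"IKE_AUTH sent {auth_sent}x without reply on 4500/UDP"
    else:
        verdict = "IKEv2 exchange completed"
    return {"verdict": verdict, "auth_retransmits": max(auth_sent - 1, 0),
            "private_destinations": sorted(leaked)}
```

Run it against a two-way capture (`tcpdump -n udp port 500 or udp port 4500` on the router) to distinguish a blocked port from an IKE_AUTH that is sent but never acknowledged.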
$ traceroute 172.26.244.1
traceroute to 172.26.244.1 (172.26.244.1), 30 hops max, 60 byte packets
1 openwrt (192.168.1.1) 0.413 ms 0.494 ms 0.587 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
$
However, when I run the same test outside of Viasat, I get a better trace, but it still terminates prematurely.
$ traceroute 172.26.244.1
traceroute to 172.26.244.1 (172.26.244.1), 30 hops max, 40 byte packets
1 REDACTED (REDACTED) 0.366 ms 1.907 ms 1.882 ms
2 ae2.car02.dllstx2.networklayer.com (67.18.7.93) 0.242 ms 0.237 ms 0.207 ms
3 po102.dsr02.dllstx2.networklayer.com (70.87.254.85) 1.815 ms 1.791 ms 1.775 ms
4 po22.dsr02.dllstx3.networklayer.com (70.87.255.69) 1.667 ms 1.653 ms 1.568 ms
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
$
I'm pretty tempted to blame this one on AT&T.
Dog gone it. I must be tired, Johnson Family gets geek of the week award for catching the fact it is a private IP address (RFC1918) and hence the reason it is not reachable. Good catch. Hopefully they will get you straight with this.
I know with dealing with Verizon and Comcast both, they will put blocks in their systems that we have had to go to Level 3 techs to get information. Clients are yelling at us because something that worked yesterday doesn't work today and it was the ISP changing something that most of their front line support folks didn't know about.
Good luck.
I will post any future information here so no more double posting. This thread has the most info in it. Here is what I posted in the other thread:
This is an interesting read - seems it has happened before. Read about half of it, but it seems to have been tied to a firmware update on the modems at some point. If Viasat recently updated modem firmware on their systems on the same day, that might explain it. It is a LOT to read through, but perhaps someone can reference this and get the fix rolling more quickly.
Hope this helps a bit.
http://www.wildblueworld.com/forum/archive/index.php/t-7067.html
There is a great deal of technical detail in the thread. It seems as if the ports are open, but the key exchange to open the tunnel is failing. There are at least 6 others in the same position who are posting, and it seems this also happened in 2013. Link to the old post is:
http://www.wildblueworld.com/forum/archive/index.php/t-7067.html
My contact information is below. Please advise and post if possible. There are a lot of angry customers, especially over the silence. Perhaps if others do the same, we can get this escalated, as there is clearly nothing we as end users can do to fix this problem.
ExedeNeil, Official Rep
Several customers had similar issues and for some of them, things started working in the past two weeks.
My diagnosis so far is that the handshake between the Microcell and the ATT servers works with certain ATT servers, but not with others. There seems to be an issue with IPSec key exchange handshakes and packets larger than 1500 bytes sent by some servers, which the microcell probably rejects.
If you can send me your account number or the modem MAC address by private email on the wildblue forum (this forum does not seem to have a private email facility), I can inspect your modems and see if your modem has similar symptoms.
Of course, you have to make sure that you have opened ports 500 and 4500 on the router, as described in the ATT microcell web site http://www.att.com/esupport/article.jsp?sid=KB110286&cv=820. Exede does not block these ports.
We are looking into various options on how we can make this work. Will keep you posted as we make progress. Meanwhile, restarting the microcell may help, if it manages to hook up with a different ATT server.
ExedeNeil
https://www.wildblueworld.com/forum/showthread.php?8836-ATT-Microcell/page8