HELP - 3G light is flashing, microcell was previously working fine

They're not going to send a Field Engineer out to your house or ISP so don't plan on that. It's not AT&T's responsibility to make sure your connection between you and AT&T's servers is clean. You know the MicroCell works by taking it to a different location. They can't tell another ISP how to run their connections to AT&T. I've seen ISPs (Charter for example) do upgrades on their network boxes for specific areas which affects AT&T's VoIP service. We were fortunate enough at one time to have one of Charter's Network Engineers work with AT&T to correct the problem. But, as he explained it to me, the upgrades had to do with newly implemented security measures and was not allowed to tell me exactly what they had done nor could he mention that to Charter customers. It wouldn't surprise me if something is going on (upgrades, what ever) between Kansas Net and Comcast, if they are sharing load, so somewhere along the line a port has been blocked or configured wrong.

It could be a corruped database segment on AT&T's side. That has happened in the past. In which case it's IT that has to fix it, not Field Engineers. You could deactivate/reactivate your account and see if you get the "GPS coordinates don't match address on file" error message. If not, then it has something to do with your connection between you and the AT&T servers.

EDIT: I see reading back up to your earlier posts that you have already done the deactivation/reactivation process "over 50 times". If you didn't get the address error message ( I don't think you said you did or didn't) then that points back to your ISP and/or your connection. Doesn't rule out a corrupted database but if it worked before......

Hi, Well only upgrades done here (and I checked) prior to this happening were months earlier and didn't break anything.......only upgrades done on my ISP line's since is on my Line to make sure everything was open.

They are now playing the "It's your IP Card" again. I guess Monday I will call corporate.

Here is my latest message to them:

On 7/27/2014 12:41 PM, ATT Social Care wrote:

That's all fine...........Now how about an IP or Domain Name I can ping on to insure That I have open what needs to be here.........All required ports are Forwarded and NATed, Firewall Ruled Wide Open to MicroCell Static IP. Outbound NAT has 2 Rules........1st Is for port 500 for ISAKMP, the 2nd is Source DMZ Lan, Ports All, Destination ALL, NAT address WAN, NAT port ALL.
My ISP has already opened ALL ports on my Line (and upgraded some equipment from here to them)

I don't know how More I get this thing open for send and Receive short of running a Cat6 cable straight into the Authorization BackEnd.
But trying to troubleshoot from this end without a defined Target is like trying to Walk a Maze blind folded with both hands behind my back with my shoe laces tied together.

I don't have the proper equipment to properly run Line Checks from this end....that's your issue, you SHOULD be able to punch in my STATIC IP and access the box as long as my ports are open, forwarded and NAT'd. I guess i could do some checking and try to set up the DMZ with Transparent Bridging to the WAN, but from what I've read that is not really Necessary (or should not be necessary)

Ball back to you.

P.S. I sent them another email Below:

This is my Static IP 205.XXX.XXX.XX..............it is on HTTP for the time being. Have a Network guy bring it up....I have when out of town, it is easily accessable. Heck, I'll even make a special passwork for to to Access the Interface......let your Network Guy Check my Settings..............He can even ping out from the Firewall Router to Check things. Have him run my Ports, to check, surely you are capable of that????

But I suspect your people will try and dump it all back on me and the ISP again. Trust me, I won't be mad if you can show me where I messed up. I am NOT a network professional I'm entitled to be imperfect on these issues. Your organization's Engineer's do not have that luxury...they have Professional Training.

I will give them access to my Admin Interface on the Firewall/Router. Having that IP they should be able to ping any port on my system to check. It will also allow them to visually check the network configuration over all..............guess what, it doesn't require and Network Engineer to come out..................he can do anything from his office that I can do here...all remotely.

Like I said this system is not your Garden Variety Router. More Options, more access.

Now I forgot that I have previously tunneled through a VPN to other server locations and tried to get Micro Cell to authorize off their system. If its my ISP, then it's a WHOLE lot of them having the exact same problem. Got the Exact Same Response's from their system's too, not Just my ISP.

If I could ping the domain name of their server, then I'd know if the ports are open at my End and in between. If they are not then I'll go to the ISP Backend Server's and Hook it up try pinging from there. If everything pings through, then we are open. If it still doesn't ping from there, then it is something upstream.

This would accomplish the guilt so to say of upstream. Then my ISP would have definitive proof and could push the upstream to investigate.

You're free to call Corporate if you think that will get more traction. I can't do anything with my contacts until Monday. If your service connects to Comcast it's possible that that's where the problem may lie, and good luck getting Comcast to do anything for you if you're not a customer of theirs. By an chance, do you have Vonage?

Not sure about traction, but satitraction would go a long way. Not in any real hurry, I may wait until Tuesday or Wednesday to Call Corporate...... a few more ducks to line up yet. My Call our Corporation Commission First (they set rates for all the carrier's) and register my complaint's first. I do appreciate the help though. Wondering if smoke signal's still work?

Going to talking with my ISP (and landline provider) Monday or Tuesday, he's gotten in to my old Netgear Router several times to look around in the past (with no effort at all) that's one reason I know AT&T could do much more serious troubleshooting, even without having someon physically come out.......THEY just flat don't want to and it's very obvious.....going to do a little head meeting with them soon, if I can, maybe he'll have time to poke around in this new one.

Their store (they also run a Radio Shack associate store) also carry's the Wilson Celluar Amps---that work with nearly All Carrier's..wink....wink. and they have them in stock. Not sure how to pay for it, but something's going to have to give soon. If you can't work with them....work over them.....funny thing is ..this Firewall/Router is my main router and right now is running video on 2 TV's, 3 computers, has been running since last reboot 19 straight days, no lost packets, no dropped packets ......and everything is running smooth as glass.

So my gut tells me that AT&T service for me is in it's twilight year's.............or days.

If the equipment wasn't so expensive and the difficulty of finding a reliable place to install phone interface equipment I'd just get my tech license, load up on 2 meter ham gear and go....we have bookoo 2 meter repeaters in this state... more range and at least as good of coverage.

AT&T's lack of any REAL concern and expertise is disappointing....back in the 70's and 80's I use to Service and install Dictation Equipment for Dr.'s, Lawyer's Hospital's, Large Corporation's and such. The Dial in Dictation Always had to Interface with the (SW Bell at the time) Phone Carrier's Specialized Interface Equipment, and I worked side by side with many of their field tech's and they'd bend over backward's to help you make sure something worked..and worked right. They and their supervisor's (who were mostly Real Engineers) were some great, sharp cookies...................They have really gone down hill...at least to me.

Yea, heard that about Comcast.....that's exactly the reason my ISP said they are only backup and high useage overflow when Kansas Net gets to 70% they start slipping traffic over, which mainly occur's on weekend's here....they don't trust their system either. We only have 2 REAL IT techs here and their pretty sharp pencil's and evidently they spend some time with the kids on the call in help desk....as they can walk their way around most regular problems quickly and efficiently...much more so that the majority of AT&T help desk support.

Vonage? Thats a VOIP carrier isn't it? No don't have them, mainly use Skype (which I don't really care for, much more so since Microidiots bought them) for long distance when at the house. The Cells are mainly for our Dr.'s to contact us as out here we are not always tied to the phone in the house or close and don't want to miss important calls.

Will try to work with AT&T a little longer.........if possible.

The only reason I asked about Vonage is that there can be a problem if you try to use Vonage with the MicroCell on the same line.

Again, AT&T is only responsible for what hits their servers. The requirments to do that are well known and published. Any changes that happen to your network that interferes with that is not AT&T's responsibility.

It's apparent that all you really want to do is bash AT&T, and not let us try to help you. I will still try to see if we can do anything to help you next week but given your attitude that it's all AT&T's problem, I have my doubts that we'll be able to come to a resoution.

Bash....Oh contrare.......Express my disappointment yes.

I realize that they are only responsible for what hit's their server's. A week or so back one of the Advance Support techs? did all the re-entering of the Unit into the system and for a little while it looked like it might take....the Web Page showed a Power up, went software update, went right along to the activating please wait stage...that's when Support said OK, I will call you back in 2 hrs to verify that it activated.....................I still haven't gotten that call.. Anyway after about 30-35 minutes the MicroCell errored out with an error Code of FTC-101...obviously it was doing some kind of talking to the AT&T servers.

Now until tonight I had changed NO settings or made any changes to configurations here. Yet today earlier they said they couldn't see any access.

Now If I didn't change anything on my end and 2 weeks or so ago it tryed and today it is invisible what conclusion would you come to?

Now just an hour or two ago I DID make some Changes in the Firewall Rules and NAT to further Insure that everything is more that wide open to Internet.....

I did go to the site (and correct the INCORRECT address that evidently one of the Tech's had entered) in another attempt to get activation.

I got the same thing as I had earlier it wouldn't even show a power up stage and I did a hard reset after correcting the address.

I offered to let them have total access to my system for THEIR benefit not being smart. By seeing my system and setup and working from MY end of the link I thought it might help them (and me of course) determine If it is my setup, the ISP setup or their setup.....

After all, I assumed that they want it working too....am I wrong? Guess they aren't real happy with me either from the tone.

I have been working this problem on and off now for 4 months rather consistently, reading, web search, trolling any forum for information on these type issue's.....I feel that some major disappointment  on my part was well earned. I really do believe that by now most people would have already given up, but over the year's I've very rarely let a technical problem totally beat me, as the information I learn rooting the stubborn problems out will down the road be a nice new sharp tool in my toolkit.....win, lose or draw. Knowledge is Golden.

It is up to them....and you of course if you want to keep helping.....trust me if I am given some concrete information as to the type of blocking and where it is I will pursue it..with help or not.

Like I said earlier....I will be re-visiting my ISP and picking their brains again and see if I can come at this from another angle (fresh view).

Yes the requirement's are well know...especially to me, seeing the time and effort I am putting into this. I have tried (and am stll trying) to insure that everything here that I have control of is wide open to those requirements.

Now one requirement I am not sure that any of us can change....the fact that the uCell try's to establish location with the NLS.. you stated that even without it, the MicroCell will use GPS to activate anyway.......could the fact that I get very little usable signal for the MicroCell AND that there were (are?) some significant error's in GPS be coming together to cause an additional issue?

The Admins received my message with the link to your post so we are now approaching this from two fronts. Things move slowly within AT&T, painfully slow as you have seen.

In theory, the weaker your macrocell signal (tower), the stronger the output from the MicroCell. The MicroCell doesn't really need a local tower for calls. The tower is used for service area ID, adjusting the MicroCell's transmission strength, and handing off. The tower is also used at times during the nightly maintenance when your location needs to be determined and if AT&T can't verify that with the GPS coordinates, it will use the tower signal.

I know you said your service has worked before but if your router is as sophisticated as you've indicated, could it be a setting somewhere that you've overlooked or are unaware of? Just asking. The MicroCell is a fairly simple device but it works best when there is very little between it and your modem/gateway. Simple protocol rules, no switches, and as a direct physical connection as possible.

I'm not sure I completely understand your question but I would say that the Mcell will not use just it's GPS location to activate.  The Mcell has to compare the GPS location it determines with the address you entered when attempting to activate it.  As stated before, if the coordinates as determined by your address entry do not match the coordinates as determined by the Mcell's GPS hardware, then you will get a FTC-101 error message.

We know there is nothing wrong with the Mcell as you've been able to activate it in OKC with no problem.  I'm assuming that the ISP at your relative's home where the Mcell did activate is different than your ISP.  Yes? No?

So what's different?  Your ISP, your network and your physical location.

My understanding is that pfSense is an open-source router/firewall software that is typically installed on a PC to act as a dedicated router and firewall for a network.  Is this what you've done or do you have pfSense embedded in some other piece of hardware?

I see that pfSense has known problems with other VOIP products like OnSIP.  The default UDP timeouts in pfSense are too low for some VOIP services and need to be increased to avoid disconnects.  There are other pfSense settings that may need to be changed from default to insure VOIP stability.

However, you've indicated that your Mcell worked previously before having problems.  Did the Mcell ever work while using pfSense or were you using something else before the Mcell stopped working and switched to pfSense after the Mcell stopped working?  If you are currently using a router embedded with pfSense, is it the same router you were using before only with different open-source firmware like DD-DRT?

Thanks Avedis53. Me thinks it's a config issue somewhere that is now having a conflict.

However, you've indicated that your Mcell worked previously before having problems.  Did the Mcell ever work while using pfSense or were you using something else before the Mcell stopped working and switched to pfSense after the Mcell stopped working?  If you are currently using a router embedded with pfSense, is it the same router you were using before only with different open-source firmware like DD-DRT?

This Authorization problem has been occuring since I was using a basic Netgear WR 2000 Router, stock no DD-WRT, last year (way before problems) I did flash another Netgear I had and played with it, but didn't experence any problems then, went back to stock one long before this started. I didn't move my home networking over to the Pfsense until about 3-4 weeks ago, after I had pretty much given up on AT&T.

All they could parrot was ports closed, your ISP etc.

I decided at that point to go ahead and switch over and work on the problem from there.

Finally got someone in Networking to Correct the GPS error's and monitor the bootup and activation process with the right tools to get a somewhat definitive error not just it didn't activate.

It appear's that everything is working now on GPS (fingers crossed) and there also may have been a bandwith issue as we moved the MCell from a 100mp (the Netgear speed, so somewhere MCell got picky on bandwith) over to a Gigabit Port and things improved tremendously, it almost got there. But the MCell is now throwing an error of IPSec Tunnel failed to establish. At least it knows where it is Now, any progress is good. Apparently 2 problems down...hopefully only one more.........................

Evidently the MCell is using so much bandwith that it is barely compatible with 100mb Fast Internet. My advice to anyone having any issue at all with MCell...........Move to Gigabit Now!

Then worry about it.

There appear's have been more than a single issue at play here...... If I hadn't moved to the new box I wouldn't have had a gigabit link to use. Coma Se Como So.

Question: What type of IPSec implementation does the MCell use? IPSec with shared keys or IPSec the OpenVPN way (which elimnates the MIM attacks)

For now this is the issue I will be pursuing until I after talking with my ISP and get back with Networking.

Any additional idea's or link's for intellectual enhancement?

Update Edit:

Have done some Further checking. The NAT rule allowing ISAKMP in Pfsense if Raccoon (pfsense IPSEC program name) when enabled set's up NAT Transversal on BOTH 500 & 4500. Therefore if you have a a firewall rule set to allow it (I set ALL, ALLOW ALL) Pfsense Let the MCell through the Firewall and IF MCell is Setup up right at Start EndPoint to Ending EndPoint, There is Nothing to Prevent the Establishment of a Tunnel for the VOIP Traffic and Data. IF all the Data and VOIP traffic is routed through the Cisco MCell established Tunnel, then Pfsense has no control over the timing, SIP, or any other factors of a VOIP call taking place in a Tunnel, other than maintaining that Tunnel by flushing the States Buffer so that on reconnect by the MCell there are no error's.

Now if the Call is just run open over TCP-IP, then yes they may be some things that will need to be tweaked. But from my understanding most if not all VOIP provider's software setup's setup some kind of IPSec Tunnel.....this allows the most compatibility by not really requiring port forwards...thus making it easier for computer challenged individual's to use them.

The activation process went all the way through to stage four again, just as today when on with Networking, and then errored out.

Further investigation and Googling indicates that at this stage is when account, gps location, is compared to account database and leads to final activation completion......therefore the information leads me to believe that...................................................................................................pardon the pause, just had a small earthquake..............that the problem still lies somewhere in the bowels of AT&T land.

I did find a setting to enable this raccoon IPSec and enabled it, checked firewall setting, it showed the racoon setup 500 and 4500 set up for NAT-T (NAT Transversal). I then did a Hard reset and allowed it to try and authorize................

It failed again at step 4.

Also from what I have read, that IPSec is basically setup to automatically allow NAT Transversal if a NAT-T firewall is detected at Stage 1 of the IPSec setup execution Prior to Stage 2 the actual establishment of said tunnel.......in other words, although setting port forwards for 500 and 4500, although a good idea, is NOT necessary for the IPSec Tunnel to be established.

So there it is for what its worth...........................I am continuing to investigate and do some tweaking here and there and see if I can do any work arounds to this, but I fear that there is little that I or my ISP are going to be able to do about it....it all still keeps coming back to the AT&T Network, somewhere, somehow.

Now if I had all the information and settings, including the public keys, IP info, etc I could go in an Manually setup A IPSec Tunnel for the MCell, but that would require a way to set the MCell to use MY tunnel instead of creating its own....but sense Cisco and AT&T won't let that information out (probably for good reason), there is nothing I can do about it.

Even if this was doable........if the failure is due to Account, Location errors, etc failing to match for whatever reason it is an exercise in futility to try.

I will be waiting to see If Networking finds out more....Since it failed again today they are supposed to be escalating this another level.........