08-29-2013 4:24 PM
I have an interesting issue with the microcell. ATT has not been much help. I have the cell connected to my network and my network device config is as correct as I know to make it. Activation fails, just sits with the signal bars light flashing. So I use a network packet analyzer and watch as I restart the cell. After GPS lock, the cell tries to contact 184.108.40.206 on port 443. This I expected as it was indicated as an early step in the process by some posts I read. However, the attempt to connect to this IP address times out. There is no reply from 220.127.116.11. The cell will retry this address and 18.104.22.168, which is apparently shut down as I get an ICMP for that indicating it is blocked on purpose. A tracert of 22.214.171.124 shows the route going into a series of ATT servers and finally to 126.96.36.199 and then the tracert times out.
Now it seems if this connection is not made, activation cannot proceed. ATT ignores this and runs me through all kinds of other stuff before telling me my connection speed is too low and that is why it fails. Really?
ATT did confirm that 188.8.131.52 is the correct IP but that's about all I got out of them.
Any ideas on why I am not getting any further than the failed connect to 184.108.40.206:443?
08-29-2013 5:09 PM
There are 4 ports that should be open at all times. 443 seems to be the most troublesome. I have seen an upstream switch between the ISP and AT&T's servers fail which will cause the symptoms that you are describing. Unfortunately, it takes some footwork to figure this out. You might want to PM CustomerCare (see the link in my sig), explain the problem, give them your account info, and include a copy of your traceroute to show where it appears to be failing. You might also want to look at my MicroCell Technical Guide for further information (the link is in my sig). Let us know what happens.
I am not an AT&T employee.
08-30-2013 12:31 PM
I want to confirm, port 443 needs to be open for incoming connections? If so, does this mean ATT will try to contact the MC on 443?
Separately, I have a friend who has an MC (the reason I got one) and he installed it, made no changes to router/modem (no port forwarding), turned it on and it worked first time and ever since. I had him do the tracert on his connection (Comcast) and the tracert failed exactly the same as mine...that baffles me. My network traces show the MC failing to get a connection to 220.127.116.11 (this appears to be a connection timeout) and that is as far as the MC start up gets. tracert shows path to 18.104.22.168 ends at 22.214.171.124 with "Destination Net Unreachable".
- edited 08-30-2013 12:47 PM
The ports that need to be open are 123 UDP, 443 TCP, 500 UDP, and 4500 UDP (all public and private). IPSec Pass-through has to be enabled and Block Fragmented Packets needs to be disabled. If you have a separate router and modem, only one of them can be handling NAT. 123 is for NTP traffic, 443 is for HTTPS over TLS/SSL, 500 is for IPSec Phase 1 prior to NAT detection, and 4500 is for IPSec NAT Traversal.
Most of the time, the MicroCell is plug and play with little to no configuring. But, depending on how you have your LAN set up, the router you use, your ISP, etc., it may take a little more work to get it up and running. I don't have an answer for the confusing traceroute results. Make sure that your home address is correct. You may have to either reset the MicroCell or deactivate/reactivate your account. Is this a new MicroCell or did you buy it off of eBay or someplace else? You may find some useful information in my MicroCell Guide. See the link in my sig.
I am not an AT&T employee.
08-30-2013 4:25 PM
So here is an interesting twist to all this. I was watching my router logs and saw a ping coming to my router from an ATT IP address which I have previously seen as the source of the ICMP message stating the target ATT IP 126.96.36.199 or 188.8.131.52 can't be reached. My router was blocking that ICMP from reaching the MC and so I have opened that up. We will see what happens. As an aside, until today my MC would get GPS lock in about 2 min, today it's taking an hour or more...the fun never stops.
08-30-2013 6:01 PM
08-30-2013 6:17 PM
09-03-2013 5:46 PM
Let's ignore my home setup for now. I have the MC at my office where I have more control and tools to research this problem. The setup is an Actiontec DSL modem doing pretty much 100% pass-through to a Windows 2000 box running ISA server as the gateway and firewall. The 2000 box serves my office LAN via a second NIC.
Now using a packet analyzer to monitor my network, both inside and on the outgoing NIC to the DSL modem, when the MC gets GPS lock, it tries to connect TCP to 184.108.40.206:443. This appears to be expected based on my readings on this forum and elsewhere. The problem is that connect never completes. It times out and in looking at the packets, I get an ICMP message sent back to me by an ATT server saying that 220.127.116.11 is administratively blocked. Given that this connection fails, the MC never goes any further. It does try 18.104.22.168 after an hour and then back to 22.214.171.124 after an hour and this just repeats, failing each time. At my home, I see the same thing, though in less detail...MC tries to connect to 126.96.36.199:443 but fails.
It appears to me that all the configuration info about ports and fragmentation and etc does not yet apply here as the MC needs to complete that connection to 188.8.131.52 in order to move forward with configuration and eventually reach a point where that other stuff would come into play. It suggests the ATT server for MC has changed at some point and my MC (used) has old firmware or ??
As one might expect, regular ATT MC support has been useless. I have received a response to my PM posted here saying I will be contacted by a tech at some point soon.
09-03-2013 5:48 PM
As an additional data point, I had my ISP check things out and they pointed out that a tracert on 184.108.40.206 goes into a series of ATT systems before the tracert stops with the ICMP indicating the IP is not available.
09-03-2013 6:12 PM
Ok. The MicroCell is basically a simple, dumb device. The more you put in front of it, the more it is apt not to work. It is for home use and not for work use (but there are some who successfully use it at work). Your home setup is important for us to troubleshoot the issues so that is why we asked. See the MicroCell Technical Guide link in my sig for more information.
I am not an AT&T employee.
09-03-2013 6:19 PM
A further correction...when trying to contact 220.127.116.11:443, there is no reply at all. When contacting 18.104.22.168:443, there is an ICMP reply stating the address is administratively denied. That's not the exact text but it will take another hour for retry on that addr so will get the exact text and source of the ICMP tomorrow.
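The posts above turn on telling apart a connect attempt that gets no reply at all from one answered with an ICMP "administratively" blocked message. The following is an added example, not code from any poster in this thread, that makes that distinction from the client side without a packet capture; the function names are hypothetical, and the errno mapping for ICMP unreachable replies is the usual Linux behaviour, stated here as an assumption.

```python
import errno
import socket

# Assumption: on Linux, an ICMP destination-unreachable reply to a TCP SYN
# (including the "administratively prohibited" codes) surfaces from
# connect() as one of these errno values.
ICMP_ERRNOS = {errno.EHOSTUNREACH, errno.ENETUNREACH}


def classify_error(exc):
    """Translate a connect() failure into what happened on the wire."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"            # SYN sent, nothing came back at all
    if isinstance(exc, ConnectionRefusedError):
        return "refused"            # host answered with a TCP RST
    if isinstance(exc, OSError) and exc.errno in ICMP_ERRNOS:
        return "icmp-unreachable"   # a router or firewall sent an ICMP error
    return "other"                  # DNS failure, local policy, etc.


def probe_tcp(host, port, timeout=5.0):
    """Attempt one TCP handshake and report the outcome as a short label."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify_error(exc)


if __name__ == "__main__":
    # Constructed offline demo: a loopback listener stands in for the
    # remote server, so no real address from the thread is contacted.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    print("listener up:  ", probe_tcp("127.0.0.1", port, 2.0))
    srv.close()
    print("listener down:", probe_tcp("127.0.0.1", port, 2.0))
```

A "timeout" result matches the "no reply at all" case and "icmp-unreachable" matches the administratively denied case; neither is produced by the loopback demo, which only exercises "open" and "refused".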
09-03-2013 8:58 PM
I wouldn't worry too much about the addies you're connecting to, or trying to connect to. It's interesting to see what the communication is but it's not going to help you much. Most people don't have the ability to do what you can do so we have to work from that premise to keep the help as universal as possible. For your home, how do you have the MicroCell setup?
I am not an AT&T employee.
09-04-2014 9:46 AM
I am seeing the same exact symptoms. I see traffic leaving my fw/router destined to two netblocks of ATT (22.214.171.124/24, 126.96.36.199/24). I am not seeing any traffic coming back to the device. Are these network blocks even valid for Microcells anymore?
Any help would be greatly appreciated. I only get 1-2 bars inside my house.
09-04-2014 11:10 AM
Like I said before, I see the packets leave my network, just nothing comes back. I also noticed that the 443 connection requires a cert to connect. It would be amusing if they issued new certs for Heartbleed and were not able to update microcells that are trying to connect.
This is very frustrating. Having this device outside my network is unacceptable and I see nothing blocking outbound initiated traffic. Creating rules from untrust (internet) to the device to me is silly as the only ports open on the device are 22, 80, and 8080. Which all are filtered.