Contributor
mike_cc
Posts: 6
Registered: 03-19-2014

Airave Device blocked by comcast network security

Hello Comcast,

 

I have an Airave device, which is a femtocell device provided by Sprint. The unit has failed to function because of network security actions taken by Comcast. Sprint has informed me that Comcast is blocking port 68. This page confirms Comcast is blocking said port. Is there any workaround that Comcast can propose to resolve this issue?

 

Michael

Bronze Problem Solver
Posts: 1,338
Registered: 11-16-2003

Re: Airave Device blocked by comcast network security


 

This is beyond my experience, but posting anyway. :)

 

* (someone correct me if this is wrong)

Sure, Comcast is blocking port 68, but that is access on the WAN side of the router, inbound to port 68 from the internet (blocking attacks). Comcast can't block port 68 being used on the LAN side (your router & devices connected to it).

 

I found 2 links where some of the info and concepts mentioned may help; maybe you've already read these.

i.e.: accessing the Airave's built-in config/setup, turning its DHCP server off, maybe setting a static LAN IP. Also the mention of adding the Airave's LAN IP to the DMZ in your router sort of makes sense in the context of what these posters are describing.

 

https://community.sprint.com/baw/thread/44059

https://community.sprint.com/baw/thread/59464

 


Contributor
mike_cc
Posts: 6
Registered: 03-19-2014

Re: Airave Device blocked by comcast network security

Thanks for providing an informative post. It's been more helpful than Sprint at this point.

 

I have tried placing the device in front of my router and behind my router. It still cannot connect to the Sprint network. I have seen both the posts you referenced. However, both those posts are over 3 years old and address the fact that Sprint says the device can't go behind a router. According to Airave technical support it is now acceptable to place the Airave behind a router, and in some cases necessary.

 

Unfortunately, much of how the Airave works seems to be a bit of a black box. When Airave support mentioned port 68 today, I knew immediately that's used for DHCP. I mentioned this to tech support and he was unclear what DHCP was. I'm a sysadmin and I'm used to being the person with all the technical information and solving problems myself. But in this case, I'm just another user and there seems to be little information, if any, about how to solve problems related to the Airave.

 

Bronze Problem Solver
Posts: 1,338
Registered: 11-16-2003

Re: Airave Device blocked by comcast network security


 

Glad you mentioned those posts being 3 years old. I got involved in reading them and didn't notice.

So yes, those users & their struggle would have likely then been with a previous generation of Airave, that had a WAN port & a LAN port? Hmmm. I'm learning with you here so be patient. Possibly others have ideas about this & will also reply.

 

Looked at the Sprint site, ... wealth of info there, LOL, but they had a user manual PDF which doesn't offer up much, but if current and the same as or similar to the model you have, it describes now being a model that would go behind a router, .... so it would include being set internally (hopefully) as a DHCP client (getting its IP from the router, or it could be set with a static IP). Having said that, later in the manual it pictures and describes the port on the back as being a WAN port. Nice added touch there.

 

Edit: would help to add that URL: http://www.sprintenterprise.com/airave/airaveUserGuide.pdf

 

Do you have access to the Airave's internal config/setup screens to see what it's set for and what settings are available? (if current models have that).

 

With it connected to the router, reboot the router & then access the router's setup screens to verify the two are communicating and the router shows it as a connected device. If so, the router will display the IP being used for the Airave, so then try adding it to the router DMZ. I'd think that's necessary to receive calls, as the inbound connection would otherwise be seen as an unsolicited inbound connection? Although maybe the Airave connects & maintains an active connection (when it actually works).

 

Also, & I know this sounds (of course I have), but there were references somewhere there that these come already activated, but included a disclaimer to call Sprint for activation if the device isn't activated.

(I guess they aren't sure.)

 


 

 

Bronze Problem Solver
Posts: 1,338
Registered: 11-16-2003

Re: Airave Device blocked by comcast network security

 

OK, it depends where one looks on Sprint.

Do you have the Airave, or the Airave Access Point? ... although connecting them behind a router, they would both be connected & used the same way, it looks like.

 

Airave

http://www.sprintenterprise.com/airave/airaveUserGuide.pdf  

Airave Access Point

http://support.sprint.com/global/pdf/user_guides/sprint/airave/airave_by_sprint_ug.pdf

Contributor
mike_cc
Posts: 6
Registered: 03-19-2014

Re: Airave Device blocked by comcast network security

I have an Airave 2.5 (http://support.sprint.com/global/pdf/user_guides/sprint/airave_2_5/airave_2_5_ug.pdf). After a cursory search of the two models you ask about, the Airave or the Airave Access Point, I don't see how they differ.

 

At this point I am using tcpdump and Wireshark to analyze the packets sent out by the Airave device. I started the capture slightly before power cycling the unit. There is some traffic on port 4500 destined for an IP outside of my network. It seems like it is NAT traffic, which isn't strange because I'm using NAT on my network. I'm going to try moving the device to the DMZ and try capturing the data again.

 

Here is a portion of the tcpdump:

13:50:36.002773 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 29) 10.101.21.32.4500 > 68.28.61.122.4500: [udp sum ok] isakmp-nat-keep-alive
13:50:36.002773 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 29) 10.101.21.32.4500 > 68.28.61.122.4500: [udp sum ok] isakmp-nat-keep-alive
13:50:47.781151 IP (tos 0x0, ttl 64, id 12, offset 0, flags [none], proto UDP (17), length 47) 10.101.21.32.62477 > 10.101.21.1.53: [udp sum ok] 40613+ A? . (19)
13:50:47.781151 IP (tos 0x0, ttl 64, id 12, offset 0, flags [none], proto UDP (17), length 47) 10.101.21.32.62477 > 10.101.21.1.53: [udp sum ok] 40613+ A? . (19)
13:50:47.818011 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 122) 10.101.21.1.53 > 10.101.21.32.62477: 40613 NXDomain q: A? . 0/1/0 ns: . (94)
13:50:47.818048 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 122) 10.101.21.1.53 > 10.101.21.32.62477: 40613 NXDomain q: A? . 0/1/0 ns: . (94)
13:50:47.833734 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 393) 10.101.21.32.500 > 68.28.61.122.500: [|isakmp]
13:50:47.833734 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 393) 10.101.21.32.500 > 68.28.61.122.500: [|isakmp]
13:50:47.897372 IP (tos 0x20, ttl 51, id 17568, offset 0, flags [none], proto UDP (17), length 328) 68.28.61.122.500 > 10.101.21.32.500: [|isakmp]
13:50:47.897402 IP (tos 0x20, ttl 51, id 17568, offset 0, flags [none], proto UDP (17), length 328) 68.28.61.122.500 > 10.101.21.32.500: [|isakmp]
13:50:47.907180 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 284) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:50:47.907180 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 284) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:50:47.965595 IP (tos 0x20, ttl 51, id 17625, offset 0, flags [none], proto UDP (17), length 140) 68.28.61.122.4500 > 10.101.21.32.4500: NONESP-encap: [|isakmp]
13:50:47.965625 IP (tos 0x20, ttl 51, id 17625, offset 0, flags [none], proto UDP (17), length 140) 68.28.61.122.4500 > 10.101.21.32.4500: NONESP-encap: [|isakmp]
13:50:47.966998 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 124) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:50:47.966998 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 124) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:50:48.027972 IP (tos 0x20, ttl 51, id 17661, offset 0, flags [none], proto UDP (17), length 140) 68.28.61.122.4500 > 10.101.21.32.4500: NONESP-encap: [|isakmp]
13:50:48.027999 IP (tos 0x20, ttl 51, id 17661, offset 0, flags [none], proto UDP (17), length 140) 68.28.61.122.4500 > 10.101.21.32.4500: NONESP-encap: [|isakmp]
13:50:48.028824 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 100) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:50:48.028824 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 100) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:50:48.088258 IP (tos 0x20, ttl 51, id 17708, offset 0, flags [none], proto UDP (17), length 124) 68.28.61.122.4500 > 10.101.21.32.4500: NONESP-encap: [|isakmp]
13:50:48.088283 IP (tos 0x20, ttl 51, id 17708, offset 0, flags [none], proto UDP (17), length 124) 68.28.61.122.4500 > 10.101.21.32.4500: NONESP-encap: [|isakmp]
13:50:48.089132 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 116) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:50:48.089132 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 116) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:50:51.093127 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 116) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:50:51.093127 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 116) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:50:56.005190 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 29) 10.101.21.32.4500 > 68.28.61.122.4500: [udp sum ok] isakmp-nat-keep-alive
13:50:56.005190 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 29) 10.101.21.32.4500 > 68.28.61.122.4500: [udp sum ok] isakmp-nat-keep-alive
13:50:56.100034 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 116) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:50:56.100034 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 116) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:50:59.167314 IP (tos 0x20, ttl 51, id 23881, offset 0, flags [none], proto UDP (17), length 108) 68.28.61.122.4500 > 10.101.21.32.4500: NONESP-encap: [|isakmp]
13:50:59.167341 IP (tos 0x20, ttl 51, id 23881, offset 0, flags [none], proto UDP (17), length 108) 68.28.61.122.4500 > 10.101.21.32.4500: NONESP-encap: [|isakmp]
13:50:59.168508 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 100) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:50:59.168508 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 100) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:51:02.171659 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 100) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:51:02.171659 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 100) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
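
An added example in Python (not code from the thread or from Sprint) that parses tcpdump lines in the format posted above, tallies them by the port each packet uses, and flags outbound packets that repeat with no reply in between, which is the pattern of an IKE exchange the remote peer is not answering. The sample input is a de-duplicated subset of the capture above, and the device address 10.101.21.32 is taken from it.

```python
import re
from collections import Counter

# Sample input: a de-duplicated subset of the tcpdump lines posted in the thread.
CAPTURE = """\
13:50:47.781151 IP (tos 0x0, ttl 64, id 12, offset 0, flags [none], proto UDP (17), length 47) 10.101.21.32.62477 > 10.101.21.1.53: [udp sum ok] 40613+ A? . (19)
13:50:47.818011 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 122) 10.101.21.1.53 > 10.101.21.32.62477: 40613 NXDomain q: A? . 0/1/0 ns: . (94)
13:50:47.833734 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 393) 10.101.21.32.500 > 68.28.61.122.500: [|isakmp]
13:50:47.897372 IP (tos 0x20, ttl 51, id 17568, offset 0, flags [none], proto UDP (17), length 328) 68.28.61.122.500 > 10.101.21.32.500: [|isakmp]
13:50:48.089132 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 116) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:50:51.093127 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 116) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:50:56.005190 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 29) 10.101.21.32.4500 > 68.28.61.122.4500: [udp sum ok] isakmp-nat-keep-alive
13:50:56.100034 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 116) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:50:59.167314 IP (tos 0x20, ttl 51, id 23881, offset 0, flags [none], proto UDP (17), length 108) 68.28.61.122.4500 > 10.101.21.32.4500: NONESP-encap: [|isakmp]
13:50:59.168508 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 100) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
13:51:02.171659 IP (tos 0xa0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 100) 10.101.21.32.4500 > 68.28.61.122.4500: NONESP-encap: [|isakmp]
"""

# tcpdump -v UDP line: "<time> IP (... length N) src.sport > dst.dport: info"
LINE = re.compile(r"^\S+ IP \(.*?length (\d+)\) (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                  r"(\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")

def parse(text):
    """Parse tcpdump -v UDP lines into dicts; lines that don't match are skipped."""
    pkts = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        length, src, sport, dst, dport, info = m.groups()
        pkts.append({"len": int(length), "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "info": info})
    return pkts

def classify(p):
    """Name the traffic by the ports the Airave is known to use (500, 4500, 53) plus DHCP."""
    if "keep-alive" in p["info"]:
        return "NAT-T keepalive"
    names = {4500: "NAT-T encapsulated IKE/ESP", 500: "IKE", 53: "DNS", 67: "DHCP", 68: "DHCP"}
    return names.get(p["dport"], names.get(p["sport"], "other"))

def summarize(text):
    return Counter(classify(p) for p in parse(text))

def count_retransmits(text, device="10.101.21.32"):
    """Count outbound packets repeated (same peer, port, size) before any packet came back."""
    pending, retx = set(), 0
    for p in parse(text):
        if p["src"] != device:
            pending.clear()          # something answered, so earlier sends are not unanswered
            continue
        key = (p["dst"], p["dport"], p["len"])
        if key in pending:
            retx += 1                # identical send with no reply in between: likely IKE retry
        pending.add(key)
    return retx
```

A non-zero retransmit count on the 4500 flow together with no ESP traffic afterwards is what a stalled tunnel negotiation looks like in this format; a capture where the exchange completes shows each outbound message answered before the next is sent.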

Contributor
mike_cc
Posts: 6
Registered: 03-19-2014

Re: Airave Device blocked by comcast network security

So I moved the device to the DMZ and ended up with the same results.

Bronze Problem Solver
Posts: 1,338
Registered: 11-16-2003

Re: Airave Device blocked by comcast network security


For the 2 PDFs I posted:

Airave looks to be a smaller unit with no LAN ports, just a WAN port.

Airave Access Point (looks to be the same as the 2.5) has a WAN port & 2 LAN ports, but using it behind a router only the "WAN" port connected to the router would be used.

 

 

Being a sysadmin you already know most anything I'd come up with at this point, I think.

Connecting it should normally be everyday networking.

For anyone else I'd check they didn't set the Airave's WAN settings to use PPPoE & left it as "no (DHCP)", ISP username/password blank, .... encapsulation none? ... other settings there default.

Sounds like you're beyond all the typical things to check though.

So then also have to consider it a bad unit, except it looks to be attempting to connect out.

 

 


Contributor
mike_cc
Posts: 6
Registered: 03-19-2014

Re: Airave Device blocked by comcast network security

I think it might be a bad unit. But Sprint is convinced it's a Comcast issue. So getting them to send another unit might be tough.

Bronze Problem Solver
Posts: 1,338
Registered: 11-16-2003

Re: Airave Device blocked by comcast network security

Take it to a Sprint store and say, "OK, show me it works", LOL

Bronze Problem Solver
Posts: 1,338
Registered: 11-16-2003

Re: Airave Device blocked by comcast network security


 

So I did find ....

"configure your home router to pass through IPSec VPN Traffic and the AirWave should work fine."

http://www.dslreports.com/forum/r25661950-Airwave-Inside-or-Outside-the-router-firewall- 

But most routers do that by default now, don't they?

 

Also: "you may need to open the following UDP ports on your switch or router: 500, 4500, 53 and 52428"

http://support.sprint.com/global/pdf/user_guides/samsung/airave/airave_by_sprint_faq.pdf

... but adding its IP to the router's DMZ accomplishes that, or no?

 

 

Have to go actually do some work; anyone else feel free to join in :).

 


Contributor
mike_cc
Posts: 6
Registered: 03-19-2014

Re: Airave Device blocked by comcast network security

The link showing the packet capture was helpful. Mine looks similar.

[attached screenshot: 2014-03-19_1651.png]

 

The device is out in the DMZ, so the router should not have to be configured to pass IPSec. It looks like it may never actually establish the tunnel, which might be related to Comcast blocking port 68? I'm really grasping at straws here.

Bronze Problem Solver
Posts: 1,338
Registered: 11-16-2003

Re: Airave Device blocked by comcast network security

 

Sooooo, I'm out of guessing-type ideas.

Except that I noticed all the forum posts out there, when detailing connections and starting devices, are saying connect with powered-off devices, then boot the modem first. But when experimenting & switching the device connected to the modem, we want to first boot the modem with the connected device (router or Airave) already on, so that the modem gets the MAC of the connected device as it (the modem) boots and the IP address is assigned. After the modem boots, then restart all the connected devices as needed.

Try also posting in the "Home Networking/Router/& WiFi Gateway Help" area, asking about IPSec VPN & whether Comcast blocking port 68 would have any effect, etc., since Sprint is claiming it does.

 
