SA520/SA540 and ATT Microcell 3G - Brothers that fight?

May 5th, 2010

I had a customer's network taken down by a routing table corruption issue last night.  Router pushed all traffic to a tunnel I didn't define.

My internal net is 10.1.10.X...The routing table showed a route 10.1.10.1  TeamF1 (yes - a name not a number)


I went to factory config and found that the tunnel definition is present in the default config but is uneditable in the GUI.

I'm including the real config here because it's not a secret - it's default.


The network was running fine up to this point - 100 days without a fault.  The new item on the network was an ATT Microcell 3G.  Which is a router made by Cisco.


When the Microcell came online, it seemed to create this tunnel. Is this coincidental? Does the Microcell have this same default set-up? I don't know.

Coincidentally, a company called TeamF1 makes L2TP embedded code that they sell to Cisco. OTOH, the Microcell doesn't require port 1701 to be open on the network so it's less likely they are using L2TP.


It may be unrelated but I really hate the idea of default passwords and secret keys that aren't changeable.

Anyone else have this issue? Do you know how I can get these tunnels out of the config file?


L2tp = {}
L2tp[1] = {}
L2tp[1]["IdleTimeOutValue"] = "1"
L2tp[1]["IdleTimeOutFlag"] = "0"
L2tp[1]["LogicalIfName"] = "WAN1"
L2tp[1]["NetMask"] = "0.0.0.0"
L2tp[1]["Secret"] = "password"
L2tp[1]["Password"] = "teamf1"
L2tp[1]["ServerIp"] = "192.168.1.84"
L2tp[1]["MyIp"] = "192.168.1.41"
L2tp[1]["GetDnsFromIsp"] = "1"
L2tp[1]["GetIpFromIsp"] = "1"
L2tp[1]["UserName"] = "teamf1"
L2tp[1]["_ROWID_"] = "1"
L2tp[1]["StaticIp"] = "0.0.0.0"
L2tp[2] = {}
L2tp[2]["IdleTimeOutValue"] = "1"
L2tp[2]["IdleTimeOutFlag"] = "0"
L2tp[2]["LogicalIfName"] = "WAN2"
L2tp[2]["NetMask"] = "0.0.0.0"
L2tp[2]["Secret"] = "password"
L2tp[2]["Password"] = "teamf2"
L2tp[2]["_ROWID_"] = "2"
L2tp[2]["MyIp"] = "192.168.1.42"
L2tp[2]["GetDnsFromIsp"] = "1"
L2tp[2]["ServerIp"] = "192.168.1.84"
L2tp[2]["UserName"] = "teamf2"
L2tp[2]["GetIpFromIsp"] = "1"
L2tp[2]["StaticIp"] = "0.0.0.0"
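
An audit of an exported configuration in the `Table[n]["Key"] = "value"` format quoted above, as an added example that is not part of the original post or Cisco's tooling. It lists tunnel rows the administrator did not define and credential fields stored in clear text; `expected_tunnels` and the `SAMPLE` text are assumptions built from the rows shown in the post.

```python
import re
from collections import defaultdict

# Matches rows of the exported config shown in the post, e.g.
#   L2tp[1]["Secret"] = "password"
ROW = re.compile(r'^\s*(\w+)\[(\d+)\]\["([^"]+)"\]\s*=\s*"(.*)"\s*$')

CREDENTIAL_KEYS = {"Secret", "Password"}
# Values visible in the factory-default dump quoted in the post.
FACTORY_VALUES = {"password", "teamf1", "teamf2"}

def parse_config(text):
    """Return {table: {row_id: {key: value}}} for every Table[n]["Key"] line."""
    tables = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table, row, key, value = m.groups()
            tables[table][int(row)][key] = value
    return tables

def audit(text, expected_tunnels=()):
    """Flag tunnel rows the admin did not define and clear-text credentials.

    expected_tunnels: (table, ServerIp) pairs the admin configured (hypothetical input).
    The credential value itself is never copied into the findings.
    """
    findings = []
    for table, rows in parse_config(text).items():
        for row_id, fields in sorted(rows.items()):
            where = f"{table}[{row_id}] on {fields.get('LogicalIfName', '?')}"
            if "ServerIp" in fields and (table, fields["ServerIp"]) not in expected_tunnels:
                findings.append((where, "undefined-tunnel", fields["ServerIp"]))
            for key in sorted(CREDENTIAL_KEYS & fields.keys()):
                kind = "factory-credential" if fields[key] in FACTORY_VALUES else "cleartext-credential"
                if fields[key]:
                    findings.append((where, kind, key))
    return findings

# Constructed sample: a subset of the rows quoted in the post.
SAMPLE = '''
L2tp = {}
L2tp[1] = {}
L2tp[1]["LogicalIfName"] = "WAN1"
L2tp[1]["Secret"] = "password"
L2tp[1]["Password"] = "teamf1"
L2tp[1]["ServerIp"] = "192.168.1.84"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```
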

hyeh Thu, 05/06/2010 - 07:46

Hi,

We are currently investigating this problem and will get back to you in short time.


Thanks,

Henry

ambleside Mon, 05/10/2010 - 06:39

No update yet from Cisco but I've found out more...


It seems unlikely this tunnel was the cause....Although it shouldn't be in the cfg file...


The leading candidate for the cause is equally annoying but less obscure.


I had the idea to turn on inter-vlan routing between the vlans...But the SA540 just bridges the interfaces - and there are no inter-vlan ACLs so...so the multi-cast traffic from the Microcell ended up taking down a bunch of devices that don't handle traffic well that were VLAN'd specifically to avoid extra traffic. I could either use MAC filters, create a whole lot of ACLs + port forwards on the DMZ side or put in a different router....


Cisco has taken in escalations on a number of fronts but hasn't actually responded to any of this except for the Smart Design team which has been pro-active...


Are others using the SA520 or SA540 in a small business productively? Between the SSL VPN issues and this, I'm having my doubts that it's ready for much....I could have just put in an 891 and been done....

hyeh Mon, 05/10/2010 - 10:54

Hi,

Sorry for the late response regarding your question. Our design team has seriously looked into this issue, especially the routing table correction, since the day you posted your question. However, it takes time to root cause it, because our design team needs to simulate/investigate any possibilities that could lead to this problem.

We appreciate you providing us more information about how it happened. We will update our design team regarding this finding, and we will address the teamf1 reference and clear text password issue in the next release.

Thanks,

Henry

I also just installed an ATT/Cisco 3G Microcell and WASTED a lot of time troubleshooting with ATT... I started to suspect my SA 520W so I plugged the 3G Microcell into an old PIX 501 on my secondary DSL line and it worked perfectly the first time.


Cisco, please fix this! I have had other issues at customer sites where I've deployed SA 520 units - most issues fixed by latest firmware, but this ATT 3G Microcell is a new and irritating problem. Hopefully fixed soon in next firmware.

ambleside Thu, 07/08/2010 - 08:51

So the firmware with clear-text passwords that are unchangeable has been out for almost 8 months now - when can we expect an upgrade? I completely documented this for Cisco 9 weeks ago and have yet to get a call from the Irvine team that was supposedly hot on the issue.

gattusop Wed, 12/07/2011 - 18:59

I just got off the phone with AT&T and we have done everything possible on the microcell.  I just decided to look up and check and see if my SA520 is the cause of my issues.  Can you please update this blog and let me know if you have found a fix for this issue?

I boxed the AT&T Microcell unit up long-ago. It was a disgustingly inept piece of equipment and unless there’s ever a specific posting to clarify the problem and posit the solution I won’t waste another minute on it.


I’ve configured a few in homes but the results are disappointing even when it works.


My advice for people who wish to use a phone in a home or office without AT&T or cellular coverage is to use a land line or internet phone such as MagicJack.


Dan

ambleside Wed, 12/07/2011 - 20:43

I did finally get to a stable implementation in our office but in a fairly "stupid" way.  We put in a UC320 which barely has a firewall.  I put that in front, SA520 behind.  The Microcell works fine behind the UC320.  It works ok behind Linksys product at customer sites - but give it an SA and it fails.  The fact that neither Cisco nor AT&T can document the exact conditions for the product success sucks but I do feel that it's the lack of documentation or disclosure rather than the implementation itself that's of issue here...


Aaron

rshao Thu, 12/22/2011 - 14:44

Just a quick check... not sure if there is a layer 1 or layer 2 issue between the ATT Microcell and SA500.

I would suggest checking duplex and speed on the SA500 to match whatever the settings are on the ATT Microcell.


You can change duplex and speed under Port Management under Networking.

Otherwise, please open a case with TAC for further troubleshooting.
