Hi!
A customer experienced problems today with the remaining ~100 modems of model Motorola SB5101E. They all got stuck in reject(pk) or reject(pt) and possibly online(un) for some time. CMTS is a BSR2000. We tried it all but eventually set the date back to 2020 instead of 2021 and all modems came up. The modem logs showed a lot of "Time requested - no response received" or similar, but we verified that the time server did send correctly stamped time responses.
If anyone knows if this is due to the old firmware in the modems (at least some had SB5101-2.7.7.0-GA-00-NOSH-NNDMN) or a bug in the BSR2000 firmware (unknown version, could be BSR2000 1.0.0P59.07) I'd appreciate a heads up on that! Customer is good with backing the date but I'd like to deliver a more robust solution if possible.
Thanks! /Fredrik
did you check the expiration of the certificate in the modems ?
Yes, I checked the cert and it expired in 2013 (the one I checked), so if it worked for 7 years, why stop today and not back then :) Also, backdating the time on the time server and the CMTS to 2020 helped, so that puzzles me even more.
I read up on this and it seems other vendors have a config entry that tells the CMTS to ignore the cert expiration, like Cisco's "cable privacy revocation skip-cm-cert" and/or "skip-validity-period" (no experience with that).
Dam... that's going way back... in interface cable, cable dynamic-service authorization-mode . I believe that may let them work without bpi or simply remove the bpi from the modem file. granted data isn't encrypted between the modem and cmts, but it's not after it leave the cmts anyway unless the customer uses a vpn service. when in interface cable 0/0, cable dynamic-service ? to confirm options.
I think that's it though
Thanks! Yes, it's old times for me too :) I still entertain a couple of customers with DOCSIS gear, but it's getting rare. Quitting BPI all together might be a bad idea as all the TV network will be able to tune in to the traffic (like in the CB radio days), so I'll see if I can set some auth mode as you suggested to get it going with BPI and without checking the cert validity.
I found the command thanks to suggestions here and in other posts:
configure
interface cable 0/0
cable privacy cert valid false
end
write memory
Make sure the time is correct on the CMTS and the time server.
Reboot the modems that are stuck.
/Fredrik
PS Still curious as to why this happened yesterday when the certs are all invalid since years back...
Perhaps you are talking about the manufacturer CVC certificate expiring years ago? (used the CM config file for firmware upgrades)
The manufacturer CVC is different to the modem's PKI certificate
A variety of modems have PKI certificates expiring in 2021, as discussed here https://www.docsis.org/forums/docsis-chat/pki-certificates
Noticed the software is not the last one, two releases before. if you like, post your email for appImage_100P5914TRCU
cmcaldas, thanks!
serykh (.) mobile@gmail.com