Community home

It's unlikely to be the same problem - in my case, it just plain refuses to work. Unfortunately the SureSignal provides precious little information to determine what's going on - you really need to get down to packet level to see what it's up to. I guess there are a few possibilities in your case: a firmware upgrade to the BT hub could have caused problems (this issue from March looks interesting) - another possibility is that the BT dynamic IP address might not be in a known range to Vodafone, and needs whitelisting.

Initially, we upgraded our SS1 to a SS3 in the hope that they would have fixed the firmware - this was before we understood where the problem was in our case.

This issue always strikes me as very odd. I've used an SS2 and an SS3 with a HH4 and HH5 with both ADSL and Infinity and never had an issue with connectivity.

I agree that it is strange. If the MTU on the HH was set to 1500, you wouldn't see the problem. Also - it's not beyond the realms of possibility that only some of BT's PPP concentrators are affected by this issue, which could also contribute to the randomness of the problem.

We did have a SS1 working on a BT ADSL connection using an old 2-wire hub. When we changed to a different router and modem combination, it stopped working. The extra 8 bytes associated with the PPPoE header was the cause. The SS would not work on my home (infinity) connection because I can't set an MTU higher than 1492 with the BT business hub 3.

If you've got time, it would be very interesting to perform an inbound tracepath to your BT public IP address. You can find your public IP address here and run a tracepath from here. If your path MTU is in the region of 1492, it suggests that you're connected to a concentrator that is returning the correct ICMP packets. If your path MTU is 1500, either your router's MTU is set to 1500, or the concentrator is returning the correct ICMP packets.

Ultimately I'm trying to provide the results of my investigation to try and get to the bottom of this once and for all. It is a problem that seems to have affected some users since the SS1 was first released, and BT/Vodafone don't seem to be able to fix it. Hopefully the information in this thread will help someone on the BT or Vodafone side to home in on the actual problem.

I'll be sure to let you know the result of my communication with BT. Sadly they only seem to want to communicate by letter, so I'm not holding out much hope that it will reach the right person to deal with this.

Patrick,

Did you ever manage to solve your issue here?

I encountered problems with Sure Signal the moment I upgraded from ADSL to VSDL (BT Infinity).  I did exactly the same as you and upgraded from SS1 to SS3 but with no luck either.

After staggering around between BT and VF support trying to find a solution, I have come to exactly the same conslusion as you.  Shame I didn't find you post 2 weeks ago.

Anyhow, I would be very interested to hear how you've got on.

BN

Was the issue ever solved? Not at all, however I have learnt quite a bit more about what's going on.

I actually have two connections in different locations - one is a BT infinity connection, and the other is a BT ADSL broadband connection. Neither connection worked with the standard BT business hub.

Since I posted this, I've done quite a bit of work to determine what I think is going on. Now - here's the thing: I can only theorise as to what's going on here, as both Vodafone and BT tech support are about as useful as a used teabag - neither is able (or willing) to answer the technical questions that I have posed - which means that I can't confirm whether what I'm seeing is in fact true or not.

I replaced the router on both connections with a Mikrotik RB2011-series router. This isn't your average consumer-grade device - it has more functionality than you can imagine, and has been used to successfully get a VSS working in both locations. I wouldn't consider the issue resolved by the way - it's working in spite of Vodafone and BT, not because of them, if that makes sense.

Anyway - my BT infinity connection eventually (and, funnily enough after leaning on BT) suddenly started working. The VSS connected and has remained connected for several months now. Happy days. However, the ADSL connection stubbornly refused to connect. Now - both of these connections should (technically) be the same - so why does it only work in one location? I suspect this may be down to BT configuration on the BRAS (Broadband Remote Access Server).

Many people have observed that Vodafone requires an MTU of 1500 all the way to the VSS on the customer site. When a large UDP packet is sent (as is the case when the Vodafone server starts to negotiate the IPSec tunnel encryption), the payload is split into several 1500-byte packets. When a BT ADSL (or infinity) connection is set up, the MTU is actually a little smaller than this to account for the additional PPP headers. This shouldn't normally present a problem as there are mechanisms to deal with this, but Vodafone have helpfully blocked this mechanism on their firewall.

What's supposed to happen is this: when a large packet arrives at a router which has a lower MTU on the other side, an ICMP 'fragmentation required' packet is generated, and sent back to the sending host. This should in turn cause the sender to reduce the size of the packet and re-send. This process should not be confused with TCP MSS clamping - the VSS boxes use UDP to negotiate tunnel encryption - so MSS clamping isn't relevant here. Now - here's the killer: have you ever tried to ping the servers that the VSS boxes try to contact? No reply? This is very bad. What this means is that Vodafone have helpfully blocked inbound ICMP packets which are used by both ping and, critically, the 'fragmentation required' mechanism. Let me say that again: Vodafone have blocked the very packets that would allow their servers to deal with differing MTU values.

I asked Vodafone tech support about this, and was told that it had been blocked for ''security'. Clearly Vodafone's network technicians have no clue about low-level network protocols. But given Vodafone's track record with customer service elsewhere, this isn't really a surprise. Note also that BT could still be involved here, but it's impossible for me to sniff packets on BT's network side, so I can't 100% prove that my theory is correct.

Effectively this means that Vodafone's servers require the MTU to be 1500 to the VSS because their servers don't know any different. Clever, eh?

So what options do you have? Several, but none of them are fixing the problem - they are all workarounds:

• Use a router which can negotiate a higher MTU with the BRAS. This will work for both ADSL and infinity connections, but depends on the router. Only a select few do this (Mikrotik doesn't at present). Negotiating an MTU of 1508 (also known as baby jumbo frames) means that once the PPPoE header has been removed, full 1500-byte packets will get to the VSS. I think the later BT hubs do this - mine is a BT business hub 3, and it doesn't
• Find someone who has a working connection and persuade them to let you set up a tunnel to it. This is what I've done from my non-working site: I route the VSS via an ethernet-over-ip tunnel to my working infinity connection. An ethernet-over-ip tunnel is like connecting the two sites with a very long piece of Cat5 cable - the device doesn't know any different. The tunnel automatically fragments and reassembles packets in transit

Personally, I'd rather that Vodafone simply removed the ICMP block on their firewall. Anyone who blocks the entire ICMP protocol for 'security' deserves to be re-employed elsewhere. This issue, which seems to affect hundreds of customers (and, incidentally has made Vodafone millions in revenue from selling the VSS boxes) could be fixed for everyone in less than 5 minutes by a competent network engineer.

Sorry for the length - hope there was some useful information...