06-12-2012 10:00 PM
Please note that this is a different problem to the one raised for a different serial number v3 unit.
I am trying to install 40124108412 and 40124107836 at PE31 8AE.
The FAQ does not appear to be relevant due to not covering v3 and also not covering the symptom.
I previously had a v1 box 21196758813 working here fine.
On both V3s I get a flashing red and a solid amber on the service light. No sign of internet and user lights.
I have amended the router to allow port access for:
Port 50 - TCP/IP
Port 4500 - UDP
Port 500 - UDP
Port 123 - UDP
Port 8 - TCP/IP
Port 1723 (BT Customers only) - TCP/UDP
My IP Address is: 86.133.19.212
Speednet - 38ms Download 6.8mbps Upload 0.34mbps
Pingtest - 0% lost, Ping 37ms, Jitter 9ms
I have put one in the DMZ but this makes no difference.
Traceroute via the router shows:
traceroute to 212.183.133.177, 30 hops max
1 217.47.93.250 40 ms
2 217.47.93.161 30 ms
3 213.1.69.86 30 ms
4 217.41.168.102 40 ms
5 217.41.168.49 30 ms
6 217.41.168.107 30 ms
7 109.159.249.64 30 ms
8 109.159.249.33 40 ms
9 213.121.193.97 30 ms
10 195.66.224.124 40 ms
11 85.205.116.6 40 ms
12 Request timed out. *
13 Request timed out. *
Trace complete.
Please can you help?
07-01-2013 07:00 PM
Hi Mark_B,
Thanks for your interest...
Let's see.
Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.
C:\>nslookup
DNS request timed out.
timeout was 2 seconds.
Default Server: UnKnown
Address: 192.168.0.1
> set type=AAAA
> initial-ipsecrouter.vap.vodafone.co.uk
Server: UnKnown
Address: 192.168.0.1
Name: initial-ipsecrouter.vap.vodafone.co.uk
> google.co.uk
Server: UnKnown
Address: 192.168.0.1
Non-authoritative answer:
Name: google.co.uk
Address: 2a00:1450:400c:c03::5e
> set type=A
> initial-ipsecrouter.vap.vodafone.co.uk
Server: UnKnown
Address: 192.168.0.1
Non-authoritative answer:
Name: initial-ipsecrouter.vap.vodafone.co.uk
Address: 212.183.131.137
> set type=A
07-01-2013 07:55 PM
Ok. Good news is that you don't have exactly the same issue as you get a response to the type AAAA (IPv6) lookup. What I don't understand from your trace is that you seem to get just one IP address from the last test, where the VSS makes use of a number of addresses. My DNS server gives 14 responses as follows:
> set type=A
> initial-ipsecrouter.vap.vodafone.co.uk
Server: dns-cluster-2.bir.opaltelecom.net
Address: 62.24.139.7
Non-authoritative answer:
Name: initial-ipsecrouter.vap.vodafone.co.uk
Addresses: 212.183.131.139
88.82.13.169
88.82.13.170
88.82.13.171
88.82.13.177
88.82.13.178
88.82.13.179
212.183.133.178
212.183.133.177
212.183.133.179
212.183.131.129
212.183.131.130
212.183.131.131
212.183.131.137
212.183.131.138
I don't know how important this is to the VSS as I've not decoded the network traffic long enough but it could indicate a problem.
Your router is acting as a DNS proxy, which is why you get the timeout when you run nslookup. Do you know if your router has a feature to manually set the DNS server IP address? If so then you could try and set it to Google's DNS at 8.8.8.8.
I've just tried Google's DNS server out of interest and it gives the same response as my ISP DNS. You can try it as well with the following:
nslookup
server 8.8.8.8
initial-ipsecrouter.vap.vodafone.co.uk
Cheers,
Mark.
07-01-2013 12:48 PM
Great, that's the correct response from the DNS server for the AAAA of initial-ipsecrouter.vap.vodafone.co.uk; previously you got a timeout. This would explain why it's now working with the new modem.
Interesting that you got a timeout when you ran nslookup. At this point nslookup does a reverse DNS lookup, I expect to 1.0.168.192.in-addr.arpa and no surprise that there is no DNS entry for this private IP address on the ISP's DNS servers, but it should return a result according to the standards. The VSS does the same reverse DNS lookup but only tries this 4 times before trying the IPv6 entry, which for you now responds.
If you want to use your NetGear then you will need to ask another machine on your network to be the DHCP server for your network and to advertise the ISP's DNS servers. This machine will need to be always on. Do you have such an option?
Mark.
07-01-2013 01:49 PM
@Mark_B wrote: If you want to use your NetGear then you will need to ask another machine on your network to be the DHCP server for your network and to advertise the ISP's DNS servers. This machine will need to be always on. Do you have such an option?
Mark.
No - that's mad - I shouldn't have to be doing that. I appreciate the work-around but I think I'm going to give up on the Netgear. Netgear have gone dark on me - I just get an auto-reply about my case being escalated. Sounds to me like a little bit of love from Vodafone and a little bit from Netgear and it could all be resolved - but if it's all working for most people without our specific combination then I guess they're not all that interested.
07-01-2013 07:37 PM
I fully agree, it's a work-around not a fix. Larger networks wouldn't use the router as a DHCP anyway but neither would they have a VSS. I happen to have a server set up so all I had to do was move the VSS from one network to another but, like you, I would still like the problem fixed so I can put the VSS in the right security domain.
Cheers,
Mark.
07-01-2013 02:15 PM
If you switch off the router DHCP and set a PC to be the DHCP server you reckon it will work?
Why?
07-01-2013 08:07 PM
If you look at the network traces I posted earlier in this thread you will see that my NetGear acting as a DNS redirection is not responding to AAAA (IPv6) query type DNS requests from the VSS. The VSS then gives up and restarts from the DHCP requests. When I point the VSS directly to my ISP DNS then it does get a response and moves on to make a type A (IPv4) request. This gives 14 IP addresses for which the VSS then does a reverse DNS lookup on each. Only then does it make contact with Vodafone's IPSEC router.
The VSS uses DHCP to get its DNS server address and some routers will allow you to enter this manually and some will not. The NetGear claims to support this feature but it does not actually do it. Therefore for the NetGear you would have to use a separate DHCP server that you can change the DNS address to directly use your ISP's DNS or send it to somewhere like Google's DNS on 8.8.8.8. I have a separate Linux server doing my DHCP in a separate security domain and it provides my ISP's DNS directly into the VSS.
This is not a DHCP problem, it is a DNS redirection problem and the solution is just a work around, a proper fix is required.
First you need to see if you have the DNS problem, you can use the nslookup tests I've posted in this thread to see if you have. Let me know the results.
Hope this helps,
Mark.
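An added example, not part of the original posts and not Vodafone or Netgear code: a probe that separates the failure described above (the router's DNS proxy never answering a type AAAA query) from a healthy empty answer. The fixed query ID, the function names and the constructed sample replies are assumptions made for illustration; the host name and the two server addresses are the ones quoted in this thread.

```python
import socket
import struct

QTYPE = {"A": 1, "AAAA": 28}
TXID = 0x1234  # fixed query ID, fine for a one-shot diagnostic

def build_query(name, qtype):
    """Encode one DNS question with recursion desired (RD=1)."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)

def classify(reply):
    """Diagnose a raw reply; None means nothing arrived before the timeout."""
    if reply is None:
        return "timeout"      # proxy dropped the query: the failure in this thread
    if len(reply) < 12:
        return "malformed"
    rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if rid != TXID or not flags & 0x8000:   # wrong ID or QR bit not set
        return "malformed"
    if flags & 0x000F:
        return "rcode-%d" % (flags & 0x000F)
    return "answers" if ancount else "nodata"   # nodata = NOERROR, empty answer

def probe(server, name, qtype, timeout=2.0):
    """Send one UDP query to server:53 and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        try:
            reply = s.recvfrom(4096)[0]
        except socket.timeout:
            reply = None
    return classify(reply)

def sample_reply(name, qtype, ancount, rcode=0):
    """Constructed reply (header + echoed question, no record data) for offline checks."""
    question = build_query(name, qtype)[12:]
    return struct.pack("!HHHHHH", TXID, 0x8180 | rcode, 1, ancount, 0, 0) + question

if __name__ == "__main__":
    host = "initial-ipsecrouter.vap.vodafone.co.uk"
    for server in ("192.168.0.1", "8.8.8.8"):   # router proxy vs. public resolver
        for qtype in ("AAAA", "A"):
            print(server, qtype, probe(server, host, qtype))
```

A "timeout" for AAAA from the router alongside "nodata" or "answers" from the public resolver points at the proxy rather than the upstream DNS.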
10-01-2013 02:16 PM - edited 10-01-2013 02:20 PM
So, it sounds like this IPv6 query change was part of the update back in November on the VSSv2. My DGND3700 worked up until then on the VSSv2. Does not work on either a VSSv2 or a VSSv3 now! So, we either need a firmware update to roll-back from IPv6 to IPv4 from Vodafone, or a firmware update on the Netgear to permit these DNS IPv6 requests? Which is most likely I wonder? Surely the N600 should be fully IPv6 ready by now?
Are you aware of any Netgear routers of this era (N600 N900) that are compatible, or is this purely a DGND3700 only issue?
I used a Billion 7402NX and it seemed to work OK with a VSSv3.
I assume that any further NAT and firewall changes/trials will not make a difference as this is purely a DNS routing issue... ?
10-01-2013 04:37 PM
Having been inspired this afternoon to have another go, I now have a working VSSv3 on a DGND3700v1 router!!!!
Hardware Version: DGND3700
Firmware Version: V1.0.0.17_1.0.17
GUI Language Version: V1.0.0.15
The only thing I did today, was...
1- Used two different DNS servers to what I have previously used, i.e. 217.32.171.21 and 217.32.171.22
2- Changed the Encapsulation type from PPPoE to PPPoA.
3- Changed the multiplexing method from LLC-Based to VC-Based.
Reset the VSSv3 and left it for two hours....Bingo! Now, this may be coincidental, and I haven't yet undone the changes to see if it really is the above.
10-01-2013 07:53 PM