
Contivity 221 routers


riteeh

Programmer
Mar 2, 2004
107
CA
Hello,

I have 5 of these routers located in various remote sites, some on DSL and some on cable. These routers function perfectly, providing I don't use them for VPN access (which defeats the purpose of originally purchasing them).

My main site is running a Contivity 1010 which is a rock solid piece of hardware. These 221s last for about a week or two and then require power cycling. Before I cycle the power I can attempt to log in to the router but it responds very very slowly. Sometimes the VPN tunnels will fail but internet service is uninterrupted. Other times the reverse is true. I experience this problem on all the 221s. The 221 site that experiences the most internet traffic requires more reboots than the other ones (sometimes twice a week). This is the only site that maintains a connection to the 1010 yet all the 221s hang so the problem isn't related to the 1010.

The latest firmware from Nortel for this product is 2+ years old. I think this router has firmware issues such as poor memory management or perhaps some internal tables are being overflowed. I'm surprised Nortel wouldn't address such an obvious issue, unless I'm alone in encountering it. Does anyone else out there experience anything similar to this with a 221?

Here are two messages that I notice in the log quite often:

Firewall session time out, sent TCP RST
^ somewhat frequently seen in the log

Peer TCP state out of order, sent TCP RST
^ very frequently seen in the log
 
Is anyone out there having reliability issues with the 221s?
 
Nope. All of mine run flawlessly.

I would actually look at the 1010 as it is the only common piece to this puzzle.

"Peer TCP state out of order, sent TCP RST" -- this message says to me that inbound traffic to the 221 is not in order. If this happens at all of your sites, then I would consider the 1010 as the issue and would look at either it or the intervening network.

I would also look to see if perhaps the 1010 is opening up multiple tunnels to the 221s, causing them to max-out and then hang.

What version of software is on the 1010? It might be worth opening up a Nortel ticket on this one.
 
Hi MagnaRGP,

First off, thanks for the reply. My 1010 is set to responder mode and typically only one 221 site is connected to the 1010 at all times. The others are on-demand for site-to-site VoIP calls. The 221 that I have the most problems with is the only one actively connected to the 1010. This is also my busiest location.

I just checked the log again and there are 50+ of these messages from all different source and destination IPs. (even my mail server IP, etc.) This must be related to the problem.

The 1010 isn't able to open tunnels to the other sites as it is set to responder mode. The 1010 is running 6.0 software which we will be upgrading to 7.0 shortly.

We currently don't have a service agreement with Nortel and their hourly rate of $300 (minimum 2 hours) I cannot justify.

If possible, could you inform me of your firewall settings as I want to see if these could be related... Here are my current settings across all routers:

I am using port forwarding (in the SUA Server screen) for some webcams to be accessible.

LAN to LAN (221):
- FORWARD packets that don't match firewall rules

LAN to WAN:
- FORWARD packets that don't match firewall rules

WAN to LAN:
- FORWARD packets that don't match firewall rules

WAN to WAN (221):
- BLOCK packets that don't match firewall rules

Thank you very much!
 
I think it's quite easy to justify the $300/hr cost. You get support from the manufacturer to resolve a service affecting issue. The additional side benefit to this would be that you get to ask THEM the questions and pick their brains. I do this all the time when supporting my customers when I need Nortel intervention.

The other thought would be to get yourself a service contract (maybe 5-600/yr) and then you can call them all you want for support and assistance.

IMHO I think you're deluding yourself on that cost. There is nothing wrong in purchasing assistance when you need it. It's not an admission of lack of skill. It's recognizing the lack of a necessary tool to perform your job function.
 
MagnaRGP,

Thanks for your opinion. Personally I cannot justify paying support charges that double the purchase price of my equipment to speak with a tier 1 tech, but perhaps you can.

I'll work with my vendor instead as they provide free support to me and are familiar with the 221 routers. I figured people here may have input into how I could solve my problem.
 
Work with your vendor for sure! They should have partner access to Nortel docs.

I've set up a 221 to work with a 1010 before, but we did not have it in production long. Not sure of the details of your topology, but our asynchronous branch office tunnel (ABOT) was always built, even though the 1010 was a responder and the 221 was set to only initiate when traffic required it. The reason it was always up was because we had a phone plugged in that was hitting the PBX regularly. If you've got a PBX at each end and are using IP trunks for site to site, then the ABOT might be tearing down when not in use.

Just something that I learned when doing the setup. Also, your firewall seems to be pretty opened up so I doubt that's giving you problems. You might want to block the WAN to LAN stuff for security reasons.

I hope that this has helped, at least a little!
 
I have 5 of the 221s in operation as VPN tunnels to a central 2600 or 3050. They are the most trouble-free units I have.

The problem was when I shifted to the 3050 set up as Branch Office tunnels from the 2600. Periodically, if the DSL lines on the 221 take a hit, or the power goes out and the 221 reboots, the IP portion of the tunnel won't establish. The 3050 shows the tunnel up and in operation but it won't pass data. Do a BO Tunnel Reset on the 3050 and it pops right back up. I have the same problem with 1050/1100 units connected to the 3050 also. Hardly ever problems when we used the 2600, and Nortel can't tell me why; they keep pointing from the NVG group back to being a Contivity group problem.
 
Actually the latest software for the 221 is just a few months old. If your vendor has a contract with Nortel for the Contivity they can get the latest software.
 
SharpAdam,
I am using the 221s to talk back to the 1010 for the same purpose. I have remote IP phones and a BCM 50 located at the 1010 site. I've left WAN to LAN open, as if I do not, port forwarding rules (firewall hole and NAT) don't allow external connections. Thanks for the suggestion.


VPNSteve,
I think there was a new version of 221 software released for the BCM 50 built-in Contivity 221 but I can't find any mention of new software for the standalone unit. The latest version I can find mention of is VE221_2.5.0.0.014 | 09/16/2005. I've had my vendor check as well but perhaps we're both looking in the wrong places (they do have a Nortel contract).


As for resolving this issue my vendor hasn't been able to pinpoint the problem. I've disabled the tunnel on one site and the router hasn't hung since then. The TCP RST errors have also been reduced by a significant number since I turned off the tunnel. This is a difficult issue to troubleshoot as the router hangs after a period of days, weeks, etc.

Thanks for the input and suggestions thus far! :)
 
There's also 2.5.0.0.019 - I looked at the spreadsheet we keep of this stuff and found that it's not yet officially released (though we got it about 6 months ago). There's a note that it's the same as the official release but needs somebody's signature (not sure what that means).
 