FAQs

CradlePoint Services (24)


Multi-Carrier Software-Defined Radio Switching

Products Supported: Any Cradlepoint router or modem with a LPE designation.

Firmware Version: 5.3.0 or newer – for information on upgrading firmware

Summary

With firmware 5.3.0 all LPE devices can switch the modem firmware to a different carrier. This Multi-Carrier Software-Defined Radio functionality is unique to Cradlepoint products and provides customers the flexibility to expand their coverage options, reduce inventory risk, and future-proof their carrier networks.

Please note that this only changes the modem firmware. To connect with this modem, you must also have an activated SIM from the new carrier in the device. Some LPE devices allow you to insert two SIM cards, so you can include SIMs from two different carriers in a single modem and remotely switch the modem firmware with ECM.

Although a single Cradlepoint modem may have two SIM card slots (e.g., IBR1100 integrated modem), it can only have one modem firmware version on that modem, and therefore only one carrier at a time. The exception is that the AER 2100 could have two distinct, integrated MC400 modems, each with two SIM slots. So while each modem by itself can only have one firmware version, the AER 2100 can support two integrated modems, on distinct carriers, simultaneously.

Select from the following methods for instructions on switching the carrier of the modem firmware.
1. USB flash drive
2. Local administration pages
3. ECM Carrier Switching


Configuration

Configuration Difficulty: Intermediate

Manual Carrier Switching

Preparation:

To update the Modem Carrier (switching the modem between Verizon, AT&T, Sprint or Generic (T-Mobile in USA and Rogers, Bell, Telus in Canada)), the following conditions must be met:

  • Compatible product with a Cradlepoint “LPE” modem (designated in the router or modem Part Number).
  • Router Firmware version of v5.3.0 or newer.
  • USB flash drive (at least 256MB capacity) or a computer locally connected to the router.
  • An activated SIM card for the carrier being changed to, provisioned for the IMEI of the modem being changed. (This is especially important for Sprint.)

Manual Carrier switching using USB drive:

Note: This process will force all attached LPE modems to the updated modem firmware. In the case of an AER 2100 with two MC400 integrated modems, you may not want both modems to have the same firmware. Either use one of the other methods to update modem firmware or remove one of the MC400s during this process.

  1. Download the appropriate Modem Carrier firmware from the CradlePoint connect portal. This will be a ZIP file labeled specifically for each carrier or Generic:
    • “MC7354_Sprint.zip” for Sprint in North America.
    • “MC7354_Verizon.zip” for Verizon in North America.
    • “MC7354_AT&T.zip” for AT&T in North America.
    • “MC7354_Generic.zip” for T-Mobile, Rogers, Bell and Telus in North America.
  2. Save the file to your computer.
  3. Unzip the file contents to extract the files to your computer.
  4. Locate the extracted files. There will be an “MDM” file and a “JSON” file.
  5. Copy the “MDM” and “JSON” files from the extracted location to the root of your USB stick. The files must be in the root of the flash drive.
  6. Safely eject the USB flash drive from your computer.
  7. Locate the SIM slot, door, or panel on the Cradlepoint router or modem, and insert the new SIM (this must be performed while the power is OFF).
  8. Power on the Cradlepoint router (and connect the modem if it is not embedded in the router).
  9. Wait for the router to start up completely. This can be verified by navigating to the router’s admin page (192.168.0.1 by default).
  10. Plug the USB flash drive into any of the router’s spare USB ports.
  11. The MODEM firmware update process begins automatically.
    • PLEASE WAIT. Do NOT remove the USB flash drive at this time. The router will reboot immediately if the USB flash drive is removed. The process takes up to 10 minutes.
  12. PRIOR TO REMOVING THE USB DRIVE, verify the modem is attempting to connect with the new carrier and SIM: In a browser, log into the router’s administration page, 192.168.0.1 by default. Enter the password when prompted.
  13. Browse to Internet > Connection Manager and watch for the Internal LPE connection status to progress from “Connecting” to “Connected”.
  14. If you receive an error:
    • Consider that you may have to manually update the APN if your SIM is provisioned for one other than the carrier’s default APN. Instructions on how to do this can be found here.
    • You may also need to make sure you are trying to use the same interface and SIM slot. Some products contain two SIM slots, and, therefore, there are two “Internal LPE” interfaces displayed in Connection Manager. If your active SIM is in slot 1, the “Internal LPE (SIM1)” will be the one to connect with that SIM; SIM slot 2 will correspond to “Internal LPE (SIM2)”.
    • Other troubleshooting steps may be found on Cradlepoint’s Support site or by contacting Cradlepoint Support.
  15. Regardless of the status at this time, the USB flash drive can be removed.
  16. The router will reboot itself, and attempt to connect using the new carrier/SIM.

Manual Carrier switching using a PC:
  1. Download the appropriate Modem Carrier firmware from the CradlePoint Connect Portal. This will be a ZIP file labeled specifically for each carrier or Generic:
    • “MC7354_Sprint.zip” for Sprint in North America.
    • “MC7354_Verizon.zip” for Verizon in North America.
    • “MC7354_AT&T.zip” for AT&T in North America.
    • “MC7354_Generic.zip” for T-Mobile, Rogers, Bell and Telus in North America.
  2. Save the file to your computer.
  3. Unzip the file contents to extract the files to your computer.
  4. Login to the router admin page and navigate to Internet > Connection Manager.
  5. In the WAN Interfaces table, select the desired LPE modem. *Note that for modems with two SIM slots, changing the firmware affects both SIM cards.
  6. Click Control.
  7. Click Firmware.
  8. Then click Manual Firmware Upgrade.
  9. Locate the files extracted in step 3 and select the .MDM file.
  10. The router UI will provide the progress status for every step and will eventually reboot. This process will take several minutes.
  11. After the router reboots, it will then attempt to connect to the new carrier.
  12. The new carrier SIM can be inserted either before or after doing the above steps. Remember that inserting a SIM on a COR model requires the router to be powered off.
  13. If you receive an error:
    • Consider that you may have to manually update the APN if your SIM is provisioned for one other than the carrier’s default APN. Instructions on how to do this can be found here.
    • You may also need to make sure you are trying to use the same interface and SIM slot. Some products contain two SIM slots, and, therefore, there are two “Internal LPE” interfaces displayed in Connection Manager. If your active SIM is in slot 1, the “Internal LPE (SIM1)” will be the one to connect with that SIM; SIM slot 2 will correspond to “Internal LPE (SIM2)”.
    • Other troubleshooting steps may be found on Cradlepoint’s Support site or by contacting Cradlepoint Support.

ECM Carrier Switching

Preparation:
  • Compatible product with a Cradlepoint “LPE” modem (designated in the router or modem Part Number)
  • Router Firmware version of v5.3.0 or newer
  • An activated SIM card for carrier being changed to, and provisioned for the IMEI of the modem being changed (This is especially important for Sprint)
ECM Carrier switching steps:
  1. Log into Enterprise Cloud Manager.
  2. Select the devices tab and then Network Interfaces from the drop down menu at the top.
  3. At the far right side of the page, click the column select icon and make sure the Modem FW, Modem FW Status, SIM, and Model fields are selected, then close the column select window. The Modem FW column will show you which carrier the modem is configured for and the SIM column displays the carrier of the SIM card.
  4. Next we need to locate the modem we want to switch to another carrier. The easiest way to do this is by sorting the Router Name or Router ID column, or to search by a specific router name using the search tool.
  5. In the example shown below, the grid is filtered using the search tool (searched by a specific router name, IBR1100LPE) and the filter tool (selected Modems) in the top toolbar so that only the two relevant interfaces display.
  6. To switch the carrier of the modem firmware, first select the desired interface. *Note that integrated modems with two SIM slots show two interfaces in the grid. Both will always have the same modem firmware, so selecting either one will have the same results.
  7. Once you have selected an interface, click Commands in the top toolbar and Switch Carrier in the drop down menu.
  8. Please review the agreement notes before proceeding. This process could knock your device offline.
  9. Once you click the I Agree button, you can now select the desired carrier. *Note that the Generic modem firmware is equivalent, regardless of whether you select T-Mobile, Bell, Rogers, or Telus.
  10. After the selection, ECM checks one more time to make sure you want to change the firmware because of the risk of disconnecting the modem. Click OK to continue.
  11. The modem firmware switch takes a few minutes. The Modem FW Status column shows the state of the update, e.g., “Downloading (38%),” and the Modem FW column shows the update that is in process.
  12. Once complete, the Modem FW Status column says, “Upgrade Successful” and the Modem FW column is updated with the new firmware version.
  13. If the update fails for some reason, reboot the router before trying again.

Troubleshooting

  • You may have to manually update the APN if your SIM is provisioned for one other than the carrier’s default APN. Instructions on how to do this can be found here.
  • You may also need to make sure you are trying to use the same interface and SIM slot. Some products contain two SIM slots, and, therefore, there are two “Internal LPE” interfaces displayed in Connection Manager. If your active SIM is in slot 1, the “Internal LPE (SIM1)” will be the one to connect with that SIM; SIM slot 2 will correspond to “Internal LPE (SIM2)”.
  • A factory reset will not affect the software defined radio.

 


CradlePoint Enterprise Cloud Manager (ECM) is a cloud-based management service for configuring, monitoring, and organizing your CradlePoint routers. Key features include the following:

  • Group based configuration management
  • Health monitoring of router connectivity and data usage
  • Remote management and control of routers
  • Historical record keeping of device logs and status

Visit http://cradlepoint.com/ecm to learn more about CradlePoint ECM. If you do not have ECM credentials, sign up at: http://cradlepoint.com/ecm-signup.

Registering Your Router – Once you have signed up for ECM, click on the Register Router button to begin managing the router through ECM. Input your ECM Username and ECM Password and click Register. You have now registered the device with Enterprise Cloud Manager.

Suspending the ECM Client – Click on the Suspend Client button to stop communication between the device and ECM. Suspending the client will make it stop any current activity and go dormant. It will not attempt to contact the server while suspended. This is a temporary setting that will not survive a router reboot; to disable the client altogether use the Advanced Enterprise Cloud Manager Settings panel (below).

Enterprise Cloud Manager Settings (Advanced)

  • Enabled: Enable the ECM client to contact the server. While this box is unchecked, the ECM client will never attempt to contact the server. (Default: Enabled)
  • Server Host:Port: The DNS hostname and port number for your ECM server. (Default: stream.cradlepoint.com)
  • Session Retry Timer: How long to wait, in seconds, before starting a new ECM session following a connection drop or connectivity failure. Note that this value is a starting point for an internal backoff timer that prevents superfluous retries during connectivity loss.
  • Unmanaged Checkin Timer: How often, in seconds, the router checks with ECM to see if the router is remotely activated. Note that this value is a starting point for an internal backoff timer that reduces network usage over time.
  • Maximum Alerts Buffer: The maximum number of alerts to buffer when offline.

Summary

This article provides a list of questions commonly asked about Enterprise Cloud Manager (ECM), and the answers to those questions. The Configuration Examples section includes links to articles that demonstrate the function of the ECM service.

Enterprise Cloud Manager is Cradlepoint’s next generation network management solution. Rapidly deploy and dynamically manage networks at geographically distributed locations with Enterprise Cloud Manager, Cradlepoint’s next generation application platform. Improve productivity, reduce costs, and enhance the intelligence of your network and business operations.

A detailed explanation of the Enterprise Cloud Manager service can be found on the ECM product page.


 

Requirements

To establish a successful connection to Enterprise Cloud Manager, a Cradlepoint router must meet the following requirements:

1. Supported Product: Only the following router models can currently be added to ECM: AER2100, MBR1400v2, MBR1400v1, CBA850, CBA750B, IBR1100, IBR1150, IBR600, IBR650, IBR350, MBR1200B, CBR400, and CBR450.

2. Minimum Firmware: 4.3.2 (CBR4x0 only) and 4.4.0 (all other models). Using the most recent available firmware version is recommended.

Note: Product support is planned for the following router models: CBA750, MBR1200, MBR1000, MBR900, MBR800, CTR500, and CBA250. Expected minimum firmware requirement for Series 2 products is 2.0.0.

Click here to identify your router. For information on upgrading firmware, click here.

3. NTP Server Connection: Routers must sync with a time server before they can communicate with Enterprise Cloud Manager. ECM uses standard TLS-based encryption along with a properly signed certificate on our servers. This system has date range restrictions: devices must have a valid clock time in the 21st century. By default, the routers boot up at Unix epoch 0 (January 1, 1970), so without a time sync the TLS client treats the certificate as invalid.
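
Added example, not Cradlepoint code: a diagnostic that separates an unsynced device clock from a genuinely expired or not-yet-valid certificate, which is the failure the NTP requirement above guards against. The certificate dates are a constructed sample, and the function name and status strings are assumptions.

```python
import ssl
from datetime import datetime, timezone

# First instant of the 21st century. The page requires a clock in the 21st
# century, so anything earlier means the device has not synced its time.
CENTURY_START = datetime(2001, 1, 1, tzinfo=timezone.utc).timestamp()

# Constructed validity window, in the notBefore/notAfter string format that
# Python's ssl module reports for a peer certificate. Not the real ECM cert.
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Jan  1 00:00:00 2017 GMT",
}


def diagnose(cert, now_epoch):
    """Classify why a certificate's date check passes or fails.

    cert      -- dict with 'notBefore' and 'notAfter' strings
    now_epoch -- the device clock, in seconds since the Unix epoch
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])

    if not_before <= now_epoch <= not_after:
        return "valid"
    # Check the clock before blaming the certificate: a router that booted at
    # epoch 0 sees every modern certificate as "not yet valid".
    if now_epoch < CENTURY_START:
        return "clock-unsynced"
    if now_epoch < not_before:
        return "not-yet-valid"
    return "expired"


if __name__ == "__main__":
    cases = {
        "fresh boot (epoch 0)": 0,
        "2010-01-01": 1262304000,
        "2016-06-01": 1464739200,
        "2018-01-01": 1514764800,
    }
    for label, clock in cases.items():
        print(f"{label:22s} -> {diagnose(SAMPLE_CERT, clock)}")
```
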

 

Frequently Asked Questions

What level of redundancy and reliability features do the Enterprise Cloud Manager Servers have?

Enterprise Cloud Manager servers are located within a physically secured area at a Tier IV datacenter that is SAS70 (SSAE Type II) certified. Only Rackspace authorized personnel have access to the secured area. Redundancy of the system includes the following:

Datacenter Redundancy and Reliability:

  • 24x7x365 onsite staff
  • Dual power circuits tied to N+1 redundant datacenter UPS systems
  • Onsite diesel backup power generators
  • Fully redundant enterprise-class core routing with connectivity to 3+ internet backbone carriers
  • Fiber carriers enter datacenters at disparate points to guard against service failure
  • N+1 redundant HVAC systems (Heating Ventilation Air Conditioning) with air filtering

Server and Software Redundancy:

  • Redundant load balanced application servers
  • Master database in isolated private network with one-hour replacement
  • Full nightly backups
  • Rackspace SLA guaranteeing network availability and critical infrastructure systems including power and HVAC 100% of the time in a given month excluding scheduled maintenance.

What are the security measures for the Enterprise Cloud Manager Servers?

Enterprise Cloud Manager servers are located within a physically secured area at a Tier IV datacenter with SSAE Type II certification (formerly SAS 70). Security features include the following:

Datacenter Security:

  • Cradlepoint servers are located in a secured area within a Tier IV datacenter.
  • Keycard protocols, biometric scanning protocols and round-the-clock interior and exterior surveillance monitoring
  • 24x7x365 onsite staff
  • Only authorized data center personnel are granted access credentials. No one else can enter the production area of the datacenter without prior clearance and an appropriate escort.

Hardware and Software Security:

  • CISCO ASA Firewall
  • Only authorized Rackspace operations personnel are allowed physical access to production ECM servers.
  • Patch Management: Patches are applied quarterly, unless a high vulnerability issue is identified whereupon the process is expedited.

Event and Log Management:

  • All URL traffic is logged. These logs are kept for 90 calendar days for review by network security management.
  • Automated logs track and log changes, including backups of this data.

Does Cradlepoint perform vulnerability assessment of the ECM servers?

Cradlepoint uses a PCI Approved Scanning Vendor (ASV) service for external penetration testing of the ECM servers. Scans are run at minimum monthly, with remediation reports provided to management. Corrective actions are implemented based upon severity of potential threats.

How many devices can your system support and how many do you have on the system now?

Cradlepoint manages more than 80,000 devices on WiPipe Central today. ECM has a scalable, service-oriented architecture that can support many more customers with many thousands of devices under management.

As a System Integrator, can I have multiple primary accounts that I can use to manage my customers’ devices, and can I see all of my customers’ devices?

Yes, with ECM you can have multiple subaccounts for your customers. Your Account Administrator can manage all accounts, while creating other administrators to manage separate subaccounts (customers).

When an ECM account password is lost, how is it reset?

The user navigates to the “Request new password” page (link on the ECM central login page) where an email address is entered. If the email address entered matches an email address associated with an ECM user, an email with a unique link is sent to the user. Upon receiving the email, the user clicks on the link that will take them to a page to select a new password for their account. If the email address entered does not match any account email addresses, a message will be displayed noting the email address isn’t recognized.

Cradlepoint support personnel do not have access to ECM user passwords and thus cannot provide any passwords over the phone.

How strong are ECM passwords and how long do they last?

The following password options are available:

  • Password minimum length (default = 8)
  • Require one or more CAPITALIZED letters in the password (default = yes)
  • Require one or more symbols or numbers in the password (default = yes)

The administrator can set a session timeout (default = 120 minutes) for each user under the User Settings.

How are passwords stored within the ECM Servers?

All passwords are stored in encrypted form using the NIST/FIPS Secure Hash Standard known as SHA-2. SHA-2 is a set of cryptographic hash functions designed by the National Security Agency (NSA) and published in 2001 by the NIST as a U.S. Federal Information Processing Standard. SHA stands for Secure Hash Algorithm. Our user password encryption uses the PBKDF2 algorithm with a SHA-256 hash.
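
Added example, not Cradlepoint's code: how a server can enforce the password options listed under "How strong are ECM passwords" and store the result with PBKDF2 and SHA-256, which is a one-way derivation rather than reversible encryption. The iteration count, salt size, record layout, and function names are assumptions; the page does not state them.

```python
import hashlib
import hmac
import os
import string

# Policy defaults quoted in the FAQ above.
MIN_LENGTH = 8
REQUIRE_CAPITAL = True
REQUIRE_SYMBOL_OR_NUMBER = True

# Assumptions, not stated on the page.
ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def policy_violations(password):
    """Return the list of policy rules the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if REQUIRE_CAPITAL and not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if REQUIRE_SYMBOL_OR_NUMBER and not any(
        c.isdigit() or c in string.punctuation for c in password
    ):
        problems.append("no symbol or number")
    return problems


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Derive a storable record: scheme$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record
    if scheme != SCHEME or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a record was derived with fewer iterations than the current setting."""
    try:
        return int(record.split("$")[1]) < iterations
    except (IndexError, ValueError):
        return True


if __name__ == "__main__":
    candidate = "Cradle9point"  # constructed sample password
    print("violations:", policy_violations(candidate))
    record = hash_password(candidate)
    print("record:", record)
    print("correct password verifies:", verify_password(candidate, record))
    print("wrong password verifies:", verify_password("cradle9point", record))
```

Because the iteration count is stored in each record, it can be raised later and old records upgraded at the user's next successful login.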

Is User Data stored within the Cradlepoint devices?

No user data is stored on the Cradlepoint devices.

Do new users receive a unique password?

When a new account is set up, the Account Administrator will receive an email from Cradlepoint with a unique link to take them to a page to select a new password for their account.

When the Account Administrator sets up a new user account, the user will receive an email with a unique link that upon selecting will take them to a page to select a new password for their account.

How do you integrate with Network Management Systems?

Enterprise Cloud Manager can be integrated with any Network Management System via the Enterprise Cloud Manager API. The ECM API is accessed via HTTPS to the XML/JSON RESTful interface. We have customers doing this today using the WiPipe Central API.

How many levels of user account privileges does ECM support?

ECM supports three levels of user access privileges for a customer.

  • Account Administrator – has full access to all accounts and sub-accounts and can create accounts and users at any level within the account hierarchy. Only the Account Administrator can create accounts or users.
  • Full Access User – has access to resources within their account and any sub-accounts below their account. The Full Access User cannot create new accounts or users.
  • Read-Only User – has read-only access for their account and any sub-account(s) below their account.

How much data does being connected to Enterprise Cloud Manager consume?

Recent data shows that the average data usage is approximately 5–10 MB per router per month. This reflects what we expect to see in “typical” scenarios when routers have mostly default settings. Many settings could affect this amount, including generating lots of alerts, exporting lots of logs, and especially editing the connection pulse interval (default 120 seconds). A significantly faster connection pulse (e.g., 10 seconds) could increase data usage to 50 or even 100 MB per router per month, whereas a significantly slower pulse (e.g., 900 seconds) could decrease data usage to less than 1 MB per router per month (but runs the risk of slowing down the connection so much that the connection is broken and needs to reestablish itself, which uses additional data).
There are many variables that affect data usage and therefore Cradlepoint does not guarantee that a router will use any particular amount of data. These numbers are only provided to give a rough estimate of the amount of data usage you should expect based on data from other routers in the field.

How do you support Private Networks (cellular or wired)?

ECM can support a customer’s Private Network (3G/4G or wired networks). For device management, ECM uses a full-duplex, asynchronous SSL protocol to manage the Cradlepoint routers over a single TCP connection (port 8001).

Support for Private Networks can be achieved by either of the following:

  • Customers create a firewall rule to allow ECM management SSL traffic routed over the Internet to the Cradlepoint cloud datacenter (single TCP connection – port 8001).
ECM Private Network Support

Summary

Upgrading the modem firmware regularly is important to keep a secure and reliable internet connection. This can be done manually or through ECM; this document focuses on upgrading through ECM.

Please note that this only upgrades the modem firmware; to upgrade the router firmware click here. To connect with this modem you must also have an activated SIM from the carrier in the device. During the upgrade process the modem will restart: the router may go offline for a few minutes if this modem is its primary WAN connection.

Although a single Cradlepoint modem may have two SIM card slots (e.g., IBR1100 integrated modem), it is one modem module and can only have one modem firmware version, and therefore only one carrier at a time. The exception is that the AER 2100 could have two distinct integrated MC400 modems, each with two SIM slots. So while each modem by itself can only have one firmware version, the AER 2100 can support two integrated modems, on distinct carriers, simultaneously.


Configuration

Configuration Difficulty: Beginner
  • Step 1: Log in to Enterprise Cloud Manager.
  • Step 2: Select the Devices tab and then Network Interfaces from the drop down menu at the top.

  • Step 3: Next we need to locate the modem we want to upgrade. The easiest way to do this is by sorting the Router Name or Router ID column, or to search by a specific router name using the search tool.
  • Step 4: In the example shown below, the grid is filtered using the search tool (searched by a specific router name, IBR1100LPE) and the filter tool (selected Modems) in the top toolbar so that only the two relevant interfaces display.

  • Step 5: To check if the modem firmware is current, first select the desired interface. *Note that integrated modems with two SIM slots show two interfaces in the grid. Both will always have the same modem firmware, so selecting either one will have the same results.
  • Step 6: Once you have selected an interface, click Commands in the top toolbar and Upgrade Modem Firmware in the drop down menu. *Note that you can also check if your modem has the latest firmware by selecting Check for New Modem Firmware

  • Step 7: Please review the agreement notes before proceeding. The modem will restart after this point.

  • Step 8: Once you click the OK button, the firmware upgrade will begin.
  • Step 9: The modem firmware upgrade takes a few minutes. The Modem FW Status column shows the state of the update, e.g., “Downloading (38%),” and the Modem FW column shows the update that is in process.

  • Step 11: Once complete, the Modem FW Status column says, “Upgrade Successful” and the Modem FW column is updated with the new firmware version:

  • Step 12: If the update fails for some reason, reboot the router before trying again.

Troubleshooting

  • You may also need to make sure you are trying to use the same interface and SIM slot. Some products contain two SIM slots, and therefore there are two “Internal LPE” interfaces displayed in Connection Manager. If your active SIM is in slot 1, the “Internal LPE (SIM1)” will be the one to connect with that SIM; SIM slot 2 will correspond to “Internal LPE (SIM2)”.
  • If the modem is unable to complete the upgrade and no internet connection remains, local access to update the modem will be necessary. Click here to upgrade the modem firmware manually.

General M2M Question (24)

The Sierra Wireless AirLink® products that support ALEOS Application Framework or AAF are the Sierra Wireless AirLink® GX440, the Sierra Wireless AirLink® GX400 and the Sierra Wireless AirLink® LS-300. USAT carries these products designed for the Verizon, AT&T, and Sprint carrier networks as well as through USAT’s Express M2M network services (ExpressM2M.com).

USAT has ALEOS Application Framework engineering teams on staff. Bring us your project for AAF, and we will bring intelligence to the edge for you.

You can view our Sierra Wireless AirLink GX440 and GX400 and LS300 products in the USAT web store.


A custom AAF application can be used to collect and measure data and send custom alerts to many different destinations. This can allow you to push something that may have been server side processing down to the modem. Alternatively, you may have previously needed another computer connected in your solution to do this type of monitoring and response. Now with a custom AAF solution from USAT, you no longer need the expense of purchasing and maintaining the additional hardware. Also with fewer points of potential failure, the reliability of the solution increases.

M2M stands for “machine-to-machine” communications. Essentially, it is the exchange of data between a remote machine and a back-end IT infrastructure. The transfer of data can be two-way:

  • Uplink to collect product and usage information
  • Downlink to send instructions or software updates, or to remotely monitor equipment

In the past, the high cost of deploying M2M technology made it the exclusive domain of large organizations that could afford to build and maintain their own dedicated data networks. Today, the widespread adoption of cellular technology has made wireless M2M technology available to manufacturers all over the world.

Wireless M2M applications include connectivity-enabled devices that use a cellular data link to communicate with the computer server. A database to store collected data and a software application that allows the data to be analyzed, reported, and acted upon are also key components of a successful end-to-end solution.

Four LEDs are visible from the front and top of the AirLink GX400. Labeled (from left to right) Network, Signal, Activity, and Power, each LED can display one of three colors: green, yellow, or red.

  • LED Operation:
    • Off – No activity
    • Green – Full function
    • Yellow – Limited Function
    • Red – Not functional
    • Blinking – Where needed, blinking is used to indicate altered functionality
  • Network LED:
    • Green – On the network
    • Flashing Green – Roaming
    • Yellow – Found service, attempting to connect
    • Flashing Yellow – Link down
    • Red – No data connection available
  • Signal LED – Light shows the strength of the signal and may be nearly solid (strong signal) or flashing (weaker signal). A slow flash indicates a very weak signal
    • Green – Good signal
    • Yellow – Marginal signal
    • Red – Bad signal
    • Flashing Red – No signal
  • Activity LED – Pulse green on packet transmit/receive on radio link. Otherwise, LED is off
  • Power LED:
    • Off – No power (or above 36V or below 7.5V)
    • Red – System not operational
    • Green – Normal operation
    • Green, Occasional Yellow – GPS Lock
    • Yellow – Low power mode or system booting

Caution: If you need to reset the device configuration using the Reset button, hold the button depressed until the LEDs start cycling yellow, and then release the button.

Light Patterns

The LEDs on the front of the device respond with different light patterns to indicate device states.

  • Normal – Each LED is lit as applicable
  • Start up and Device Reboot – All LEDs simultaneously cycle red, yellow, and green at the start. Various light patterns continue until the Power LED turns yellow, and then a solid green, to indicate an active device
  • Radio Passthrough (H/W) – Network LED is a solid red
  • Factory Reset – All LEDs cycle yellow back and forth when the Reset pin is briefly depressed and released. Returns the device’s software to the factory default state
  • Data Retry, Failed Auth, and Retrying – The Network LED blinks red every 3 seconds


The Sierra Wireless GX400/440 has two visible Ethernet LEDs on the rear panel of the GX400 and GX440 devices:

  • Left LED (Activity) – Blinks Yellow when there is activity
  • Right LED (Link Speed):
    • Green – 100 Mbps
    • Orange – 10 Mbps


Cradlepoint Products (5)

IPv6 Settings

This is the product manual section for IPv6 Settings for the WAN. To edit these settings, go to Internet → Connection Manager. Select a WAN Interface and click on Edit to open up the WAN Configuration editor. IPv6 Settings is one of the tabs:

IPv6 configuration window


The IPv6 configuration allows you to enable and configure IPv6 for a WAN device. These settings should be configured in combination with the IPv6 LAN settings (go to Network Settings → WiFi / Local Networks, select the LAN under Local IP Networks, and click Edit) to achieve the desired result.

This is a dual-stacked implementation of IPv6, so IPv6 and IPv4 are used alongside each other. If you enable IPv6, the router will not allow connections via IPv4. When IPv6 is enabled, some router features are no longer supported. These are:

  • RADIUS/TACACS+ accounting for wireless clients and admin/CLI login
  • IP Passthrough (not needed with IPv6)
  • NAT (not needed with IPv6)
  • Bounce pages
  • UPnP
  • Network Mobility
  • DHCP Relay
  • VRRP, GRE, GRE over IPSec, OSPF, NHRP
  • Syslog
  • SNMP over the WAN (LAN works)

There are two main types of IPv6 WAN connectivity: native (Auto and Static) and tunneling over IPv4 (6to4, 6in4, and 6rd).

  • Native – (Auto and Static) The upstream ISP routes IPv6 packets directly.
  • IPv6 tunneling – (6to4, 6in4, and 6rd) Each IPv6 packet is encapsulated by the router in an IPv4 packet and routed over an IPv4 route to a tunnel endpoint that decapsulates it and routes the IPv6 packet natively. The reply is encapsulated by the tunnel endpoint in an IPv4 packet and routed back over an IPv4 route. Some tunnel modes do not require upstream ISPs to route or even be aware of IPv6 traffic at all. Some modes are utilized by upstream ISPs to simplify the configuration and rollout of IPv6.

Enable IPv6 and select the desired IPv6 connection method for this WAN interface.

  • Disabled (default) – IPv6 disabled on this interface.
  • Auto – IPv6 will use automatic connection settings (if available).
  • Static – Input a specific IPv6 address for your WAN connection. This is provided by the ISP if it is supported.
  • 6to4 Tunnel – Encapsulates the IPv6 data and transfers it to an automatic tunnel provider (if your ISP supports it).
  • 6in4 Tunnel – Encapsulates the IPv6 data and sends it to the configured tunnel provider.
  • 6rd Tunnel (IPv6 rapid deployment) – Encapsulates the IPv6 data and sends it to a relay server provided by your ISP.

When you configure IPv6, you have the option to designate DNS Servers and Delegated Networks. Because of the dual-stack setup, these settings are optional: when configured for IPv6, the router will fall back to IPv4 settings when necessary.

DNS Servers

Each WAN device is required to connect IPv4 before connecting IPv6. Because of this, DNS servers are optional, as most IPv4 DNS servers will respond with AAAA records (128-bit IPv6 DNS records, most commonly used to map hostnames to the IPv6 address of the host) if requested. If no IPv6 DNS servers are configured, the system will fall back to the DNS servers provided by the IPv4 configuration.

Delegated Networks

A delegated network is an IPv6 network that is inherently provided by or closely tied to a WAN IP configuration. The IPv6 model is for each device to have end-to-end IP connectivity without relying on any translation mechanism. In order to achieve this, each client device on the LAN network needs to have a publicly routable IPv6 address.

Auto

IPv6 auto-configuration mode uses DHCPv6 and/or SLAAC to configure the IPv6 networks. When you select Auto, all of the following settings are optional (depending on your provider’s requirements):

  • PD Request Size – Prefix Delegation request size. This is the size of IPv6 network that will be requested from the ISP to delegate to LAN networks. (Default: 63)
  • Primary IPv6 DNS Server – (optional) Depending on your provider, this may be required. This only takes effect if the default global DNS setting on the Network Settings → DNS page is “Automatic”.
  • Additional IPv6 DNS Server – Secondary DNS server.
  • Delegated IPv6 Network – (optional) Network available for delegation to LANs. Depending on your provider, this may be required. Prefixes specified here only take effect if those supplied by the connection are insufficient to configure your LANs.
  • Delegated IPv6 Network – Additional network available for delegation to LANs.

Static

As with IPv4, static configuration is available for situations where the WAN IPv6 topology is fixed.

  • IPv6 Address/CIDR – Input the IPv6 static IP address and mask length provided by your ISP (see the Wikipedia explanation of CIDR).
  • IPv6 Gateway IP – Input the IPv6 remote gateway IP address provided by your ISP.
  • Primary IPv6 DNS Server – (optional) Depending on your provider/setup, this may be required. This only takes effect if the default global DNS setting on the Network Settings → DNS page is “Automatic”.
  • Additional IPv6 DNS Server – Secondary DNS server.
  • Delegated IPv6 Network – (optional) Network available for delegation to LANs. Depending on your provider, this may be required. Prefixes specified here only take effect if those supplied by the connection are insufficient to configure your LANs.
  • Delegated IPv6 Network – Additional network available for delegation to LANs.

6to4 Tunnel

Out of the box, 6to4 is the simplest mode to enable full end-to-end IPv6 connectivity in an organization if the upstream ISP properly routes packets to and from the 6to4 unicast relay servers.

  • Primary IPv6 DNS Server – (optional) Depending on your provider, this may be required. This only takes effect if the default global DNS setting on the Network Settings → DNS page is “Automatic”.
  • Additional IPv6 DNS Server – Secondary DNS server.
  • Delegated IPv6 Network – (optional) Network available for delegation to LANs. Depending on your provider, this may be required. Prefixes specified here only take effect if those supplied by the connection are insufficient to configure your LANs.
  • Delegated IPv6 Network – Additional network available for delegation to LANs.

6in4 Tunnel

The 6in4 tunnel mode utilizes explicit IPv4 tunnel endpoints and encapsulates IPv6 packets using 41 as the specified protocol type in the IP header. A 6in4 tunnel broker provides a static IPv4 server endpoint, decapsulates packets, and provides routing for both egress and ingress IPv6 packets. Most tunnel brokers provide a facility to request delegated networks for use through the tunnel.

  • Tunnel Server IP – Input the tunnel server IP address provided by your tunnel service.
  • Local IPv6 Address – Input the local IPv6 address provided by your tunnel service.
  • Primary IPv6 DNS Server – (optional) Depending on your provider, this may be required. This only takes effect if the default global DNS setting on the Network Settings → DNS page is “Automatic”.
  • Additional IPv6 DNS Server – Secondary DNS server.
  • Delegated IPv6 Network – (optional) Network available for delegation to LANs. Depending on your provider, this may be required. Prefixes specified here only take effect if those supplied by the connection are insufficient to configure your LANs.
  • Delegated IPv6 Network – Additional network available for delegation to LANs.
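
Because 6in4 and 6to4 traffic travels as IPv4 protocol 41, a firewall or sensor that only inspects IPv4 headers does not see the IPv6 addresses inside. The following added example (not part of the product manual) parses a protocol-41 packet, extracts the inner IPv6 addresses, and flags inbound packets whose outer source is not the configured Tunnel Server IP or whose 6to4 source does not match the outer IPv4 source; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number used by 6in4, 6to4 and 6rd

MALFORMED = "malformed inner IPv6 header"
WRONG_ENDPOINT = "outer source is not the configured tunnel server"
SIXTOFOUR_MISMATCH = "6to4 source does not match outer IPv4 source"


def build_sample(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed test packet: 20-byte IPv4 header + bare 40-byte IPv6 header.

    The IPv4 checksum is left at zero; the inspector below does not verify it.
    """
    inner = struct.pack("!IHBB", 6 << 28, 0, 59, 64)  # version 6, no payload
    inner += ipaddress.IPv6Address(inner_src).packed
    inner += ipaddress.IPv6Address(inner_dst).packed
    outer = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(inner), 0, 0, 64, IPPROTO_IPV6, 0,
        ipaddress.IPv4Address(outer_src).packed,
        ipaddress.IPv4Address(outer_dst).packed,
    )
    return outer + inner


def inspect_tunnel_packet(packet, tunnel_server_ip=None):
    """Return details of an inbound protocol-41 packet, or None if it is not one.

    tunnel_server_ip is the 6in4 "Tunnel Server IP"; leave it as None for
    6to4, where any relay may be the outer source.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    header_len = (packet[0] & 0x0F) * 4
    if header_len < 20 or len(packet) < header_len:
        return None
    if packet[9] != IPPROTO_IPV6:
        return None

    result = {
        "outer_src": ipaddress.IPv4Address(packet[12:16]),
        "outer_dst": ipaddress.IPv4Address(packet[16:20]),
        "inner_src": None,
        "inner_dst": None,
        "findings": [],
    }
    inner = packet[header_len:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        result["findings"].append(MALFORMED)
        return result

    result["inner_src"] = ipaddress.IPv6Address(inner[8:24])
    result["inner_dst"] = ipaddress.IPv6Address(inner[24:40])

    # A 6to4 address (2002::/16) embeds the sender's IPv4 address; it should
    # equal the outer IPv4 source, otherwise the inner source is suspect.
    embedded = result["inner_src"].sixtofour
    if embedded is not None and embedded != result["outer_src"]:
        result["findings"].append(SIXTOFOUR_MISMATCH)

    if tunnel_server_ip is not None:
        if result["outer_src"] != ipaddress.IPv4Address(tunnel_server_ip):
            result["findings"].append(WRONG_ENDPOINT)
    return result


if __name__ == "__main__":
    # Constructed samples using documentation address ranges.
    samples = [
        ("192.0.2.1", "2001:db8::1", "192.0.2.1"),      # expected 6in4 peer
        ("203.0.113.9", "2001:db8::1", "192.0.2.1"),    # unexpected peer
        ("192.0.2.1", "2002:c633:6407::1", None),       # 6to4 mismatch
    ]
    for outer_src, inner_src, server in samples:
        pkt = build_sample(outer_src, "198.51.100.7", inner_src, "2001:db8:1::2")
        info = inspect_tunnel_packet(pkt, tunnel_server_ip=server)
        print(outer_src, "->", info["inner_src"], info["findings"] or "ok")
```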

6rd Tunnel

IPv6 Rapid Deployment (6rd) is a method of IPv6 site configuration derived from 6to4. It is different from 6to4 in that the ISP provides explicit 6rd infrastructure that handles the IPv4 ↔ IPv6 translation within the ISP network. 6rd is considered more reliable than 6to4 as the ISP explicitly maintains infrastructure to support tunneled IPv6 traffic over their IPv4 network.

  • 6rd Prefix – The 6rd prefix and prefix length should be supplied by your ISP.
  • IPv4 Border Router Address – This address should be supplied by your ISP.
  • IPv4 Common Prefix Mask – Input the number of common prefix bits that you can mask off of the WAN’s IPv4 address.
  • Primary IPv6 DNS Server – (optional) Depending on your provider, this may be required. This only takes effect if the default global DNS setting on the Network Settings → DNS page is “Automatic”.
  • Additional IPv6 DNS Server – Secondary DNS server.
  • Delegated IPv6 Network – (optional) Network available for delegation to LANs. Depending on your provider, this may be required. Prefixes specified here only take effect if those supplied by the connection are insufficient to configure your LANs.
  • Delegated IPv6 Network – Additional network available for delegation to LANs.
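
To show how the 6rd Prefix and IPv4 Common Prefix Mask combine with the WAN's IPv4 address, here is an added example (not taken from the product manual) that derives the delegated prefix as RFC 5969 describes and maps a 6rd IPv6 address seen in a log back to the IPv4 address it embeds. The function names are hypothetical and the addresses are constructed from documentation and private ranges; 6to4 appears as the special case of prefix 2002::/16 with a mask of 0.

```python
import ipaddress


def sixrd_delegated_prefix(sixrd_prefix, wan_ipv4, common_mask_bits):
    """Derive the delegated prefix a 6rd router builds from its WAN IPv4 address.

    The first `common_mask_bits` bits of the IPv4 address are dropped and the
    remaining bits are appended to the ISP's 6rd prefix (RFC 5969).
    """
    prefix = ipaddress.IPv6Network(sixrd_prefix)
    v4 = ipaddress.IPv4Address(wan_ipv4)
    if not 0 <= common_mask_bits <= 32:
        raise ValueError("IPv4 common prefix mask must be between 0 and 32")
    suffix_bits = 32 - common_mask_bits
    delegated_len = prefix.prefixlen + suffix_bits
    if delegated_len > 64:
        raise ValueError(
            f"/{delegated_len} delegated prefix leaves no room for a /64 LAN"
        )
    suffix = int(v4) & ((1 << suffix_bits) - 1)
    base = int(prefix.network_address) | (suffix << (128 - delegated_len))
    return ipaddress.IPv6Network((base, delegated_len))


def lan_subnet_count(delegated):
    """Number of /64 LAN networks that fit in the delegated prefix."""
    return 2 ** (64 - delegated.prefixlen)


def embedded_ipv4(ipv6_addr, sixrd_prefix, common_prefix_v4, common_mask_bits):
    """Recover the WAN IPv4 address embedded in a 6rd IPv6 address.

    `common_prefix_v4` supplies the masked-off high bits, for example
    "10.0.0.0" when the common prefix mask is 8.
    """
    prefix = ipaddress.IPv6Network(sixrd_prefix)
    addr = ipaddress.IPv6Address(ipv6_addr)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside the 6rd prefix {prefix}")
    suffix_bits = 32 - common_mask_bits
    shift = 128 - prefix.prefixlen - suffix_bits
    suffix = (int(addr) >> shift) & ((1 << suffix_bits) - 1)
    high = (int(ipaddress.IPv4Address(common_prefix_v4)) >> suffix_bits) << suffix_bits
    return ipaddress.IPv4Address(high | suffix)


if __name__ == "__main__":
    # Constructed values: ISP 6rd prefix 2001:db8::/32, all customers in 10/8.
    delegated = sixrd_delegated_prefix("2001:db8::/32", "10.1.2.3", 8)
    print("delegated prefix:", delegated)
    print("available /64 LANs:", lan_subnet_count(delegated))
    print("first LAN:", next(delegated.subnets(new_prefix=64)))

    # 6to4 is the same construction with prefix 2002::/16 and no common bits.
    print("6to4 prefix:", sixrd_delegated_prefix("2002::/16", "192.0.2.1", 0))

    # Mapping a logged IPv6 source back to the customer's IPv4 address.
    print("embedded IPv4:",
          embedded_ipv4("2001:db8:102:3ff::1", "2001:db8::/32", "10.0.0.0", 8))
```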


Connection Manager


The router can establish an uplink via Ethernet, WiFi as WAN, or 3G/4G modems (integrated or external USB). If the primary WAN connection fails, the router will automatically attempt to bring up a new link on another device: this feature is called failover. If Load Balance is enabled, multiple WAN devices may establish a link concurrently.

WAN Interfaces

This is a list of the available interfaces used to access the Internet. You can enable, stop, or start devices from this section. By using the priority arrows (the arrows in the boxes to the left – these show if you have more than one available interface), you can set the interface the router uses by default and the order that it allows failover.

In the example shown, Ethernet is set as the primary Internet source, while a 4G LTE modem is attached for failover. The Ethernet is “Connected” while the LTE modem is “Available” for failover. A WiFi-as-WAN interface is also attached and “Available”.

  • Load Balance: If this is enabled, the router will use multiple WAN interfaces to increase the data transfer throughput by using any connected WAN interface consecutively. Selecting Load Balance will automatically start the WAN interface and add it to the pool of WAN interfaces to use for data transfer. Turning off Load Balance for an active WAN interface may require the user to restart any current browsing session.
  • Enabled: Selected by default. Deselect to disable an interface.

Click on the small box at the top of the list to select/deselect all devices for either Load Balance or Enabled.

Click on a device in the list to reveal additional information about that device.

Selecting a device reveals the following information:

  • State (Connected, Available, etc.)
  • Port
  • UID (Unique identifier. This could be a name or number/letter combination.)
  • IP Address
  • Gateway
  • Netmask
  • Stats: bytes in, bytes out
  • Uptime

Click “Edit” to view configuration options for the selected device. For 3G/4G modems, click “Control” to view options to activate or update the device.

WAN Configuration

Select a WAN interface and click on Edit to open the WAN Configuration editor. The tabs available in this editor are specific to the particular WAN interface types.

General Settings

Device Settings

  • Enabled: Select/deselect to enable/disable.
  • Force NAT: Normally NAT is part of the Routing Mode setting which is selected on the LAN side in Network Settings → WiFi / Local Networks. Select this option to force NAT whenever this WAN device is being used.
  • Priority: This number controls failover and failback order. The lower the number, the higher the priority and the more use the device will get. This number will change when you move devices around with the priority arrows in the WAN Interfaces list.
  • Load Balance: Select to allow this device to be available for the Load Balance pool.
  • Download bandwidth: Defines the default download bandwidth for use in Load Balance and QoS (quality of service, or traffic shaping) algorithms. (Range: 128 Kb/s to 1 Gb/s.)
  • Upload bandwidth: Defines the default upload bandwidth for use in Load Balance and QoS (quality of service, or traffic shaping) algorithms. (Range: 128 Kb/s to 1 Gb/s.)
  • MTU: Maximum transmission unit. This is the size of the largest protocol data unit that the device can pass. (Range: 46 to 1500 Bytes.)
  • Hostname (This only shows for certain devices.)

IPv4 Failure Check (Advanced)

If this is enabled, the router will check that the highest priority active WAN interface can get to the Internet even if the WAN connection is not actively being used. If the interface goes down, the router will switch to the next highest priority interface available. If this is not selected, the router will still failover to the next highest priority interface but only after the user has attempted to get out to the Internet and failed.

Idle Check Interval: The amount of time between each check. (Default: 30 seconds. Range: 10-3600 seconds.)

Monitor while connected: (Default: Off) Select from the following dropdown options:

  • Passive DNS (modem only): The router will take no action until data is detected that is destined for the WAN. When this data is detected, the data will be sent and the router will check for received data for 2 seconds. If no data is received the router behaves as described below under Active DNS.
  • Active DNS (modem only): A DNS request will be sent to the DNS servers. If no data is received, the DNS request will be retried 4 times at 5-second intervals. (The first 2 requests will be directed at the Primary DNS server and the second 2 requests will be directed at the Secondary DNS server.) If still no data is received, the device will be disconnected and failover will occur.
  • Active Ping: A ping request will be sent to the Ping Target. If no data is received, the ping request will be retried 4 times at 5-second intervals. If still no data is received, the device will be disconnected and failover will occur. When “Active Ping” is selected, the next line gives an estimate of data usage in this form: “Active Ping could use as much as 9.3 MB of data per month.” This amount depends on the Idle Check Interval.
  • Off: Once the link is established the router takes no action to verify that it is still up.

Ping IP Address: If you selected “Active Ping”, you will need to input an IP address. This must be an address that can be reached through your WAN connection (modem/Ethernet). Some ISPs/Carriers block certain addresses, so choose an address that all of your WAN connections can use. For best results, select an established public IP address. For example, you might ping Google Public DNS at 8.8.8.8 or Level 3 Communications at 4.2.2.2.

IPv6 Failure Check (Advanced)

The settings for IPv6 Failure Check match those for IPv4 Failure Check except that the IP address for Active Ping is an IPv6 address.

Failback Configuration (Advanced)

This is used to configure failback, which is the ability to go back to a higher priority WAN interface if it regains connection to its network.

Select the Failback Mode from the following options:

  • Usage
  • Time
  • Disabled

Usage: Fail back based on the amount of data passed over time. This is a good setting for when you have a dual-mode EVDO/WiMAX modem and you are going in and out of WiMAX coverage. If the router has failed over to EVDO it will wait until you have low data usage before bringing down the EVDO connection to check if a WiMAX connection can be made.

  • High (Rate: 80 KB/s. Time Period: 30 seconds.)
  • Normal (Rate: 20 KB/s. Time Period: 90 seconds.)
  • Low (Rate: 10 KB/s. Time Period: 240 seconds.)
  • Custom (Rate range: 1-100 KB/s. Time Period range: 10-300 seconds.)

Time: Fail back only after a set period of time. (Default: 90 seconds. Range: 10-300 seconds.) This is a good setting if you have a primary wired WAN connection and only use a modem for failover when your wired connection goes down. This ensures that the higher priority interface has remained online for a set period of time before it becomes active (in case the connection is dropping in and out, for example).

Disabled: Deactivate failback mode.

Immediate Mode: Fail back immediately whenever a higher priority interface is plugged in or when there is a priority change. Immediate failback returns you to the use of your preferred Internet source more quickly which may have advantages such as reducing the cost of a failover data plan, but it may cause more interruptions in your network than Usage or Time modes.

IP Overrides

IP overrides allow you to override IP settings after a device’s IP settings have been configured.

Only the fields that you fill out will be overridden. Override any of the following fields:

  • IP Address
  • Subnet Mask
  • Gateway IP
  • Primary DNS Server
  • Secondary DNS Server

IPv6 Settings

The IPv6 configuration allows you to enable and configure IPv6 for a WAN device. These settings should be configured in combination with the IPv6 LAN settings (go to Network Settings → WiFi / Local Networks, select the LAN under Local IP Networks, and click Edit) to achieve the desired result.

This is a dual-stacked implementation of IPv6, so IPv6 and IPv4 are used alongside each other. If you enable IPv6, the router will not allow connections via IPv4. When IPv6 is enabled, some router features are no longer supported. These are:

  • RADIUS/TACACS+ accounting for wireless clients and admin/CLI login
  • IP Passthrough (not needed with IPv6)
  • NAT (not needed with IPv6)
  • Bounce pages
  • UPnP
  • Network Mobility
  • DHCP Relay
  • VRRP, GRE, GRE over IPSec, OSPF, NHRP
  • Syslog
  • SNMP over the WAN (LAN works)

There are two main types of IPv6 WAN connectivity: native (Auto and Static) and tunneling over IPv4 (6to4, 6in4, and 6rd).

  • Native – (Auto and Static) The upstream ISP routes IPv6 packets directly.
  • IPv6 tunneling – (6to4, 6in4, and 6rd) Each IPv6 packet is encapsulated by the router in an IPv4 packet and routed over an IPv4 route to a tunnel endpoint that decapsulates it and routes the IPv6 packet natively. The reply is encapsulated by the tunnel endpoint in an IPv4 packet and routed back over an IPv4 route. Some tunnel modes do not require upstream ISPs to route or even be aware of IPv6 traffic at all. Some modes are utilized by upstream ISPs to simplify the configuration and rollout of IPv6.

Enable IPv6 and select the desired IPv6 connection method for this WAN interface.

  • Disabled (default) – IPv6 disabled on this interface.
  • Auto – IPv6 will use automatic connection settings (if available).
  • Static – Input a specific IPv6 address for your WAN connection. This is provided by the ISP if it is supported.
  • 6to4 Tunnel – Encapsulates the IPv6 data and transfers it to an automatic tunnel provider (if your ISP supports it).
  • 6in4 Tunnel – Encapsulates the IPv6 data and sends it to the configured tunnel provider.
  • 6rd Tunnel (IPv6 rapid deployment) – Encapsulates the IPv6 data and sends it to a relay server provided by your ISP.

When you configure IPv6, you have the option to designate DNS Servers and Delegated Networks. Because of the dual-stack setup, these settings are optional: when configured for IPv6, the router will fall back to IPv4 settings when necessary.

DNS Servers

Each WAN device is required to connect IPv4 before connecting IPv6. Because of this, DNS servers are optional, as most IPv4 DNS servers will respond with AAAA records (128-bit IPv6 DNS records, most commonly used to map hostnames to the IPv6 address of the host) if requested. If no IPv6 DNS servers are configured, the system will fall back to the DNS servers provided by the IPv4 configuration.

Delegated Networks

A delegated network is an IPv6 network that is inherently provided by or closely tied to a WAN IP configuration. The IPv6 model is for each device to have end-to-end IP connectivity without relying on any translation mechanism. In order to achieve this, each client device on the LAN network needs to have a publicly routable IPv6 address.

Auto

IPv6 auto-configuration mode uses DHCPv6 and/or SLAAC to configure the IPv6 networks. When you select Auto, all of the following settings are optional (depending on your provider’s requirements):

  • PD Request Size – Prefix Delegation request size. This is the size of IPv6 network that will be requested from the ISP to delegate to LAN networks. (Default: 63)
  • Primary IPv6 DNS Server – (optional) Depending on your provider, this may be required. This only takes effect if the default global DNS setting on the Network Settings → DNS page is “Automatic”.
  • Additional IPv6 DNS Server – Secondary DNS server.
  • Delegated IPv6 Network – (optional) Network available for delegation to LANs. Depending on your provider, this may be required. Prefixes specified here only take effect if those supplied by the connection are insufficient to configure your LANs.
  • Delegated IPv6 Network – Additional network available for delegation to LANs.

Static

As with IPv4, static configuration is available for situations where the WAN IPv6 topology is fixed.

  • IPv6 Address/CIDR – Input the IPv6 static IP address and mask length provided by your ISP (see the Wikipedia explanation of CIDR).
  • IPv6 Gateway IP – Input the IPv6 remote gateway IP address provided by your ISP.
  • Primary IPv6 DNS Server – (optional) Depending on your provider/setup, this may be required. This only takes effect if the default global DNS setting on the Network Settings → DNS page is “Automatic”.
  • Additional IPv6 DNS Server – Secondary DNS server.
  • Delegated IPv6 Network – (optional) Network available for delegation to LANs. Depending on your provider, this may be required. Prefixes specified here only take effect if those supplied by the connection are insufficient to configure your LANs.
  • Delegated IPv6 Network – Additional network available for delegation to LANs.

6to4 Tunnel

Out of the box, 6to4 is the simplest mode to enable full end-to-end IPv6 connectivity in an organization if the upstream ISP properly routes packets to and from the 6to4 unicast relay servers.

  • Primary IPv6 DNS Server – (optional) Depending on your provider, this may be required. This only takes effect if the default global DNS setting on the Network Settings → DNS page is “Automatic”.
  • Additional IPv6 DNS Server – Secondary DNS server.
  • Delegated IPv6 Network – (optional) Network available for delegation to LANs. Depending on your provider, this may be required. Prefixes specified here only take effect if those supplied by the connection are insufficient to configure your LANs.
  • Delegated IPv6 Network – Additional network available for delegation to LANs.

6in4 Tunnel

The 6in4 tunnel mode utilizes explicit IPv4 tunnel endpoints and encapsulates IPv6 packets using 41 as the specified protocol type in the IP header. A 6in4 tunnel broker provides a static IPv4 server endpoint, decapsulates packets, and provides routing for both egress and ingress IPv6 packets. Most tunnel brokers provide a facility to request delegated networks for use through the tunnel.

  • Tunnel Server IP – Input the tunnel server IP address provided by your tunnel service.
  • Local IPv6 Address – Input the local IPv6 address provided by your tunnel service.
  • Primary IPv6 DNS Server – (optional) Depending on your provider, this may be required. This only takes effect if the default global DNS setting on the Network Settings → DNS page is “Automatic”.
  • Additional IPv6 DNS Server – Secondary DNS server.
  • Delegated IPv6 Network – (optional) Network available for delegation to LANs. Depending on your provider, this may be required. Prefixes specified here only take effect if those supplied by the connection are insufficient to configure your LANs.
  • Delegated IPv6 Network – Additional network available for delegation to LANs.

6rd Tunnel

IPv6 Rapid Deployment (6rd) is a method of IPv6 site configuration derived from 6to4. It is different from 6to4 in that the ISP provides explicit 6rd infrastructure that handles the IPv4 ↔ IPv6 translation within the ISP network. 6rd is considered more reliable than 6to4 as the ISP explicitly maintains infrastructure to support tunneled IPv6 traffic over their IPv4 network.

  • 6rd Prefix – The 6rd prefix and prefix length should be supplied by your ISP.
  • IPv4 Border Router Address – This address should be supplied by your ISP.
  • IPv4 Common Prefix Mask – Input the number of common prefix bits that you can mask off of the WAN’s IPv4 address.
  • Primary IPv6 DNS Server – (optional) Depending on your provider, this may be required. This only takes effect if the default global DNS setting on the Network Settings → DNS page is “Automatic”.
  • Additional IPv6 DNS Server – Secondary DNS server.
  • Delegated IPv6 Network – (optional) Network available for delegation to LANs. Depending on your provider, this may be required. Prefixes specified here only take effect if those supplied by the connection are insufficient to configure your LANs.
  • Delegated IPv6 Network – Additional network available for delegation to LANs.

Ethernet Settings

While default settings for each WAN Ethernet port will be sufficient in most circumstances, you have the ability to control the following:

  • Connect Method: DHCP (Automatic), Static (Manual), or PPPoE (Point-to-Point Protocol over Ethernet).
  • MAC Address: You have the ability to change the MAC address, but typically this is unnecessary. You can match this address with your device’s address by clicking: “Clone Your PC’s MAC Address”.

Connect Method

Select the connection type that you need for this WAN connection. You may need to check with your ISP or system administrator for this information.

  • DHCP (Dynamic Host Configuration Protocol) is the most common configuration. Your router’s Ethernet ports are automatically configured for DHCP connection. DHCP automatically assigns dynamic IP addresses to devices in your networks. This is preferable in most circumstances.
  • Static allows you to input a specific IP address for your WAN connection; this should be provided by the ISP if supported.
  • PPPoE should be configured with the username, password, and other settings provided by your ISP.

If you want to use a Static (Manual) or PPPoE connection, you will need to fill out additional information.

Static (Manual):

  • IPv4 Address
  • Subnet Mask
  • Gateway IP
  • Primary DNS Server
  • Secondary DNS Server

PPPoE:

  • Username
  • Password
  • Password Confirm
  • Service
  • Auth Type: None, PAP, or CHAP

Modem Settings

Not all modems will have all of the options shown below; the available options are specific to the modem type.

On Demand: When this mode is selected a connection to the Internet is made as needed. When this mode is not selected a connection to the Internet is always maintained.

IP WAN Subnet Filter: This feature will filter out any packets going to the modem that do not match the network (address and netmask).

Aggressive Reset: When Aggressive Reset is enabled the system will attempt to maintain a good modem connection. If the Internet has been unreachable for a period of time, a reset of the modem will occur in an attempt to re-establish the connection.

Automatically check for new firmware: (Default: selected) The modem will automatically check for firmware updates by default.

Enable Aux Antenna: (Default: selected) Enable or disable the modem’s auxiliary diversity antenna. This should normally be left enabled.

GPS Signal Source: Select the antenna to be used for receiving GPS coordinates. Some products support a dedicated GPS antenna, while others use the auxiliary diversity antenna only (and some products support both).

Enable eHRPD: (Default: selected) Enable or disable the modem’s ability to connect via eHRPD (enhanced High Rate Packet Data) when connecting to a 3G EVDO network on Sprint. eHRPD routes EVDO traffic through the LTE systems, enabling easy transitions between LTE and EVDO. In rare cases it may make sense to bypass the LTE core, so this field allows you to disable eHRPD.

Modem Connection Mode: Specify how the modem should connect to the network. Not all options are available for all modems; this will default to Auto if an incompatible mode is selected.

  • Auto (all modes): Let the modem decide which network to use.
  • Auto 3G (3G or less): Let the modem decide which 2G or 3G network to use. Do not attempt to connect to LTE.
  • Force LTE: Connect to LTE only and do not attempt to connect to 3G or WiMAX.
  • Force WiMAX: Connect to WiMAX only and do not attempt to connect to 3G or LTE.
  • Force 3G (EVDO, UMTS, HSPA): Connect to 3G network only.
  • Force 2G (1xRTT, EDGE, GPRS): Connect to 2G network only.

Network Selection Mode: Wireless carriers are assigned unique network identifying codes known as PLMN (Public Land Mobile Network). To manually select a particular carrier, select the Manual radio button and enter the network PLMN. Choose from the following options:

  • None/No Change
  • Auto: Selected by default
  • Home only
  • Manual: Input the PLMN code

Functional Mode: Selects the functional mode of the modem. IPPT (IP passthrough) mode causes the modem to act as a transport, passing Internet data and IP address information between the modem and the Internet directly. NAT mode causes the modem to NAT the IP address information. Consequently, IPPT mode does not allow user access to the modem web UI and NAT mode does allow user access to the modem web UI.

  • None/No Change
  • IPPT
  • NAT

Network-Initiated Alerts: This field controls whether the Sprint network can disconnect the modem to apply updates, such as for PRL, modem firmware, or configuration events. These activities do not change any router settings, but the modem connection may be unavailable for periods of time while these updates occur. The modem may also require a reset after a modem firmware update is complete.

  • Disabled: The request to update will be refused.
  • When Disconnected: The request to update will only be performed when the modem is either in a disconnected state or dormant state. If the modem is not in one of these states when the request is received, then the router will remember the request and perform the update when the modem becomes disconnected/dormant.
  • On Schedule: The request to update will only be performed at the specified scheduled time, no matter what the state of the modem is.

Network-Initiated Schedule: When you select “On Schedule” for Network-Initiated Alerts, you also select a time from this dropdown list. Modem updates will take place at this scheduled time.

AT Config Script: Enter the AT commands to be used for carrier specific modem configuration settings. Each command must be entered on a separate line. The command and associated response will be logged, so you should check the system log to make sure there were no errors.

NOTE: AT Config Script should not be used unless told to do so by your modem’s cellular provider or by a support technician.

AT Dial Script: Enter the AT commands to be used in establishing a network connection. Each command must be entered on a separate line. All command responses must include “OK”, except the final command response, which must include “CONNECT”.

Example:

AT
ATDT*99***2#

WiMAX Settings

WiMAX Realm: Select from the following dropdown options:

  • Clear – clearwire-wmx.net
  • Rover – rover-wmx.net
  • Sprint 3G/4G – sprintpcs.com
  • Xohm – xohm.com
  • BridgeMAXX – bridgeMAXX.com
  • Time Warner Cable – mobile.rr.com
  • Comcast – mob.comcast.net

TTLS Authentication Mode: TTLS inner authentication protocol. Select from the following dropdown options:

  • MSCHAPv2/MD5 (Microsoft Challenge Handshake Authentication Protocol version2/Message-Digest Algorithm 5)
  • PAP (Password Authentication Protocol)
  • CHAP (Challenge Handshake Authentication Protocol)

TTLS Username: Username for TTLS authentication.

TTLS Password: Password for TTLS authentication.

WiMAX Authentication Identity: User ID on the network. Leave this blank unless your provider tells you otherwise.

CDMA Settings

These settings are usually specific to your wireless carrier’s private networks. You should not set these unless directed to by a carrier representative. If a field below is left blank, that particular setting will not be changed in the modem. You should only fill in fields that are required by your carrier.

  • Persist Settings: If this is not checked, these settings will only be in place until the router is rebooted or the modem is unplugged.
  • Active Profile: Select a number from 0-5 from the dropdown list.

The following fields can be left blank. If left blank they will remain unchanged in the modem.

  • NAI (Username@realm): Network Access Identifier. NAI is a standard system of identifying users who attempt to connect to a network.
  • AAA Shared Secret (Password): “Authentication, Authorization, and Accounting” password.
  • Verify AAA Shared Secret
  • HA Shared Secret: “Home Agent” shared secret.
  • Primary HA
  • Secondary HA
  • AAA SPI: AAA Security Parameter Index.
  • HA SPI: HA Security Parameter Index.

SIM/APN/Auth Settings

SIM PIN: PIN number for a GSM modem with a locked SIM.

Authentication Protocol: Set this only if your service provider requires a specific protocol and the Auto option chooses the wrong one. Choose from Auto, PAP, and CHAP and then input your username and password.

Access Point Configuration: Some wireless carriers provide multiple Access Point configurations that a modem can connect to. Some APN examples are “isp.cingular” and “vpn.com”.

  • Default: Let the router choose an APN automatically.
  • Default Override: Enter an APN by hand.
  • Select: This opens a table with 16 slots for APNs, each of which can be set as IP, IPV4V6, or IPV6. The default APN is marked with an asterisk (*). You can change the APN names, select a different APN, etc. For Verizon modems, only the third slot is editable. Changes made here are written to the modem, so a factory reset of the router will not impact these settings.

Update/Activate a Modem

Some 3G/4G modems can be updated and activated while plugged into the router. Updates and activation methods vary by modem model and service provider. Possible methods are: PRL Update, Activation, and FUMO. All supported methods will be displayed when you select your modem and click “Control” to open the “Update/Activate” window. If no methods are displayed for your device then you will need to update and activate your device externally.

To update or activate a modem, select the modem in the WAN Interfaces table and click “Control”.

The modem does not support Update/Activate methods: A message will state that there is no support for PRL Update, Activation, or FUMO.

The modem supports Update/Activate methods: A message will display showing options for each supported method:

  • Modem Activation / Update: Activate, Reactivate, or Upgrade Configuration.
  • Preferred Roaming List (PRL) Update
  • Firmware Update Management Object (FUMO)

Click the appropriate icon to start the process.

If the modem is connected when you start an operation the router will automatically disconnect it. The router may start another modem as a failover measure. When the operation is done the modem will go back to an idle state, at which point the router may restart it depending on failover and failback settings.

NOTE: Only one operation is supported at a time. If you try to start the same operation on the same modem twice, the UI will not report failure and the request will finish normally when the original request is done. However, if you try to start a different operation or use a different modem, this second request will fail without interfering with the pending operation.

Process Timeout: If the process fails an error message will display.

Activation has a 3-minute timeout, PRL update has a 4-minute timeout, and FUMO has a 10-minute timeout.

Update Modem Firmware

Click on the Firmware button to open the Modem Firmware Upgrade window. This will show whether there is new modem firmware available.

If you select Automatic (Internet) the firmware will be updated automatically. Use Manual Firmware Upgrade to instead manually upload firmware from a local computer or device.

Reset the Modem

Click on the Reset button to power cycle the modem. This will have the same effect as unplugging the modem.

Configuration Rules (Advanced)

This section allows you to create general rules that apply to the Internet connections of a particular type. These can be general or very specific. For example, you could create a rule that applies to all 3G/4G modems, or a rule that only applies to an Internet source with a particular MAC address.

The Configuration Rules list shows all rules that you have created, as well as all of the default rules. These are listed in the order they will be applied. The most general rules are listed at the top, and the most specific rules are at the bottom. The router goes down the list and applies all rules that fit for attached Internet sources. Configuration settings farther down the list will override previous settings.

Select any of these rules and click “Edit” to change the settings for a rule. To create a new rule, click “Add.”

WAN Configuration Rule Editor

After clicking “Add” or “Edit,” you will see a popup with the following tabs:

  • Filter Criteria
  • General Settings
  • IP Overrides
  • IPv6 Settings
  • Ethernet Settings
  • Modem Settings
  • WiMAX Settings
  • CDMA Settings
  • SIM/APN/Auth Settings

Filter Criteria

If you are creating a new rule, begin by setting the Filter Criteria. Create a name for your rule and the condition for which the rule applies:

  • Rule Name: Create a name meaningful to you. This name is optional.

Make a selection for “When,” “Condition,” and “Value” to create a condition for your rule. The condition will be in the form of these examples:

When    Condition    Value
Port    is           USB Port 1
Type    is not       WiMAX

  • When:
    • Port – Select by the physical port on the router that you are plugging the modem into (e.g., “USB Port 2”).
    • Manufacturer – Select by the modem manufacturer, such as Sierra Wireless.
    • Model – Set your rule according to the specific model of modem.
    • Type – Select by type of Internet source (Ethernet, LTE, Modem, Wireless as WAN, WiMAX).
    • Serial Number – Select 3G or LTE modem by the serial number.
    • MAC Address – Select WiMAX modem by MAC Address.
    • Unique ID – Select by ID. This is generated by the router and displayed when the device is connected to the router.
  • Condition: Select “is,” “is not,” “starts with,” “contains,” or “ends with” to create your condition’s statement.
  • Value: If the correct values are available, select from the dropdown list. You may need to manually input the value.

Once you have established the condition for your configuration rule, choose from the other tabs to set the desired configuration. All of the tabs have the same configuration options shown above in the WAN Configuration section (i.e., the options for Configuration Rules are the same as they are for individual devices).



Router Firmware Upgrade: Best Practices

Products Supported: Series 3 Click here to identify your router.



Summary

This article provides instructions on how to upgrade your Series 3 Cradlepoint router through the local device and through Enterprise Cloud Manager (ECM). Best practices regarding firmware upgrades are also listed within this article.

Caution: Updating the firmware can permanently damage your router. The upgrade process will take several minutes. Do not unplug your router from the provided power supply during this process.

Note: Downgrading firmware to a version lower than 5.2.0 will require resetting the router to factory default settings.


Configuration

Configuration Difficulty: Easy

Local Router Upgrade

Automatically Upgrading from 5.4.x or Earlier

Note: The device has to be on the internet to update automatically.

  • Step 1: Log into the router’s Setup Page. For help with logging in please click here.
  • Step 2: Navigate across the top menus to System Settings > System Software.
  • Step 3: Press the Automatic (Internet) button.

Automatically Upgrading from 6.0.x or Later

Note: The device has to be on the internet to update automatically.

  • Step 1: Log into the router’s Setup Page. For help with logging in please click here.
  • Step 2: Navigate across the left-hand menus to System > System Control > System Firmware.
  • Step 3: Press the Automatic (Internet) button.

Downloading Firmware for Manual Upgrade

Note: These instructions are only for manual firmware upgrades. You do not need to download firmware when upgrading automatically or with ECM.

  • Step 1: Log into your Connect Portal account. The login page can be found here.
  • Step 2: Click the menu button. Hover over My Support and click Firmware Downloads.
  • Step 3: Select the model of your router from the drop down menu.
  • Step 4: Click download on the firmware version you are updating to.

Manually Upgrading from 5.4.x or Earlier

  • Step 1: Log into the router’s Setup Page. For help with logging in please click here.
  • Step 2: Navigate across the top menus to System Settings > System Software.
  • Step 3: Press the Manual Firmware Upload button.
  • Step 4: In the box that appears press Choose File and use the pop up window to navigate to the firmware file.
  • Step 5: Press Begin Firmware Update.

Manually Upgrading from 6.0.x or Later

  • Step 1: Log into the router’s Setup Page. For help with logging in please click here.
  • Step 2: Navigate across the left-hand menu to System > System Control > System Firmware.
  • Step 3: Press the Manual Firmware Upload button.
  • Step 4: In the box that appears press Select Firmware File and use the pop up window to navigate to the firmware file.
  • Step 5: Press Begin Firmware Update.

ECM Upgrade

  • Step 1: Log into your Enterprise Cloud Manager account. The login page can be found here.
  • Step 2: Navigate across the left-hand menu to Groups.
  • Step 3: Create a new group for the device using the firmware the device is currently on.
  • Step 4: Navigate to Devices and select the router. Press the move button and put it in the new group.
  • Step 5: Navigate back to the groups page and press firmware. Select the firmware you would like to upgrade to.
  • Step 6: Press Run Now.

Best Practices

Configuration Backup

It is recommended that you back up your configuration before upgrading. Click here for help making backups.

Firmware Testing

Before upgrading routers in a live deployment, it is a good idea to test the firmware first. Testing beforehand also makes the upgrade of all your devices go more smoothly.

The best way to test is to have a lab environment where you can create a situation similar to your live network and test how your configuration will work with different firmware.

The next step would be to test a small controlled group of devices in production on the prospective firmware to ensure a smooth transition for that firmware to your network.

Stair Stepping

When upgrading firmware between major and minor versions, it is highly recommended to perform a stair-step upgrade. A stair-step upgrade entails making short jumps between firmware versions as shown below.

           Example: From 5.1.1 to 6.1.0
                   Start:___5.1.1
                Update 1:_________5.2.0
                Update 2:_______________5.2.4
                Update 3:_____________________5.3.4
                Update 4:__________________________ 5.4.1 
                Update 5:_________________________________6.0.1
                     End:_______________________________________6.1.0



Products Affected: AER31x0, AER2100, AER16x0, IBR11x0, IBR9x0, IBR6x0, IBR6x0B, IBR6x0C, IBR350, CBA850, and MBR1200B. Click here to identify your router.

Summary

Cradlepoint was notified of critical security vulnerabilities discovered in the dnsmasq network service (CVE-2017-14491 and others); in response Cradlepoint has taken steps to incorporate the dnsmasq version 2.78 into its latest NetCloud OS.

If exploited, this vulnerability could allow attackers to remotely execute code, forward the contents of process memory, or disrupt service on an affected router. As described in various sources, this flaw is difficult to trigger: an attacker who controls a specific domain must send DNS requests to dnsmasq that require it to cache replies from that domain. Through carefully constructed DNS requests and responses, the attacker could cause dnsmasq to overflow an internal buffer with content the attacker influences.

More details can be found here: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html.


Affected Products

Cradlepoint recommends customers immediately upgrade products to the upcoming NetCloud OS versions (available 10/30/17) to mitigate this vulnerability. All router products are affected, including:

• AER3100 / AER3150
• AER2100
• AER1600 / AER1650
• IBR1100 / IBR1150
• IBR900 / IBR950
• IBR600 / IBR650
• IBR600B / IBR650B
• IBR600C / IBR650C
• IBR350
• MBR1200B
• CBA850

NOTE: Routers used in default configuration were not exposed on their WAN interfaces. Routers were exposed to their Local Network, including the Guest LAN (if enabled).

NetCloud Manager has been patched for all its own affected services. Usernames and passwords are not at risk.


NetCloud OS Patch

6.4.2 (Available 10/30/17) – All products listed above

6.4.3 (Available 12/11/17) – IBR900/IBR950 – FIPS

Remote NetCloud OS Upgrades

For remote devices, Cradlepoint recommends using NetCloud Manager to upgrade NetCloud OS, manage networks intelligently, and avoid costly truck rolls. If you haven’t deployed NetCloud Manager, you can start a free 30-day trial of NetCloud Manager today.

Local NetCloud OS Upgrades

For information on updating NCOS locally on the Cradlepoint, please consult the articles below.

NCOS: Automatic NetCloud OS Update

NCOS: How to update the NCOS of a Cradlepoint router.


Interim Mitigation Until NetCloud OS Release

Because malicious tools could be used to obtain passwords during this period, Cradlepoint recommends the following steps to protect your network during the interim:

  1. Disable Guest Access via the NETWORKING > Local Networks > Local IP Networks tab.

Once NetCloud OS 6.4.2 or 6.4.3 is Available

  1. Upgrade to the latest NetCloud OS version.
  2. Re-enable Guest Access if it was disabled.
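To apply the patch table and the interim mitigation across a fleet, the following added example (not Cradlepoint code) triages an inventory against this advisory. The CSV columns and device rows are constructed, and it assumes that releases later than 6.4.2 / 6.4.3 keep the fix and that a FIPS IBR900/IBR950 counts as patched only from 6.4.3.

```python
"""Added example: triage a router inventory against the dnsmasq advisory."""
import csv
import io
import re

# Model families named in the advisory; the B and C variants of
# IBR600/IBR650 are matched by prefix.
AFFECTED = ("AER3100", "AER3150", "AER2100", "AER1600", "AER1650", "IBR1100",
            "IBR1150", "IBR900", "IBR950", "IBR600", "IBR650", "IBR350",
            "MBR1200B", "CBA850")
FIPS_MODELS = ("IBR900", "IBR950")
FIXED = (6, 4, 2)       # NetCloud OS release carrying dnsmasq 2.78
FIXED_FIPS = (6, 4, 3)  # FIPS release for IBR900/IBR950

# Constructed inventory; the column names are hypothetical, not an NCM export.
INVENTORY_CSV = """name,model,ncos,fips,guest_lan
store-014,IBR600C,6.3.2,no,yes
bus-221,IBR900,6.4.2,no,no
hq-fips-01,IBR950,6.4.2,yes,no
kiosk-7,CBA850,6.5.0,no,yes
lab-old,MBR1400,5.4.1,no,no
depot-3,AER2100,6.x,no,yes
"""


def parse_version(text):
    """Return (major, minor, patch) or None if the string is not x.y.z."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(row):
    """Classify one device and say whether Guest Access should be disabled."""
    model = row["model"].strip().upper()
    guest = row["guest_lan"].strip().lower() == "yes"
    if not model.startswith(AFFECTED):
        # The advisory names no fixed release for this model: flag for review.
        return {"status": "not-listed", "target": None, "disable_guest": guest}
    fips = row["fips"].strip().lower() == "yes" and model.startswith(FIPS_MODELS)
    target = FIXED_FIPS if fips else FIXED
    version = parse_version(row["ncos"])
    if version is None:
        status = "unknown-version"   # treat as unpatched until verified
    elif version >= target:
        status = "patched"
    else:
        status = "upgrade"
    return {"status": status,
            "target": ".".join(map(str, target)),
            # Interim mitigation: the exposure is on the LAN side, Guest LAN included.
            "disable_guest": guest and status != "patched"}


def triage_inventory(text):
    """Map device name -> triage result for a CSV inventory."""
    return {row["name"]: triage(row) for row in csv.DictReader(io.StringIO(text))}


if __name__ == "__main__":
    for name, result in triage_inventory(INVENTORY_CSV).items():
        print(name, result)
```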



Summary

Two new vulnerabilities that affect many modern microprocessors were published on January 3rd, 2018. These vulnerabilities could allow attackers to read the contents of memory used by other applications on the same server or even processes running in other virtual machines (VMs).

The first vulnerability, called Meltdown, affects only Intel CPUs and can be fixed with an operating system patch.

The second, called Spectre, affects CPUs from AMD and ARM. It requires a CPU design change and cannot be fixed in software.

Cradlepoint routers are not affected by either vulnerability.  However, Cradlepoint services like NetCloud Manager (NCM) and NetCloud Perimeter (NCP) run on servers that may be vulnerable.

What is it?

Both vulnerabilities are based on a CPU optimization called “speculative execution”. Both also require an attacker to install malware on the target system.

With Meltdown, an attacker — who can install and run a program on the target machine — can access the memory of all other programs running on that machine.

With Spectre, an attacker can “read” memory of other programs through indirect means.

For more information, please see

  1. https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html
  2. https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
  3. https://meltdownattack.com

The related CVEs are shown below:

CVE-2017-5715 (Spectre) “branch target injection” mitigated by CPU microcode update from CPU vendor
CVE-2017-5753 (Spectre) “bounds check bypass”
CVE-2017-5754 (Meltdown) “rogue data cache load” fixed with OS update

What Cradlepoint devices or services may be affected?

All NCM and NCP services run on cloud servers which may be affected. However, most NCM services run on multi-tenant servers and Cradlepoint’s primary cloud provider has patched their servers so that NCM is not vulnerable to Meltdown attacks running in other tenant spaces.

NCM could still be vulnerable to Meltdown exploits which manage to install malware on the NCM VMs. The operating system patch to fix Meltdown is expected to be released soon. Cradlepoint will then begin immediate execution of its plans to apply the patch to all NCM systems.

No Cradlepoint routers use CPUs vulnerable to Meltdown.

For Spectre, Cradlepoint does not support installing compiled applications on any routers with the Spectre vulnerability. An attacker would need to install malware that exploits certain CPU instruction patterns. Such patterns can only exist in compiled programs and Cradlepoint does not support compiling SDK apps.

Published Date: 01/08/2018



Cradlepoint Series 3 (103)


If you are unsure of the CradlePoint Series or Model Number, please click here.

This article was written based upon firmware version 5.0.0


Overview:

The router automatically logs (records) events of possible interest in its internal memory. You can define what types of events you want to view and the level of events to view. 


Directions:

Follow these steps prior to power cycling the device:

  1. Access the Setup Pages
  2. Click on the Status tab, then select System Logs
  3. Press the Save Log button
  • You will be prompted to save the log file. Note the path and file name.



If you are not sure what Series CradlePoint router you have, please click here.
This article was written based upon firmware version 5.0.0


A cellular modem displays “Suspended” or “CPPM failed: Carrier Reject” as its status and will not establish an internet connection when plugged into a Series 3 CradlePoint router, even though it works correctly when plugged into a computer.

  • Plug the cellular modem into the CradlePoint router.
  • Connect to your router via Wi-Fi or Ethernet, and access its administrative console. Click here if you are not sure how to do this.
  • Click on the Internet tab, and select Connection Manager from the dropdown.
  • Select your modem within the WAN Interfaces list by clicking on its name.
  • Once the modem is highlighted blue, click the Edit button above it.
  • Within the WAN Configuration window, click on the SIM/APN/AUTH Settings tab.
  • Choose the Manual option for the Access Point Name.
  • Enter the access point name (APN) provided by your cellular carrier and click Submit.
    • NOTE: A list of common access point names (APNs) is displayed within the help panel, and some additional options can be found here. If you are not sure which APN you should use, please contact your carrier.
  • Click OK in the confirmation dialog.
    • NOTE: After a new configuration has been submitted, the modem will reboot itself which will cause it to disappear briefly from the WAN Interfaces list before it tries to connect again.


If you are unsure of your CradlePoint Series or Model number, please click here.

This article was written based on firmware version 5.0.0


Overview:

This article is an explanation of the CradlePoint Hotspot Service features found in the MBR1400, CBR400, and IBR600. There are two modes for Hotspot Services: Simple and RADIUS/UAM. Simple Mode allows you to define Terms of Use and timeout settings controlled within the router. RADIUS/UAM mode allows setting up external/third party authentication servers along with their authentication data. This mode requires an account with a RADIUS/UAM provider such as HOTSPOTSYSTEM.com. An example of a HOTSPOTSYSTEM.com setup can be found here.

To enable the Hotspot Services feature:

  1. Log into the router’s setup page (login instructions).
  2. Click on the System Settings tab then Hotspot Services in the sub-menu.
  3. From the Hotspot Mode dropdown menu select Simple or RADIUS/UAM
  • Allow Service on 3G/4G Modems: allows you to enable or disable Hotspot access to the Internet over a modem. This is typically used if the router has a main wired link and a secondary modem for failover. Select this option if you want the router to allow data traffic over the modem if the wired connection goes down.  Must be checked if cellular is the only connection.
  • Disable Service if Ethernet Threshold is met: This can be used if the router is being used as a backup failover connection to another router with a wired connection. If that other router’s wired connection goes down and it starts using this router for its primary connection, then disable Hotspot use of the WAN connection.
  • Redirect HTTPS Requests: This allows initial requests to HTTPS websites to be redirected appropriately.


Simple Mode Setup:

  1. In the Simple Mode Settings section select one of the following: Internal Terms of Use, External Terms of Use, or No Terms of Use. Redirect Only.
  • Internal Terms of Use:
    1. Define your policy in the Terms of Use Text section.
    2. Select what you want to occur for the user after presentation of your policy in the Redirection on Successful Authentication dropdown.
    3. If “To an administrator-defined URL” was selected set the Redirect URL.
    4. Apply your changes.
  • External Terms of Use:
    1. Define your Terms of Use URL.
    2. Select what you want to occur for the user after presentation of your policy in the Redirection on Successful Authentication dropdown.
    3. If “To an administrator-defined URL” was selected set the Redirect URL.
    4. Apply your changes.
  • No Terms of Use. Redirect Only:
    1. Define your Terms of Use URL.
    2. Apply your changes.

RADIUS/UAM Mode Setup:

  1. Make your RADIUS settings as required by your RADIUS provider in the RADIUS Settings section.
  2. Make your UAM settings as required by your provider in the UAM Settings section.
  3. Apply your changes.



If you are unsure of CradlePoint Series or Model number, please click here.

This article was written based on firmware version 5.0.0.

Overview: 

Series 3 CradlePoint products with Wireless (WiFi) capability can connect to an available wireless network to use as an Internet (WAN) connection.

*NOTE* The AER 2100 will allow a WiFi as WAN connection on both the 2.4 and 5.0 frequencies; however, you can only use one as an active connection. The other will remain available until the primary WiFi as WAN connection drops.

Directions:

Newer CradlePoint firmware revisions include changes that allow connection to more types of wireless access points. It may be necessary to upgrade the firmware to a newer version (see How to upgrade my firmware).

  1. Log into the CradlePoint’s administrative console; the default location is http://192.168.0.1. Click here if you are unsure of how to access the administration pages.
  2. Verify Advanced Mode and not Basic Mode (CTR35 and MBR95 only).
  3. Click the Internet tab then select Wi-Fi-as-WAN.
  4. Next to Wi-Fi Client Mode click the Wi-Fi-as-WAN button (Dark gray means that Wi-Fi as WAN is enabled).
  5. Available wireless networks will begin to appear in the Site Survey section. It may take a moment for all nearby networks to appear.
  6. Select the desired Wi-Fi network then click Import.
  7. Enter the wireless network credentials in the window that displays.
  8. Click Submit to save settings.

Once saved, this wireless network will be available as a WAN Interface under the Internet > Connection Manager menu.  The failover priority for this Wi-Fi as WAN connection may be changed.  The higher the position on the list the higher the failover priority.

If you experience issues with WiFi as WAN, please see WiFi as WAN troubleshooting.




SUMMARY:

This document will guide you through creating an IPsec VPN tunnel between a Series 3 CradlePoint router and an Adtran NetVanta 3120 router.  The IPsec tunnel in this example assumes that the WAN sources attached to both routers are publicly routable and not behind a NAT.

This document was created using CradlePoint firmware 4.4.2 and Adtran NetVanta firmware R10.9.0.E, but should work similarly on other firmware versions for both devices.


REQUIREMENTS:

CradlePoint Series 3 router supporting IPsec

Adtran NetVanta 3120 (or other similar Adtran routers)

Public WAN sources attached to each router


EXAMPLE CONFIGURATION:

CradlePoint IBR600LE configuration:

WAN IP: 166.142.176.196

LAN IP: 192.168.0.1

Subnet: 255.255.255.0

Adtran NetVanta configuration:

WAN IP: 184.76.124.69   (obtained via DHCP)

LAN IP: 10.10.10.1

Subnet: 255.255.255.0

Your WAN IP addresses (and likely LAN IP networks) will be different than the examples used in this document. This example configures an IPsec tunnel between the routers so that hosts connected to the CradlePoint’s 192.168.0.0/24 LAN can access hosts on Adtran’s 10.10.10.0/24 subnet without any additional configuration.

Both the CradlePoint and Adtran device configuration begin from factory default settings.  The CradlePoint’s IPsec configuration in this guide is intended to be the most compatible with the default IPsec settings on the Adtran, but there are many other combinations that should work as long as both sides are configured with matching settings.

For more information about other IPsec options on the Adtran, please contact http://www.adtran.com for assistance.


CRADLEPOINT CONFIGURATION:

  1. After logging into the CradlePoint, click Internet > VPN Tunnels.
  2. At the Internet > VPN Tunnels page, click the Add button to create a new IPsec policy.
  3. Give the tunnel a name, and then enter “CradlePoint” as the Local Identity and enter “NetVanta3120” as the Remote Identity. Enter the same pre-shared key that will be entered in step 10 for configuring the Adtran. The Initiation Mode may be set to “On Demand” or “Always On,” depending on your needs. Click Next to continue.
  4. Under Local Networks, add the CradlePoint’s local network address and netmask for the network(s) that will be made available across the VPN. Click Next to continue.
  5. Under Remote Gateway, enter the public IP address (or host name if available) of the WAN interface of the NetVanta. Under Remote Networks, enter the “Network Address” and “Netmask” of the NetVanta’s private network that will be made available across the VPN tunnel. Click Next to continue.
  6. For IKE Phase 1, make sure that the settings match how the NetVanta is configured. In this example, to match the NetVanta’s settings, the Exchange Mode was changed to “Aggressive,” the “Key Lifetime” left at 28800, and all Encryption, Hash & DH Groups that were not configured on the Adtran have been unchecked. Click Next to continue.
  7. For IKE Phase 2, again make sure that the settings match how the NetVanta is configured. In this example, “Perfect Forward Secrecy” has been unchecked. The “Key Lifetime” has been increased to 28800, and like above the unused Encryption, Hash & DH Groups have been unchecked. Click Next to continue.
  8. For “Dead Peer Detection,” leave the settings at the default values and click Finish.
  9. At the “Tunnel Summary” screen, ensure that your settings are correct and click Yes to save the settings.
  10. At the VPN tunnels page, you will now see the new IPsec policy listed. Click Enable VPN Service to start the VPN service.
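Steps 6 and 7 depend on both routers offering the same Phase 1 and Phase 2 parameters. The check below is an added example, not CradlePoint or Adtran code: it compares two proposals for mismatches and for deprecated choices, using the NetVanta defaults this guide lists under ADTRAN CONFIGURATION. The dictionary layout, the hardened comparison values and the deprecation table are assumptions of the example.

```python
"""Added example: audit the IKE/IPsec proposals of two tunnel peers.

Reports (1) parameters the two sides cannot agree on, which the guide's
"make sure the settings match" steps are meant to prevent, and (2) deprecated
choices the two sides could end up negotiating. The deprecation table reflects
general industry guidance and is this example's assumption.
"""

# Parameters where a side may offer several values (checkboxes in the UI).
SET_FIELDS = ("encryption", "hash", "dh_group")

WEAK = {
    "encryption": {"DES": "56-bit key", "3DES": "64-bit block cipher, deprecated"},
    "hash": {"MD5": "deprecated hash"},
    "dh_group": {1: "768-bit MODP group", 2: "1024-bit MODP group"},
}

# Values the guide reports for the NetVanta wizard defaults.
ADTRAN_PHASE1 = {"exchange_mode": "aggressive", "encryption": {"3DES"},
                 "hash": {"MD5"}, "dh_group": {1}, "lifetime": 28800}
ADTRAN_PHASE2 = {"pfs": False, "encryption": {"3DES"}, "hash": {"MD5"},
                 "lifetime": 28800}

# Constructed alternative for comparison (hypothetical; the guide does not say
# which of these values a given firmware offers).
HARDENED_PHASE1 = {"exchange_mode": "main", "encryption": {"AES-256"},
                   "hash": {"SHA-256"}, "dh_group": {14}, "lifetime": 28800}
HARDENED_PHASE2 = {"pfs": True, "encryption": {"AES-256"}, "hash": {"SHA-256"},
                   "lifetime": 28800}


def negotiable(local, peer):
    """For each multi-valued field present on both sides, the shared values."""
    return {f: set(local[f]) & set(peer[f])
            for f in SET_FIELDS if f in local and f in peer}


def mismatches(local, peer):
    """Sorted names of the fields on which the two sides cannot agree."""
    bad = []
    for field in sorted(set(local) | set(peer)):
        a, b = local.get(field), peer.get(field)
        if field in SET_FIELDS:
            if not set(a or ()) & set(b or ()):
                bad.append(field)
        elif a != b:  # scalar settings (mode, PFS, lifetime) must be equal
            bad.append(field)
    return bad


def weak_findings(local, peer, auth="psk"):
    """Deprecated choices the two sides could actually end up using."""
    found = []
    for field, shared in negotiable(local, peer).items():
        for value in sorted(shared, key=str):
            if value in WEAK[field]:
                found.append(f"{field}={value} ({WEAK[field][value]})")
    modes = (local.get("exchange_mode"), peer.get("exchange_mode"))
    if modes == ("aggressive", "aggressive") and auth == "psk":
        found.append("exchange_mode=aggressive with a pre-shared key "
                     "(handshake exposes a PSK-derived hash to offline guessing)")
    if local.get("pfs") is False and peer.get("pfs") is False:
        found.append("pfs=off (phase 2 keys are derived from phase 1 key material)")
    return found


if __name__ == "__main__":
    # CradlePoint side as the guide configures it: a mirror of the Adtran.
    for label, local, peer in (("phase 1", ADTRAN_PHASE1, ADTRAN_PHASE1),
                               ("phase 2", ADTRAN_PHASE2, ADTRAN_PHASE2)):
        print(label, "mismatches:", mismatches(local, peer))
        for finding in weak_findings(local, peer):
            print("  weak:", finding)
    # Hardening only one side breaks the tunnel until the peer is changed too.
    print("one-sided change:", mismatches(HARDENED_PHASE1, ADTRAN_PHASE1))
```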


ADTRAN CONFIGURATION:

  1. After logging into the Adtran, click the Data tab.
  2. Under “VPN”, click the VPN Wizard link.
  3. At the wizard’s welcome page, click Next.
  4. Choose “Typical Setup” and click Next.
  5. In the “VPN Peer Description” field, enter a name for the remote CradlePoint, then click Next.
    • In this example, the VPN peer is named “CradlePoint”.
  6. In the “Public Interface” field, select the Adtran’s public WAN interface, then click Next.
    • In this example, the Public Interface selected is “Public (DHCP).”
  7. In the “Peer IP Address” field, enter the CradlePoint’s public WAN IP Address, then click Next.
    • In this example, the CradlePoint’s WAN IP is 166.142.176.196.
  8. In the “Remote Subnet” and “Remote Subnet Mask” fields, enter the private network behind the CradlePoint that will be made available through the tunnel, and then click Next.
    • In this example, the “Remote Subnet” is 192.168.0.0 and the “Remote Subnet Mask” is 255.255.255.0.
  9. In the “Local Network” page, select or manually enter the Adtran’s local network that will be made available through the tunnel, and then click Next.
    • In this example, the network “10.10.10.0/255.255.255.0” was chosen from the “Use Network From” drop-down.
  10. In the “Authentication Type” screen, choose Preshared Secret and enter a password that will be used on both sides of the tunnel.
  11. In the “Remote ID Type” field, choose Allow Any Remote ID.  It is also possible to use an e-mail address or IP address in this field if preferred, as long as both sides match.
  12. For the “Local ID Type,” leave it as “Domain Name”, leave the “Local ID Value” at the default value, and then click Next.
  13. At the “Confirm Settings” page, make note of the IKE & IPsec settings that the NetVanta chose by default.  The CradlePoint will need to be configured with matching settings.
    • In the example, the NetVanta is using IKE Phase 1 Aggressive mode, Encryption type 3DES, Hash type MD5, DH Group 1, with a key lifetime of 28800.
    • The IKE Phase 2 (IPsec) settings in the example are Perfect Forward Secrecy disabled, Encryption type 3DES, Hash type MD5, with a key lifetime of 28800.  Keep in mind that these are not the same as the default settings on the CradlePoint.
    • Other combinations will also work as long as the settings match on both the CradlePoint and the NetVanta.  Click Finish to save your VPN configuration.
  14. At the “Wizard Complete” page, click Exit to get back to the main NetVanta UI.

Cradlepoint Series 2 (49)

If you are unsure of your device’s CradlePoint Series or Model number, please click here.

This article was written based on firmware version 2.0.0 on a Series 2 CradlePoint.

Symptom:

The time and date need to be changed in the router.

Cause:

This feature is important if you are setting up rules in the router to function at certain times of the day. For example, schedules to filter the Internet during certain times of the day or schedules for when the router should send emails of your current log files.

Directions:

Follow these steps to set up the time and date.

1. Connect to a CradlePoint router. (for instructions on connecting a computer to a router click here.)

2. Log into the CradlePoint router at http://192.168.0.1 (for help accessing the setup pages click here.)

3. Once logged in select the TOOLS tab.

4. Next select TIME from the left hand side menu.

5. In the Time Configuration box set the Time Zone setting to your current time zone.

6. If you are in an area that uses daylight savings, make sure to check the Enable Daylight Savings box.

After entering the settings in the Time Configuration box, you can choose to have the router set the time automatically through the Internet or you can choose to set it manually. Below are the steps for each method.

Automatic via Internet

1. Check the Enable NTP Server box, and place a check in the Automatic Time Configuration box.

2. Select an NTP Server from the drop-down box that is in line with the NTP Server Used setting.

3. Select Save Settings at the top of the page and if prompted select the Reboot Now option.

The next time the router connects to the Internet it will automatically update your time and date on the router.

Manually

1. Make sure the Enable NTP Server and Automatic Time Configuration boxes are NOT checked.

2. In the Set the Date and Time Manually box, enter the settings for your current location, or click Copy Your Computers Time Settings to copy the settings from your computer’s current settings.

3. Select Save Settings at the top of the page and if prompted select the Reboot Now option.

The router is now set with your time and date settings.



If you are unsure of your CradlePoint Series or Model number, please click here.

This article was written based on firmware version 2.0.0.

Overview:

This article explains how to enable web access logging for connected clients.  Enabling web access logging will display the websites visited by a specified host on your network in the router’s logs.

Instructions:

Enabling Web Access Logging

  1. Log into the router’s administration page (login instructions).
  2. From the user interface, click on the ADVANCED tab.
  3. Click the ACCESS CONTROL link on the left.
  4. Check the box next to Enable Access Control.
  5. Click Add Policy.
  6. This will give you a list of steps to configure access control. Click Next.
  • Choose a unique name for your policy, and then click Next.
  • Choose a schedule to apply this policy, and then click Next.
  • Specify the client whose web access you want to log.  You can specify it by its IP address or its MAC address, or you can apply the policy to all connected devices by selecting “Other Machines.”
  • Click the OK button, then click Next.
  • Select the method for filtering.  To enable web logging only, select Log Web Access Only.
  • Click Save.

Once the settings are saved, you can view the web access log by clicking on the STATUS tab at the top of the configuration pages, then clicking the LOGS link on the left.



If you are unsure of your CradlePoint Series or Model number, please click here.

This article was written based on firmware version 2.0.0.


Overview:

This article describes how to enable Load Balancing on your Series 2 CradlePoint router.  This feature allows you to increase the data transfer throughput by using any connected modem interfaces consecutively.  Please see this article for a high-level explanation of CradlePoint’s Load Balancing implementation.
 

Directions:
 

  1. Log into the router’s setup page (login instructions).
  2. Click on the ADVANCED tab.
  3. Click on FAILOVER/LOAD BALANCE on the left sub-menu.
  4. Locate the WAN LOAD BALANCING section in the body of the page.
  5. From the Load Balance Mode drop-down menu, select ‘Enable load balance with any WAN interface’.
  6. Scroll to the top of the page and click the ‘Save Settings’ button, then reboot the router if prompted to do so.


Notes on Load Balancing:
 

  1. The wired WAN input is considered the primary interface, WAN 1; this cannot be changed.
  2. When load balancing is active, all configurable services will be associated with WAN 1. For example, if you have configured the router to accept connections on port 80 to be forwarded to a certain host, only WAN 1 will be affected.
  3. If the primary interface is disconnected, primary services will fail over to the next available interface.
  4. For dual-mode WiMAX/3G devices, only one mode will be allowed to connect at a time.
  5. Although a combination of multiple wired WAN, 3G WAN devices, and dual-mode 3G/4G WAN devices may be load-balanced together, a maximum of two dual-mode 3G/4G WAN devices may be load balanced at a time.  This is due to the high power consumption of the dual-mode 3G/4G WAN devices.



If you are unsure of your CradlePoint Series or Model number, please click here.

This article was written based on firmware version 2.2.1.

Description:

A Virtual Private Network (VPN) interconnects remote (and often geographically separate) networks through primarily public communication infrastructures such as the Internet.  This article explains how to set up a basic IPSEC VPN-terminated tunnel between two CradlePoint MBR1200 routers when the connections on both routers are configured with publicly routable IP addresses.

These directions assume that you are using a static IP address on both sides of the IPSEC tunnel.  If one or both routers are configured with a dynamic publicly routable IP address using a dynamic DNS service, use the dynamic DNS hostname instead of the static IP address and make sure that “Aggressive Mode” is checked.

For assistance configuring Series 3 CradlePoint routers, refer to “VPN setup example for static IP address connections,” “VPN setup example for dynamic IP address connections,” and “VPN NAT-T setup.”

Before getting started, first make sure that both CradlePoint routers are online and are properly obtaining static IP addresses from your ISP(s).  Additionally, you will need to make sure that the local networks of the routers do not match.  For example, if Router #1 is already set up using the default network of 192.168.0.1, you would want to change Router #2’s local network to use a different private network (such as 192.168.100.1 or 172.16.0.1).  For assistance changing the local IP address of the CradlePoint MBR1200 router, please refer to this article: How to change the router’s local IP address.

For maximum compatibility, we also recommend making sure that the firmware on both CradlePoint routers is upgraded to the most recent version.  The most recent CradlePoint firmware files can always be downloaded from http://www.cradlepoint.com/firmware.

Directions:

After verifying that both CradlePoint routers are online with routable static IP addresses, and after verifying that both routers have been configured on different local subnets, the directions below will help configure a VPN tunnel between the two routers.

This is an example setup where both routers have routable static WAN IP addresses.  Computer #1 is connected behind Router #1 and Computer #2 is connected behind Router #2.

Router #1 Setup
LAN IP address:                   172.16.20.1
LAN subnet mask:               255.255.0.0
WAN IP address:                  [the static IP address on router #1]
Computer #1:                        172.16.123.106

Router #2 Setup
LAN IP address:                   192.168.0.1
LAN subnet mask:               255.255.255.0
WAN IP address:                  [the static IP address on router #2]
Computer #2:                        192.168.0.199

A typical VPN tunnel between these routers would allow Computer #1 (and other computers getting addresses from Router #1) to be able to connect directly to Computer #2 (and other computers getting addresses from Router #2) using a secure tunnel across the unsecure public Internet.

Router #1 VPN configuration Steps:

1.    [Router #1] Log into the CradlePoint’s admin console on Router #1.

2.    [Router #1] Click “TOOLS” -> “IPSEC VPN”.

3.    [Router #1] Enter your IPSEC policy into the “ADD IPSEC POLICY” section.

Give the tunnel a unique (to that router) Name.

Leave the Remote Identity field blank.  The default settings for the Hash Algorithm, Cipher Algorithm, DH Group, and Phase 1 & 2 Key Lifetimes should work fine when connecting to another MBR1200.  Any other settings should also work as long as both sides are configured the same.

Choose a Pre-Shared Key for the IPSEC tunnel.  Both routers will need to have the same Pre-Shared Key.

If both routers connect to the Internet with static IP addresses, disable Aggressive Mode.  If one or the other router connects using a dynamic DNS hostname, leave Aggressive Mode checked.

Leave Perfect Forward Secrecy (PFS) and Dead Peer Detection enabled, and leave the timeout values below them as they are.

After entering your settings, click “Add Policy” to add the policy to the IPSEC POLICY LIST.

4.    Once your IPSEC policy has been added, click Save Settings at the top of the page, then click Reboot Now.

Router #1 is now configured to connect to the IPSEC VPN tunnel.  Now you will need to set up Router #2 with the corresponding settings.

Router #2 VPN configuration Steps:

1.    [Router #2] Log into the CradlePoint’s admin console on Router #2.

2.    [Router #2] Click TOOLS in the red bar, and then IPSEC VPN.

3.    [Router #2] Enter your IPSEC policy into the ADD IPSEC POLICY section.

Give the tunnel a unique (to that router) “Name.”

Again, leave the Remote Identity field blank.  The default settings for the Hash Algorithm, Cipher Algorithm, DH Group, and Phase 1 & 2 Key Lifetimes should work fine when connecting to another MBR1200.

Use the same Pre-Shared Key that you entered into Router #1.

If both routers connect to the Internet with static IP addresses, disable Aggressive Mode.  If one or the other router connects using a dynamic DNS hostname, leave Aggressive Mode checked.  Both routers will need to have the same setting.

Again, leave Perfect Forward Secrecy (PFS) and Dead Peer Detection enabled, and leave the timeout values below them as they are.

After entering your settings, click Add Policy to add the policy to the IPSEC POLICY LIST.


4.    Once the VPN tunnel has been configured and enabled, any traffic bound for the “remote network” will be sent across the VPN rather than being handled locally.  You can view the status of the IPSEC VPN tunnel at STATUS in the red bar, and then IPSEC VPN.

Note:

This example VPN shows how to make local networks available across a VPN.  If you need to have other local or public networks routed across the VPN, these networks will need to be added into the “Remote Gateway” settings for the router sending the traffic across the VPN.

For example, if the “Remote Gateway” in Router #2’s VPN configuration was changed from 172.16.0.0/255.255.0.0 to 0.0.0.0/0.0.0.0, this would force all Internet traffic coming from Router #2 to be sent across the VPN rather than being handled by Router #2’s WAN source.
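The conditions these directions depend on (local networks that do not overlap, identical settings on both ends, and the effect of widening the remote network to 0.0.0.0/0.0.0.0) can be checked before either router is touched, and the same comparison applies to the CradlePoint-to-NetVanta setup earlier on this page. The Python sketch below is an added example, not CradlePoint or ADTRAN code: the field names, `SAMPLE_POLICY` and the pre-shared key are constructed, the `LEGACY` advisory list is an addition, and the LAN addresses and NetVanta settings are the ones given in the two examples.

```python
import ipaddress
from dataclasses import dataclass, field

# Settings the directions say must be the same on both routers.
MATCH_FIELDS = ("hash", "cipher", "dh_group", "p1_lifetime",
                "p2_lifetime", "aggressive", "pfs", "psk")

# Advisory list (an addition, not from the page): legacy choices worth flagging.
LEGACY = {"hash": {"md5"}, "cipher": {"des", "3des"}, "dh_group": {1, 2, 5}}


@dataclass
class Side:
    name: str
    lan_ip: str
    lan_mask: str
    remote_network: str              # network this router sends into the tunnel
    policy: dict = field(default_factory=dict)

    @property
    def lan(self):
        # 172.16.20.1 with mask 255.255.0.0 becomes 172.16.0.0/16
        return ipaddress.ip_network(f"{self.lan_ip}/{self.lan_mask}", strict=False)

    @property
    def remote(self):
        return ipaddress.ip_network(self.remote_network, strict=False)


def preflight(a, b):
    """Return (severity, message) findings for a tunnel between sides a and b."""
    findings = []
    if a.lan.overlaps(b.lan):
        findings.append(("error", f"local networks overlap: {a.lan} and {b.lan}"))
    for near, far in ((a, b), (b, a)):
        if near.remote.prefixlen == 0:
            findings.append(("warn", f"{near.name} routes all traffic into the tunnel"))
        elif near.remote != far.lan:
            findings.append(("error", f"{near.name} remote network {near.remote} "
                                      f"is not {far.name}'s LAN {far.lan}"))
    for key in MATCH_FIELDS:
        left, right = a.policy.get(key), b.policy.get(key)
        if left != right:
            # Never echo the pre-shared key itself into a report.
            detail = "values differ" if key == "psk" else f"{left!r} vs {right!r}"
            findings.append(("error", f"{key} mismatch: {detail}"))
    for side in (a, b):
        for key, legacy in LEGACY.items():
            if side.policy.get(key) in legacy:
                findings.append(("warn", f"{side.name}: legacy {key} {side.policy[key]!r}"))
        if side.policy.get("aggressive"):
            findings.append(("warn", f"{side.name}: Aggressive Mode with a pre-shared key"))
    return findings


def goes_through_tunnel(side, destination):
    """True when traffic from `side` to `destination` matches its tunnel selector."""
    return ipaddress.ip_address(destination) in side.remote


def errors(findings):
    return [msg for severity, msg in findings if severity == "error"]


# Constructed sample policy (placeholder values, not CradlePoint's defaults).
SAMPLE_POLICY = {"hash": "sha1", "cipher": "aes", "dh_group": 14, "p1_lifetime": 28800,
                 "p2_lifetime": 3600, "aggressive": False, "pfs": True,
                 "psk": "constructed-example-key"}
# Settings the NetVanta wizard chose in the ADTRAN example on this page.
NETVANTA_POLICY = {"hash": "md5", "cipher": "3des", "dh_group": 1, "p1_lifetime": 28800,
                   "p2_lifetime": 28800, "aggressive": True, "pfs": False,
                   "psk": "constructed-example-key"}

ROUTER1 = Side("Router #1", "172.16.20.1", "255.255.0.0",
               "192.168.0.0/255.255.255.0", dict(SAMPLE_POLICY))
ROUTER2 = Side("Router #2", "192.168.0.1", "255.255.255.0",
               "172.16.0.0/255.255.0.0", dict(SAMPLE_POLICY))

if __name__ == "__main__":
    print(preflight(ROUTER1, ROUTER2))            # matching sides: no findings
    ROUTER2.policy = dict(NETVANTA_POLICY)        # one side left on other settings
    for severity, message in preflight(ROUTER1, ROUTER2):
        print(severity, message)
```

An "error" finding is a condition under which the tunnel will not come up or will not carry the intended traffic; a "warn" finding works but deserves a second look, such as the 0.0.0.0/0.0.0.0 selector described in the note above.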



If you are not sure what Series CradlePoint router you have, please click here.


Symptom:

I have forgotten or do not know the default password to the CradlePoint setup pages, or I have forgotten the default password for the “Internet Access Hosted By CradlePoint” page.
 

Cause

I just purchased my router, I need to log into the router’s administration pages, or I need to connect a new device to my router.


Resolution

The default password is the last six characters of the router’s WLAN MAC address (located on the bottom of the router).  The password is case sensitive; make sure the letters are lowercase and the zeros are zeros, not the letter “O”.

Your default admin and user login password is the last 6 characters of the MAC address listed on the product label of the router. This is also referred to as your “Administration Password”.  For example, the default password from the label shown below would be 092a60.  This password is not the PIN for the router; if you are being asked for a PIN when connecting to wireless, see the article on Windows Vista/7 asks for Pin.

productlabel-mac-address.jpg
Note:  Passwords are case sensitive and all letters must be entered as lowercase.

Note: Passwords are restricted to between 8 and 15 characters in length.

If the default is not working, you may need to reset the router.

CradlePoint routers are secure in two ways:

  • A unique default password is printed on the product label of every router.  If you have a PHS300, the product label is located underneath the battery in the battery compartment.  You will use this password to access the Administration pages to make configuration changes to your router.  You can change the default password in the SETUP WIZARD after first logging in with the last six characters of your MAC address.

 

  • Series 1 & 2 CradlePoint routers come with a firmware-enabled feature called Require User Login.  When this feature is enabled, the first time any new connected device opens a web browser, the user will be presented with the User Login screen.  The default password for the User Login is the same as your default password, which is the last six characters of the MAC address.  This page can be modified using BILLBOARD customization, and you can establish a custom password.  However, many WiFi-enabled devices do not have the ability to enter a password in a browser and won’t connect correctly.  How Do I Disable the User Login Feature?

Sierra Wireless Products (44)

Yes, the Sierra Wireless AirLink® GX-400 is RoHS Certified. The M2M modem is branded with an RoHS sticker, and USAT has a certificate of compliance on file from Sierra Wireless for the AirLink® GX-400 RoHS Certification (available on request). The certificate is a DECLARATION OF EUROPEAN UNION RoHS COMPLIANT PRODUCT, in which Sierra Wireless Inc certifies the products identified below to be “RoHS Compliant”:

Sierra Wireless AirLink® GX400 Modem

Restriction of Hazardous Substances (RoHS) compliant means that the product conforms to the requirements of the European Union’s directive on the restriction of the use of hazardous substances in electrical and electronic equipment, 2002/95/EC (the RoHS directive), which limits the content of the following substances:

  • Lead (Pb)
  • Mercury (Hg)
  • Cadmium (Cd)
  • Hexavalent Chromium (Cr6+)
  • Polybrominated biphenyls (PBB)
  • Polybrominated diphenyl ethers (PBDE)

Hexavalent chromium is used in primers, chrome coatings and chrome plating.

PBB and PBDE are used in plastics as flame retardants.

The RoHS directive is with respect to any homogenous components used in the product as shipped by Sierra Wireless, in its entirety.

The RoHS directive is vitally important for USAT’s clients in the European Union, global carrier partners such as Vodafone and AT&T, as well as North American enterprises with sales and offices in Europe. RoHS is also an environmental sustainability directive which USAT is proud that our suppliers, such as Sierra Wireless, support.



No. While the GX440 LTE device does use an APN, that APN will be automatically loaded into the device by the Verizon Wireless network at the time of initial device provisioning.

 



The Sierra Wireless GX400 and GX440 have two visible Ethernet LEDs on the rear panel:

  • Left LED (Activity) – Blinks Yellow when there is activity
  • Right LED (Link Speed):
    • Green – 100 Mbps
    • Orange – 10 Mbps



The Sierra Wireless GX400 and GX440 have an additional antenna port for Rx Diversity. Rx Diversity is designed to improve the quality of the downlink signal by essentially enabling the device to “choose” the best available signal. Rx diversity has been shown to improve signal quality. However, many customers decide to forgo the expense of the 2nd antenna and rely on one Rx signal. Rx Diversity is set to “ON” by default in ALEOS, but if you decide not to use a 2nd antenna it’s vital to change the ALEOS setting for Rx Diversity to “OFF”. This setting can be found under the “WAN/Cellular” tab in ACEmanager 4.0.

The GX440 (LTE) utilizes 2×2 MIMO technology. MIMO stands for Multi-In/Multi-Out and is designed to improve the cellular signal and quality on both the downlink and uplink. MIMO for LTE works differently than Rx Diversity in that it utilizes 2 distinct Tx and Rx signals which are intelligently combined to increase throughput where signal multipath is available. MIMO will increase throughput in areas where interference would otherwise cause throughput degradation. Our recommendation is that 2 antennas be used for optimal performance. A single antenna may be used; however, with one antenna you will not receive full MIMO benefits and your antenna performance may not be optimized. It is up to the user to determine if two antennas are beneficial, as multipath is determined by local topology. There is no option to turn MIMO off in the GX440 since MIMO is a requirement of LTE.

Please contact your USAT Sales Manager for help identifying your best antenna options and to learn more about our custom cable assemblies and jumpers.



The SIM slot is located on the front left (as you are looking at the side with the lights and the reset button) behind the plastic cover. To access the SIM slot on the device you must remove the plastic cover with a 2mm or 5/64″ hexagon Allen wrench. Install the SIM card with the gold contacts facing down and the cut-out facing to the right. The GX400/440 also includes a SIM lock-down feature to prevent the SIM from moving during extreme vibration. The cover has a tab to mechanically secure the SIM in place during extreme vibration. When replacing the cover, first place the front into the lip and push back to make sure the four holes are aligned before screwing the bolts back in place.

 

Digi Products (3)

Firewall concerns:
Firewalls (and the IT security people that maintain them) are generally concerned with protecting a location’s Local Area Network from unauthorized use – both from traffic coming at the network from the outside world, and traffic from within the local area network going outward.  A Remote Management-capable Digi product falls into the latter category, because the Digi device creates an outbound TCP socket connection to the Device Cloud or Remote Manager server.  This EDP (easy device protocol) socket connection is the tunnel through which data gets pushed from your Gateway to the Device Cloud, so that data can be accessed from anywhere in the world.

The following article describes:

  • The IP socket connections used when a Digi RF Gateway, TransPort Router, or EDP-capable device (using Digi Cloud Connector) makes a Remote Management connection to Device Cloud or Remote Manager
  • How to determine the IP address in use for a given Device Cloud or Remote Manager DNS name

Locations where it is likely that Firewall Rules will be needed:

Those who are trying to connect to Device Cloud or Remote Manager from a location which has strict outbound firewall rules will especially need the guidance found within this article.  Some likely examples for this type of network security environment include:  Government offices/buildings and institutions, Schools, Universities, and some Businesses (especially ones that do government contract work).

 

What network port(s) does a Gateway or Connect-capable device use to connect to Device Cloud?

By default, the TCP and/or UDP port(s) your Device Cloud-capable Gateway or device uses to connect with Device Cloud will depend in part on the age/default configuration of your Gateway, the device’s configuration, as well as the particular model.

TCP Port 3197:  The outbound EDP/non-SSL (non-secure) socket connection from NDS-based products like the ConnectPort X2 / X4 / X5 / X8 Gateways, and ERT/Ethernet Gateway (especially if the product has older firmware), which may still be configured to create an unencrypted Device Cloud socket connection.

Note:  If possible, the firmware of older products should be updated so that the Device Cloud configuration settings can be changed to use SSL socket connections into the Device Cloud instead (see next entry below).

TCP Port 3199:   The outbound EDP/SSL (secure) socket connection from NDS-based products like the ConnectPort X2 / X4 / X5 / X8 Gateways, and ERT/Ethernet Gateway with newer firmware which are configured to create a secure SSL socket connection into Device Cloud.  Required on ALL Linux-based Gateways, examples:  XBee Gateway ZB and ConnectPort X2e for Smart Energy.  Can also be required if the Device Cloud account is configured to accept SSL connections only (new Device Cloud option as of version 2.16).

UDP Port 53:  Outbound DNS (Domain Name Service) name recognition service, i.e. translates the my.devicecloud.com name for Device Cloud connectivity.

Note:  DNS service is not a requirement.  If access to DNS service is not allowed or possible from your network, the device’s remote connectivity address would need to use the IP address of my.devicecloud.com (52.73.23.137), rather than the DNS name itself (see below under What IP address is needed for outbound Firewall rule(s)? for more details).

UDP Port 123:  The outbound socket connection to an NTP (time) server is required for ALL Linux-based Gateways such as the XBee Gateway and ConnectPort X2e, as well as  gateways and devices configured for NTP time management.

Important Note for all XBee and ConnectPort X2e Gateways (and Gateways configured for NTP Time Management)

The XBee Gateway and ConnectPort X2e are Linux-based gateways which require outbound access to UDP port 123 (NTP) in order to generate the secure (SSL) TCP socket connection into Device Cloud.  Any Gateways which are configured for NTP time management will have this requirement as well, since the Gateway connects to an NTP server in order to keep an accurate date/time.

If your XBee (or CP-X2e) Gateway is added to your Device Cloud account but never shows up in a Connected state, check to ensure that outbound NTP access is available for the Gateway through your local network Firewall.  ConnectPort X2 and X4 gateways would still connect to Device Cloud (assuming TCP port 3199 isn’t blocked), but the Gateway might show an epoch 1970-based date/time if no other Time Sources are configured.

What IP address is needed for outbound Firewall rule(s)?

The best way to determine that is to do an nslookup of the DNS name for the Remote Management server you want your device(s) to connect to.  As of the date of this article (6/16/2015), here is how this looked from my Windows 7 command line (Start – Run – CMD) prompt when doing an nslookup of our various Remote Management and NTP ring servers:

Digi Device Cloud and Remote Manager device connectivity address:

C:\>nslookup my.devicecloud.com

Name:    my.devicecloud.com
Address:  52.73.23.137

Past Device Cloud connectivity addresses which may still be in use on devices (all device configurations should be updated to use of the my.devicecloud.com address, then re-connected to the server at the new address):

devicecloud.digi.com
login.etherios.com
my.idigi.com
app.idigi.com

devicecloud-uk.digi.com
login.etherios.co.uk
my.idigi.co.uk

Digi Primary NTP Time Server Ring addresses:

C:\>nslookup time.devicecloud.com

Name:     time.devicecloud.com
Addresses:  52.25.29.129, 52.2.40.158

Secondary/Tertiary NTP Time Server addresses for pool usage:

C:\>nslookup 0.time.devicecloud.com

Name:     0.time.devicecloud.com
Addresses:  52.2.40.158

C:\>nslookup 1.time.devicecloud.com

Name:     1.time.devicecloud.com
Addresses:  52.25.29.129

Deprecated NTP/Time server addresses which may still be in use on devices (all devices should be updated to use time.devicecloud.com within their configuration):

time.digi.com
time.etherios.com

time.etherios.co.uk
0.idigi.pool.ntp.org
1.idigi.pool.ntp.org
2.idigi.pool.ntp.org

Making the Firewall Rules:

If the IP address of the DNS name ever changes (before this article is updated to reflect it), a Windows CLI command can be used to determine the IP address of our server:

nslookup <DNS name of server>

The Name and Address fields will be the DNS name and IP address for the Remote Management or Time server listed.  Your firewall rule will need to allow access for the appropriate network port used based on your Gateway’s Device Management configuration, as well as UDP port 123 if NTP Time Management is in use.

Important Note regarding deprecated DNS names:

If your Gateway is configured to use an idigi.* or etherios.* DNS name, it should be re-configured to use the my.devicecloud.com URL at your earliest convenience. You will need to create firewall rules for all IP addresses/ports used, for all Remote Management and Time (NTP) DNS server names used within your device.
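The port and address guidance in this article can be turned into a reviewable rule list per device. The Python sketch below is an added example, not Digi code: the `Device` fields, the `render` text format and the 10.1.1.x source and DNS addresses are constructed, and the destination addresses are the ones from the nslookup output above, which should be re-checked with nslookup before use.

```python
from dataclasses import dataclass

# Addresses from the nslookup output in this article (dated 6/16/2015), embedded so
# the example runs offline. Re-run nslookup and replace them before building rules.
RESOLVED = {
    "my.devicecloud.com": ["52.73.23.137"],
    "time.devicecloud.com": ["52.25.29.129", "52.2.40.158"],
}

# DNS names the article lists as past or deprecated.
DEPRECATED = {
    "devicecloud.digi.com", "login.etherios.com", "my.idigi.com", "app.idigi.com",
    "devicecloud-uk.digi.com", "login.etherios.co.uk", "my.idigi.co.uk",
    "time.digi.com", "time.etherios.com", "time.etherios.co.uk",
    "0.idigi.pool.ntp.org", "1.idigi.pool.ntp.org", "2.idigi.pool.ntp.org",
}


@dataclass
class Device:
    source_ip: str                   # constructed LAN address of the gateway
    linux_based: bool                # XBee Gateway, ConnectPort X2e
    use_ssl: bool = True             # EDP over SSL (TCP 3199) or plain EDP (TCP 3197)
    ntp_managed: bool = False        # configured for NTP time management
    cloud_host: str = "my.devicecloud.com"
    ntp_host: str = "time.devicecloud.com"
    dns_servers: tuple = ()          # empty when the device is configured with an IP


def outbound_rules(dev, resolved=RESOLVED):
    """Return (rules, warnings); a rule is (source, protocol, destination, port)."""
    rules, warnings = [], []

    def addresses(host):
        if host in DEPRECATED:
            warnings.append(f"{host} is deprecated; reconfigure the device")
        found = resolved.get(host, [])
        if not found:
            warnings.append(f"no address known for {host}; run nslookup {host}")
        return found

    if dev.linux_based and not dev.use_ssl:
        warnings.append("Linux-based gateways require TCP 3199; using SSL")
    edp_port = 3199 if (dev.use_ssl or dev.linux_based) else 3197
    if edp_port == 3197:
        warnings.append("TCP 3197 is unencrypted EDP; update firmware and switch to SSL")
    for ip in addresses(dev.cloud_host):
        rules.append((dev.source_ip, "tcp", ip, edp_port))

    # DNS is optional: only needed when the device is configured with a host name.
    for server in dev.dns_servers:
        rules.append((dev.source_ip, "udp", server, 53))

    # NTP is required for Linux-based gateways and for NTP time management.
    if dev.linux_based or dev.ntp_managed:
        for ip in addresses(dev.ntp_host):
            rules.append((dev.source_ip, "udp", ip, 123))
    return rules, warnings


def render(rule):
    """Vendor-neutral text form of a rule, for review before entering it in a firewall."""
    source, proto, destination, port = rule
    return f"allow outbound {proto} {source} -> {destination}:{port}"


if __name__ == "__main__":
    gateway = Device("10.1.1.50", linux_based=True)
    rules, warnings = outbound_rules(gateway)
    for rule in rules:
        print(render(rule))
    for warning in warnings:
        print("warning:", warning)
```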



Cloud services can be used for applications built around Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS).

Digi International has a platform called iDigi. iDigi is a cloud platform for both device network management and for data management. The iDigi Device Cloud is designed using a high-availability architecture, with redundancy and failover characteristics. It is a highly scalable system that can host single units to tens of thousands of Digi devices. It also has web services APIs for secure application integration and data messaging. iDigi device clouds are located in Chicago and in London and you can select to which cloud your data is subscribed.

Device management also includes the ability to send commands to remote devices. Standard web service calls are available to manage traditional device settings. An optional Server Command Interface / Remote Command Interface (SCI/RCI) mechanism is available for any custom device or application commands that may be required.

iDigi Manager Pro is a pay-as-you-go model, starting at $1.59 per registered device, per month. Sending data to and from the iDigi Device Cloud is billed on a transactional basis and is available at different usage levels. Data is managed through iDigi, which means that iDigi provides a collection point of data. iDigi is not a (long-term) data storage solution: Digi Dia data is stored for 1 day, and iDigi files are stored for 7 days.



Unlike the ConnectPort WAN, the serial ports on the standard builds of the Digi Transport line are DTE, not DCE; this means that a null modem cable should be used instead of a cross-over cable.

Null modem is a communication method to connect two DTEs (computer, terminal, printer etc.) directly using an RS-232 serial cable. The name stems from the historical use of the RS-232 cable to connect two teleprinter devices to modems in order to communicate with one another; null modem communication was possible by instead using RS-232 to connect the teleprinters directly to one another.

Digi Transport (18)

1)  Log into the WebUI, and navigate to Configuration – Network > IP Routing/Forwarding > IP Port Forwarding/Static NAT Mappings.

NOTE:  Use the below screenshot as a reference for steps 2-5

User-added image

2)  Fill in the Minimum and Maximum TCP/UDP ports the TransPort should listen on.  These can be the same port if only 1 port is being passed through, or a range of multiple ports if those are needed to pass through.

3)  Fill in the IP address of the LAN device the connection needs to get to.

4)  Fill in the TCP/UDP port of the LAN device the connection needs to get to.  Click Add when finished.

5)  Click Apply and Save the settings.

NOTE:  A reboot may be necessary at this point in time for the rules to take effect.

6)  Navigate to Configuration – Network > Interfaces > Mobile.

7)  Expand Mobile Settings, and change the NAT option to IP address and Port as shown in the screenshot below:

User-added image

8)  Click Apply and Save the changes.



For most TransPort models, the PPP 1 interface is the default cellular WAN interface.  If needed, an Ethernet interface may be used instead for WAN connectivity, for example, to connect to a separate non-cellular modem via Ethernet for Internet access.

Generally, all that needs to be done for this to work is to change the Interface of the Default Route to the Ethernet port and to enable NAT on the Ethernet WAN port.

To change the Interface of the Default Route to the Ethernet port, from the TransPort’s web interface, navigate to Configuration – Network > IP Routing/Forwarding > Static Routes > Default Route 0, and then change the “Default Route 0” Interface from PPP 1 (or whatever it currently is) to the appropriate Ethernet port, for example Ethernet 0.

For the vast majority of applications, enable NAT on the Ethernet WAN port.  In this “Ethernet as a WAN” scenario, NAT should only be disabled on the Ethernet WAN port in certain circumstances, for example, when using a private APN (and even then it may still need to be enabled).  To enable NAT on the Ethernet WAN port from the TransPort’s web interface, navigate to Configuration – Network > Interfaces > Ethernet > ETH x* > Advanced, and then check “Enable NAT on this interface”.  *Select the appropriate Ethernet port that’s being used for WAN (usually Eth 0 but not always).  Optionally check the option to enable NAT for “IP address and Port” instead of just “IP address” to avoid any potential Port Forwarding issues in the future.

Notes:

  • If the TransPort has multiple Ethernet ports, consider either enabling Port Isolate mode or utilizing Hub Groups.  Using an Ethernet port as the WAN interface will work without enabling Port Isolate mode or utilizing Hub Groups, but there are considerations.  If using the default Hub Mode instead of Port Isolate mode, traffic will route out of a single Ethernet port, for example Eth 0, and respond on that same port.
    • To enable Port Isolate mode from the TransPort’s web interface, navigate to Configuration – Network > Interfaces > Ethernet > ETH 0 > Advanced, and then click the “Switch to Port Isolate mode” button, unless the device is already in Port Isolate mode.
    • A Hub Group can alternatively be utilized by putting the WAN Ethernet port (Eth 0 for example) in a Hub Group that’s separate from the other ports.
    • For more information about Hub Mode vs. Port Isolate mode, and Hub Groups, please review the TransPort User Guide:  http://ftp1.digi.com/support/documentation/90001019.pdf
  • Be sure the TransPort’s Ethernet IPv4 port settings are configured correctly, to match the Ethernet-attached device.
  • Be sure to Apply any configuration changes, save the configuration, and then Reboot the TransPort.
  • WAN failover between Ethernet and Cellular may also be desired.  Please reference Quick Note 53 for information on this type of failover scenario.



Debug output is usually obtained through the serial port (ASY0) or via telnet on the router (not SSH).

The options are:
“debug 0”   ->   ASY0
“debug 1”   ->   ASY1
“debug t”   ->   TELNET

To obtain debug output through SSH, connect to the router via an SSH client and log in.

Now, from the command line, run the CLI command “TELNET 127.0.0.1” and log in.

Now you can send the debug output to the Telnet port by running the CLI command “debug t” to see the debug output.

The following is an example in which IKE debug is enabled with level 4 (very high) and an IPsec VPN is removed:

NB: To be sure to have all the debug output without losing old logs, make sure that the scroll line limit of the SSH client is high (for example 2000). In PuTTY, for example, go to Change settings > Window to change the “Lines of scrollback” value.



Digi TransPort RJ45 Serial Port to Cisco RJ45 Console Port – Cable Pinout

TransPort       Cisco
Pin 1 – RTS     Pin 1 – RTS
Pin 2 – DTR     Pin 2 – DTR
Pin 6 – Tx      Pin 3 – Tx
Pin 7 – DCD     Pin 4 – DCD
Pin 5 – GND     Pin 5 – GND
Pin 3 – Rx      Pin 6 – Rx
Pin 4 – N/A     Pin 7 – DSR
Pin 8 – CTS     Pin 8 – CTS



Recommendations

It is recommended that a switch be used between the PC that will be uploading the files to the TransPort and the TransPort itself. Issues may occur in the file transfer and/or IP addressing if a switch is not used, and the process will need to start over to recover the TransPort.

Recovery Process

1) FlashWriter will first need to be downloaded and installed. You can download the latest version of FlashWriter from the Digi support site under the TransPort family of products:
http://www.digi.com/support/

2) The proper firmware file will also need to be downloaded to the local PC. Download the FlashWriter version of the firmware file with the .zip file extension from the Digi Support site at the below link:

http://transport.digi.com/digi/firmware/

NOTE: If you are unsure which firmware file to use, please contact Digi Technical Support for further assistance.

3) Extract the downloaded .zip file, which will give you the .all and .ini files needed to perform the upgrade.

4) Launch FlashWriter to view the first screen below, using the options shown below:

5) Click Advanced in the upper left corner, and choose Set remote TFTP IP address. (With the most recent version of FlashWriter you will not need to perform steps 5 and 6.)

6) Fill in a temporary IP address that will be used on the Digi TransPort and click OK, as shown in the image below:

7) Set a Static IP address on your PC that falls within the same subnet range as the temporary IP address that was assigned to the TransPort. Using the example IP above, the PC could be set to an IP address of 192.168.1.100/24.

8) Once the IP addresses have been set on both the PC and in FlashWriter, click the Load button. Click Yes on the first warning pop-up to continue.

9) Fill in the serial number of the TransPort and click OK. This number can be found on the label on the bottom of the device:

10) A prompt for the location of the .all file will then pop up. Click OK and browse to the file on the PC’s hard drive.

11) After choosing the .all file, FlashWriter will ask you to choose the module type that is installed in the TransPort. Choose the appropriate module from the drop down list, and click OK.


12) Depending on the size of the firmware file, this may take a few minutes to complete the process. Once completed, a message should appear at the bottom of FlashWriter indicating so, as shown in the image below:

13) After the process completes, the TransPort will reboot itself and be back to factory defaults with the latest firmware installed.



Digi Remote Manager (5)


Remote Manager uses tags to categorize devices.  You may want to edit the tags associated with a device if the purpose of a device changes or if you use tags to create a new sub-category of devices. Device tags are stored in Remote Manager and not on the device.

To add a tag to a device:

  1. Click Device Management > Devices.
  2. Select the device you want to update.
  3. Click More > Edit Tags. The Edit Tags dialog appears.
  4. Enter the name of a tag in the text box and click Add Tag.
  5. Click Save. The new tag is associated with the device.

To edit tags for a device:

  1. Click Device Management > Devices.
  2. Select the device you want to update.
  3. Click More > Edit Tags. The Edit Tags dialog appears.
  4. Click the tag name you want to edit. The tag name appears in the text box.
  5. Edit the tag name as needed and click Change Tag.
  6. Click Save. The new tag is associated with the device.

To remove a tag from a device:

  1. Click Device Management > Devices.
  2. Select the device you want to update.
  3. Click More > Edit Tags. The Edit Tags dialog appears.
  4. Click the red X under action to delete the corresponding tag under Stream Name.
  5. Click Save. The new tag is associated with the device.



The groups feature allows you to add or create a group and assign a list of devices to that group. You can create a hierarchical structure of device groups to help organize your device inventory.

To create a group

  1. Click Device Management > Devices.
  2. Click the Groups button and select Add Group. The Add Group dialog appears.
  3. Type a group name.
  4. Choose the folder where you want to place the new group. The default is the root level.
  5. Click the Add Group button. The group name appears in the folder structure under the root directory in the left pane.

To add a device to a group
You can add one or more devices to a device group, and can add up to 500 devices to a group at one time.

  1. Click Device Management > Devices.
  2. Select the device(s) you want to add to a group:
     • Click any device list item to select that device.
     • Use Control-click or Shift-click to select multiple devices or a range of devices.
  3. Click More in the Devices toolbar and select Assign to Group from the Organize category. The Add to Group dialog appears.
  4. Choose a group from the drop-down list.
  5. Click Assign to Group. The devices are added to the selected device group.

To move/remove a device from a group

  1. Click Device Management > Devices.
  2. Click a group name in your list of device groups you wish to remove the device from.
  3. Select the device(s) you want to remove from a group:
     • Click any device list item to select that device.
     • Use Control-click or Shift-click to select multiple devices or a range of devices.
  4. Click More in the Devices toolbar and select Assign to Group from the Organize category. The Add to Group dialog appears.
  5. Choose a group from the drop-down list.  You may also select the “/” to move it to the root directory.
  6. Click Assign to Group. The devices are added to the selected device group or root.

To edit device group properties
You can edit device group properties, including the group name and its parent in the groups hierarchy.

  1. Click Device Management > Devices.
  2. Click a group name in your list of device groups.
  3. Click Groups and select Edit Group from the drop-down.
  4. Make changes to the group name and location as needed.
  5. Click Edit Group to confirm your changes.

To remove a device group
Removing a device group removes the group itself and moves all devices in that group to the parent level in your device list.

  1. Click Device Management > Devices.
  2. Click to select the device group you want to remove from the device hierarchy in the left panel under Groups.
  3. Click Groups and select Remove Group from the drop-down. A confirmation dialog appears asking you to confirm that you want to remove that group.
  4. Click Yes to confirm. The group is deleted and any devices in that group move to the parent level in your device hierarchy.

To show or hide device groups
This feature will allow you to toggle the Groups display to hidden or visible.

  1. Click Device Management > Devices.
  2. Click the Show/Hide Groups button on the far left side of the Devices toolbar.



This article describes how to configure Digi Device Cloud or Digi Remote Manager to send an E-Mail notification when a device goes offline.

Note: This article assumes that you have already created a Digi Device Cloud account or a Digi Remote Manager account, that your device is configured to connect to the cloud and added to your account.

Guidelines for NDS devices (Digi Connect WAN 3G, ConnectPort X, etc.) can be found here: Configure a Digi Connect WAN or ConnectPort Gateway for Device Cloud connection

Guidelines for Digi TransPort can be found here: Configuring a Digi TransPort for Remote Manager connectivity

Guidelines for adding a Digi device to the Digi Device Cloud or Remote Manager platform can be found here: Adding a Digi Device to the Digi Device Cloud or Remote Manager Platform, and here: Add a Digi TransPort to your Remote Manager account

Create an Alarm

1. Log into your Digi Device Cloud or Digi Remote Manager account.
2. Click on the Device Management tab.
3. Click on the Alarms tab.
4. Click on the Add button.

The Add Alarm window will open.

1. Select Device Offline in the Alarm Type drop down menu.
2. Choose a name for the Alarm. (default is Device Offline)
3. Choose a description for the Alarm. (default is Detects when a device disconnects from Device Cloud and fails to reconnect within the specified time)
4. Choose how long the cloud should wait before firing an alarm. (The default is 5 minutes. This is recommended for cellular devices, which can sometimes lose network connectivity due to bad reception, as it allows them to reconnect.)
5. Resets when device reconnects will allow the alarm status to be reset as soon as the device reconnects to the cloud.
6. Choose the Scope of the alarm. It can be per group or per device. Per Group allows you to select the root directory (in this case the alarm will be applied to all devices on this account) or a single group.
7. Click Create to create the Alarm.

Create an E-Mail Notification

1. Navigate to Admin Account Settings > Notifications
2. Click on the Add button.

1. Choose a name for the Notification.
2. Choose a Description for the notification. This will be shown in the “Subject” field of the E-Mail.
3. Choose an E-Mail address to send the notification to.
4. Select if you wish to receive a daily summary of your alarms and at which time.
5. Check this box to receive an E-Mail notification each time an alarm triggers (each time a device goes offline, this will trigger an alarm, which in turn will trigger an E-Mail).
6. Select “Send notification for the following alarms” and in the box, type the name of the previously created alarm, by default “Device Offline”, and press Enter.
7. In the list, choose the previously created alarm and click on the “+” icon.
8. Click Save.

Testing

To test that the Alarms and notification are working, simply disconnect/turn off one of your devices that is monitored by this alarm. After the selected delay elapses, the alarm should fire and you should receive an E-Mail similar to this one:



Introduction:

This article will discuss how to configure your Digi TransPort router for use with Remote Manager by utilizing the built-in Web User Interface (WebUI) of the Digi TransPort itself.

Changing the Remote Manager connection settings from the WebUI

The Digi TransPort WebUI can be accessed locally via the local IP address (LAN or WAN), or the Cellular Mobile IP address (provided your cellular account is one which supports Mobile Termination, and that you left a pinhole for HTTP or HTTPS through which to get to the WebUI if configured for IP Passthrough).

If you know the Mobile IP address and have met the conditions above, you should be able to open the TransPort’s WebUI by opening a browser to the Mobile IP of your TransPort at this time, but keep in mind that accessing the TransPort WebUI via the Local IP is preferred if available, since it doesn’t affect your cellular bill, is faster, and generally less prone to connection loss.

If you can get to the Local IP of the TransPort (this is an Ethernet or Wi-Fi connected TransPort and you’re at that location), you should access the TransPort’s WebUI using the Local IP address instead. The Digi Device Discovery Tool for Windows can be used to discover the Local IP address of the TransPort, if unknown. If you run the Device Discovery Tool and see a “No devices found?” message, and you’ve verified your TransPort is both powered on and has a solid Link LED present, you may want to check this article for Digi Device Discovery Troubleshooting Tips.

Assuming you can access either the Mobile (WAN) or Local (LAN) IP address and are now looking at the Web User Interface of your Digi TransPort:

1. Open Configuration -> Remote Management -> Remote Manager on the WebUI, then click the check box for “Enable Remote Management and Configuration using Remote Manager”. It should look similar to this:

2. On the page above, from the drop down menu, select the desired Device Cloud server: remotemanager.digi.com for the US Cloud or remotemanager-uk.digi.com for the EU Cloud.

3. Ensure the “Automatically reconnect to the server after being disconnected” box is checked as shown in the example, and configured with the 10 second value listed (or a reasonable alternative), as this is the box that tells your router to re-connect to the Remote Management server, should the connection get broken for some reason.

4. Apply any changes by clicking the Apply button, when configuration is complete.

5. Click the blue “here” link to save the configuration, as shown below:

6. Click the “Save All” button from the ensuing page and you should get a message saying “The configuration has been saved successfully!”, then click the OK button.

7. After a minute or so, you should see that your Transport has established (i.e. state = ESTAB) a Remote Management connection to the Remote Manager server by viewing the Management -> Connections -> IP Connections page under the “General Purpose Sockets” listing towards the bottom:

In Closure: If all went well, your Digi TransPort should now be “Connected” on the Remote Manager server you selected in step 1 above.



Adding your Digi TransPort to Remote Manager

  1. Log into your Digi Remote Manager account.
  2. Click on the Device Management tab.
  3. Click on the Add Devices button on the tool bar.

  4. Add the Digi TransPort by either discovering it locally, or manually adding the Device ID, using either of the two methods described below:

Discovery method:

  1. After hitting Add Devices (step 3 above), click the Discover >> button.

  2. Click the Discover button on the 2nd Add Devices screen.

  3. Select the Digi TransPort to be added, and click OK.

Manual method:

  1. After hitting Add Devices (step 3 above), click the dropdown which defaults to MAC Address, and select Device ID instead.

  2. Populate the entry field to the right of Device ID with the Device ID of your Digi TransPort.  This can be obtained from the Digi TransPort WebUI Home page if needed.

  3. Click the Add button, then click OK.

Your Digi TransPort should now be added to Remote Manager:

After your device is added, it should show up in the list of devices as disconnected (a Red icon beside the device means Disconnected, see below).

After a minute or so, refresh the device list by clicking the Refresh button, and verify a Connected state as seen below.  A Blue icon indicates the device is connected to Remote Manager.

 

Conclusion:

If you see the Blue/Connected icon next to your TransPort, it means that your device was properly configured, and you can now manage your TransPort on Remote Manager.  If still not connected after a few minutes, you’ll want to re-check your TransPort Remote Management and Network configurations, as well as make sure you aren’t running into any Firewall issues between the TransPort and Remote Manager.



Digi Device Cloud (5)


HOW TO: Change the Device Cloud Name on Gateways Using Device Manager from the Device Cloud
To change the server name for the Device Cloud connection from your Device Cloud account, you will navigate to the Device Management tab, right click on the desired Digi device and select Properties.

From the Properties screen, navigate to Advanced Configuration > Remote management connection > Remote management connection 1.  Type in the server name (en://my.devicecloud.com) in the Server address field:


Click Save to save the changes.  Your device may disconnect from the Device Cloud and reconnect using the new name.



The following example shows how to create a task on Digi’s Device Cloud to change the Remote Management Server Address in a TransPort.
Log into Device Cloud
Click on Device Management > Schedules and then click New Schedule

Click Start Walkthrough
Type in the description at the top of the screen for the task
On the left menu, select Command Line Interface
For the first command, enter cloud 0 server my.devicecloud.com
On the left menu, select Command Line Interface, again
For the second command, enter config 0 saveall
Then click Schedule at the bottom right hand corner

Either select Immediate or Future to schedule when you wish to apply this change
If you choose Future, you will need to use the drop down buttons to specify the date and time and then you will see the scheduled job on the next screen.
If you choose Immediate, it will simply complete the job.
You will need to select the devices you wish to apply these changes to.  If selecting more than one, use the “Ctrl” button to select these.
Select Run Now at the bottom of the screen if you choose Immediate or Schedule if you choose Future.

Here are the results for a scheduled job.

After the scheduled event, you can check whether it was performed by going to Device Management  >  Operations.  You should be able to see if it successfully completed or not.  You may also click on Operation Details for each individual device.
You can also see the changes in each individual device by going to Device Management > Devices, selecting a particular device by double clicking on it, clicking on Configuration, Remote Management, Remote Manager, Remote Manager Config, then checking the Connect to Device Cloud server.  At first you will see the previous server name, but if you click Refresh at the bottom of the page, it will update.





One very useful aspect of Device Management on the Digi Device Cloud is the ability to view the Connection History of a device.  This of course refers to the connection history of that device as viewed from Device Cloud, and is a record of a device’s connections and disconnections with the server, for whatever reason.

Device Cloud Connection History (from the device UI):

Getting the Connection History from the Data Streams API:

As seen above, the Connection History of a device is something which Device Cloud keeps track of.  A screen like the one above may be useful when wanting to know the current state of a device or what’s been going on with it, but short of taking a screenshot or copying/pasting that information into a text file, the information isn’t very portable.  The good news is, the Connection History is something which is also tracked as a Data Stream, and each of the Connect/Disconnect events is a separate Data Point within that Stream.

To query the Data Stream Connection History of the same device, we must query for the Data Points which make up that Stream as follows:

/ws/DataPoint/{deviceId}/management/connections/

Example Request:  /ws/DataPoint/00000000-00000000-00409DFF-FF5DF1CB/management/connections/

Response (for a single Data Point of the Stream):

<?xml version="1.0" encoding="ISO-8859-1"?>
<result>
<resultSize>206</resultSize>
<requestedSize>1000</requestedSize>
<pageCursor>27f2d9aa-beab-11e5-92dc-fa163ea15feb</pageCursor>
<requestedStartTime>-1</requestedStartTime>
<requestedEndTime>-1</requestedEndTime>
<DataPoint>
<id>f5e6756c-75c8-11e5-8dc1-fa163ee3abab</id>
<cstId>70</cstId>
<streamId>00000000-00000000-00409DFF-FF5DF1CB/management/connections</streamId>
<timestamp>1445194168409</timestamp>
<timestampISO>2015-10-18T18:49:28.409Z</timestampISO>
<serverTimestamp>1445194168412</serverTimestamp>
<serverTimestampISO>2015-10-18T18:49:28.412Z</serverTimestampISO>
<data>{"connectTime":"2015-10-18T03:14:07.442Z","disconnectTime":"2015-10-18T18:49:28.409Z","type":"Wi-Fi","remoteIp":"213.35.189.122","localIp":"192.168.82.204","bytesSent":70412,"bytesReceived":69588,"session":"6b861b2f-bd52-4455-b9fc-dc92693460db"}</data>
<description/>
<quality>0</quality>
</DataPoint>…
</result>

As can be seen in the <resultSize> field, there were 206 Data Points in the response to the query, so I’ve only listed one Data Point as an example of the type of data retrieved from the Connection History Data Stream.
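
The response above can be turned into portable connection records with Python's standard library. This is an added example, not code from the original article or from Digi: it parses each Data Point's JSON payload, computes session length, and lists where the device's remote IP changed between sessions. The function names are hypothetical, and the sample input is constructed from the Data Point shown above plus one invented second point.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample response. The first DataPoint is the one shown in the
# article (trimmed to the fields used here); the second is invented for
# illustration, with a documentation-range IP and made-up ids.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<result>
<resultSize>2</resultSize>
<requestedSize>1000</requestedSize>
<DataPoint>
<id>f5e6756c-75c8-11e5-8dc1-fa163ee3abab</id>
<streamId>00000000-00000000-00409DFF-FF5DF1CB/management/connections</streamId>
<data>{"connectTime":"2015-10-18T03:14:07.442Z","disconnectTime":"2015-10-18T18:49:28.409Z","type":"Wi-Fi","remoteIp":"213.35.189.122","localIp":"192.168.82.204","bytesSent":70412,"bytesReceived":69588,"session":"6b861b2f-bd52-4455-b9fc-dc92693460db"}</data>
</DataPoint>
<DataPoint>
<id>00000000-0000-0000-0000-000000000002</id>
<streamId>00000000-00000000-00409DFF-FF5DF1CB/management/connections</streamId>
<data>{"connectTime":"2015-10-18T18:50:02.000Z","disconnectTime":"2015-10-18T19:05:02.000Z","type":"Wi-Fi","remoteIp":"203.0.113.7","localIp":"192.168.82.204","bytesSent":1024,"bytesReceived":2048,"session":"00000000-0000-0000-0000-0000000000aa"}</data>
</DataPoint>
</result>"""

OLDEST = datetime.min.replace(tzinfo=timezone.utc)  # sort key for missing times


def parse_time(value):
    """Turn the stream's 'YYYY-MM-DDTHH:MM:SS.mmmZ' strings into UTC datetimes."""
    if not value:
        return None  # assumption: a field may be absent, e.g. no disconnect yet
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def parse_connections(xml_bytes):
    """Return one dict per DataPoint, oldest connection first."""
    # The response format shown in the article carries no DTD, so refuse one
    # rather than let the XML parser expand entities from an altered reply.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("unexpected DTD in response")
    root = ET.fromstring(xml_bytes)
    records = []
    for point in root.iter("DataPoint"):
        point_id = point.findtext("id", default="?")
        try:
            data = json.loads(point.findtext("data") or "")
        except json.JSONDecodeError as exc:
            raise ValueError(f"DataPoint {point_id}: <data> is not JSON") from exc
        if not isinstance(data, dict):
            raise ValueError(f"DataPoint {point_id}: <data> is not a JSON object")
        connect = parse_time(data.get("connectTime"))
        disconnect = parse_time(data.get("disconnectTime"))
        duration = None
        if connect and disconnect:
            duration = (disconnect - connect).total_seconds()
        records.append({
            "point_id": point_id,
            "session": data.get("session"),
            "type": data.get("type"),
            "remote_ip": data.get("remoteIp"),
            "local_ip": data.get("localIp"),
            "connect": connect,
            "disconnect": disconnect,
            "duration_s": duration,
            "bytes_sent": int(data.get("bytesSent", 0)),
            "bytes_received": int(data.get("bytesReceived", 0)),
        })
    records.sort(key=lambda r: r["connect"] or OLDEST)
    return records


def remote_ip_changes(records):
    """List (connect_time, previous_ip, new_ip) wherever remoteIp changed."""
    changes = []
    for prev, cur in zip(records, records[1:]):
        if prev["remote_ip"] != cur["remote_ip"]:
            changes.append((cur["connect"], prev["remote_ip"], cur["remote_ip"]))
    return changes


def summary(records):
    """Totals across all parsed sessions."""
    durations = [r["duration_s"] for r in records if r["duration_s"] is not None]
    return {
        "sessions": len(records),
        "online_seconds": sum(durations),
        "bytes_sent": sum(r["bytes_sent"] for r in records),
        "bytes_received": sum(r["bytes_received"] for r in records),
        "remote_ips": sorted({r["remote_ip"] for r in records if r["remote_ip"]}),
    }


if __name__ == "__main__":
    recs = parse_connections(SAMPLE_RESPONSE)
    for rec in recs:
        print(rec["connect"], rec["remote_ip"], rec["duration_s"])
    print(remote_ip_changes(recs))
    print(summary(recs))
```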



NetCloud Engine (82)


Summary

This article provides a workaround to the issue of host name resolution not functioning correctly.


Issue

You try to access a remote computer listed in the NetCloud Engine Connect workgroup and get the error message “Windows cannot access \Computer Name”. However, you can ping the remote computer’s IPv6 address successfully.

In this situation, it is possible LLMNR (IPv6 name resolution) is not able to respond because DNS is responding first, or LLMNR is turned off or being blocked.


Workaround

To work around this issue, you can edit the hosts file by adding the IPv6 address and hostname of the remote machine.

  • Check what IPv6 address is assigned to the host:
    • In a Windows command prompt, type ipconfig and look for the IPv6 address under the Ethernet adapter NetCloud Engine Connection.
  • From Notepad (Run As Administrator), select File and then Open.
  • Navigate to the C:\Windows\System32\drivers\etc\hosts file.
    • Make sure to select All Files (*.*) to show the file called hosts.
  • Add the IPv6 address then the name of the machine at the bottom of the page. Select File, then Save.



Summary

This article will explain iOSConnect, and provide instructions for configuring iOSConnect on your NetCloud Engine network and your iOS device.

NOTE: a business account is required for iOSConnect.


Frequently Asked Questions

What can an iOS device do on a NetCloud Engine network?

iOS devices on the NetCloud Engine network can access any server using any protocol. The preferred way of accessing services is using the NetCloud Engine fully qualified hostname (hostname.yournetwork.pertino.net), but direct access via IP address, which you can see in the Web Management Console under device properties, is also supported. Apple’s app store has many well-regarded applications for remote control via RDP and VNC as well as file access over the SMB protocol. Mobile Safari can be used to access any internal web applications. iOS devices on the NetCloud Engine network are client devices only. Connections FROM another computer on the network TO an iPad will not work, even if you do manage to find an app in Apple’s app store that supports incoming connections.

What is new in iOSConnect?

This version enables user-level config profiles as opposed to a shared secret. The user level profiles are built upon our PKI infrastructure.

What is the end-user workflow?

  • Users receive the mobile config URL via email.
  • Users click on the mobile config URL and are directed to the login page.
  • Users log in with their NetCloud Engine credentials.
  • The mobile config is downloaded, and the user will be walked through a standard iOS config install flow.
  • Once the installation is complete, the user can turn on the VPN service under Settings and use the NetCloud Engine network as desired.

What OS versions are supported?

iOS 7.x and greater


Configuration

Configuration Difficulty: Intermediate
  • Step 1: Log into the NetCloud Engine web console with an admin account.
  • Step 2: Select the Network for which iOSConnect will be enabled by clicking on its name.
  • Step 3: Click the Settings button at the top right of the screen.
  • Step 4: In the list of Entitled services, click the iOSConnect toggle to enable it.
    • Note: This step may take a while. In some cases the browser window will need to be refreshed before you see the option has been enabled.
  • Step 5: Expand the NetCloud Engine options navigation menu by clicking it at the top left of the screen.
  • Step 6: Select Users.
  • Step 7: Click the enable toggle next to the mobile users you would like to give VPN access to.
  • Step 8: Click Get iOS Profile at the top of the page to generate the user link.
  • Step 9: Copy the iosprofile link and email it to the users of enabled iOS Connect accounts.
  • Step 10: Have the user click the received link to download and install the client on the iOS device.
  • Step 11: Once they’ve logged into the web portal, they should be prompted to Install Profile. Click to Install.
  • Step 12: Go to Settings and turn on your VPN to connect to your network and access devices.

Once connected, you need to install the appropriate app to do the job on your iOS device. Below are examples of a few free to use apps to get you started:


Troubleshooting

Known Issues

  • The last step of the end-user workflow results in a web page displaying only the NetCloud Engine logo. This is expected, represents completion of the profile delivery and can be closed.
  • VPN connections must be manually established. On-demand connections are not available in this release.
  • Apps like GeoView and UsageMonitor will not recognize individual iOS devices.
  • On certain iOS devices, config for one network overrides the config for a different network resulting in just one mobile config on the device at a time.
  • When deactivating the iOSConnect app from AppScape, make sure you only click the Deactivate button once. To re-activate the app, please wait until the button text states Activate (about 15 seconds).

Failed to install iOSConnect Beta v2 mobile config profile on iOS device

If you encountered an unknown error (failed to install profile) while attempting to install your iOSConnect Beta v2 mobile config profile, please check if your NetCloud Engine network name includes one of the following characters:

  • quotation mark (")
  • ampersand (&)
  • apostrophe (')
  • less than sign (<)
  • greater than sign (>)

If the network name includes any of the above 5 characters, the mobile config profile will fail to install.

As a workaround, ask the network owner to change the NetCloud Engine network name and recreate the iOSConnect mobile config.

iOS Connect not working on iOS 9

There is a known issue in Apple’s iOS 9 release that breaks many VPN features.

A high-level description can be found here.

Until Apple addresses the issue, users can downgrade to iOS 8.4.1 and continue to use VPN connectivity.


Summary

The Full Tunnel feature allows you to specify that the default route for selected devices will point to the NetCloud Engine network.


Configuration

Configuration Difficulty: Easy
  • Step 1: Navigate to the Devices tab.
  • Step 2: Select one or more devices using the check boxes along the left-hand column.
  • Step 3: Choose Enable Full Tunnel from the I Want To… action drop-down.
  • Step 4: Click Enable Full Tunnel in the dialog box.

The traffic from the devices selected will now traverse the NetCloud Engine private cloud before accessing any applications or the Internet. This is useful for mobile workforces who need to securely access applications from public WiFi hotspots—such as restaurants, train stations, or airports.


Summary

What is the new multiple network admin feature?

Previously, a NetCloud Engine network only allowed for one network admin (a network owner). The network admin performs administrative actions on a network and invites new users. NetCloud Engine now offers Multiple Network Admins. These network admins can perform the same actions as the network owner (the first and primary network admin). With this feature, you can promote another user to administer your network for after hours or out of office support.

Is there an extra charge for the multiple network admin feature?

This feature is included with all Business plans and free to try until January 15, 2015, for all Basic and Free plans.

How do I promote a user to network admin?

Navigate to Users, select the user you wish to promote to network admin, click the “I Want to…” drop-down, and select “Promote User.”

An icon will appear by the user you promoted to show that they are now a network admin.

What can a new network admin do?

A network admin can perform the same admin actions as the network owner. This includes accessing admin apps such as UsageMonitor, promoting or demoting other users, inviting or deleting other users, generating device authentication keys and deleting devices from the network.

What are the limitations for new network admins?

  1. Today, only the network owner (the original network admin) can change the selected plan or manage Pertino apps. We will look to address this in a future release.
  2. The network owner cannot be deleted from the network or demoted and will be the billing contact for the network.

How do I remove a network admin from my network?

If you only want to take network admin privileges away from a network admin, navigate to Users, select the network admin you wish to demote and click “Demote User.”

If you want to fully remove the network admin from your network, you must first demote them from the network admin position and then select “Delete User.”

Can I demote myself from network admin?

You can demote yourself only if you are not the original network admin. If you demote yourself, you will automatically lose access to administrative pages and need to be re-promoted by another network admin for future administrative access.

What happens if I demote a network admin who is currently logged in?

If you demote someone who is actively logged in, they will not see that they were demoted until they refresh their browser. The demoted network admin may be able to perform some actions during their active session but will be unable to perform any administrative actions after they refresh their browser or log out and log back in.


Summary

This article shows how to remotely control a Mac from a PC.


Configuration

Configuration Difficulty: Intermediate
  • Step 1: Enable remote management on a Mac:
    • Click Sharing in System Preferences.
    • Select and check Remote Management.
    • Select Computer Settings.
    • Select and check “VNC viewers may control screen with password” and provide a password for login.
  • Step 2: Launch VNC Viewer on Windows:
    • Download and run the free VNC Viewer.
    • Provide the name of the Mac computer as it is displayed in the Windows network and select Connect.
  • Step 3: Access the remote Mac:
    • Provide the password you set up on the Mac for the VNC connection.
    • Provide your Mac username and password.
  • Step 4: Now you are connected to your Mac remotely!


NetCloud Manager (4)

Summary

The Applications Tab within NCM allows you to purchase, try and manage applications within NCM.


 

Overview

The Applications tab will display all available applications.

You can purchase or try an application by selecting the appropriate button.

Once your account is entitled to the application, the Buy and Try buttons are replaced by a Manage button.

Clicking Try will create a trial entitlement for 10 devices.

Clicking Buy will bring up a tab for locating a partner to purchase the entitlement.

By clicking Manage you can Add or Remove devices. You can also determine which devices are entitled.

To Add a device to an entitlement, click the Add button. You will be presented with a dialog to select routers to add. You can locate devices with the Search field by Name, MAC, or Product as needed. Place a checkmark next to the device(s) you wish to add to the entitlement and then press Save.

To Remove devices from an entitlement, select the device(s) you wish to remove and then press Remove.

In the right column you can find the following information:

  • Entitlement Details
    • Available: Remaining entitlements
    • Assigned: How many entitlements have been applied to devices
    • Non NCM Devices: Devices with this entitlement that are not in NCM
    • Total Allowed: Total number of entitlements purchased.
  • Buy More: Buy more entitlements
  • Features: What the entitlement offers
  • Requirements: Any requirements placed upon the entitlement
  • Support Products: Which Cradlepoint products will work with this application
  • Supported NetCloud OS Version: NCOS requirements for devices to use this entitlement


NetCloud Manager

The default NCM configuration generates approximately the data usage presented below. Protocol and carrier overhead can increase these values, but they provide a good rule of thumb for the data generated by use of NCM.

IMPORTANT: Things that could dramatically increase your data usage:

  1. Enabling logging, stats and alerting
  2. A high number of events being logged on the router
  3. Firmware upgrades pushed from NCM
  4. Modem disconnecting and reconnecting loops.

Routers managed through NCM:

  • By default, a Connection Pulse of approximately 66 bytes is sent to NCM every 2 minutes.
    So 720 heartbeats/day x 66 bytes = 47520 bytes/day, 47520 bytes/day x 30 = 1,425,600 bytes/month (1.43 MB/month).
  • By default, Usage Reporting sends reports of approximately 10-20 KB each (depending on how many WAN devices are utilized on the Cradlepoint router) to NCM every hour.
    So 20 KB/hour x 24 = 480 KB/day; 480 KB/day x 30 = 14400 KB/month (.014 GB/month or 14 MB/month).
  • By default, Log Reports of approximately 100 KB (depending on how many events are logged on the router) are sent to NCM every hour. These reports can vary in size dramatically depending on the events that are logged on the router: client connects/disconnects, modem state, etc.
    So a minimum amount of data sent would be 100 KB/hour x 24 hours = 2400 KB/day; 2400 KB/day x 30 = 72000 KB/month (.069 GB/month or 69 MB/month).

Routers not managed through NCM:

  • Every time the router is powered on it sends a 50 byte heartbeat to the NCM Server and then sends a heartbeat every 86400 seconds, (once per day).
    So the volume of data generated is approximately 50 bytes/day x 30 days = 1500 bytes/month (.0000014 GB/month or .0014 MB/month).

(The timers above can be adjusted higher or lower, depending on your data caps).


Advanced Failure Check

A ping packet is 64 bytes of data. Advanced Failure Check with an Idle Check Interval of 3600 (1 ping per hour) would generate 64 bytes/hour x 24 hours = 1536 bytes/day.
Then 1536 bytes/day x 30 days = 46080 bytes/month (.000042 GB/month or .042 MB/month).

NOTE: Increasing the time interval on NCM check in or Advanced Failure Check will cause data generation to increase.


Summary

This article describes how to set up alerts, export reports, and export logs from NetCloud Manager (NCM).

NOTE: On July 13, 2017, NetCloud Alerts currently generated from the legacy Enterprise Cloud Manager (ECM) will be updated with the name change to NetCloud Manager (NCM). Automated systems that consume this information may need to be updated accordingly.
Email and API Alert changes include:

  • Alert titles will change from “Cradlepoint ECM Alert Notification” to “Cradlepoint NCM Alert Notification”
  • Alert subjects will change from “ECM Alert: <friendly info>” to “NCM Alert: <friendly info>”
  • Emailed Alert summary report subject will change from “ECM Alert Summary” to “NCM Alert Summary”
  • Connection State Alert name will change from “ECM Connection State” to “NCM Connection State”
  • Firmware Upgrade alert name will change from “Firmware Upgrade” to “NetCloud OS Upgrade” with an alert description changing to “The router NetCloud OS was successfully upgraded to X.X.X”
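For the automated systems mentioned in the note, one way to accept both the legacy ECM wording and the NCM wording during the changeover, as an added example (not Cradlepoint code). The message dictionaries and their field names (title, subject, alert_name) are assumptions constructed for illustration; only the old and new strings come from the list above.

```python
import re

# Legacy ECM wording -> current NCM wording, taken from the rename notice above.
TITLES = {"Cradlepoint ECM Alert Notification": "Cradlepoint NCM Alert Notification"}
SUMMARY_SUBJECTS = {"ECM Alert Summary": "NCM Alert Summary"}
ALERT_NAMES = {
    "ECM Connection State": "NCM Connection State",
    "Firmware Upgrade": "NetCloud OS Upgrade",
}
# Anchored: only subjects that begin with the alert prefix count as alerts.
ALERT_SUBJECT = re.compile(r"^(?P<product>ECM|NCM) Alert: (?P<info>.+)$")


def canonical_alert_name(name):
    """Map a legacy alert name to its NCM-era name; other names pass through."""
    name = name.strip()
    return ALERT_NAMES.get(name, name)


def normalize_subject(subject):
    """Return (kind, canonical_subject, was_legacy).

    kind is 'alert', 'summary' or 'other'. A reply or forward that merely
    quotes an alert subject is classified as 'other', not as an alert.
    """
    s = subject.strip()
    if s in SUMMARY_SUBJECTS:
        return ("summary", SUMMARY_SUBJECTS[s], True)
    if s in SUMMARY_SUBJECTS.values():
        return ("summary", s, False)
    m = ALERT_SUBJECT.match(s)
    if m:
        return ("alert", "NCM Alert: " + m.group("info"), m.group("product") == "ECM")
    return ("other", s, False)


def audit(messages):
    """Normalize a batch and count messages that still used legacy wording."""
    records, legacy = [], 0
    for msg in messages:
        kind, subject, old_subject = normalize_subject(msg["subject"])
        raw_title = msg["title"].strip()
        title = TITLES.get(raw_title, raw_title)
        raw_name = msg.get("alert_name", "").strip()
        name = canonical_alert_name(raw_name)
        was_legacy = old_subject or title != raw_title or name != raw_name
        legacy += int(was_legacy)
        records.append({"kind": kind, "title": title, "subject": subject,
                        "alert_name": name, "legacy": was_legacy})
    return records, legacy


# Constructed sample messages (hypothetical field names and device names).
MESSAGES = [
    {"title": "Cradlepoint ECM Alert Notification",
     "subject": "ECM Alert: router-01 went offline",
     "alert_name": "ECM Connection State"},
    {"title": "Cradlepoint NCM Alert Notification",
     "subject": "NCM Alert: router-02 upgraded",
     "alert_name": "NetCloud OS Upgrade"},
    {"title": "Cradlepoint ECM Alert Notification",
     "subject": "ECM Alert Summary", "alert_name": ""},
    {"title": "Weekly newsletter", "subject": "Re: ECM Alert: fwd", "alert_name": ""},
]

if __name__ == "__main__":
    normalized, legacy_count = audit(MESSAGES)
    for record in normalized:
        print(record)
    print("messages still using ECM wording:", legacy_count)
```

Keying downstream rules on the canonical names means a rule written for "NCM Connection State" keeps matching alerts generated before the rename.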

Setting Up Alerts

The Alerts page has two views for tracking device status changes:

  • The Log view shows a list of alerts sent from the routers to NCM.
  • The Settings view shows rules for alerts, including email notifications.

Toggle between these two views by clicking on the buttons at the top left.

Alerts are of the following types (see Definitions below):

  • Configuration Change
  • Configuration Rejected
  • Configuration Unacknowledged
  • Ethernet WAN Disconnected
  • Ethernet WAN Plugged In
  • Ethernet WAN Unplugged
  • Data Cap Threshold
  • Device Location Unknown
  • NCM Connection State
  • Firmware Upgrade
  • Geofence Proximity Change
  • Reboot
  • Temperature Limit Exceeded
  • Modem WAN Connected
  • Modem WAN Device Plugged In
  • Modem WAN Device Unplugged
  • Modem WAN Disconnected
  • WAN Service Type
  • Account Locked
  • Failed Login Attempt
  • Intrusion Activity
  • IP Address Banned
  • IPS Engine Failure
  • Successful Login
  • Unrecognized Client
  • WiFi as WAN Connected
  • WiFi as WAN Disconnected
  • WiFi as WAN Network Available
  • WiFi as WAN Network Unavailable

To enable alerts, including emailed notifications, first select the Settings view and then click on Add at the top left. Create an alert notification rule by completing the fields.

Complete the following fields to create an alert notification rule:

  • Accounts/Groups (required) – Choose which sets of devices will follow the notification rule. If you select an account, both grouped and ungrouped devices within that account (including all subaccounts) will be assigned to this rule.
  • Alerts (required) – Select the alert types from the dropdown options.
  • Users (optional) – If you want emailed notifications for these alerts, select users from the list to receive those emails. If you just want these alerts logged, leave this field blank.
  • Interval (optional) – Select a time interval from the dropdown options. If you select “Immediately,” an email notification is sent every time one of the selected types of alerts is logged. Otherwise, the alerts are stored over the course of the time interval and then sent together.

Potential NCM Alert Issues

  • Email alerts seem to take longer than expected to arrive.
    • Once NCM is aware of the alert, it will verify the alert and send it out to the configured email address. We do not have control over the alert once we have sent it to its destination address.
      • We have seen some mail servers reject alerts or display abnormally long delays in alert deliveries.
        • To troubleshoot or verify whether this is the issue, configure a different email address with a different domain and test the behavior of the alerts.
  • Times can also vary depending on the number and type of WAN connections being used for this device.
    • If a device has only one internet source, and therefore only one connection to NCM, you can expect delays in the alerts. The alerts are configured in NCM, then NCM lets the router know what to watch for. If the router experiences any issue pertaining to the configured alerts, the router will then report this back to NCM. The caveat is that if the router loses its internet source or connection to NCM, it cannot report the issues to NCM until it regains its connection.
    • In cases where you have more than one internet connection, the alerts should be fairly on cue, so long as the router can check into NCM via its second internet connection to report its alerts.

Exporting Reports

Reports allow you to create a summary of information about groups of devices and export that information as a CSV file. Select from several fields to customize your reports. Select the type of report (Data Usage or Signal Quality), a range of dates, the group(s), and identifying fields and then click Run Report to view the report. You also have the option to save the settings of a report for future use.


Exporting Logs

To export a device’s logs as a CSV file, first enable log reporting for the group the device is in. (This is disabled by default because some users won’t use this functionality – it would unnecessarily use data.) Navigate to the Groups page, select the desired group, and click on Settings.

In the popup window that appears, ensure that Enable Log Reporting is selected.

Once log reporting is enabled, navigate to the Devices page, select the desired device, and click on Export → Export Logs to export the device’s logs as a CSV file.


Alert Definitions

  • Account Locked – If Advanced Security Mode is turned on for a device, the account will lock for 30 minutes after six failed attempts to log into the device. To enable this setting, open the configuration pages in Groups or Devices and go to System Settings → Administration. Open the Router Security tab and select Advanced Security Mode.
  • Configuration Change – This displays when there has been a local configuration change. Sample alert: The device configuration has changed.
  • Configuration Rejected – A configuration change that was sent to the device has been rejected.
  • Configuration Unacknowledged – A configuration change that was sent to the device was not acknowledged by the device.
  • Data Cap Threshold – If you have a data cap threshold set, this sends an alert when the threshold is reached. A data cap threshold must be configured under Internet → Data Usage. Sample alert: The (Internal LTE/EVDO Port:int1) rule exceeded 100 percent of its 150 MB daily cycle.
  • Device Location Unknown – Displays when no location has been reported for 24 hours if the device has GPS enabled. If a manual location is being used the alert will not be generated.
  • NCM Connection State – Displays when the device loses or regains its connection to NCM. Sample alert: The device entered the “online” state.
  • Ethernet WAN Connected – An Ethernet WAN device is now active.
  • Ethernet WAN Disconnected – An Ethernet WAN device is no longer active.
  • Ethernet WAN Plugged In – An Ethernet WAN device is now attached.
  • Ethernet WAN Unplugged – An Ethernet WAN device has been removed.
  • Failed Login Attempt – Someone attempted to log into the device administration pages locally and failed. Sample alert: An attempt to log in as the admin user from 192.168.0.142 has failed.
  • NetCloud OS Upgrade – The device NetCloud OS has been upgraded.
  • Geo-fence Proximity Change – Displays whenever the device enters or exits the specified geo-fence.
  • GPIO State Change – A device GPIO pin has changed state. To update the GPIO configuration, open the configuration pages in Groups or Devices, select the System → GPIO Configuration tab. Requires at least 6.0.2 NetCloud OS.
  • Intrusion Activity – This is only relevant for devices with CP Secure Threat Management. Whenever the Threat Management deep packet inspection engine detects an intrusion, the event is recorded in the logs. These events are grouped together for 15 minutes and then reported in NCM, so even if you select “Immediately” in the Interval field below, an emailed alert might not arrive for approximately 15 minutes after an intrusion. Intrusion Activity alerts include the intrusion details and the action taken by the engine (e.g., “Blocked”). To edit Threat Management settings, open the configuration pages in Groups or Devices and select Network Settings → Threat Management. For more information about Threat Management, visit the Knowledge Base article.
  • IP Address Banned – If the Ban IP Address setting is turned on for a device and someone from a particular IP address attempts and fails to log into the device administration pages six times, that IP address will be banned for 30 minutes. To enable this setting, open the configuration pages in Groups or Devices and go to System Settings → Administration. Open the Router Security tab and click on Advanced Security Mode. Select the Ban IP Address option.
  • IPS Engine Failure – This is only relevant for devices with CP Secure Threat Management. In the unlikely event that the Threat Management engine fails, an alert is logged. You can set the router to either allow or deny traffic with a failed engine: to edit this setting, open the configuration pages in Groups or Devices and select Network Settings → Threat Management. For more information about Threat Management, visit the Knowledge Base article.
  • IPSec Tunnel Down – An IPSec tunnel that was successfully connected has gone down.
  • Modem WAN Connected – A modem WAN device is now active.
  • Modem WAN Device Plugged In – A modem WAN device is now attached.
  • Modem WAN Device Unplugged – A modem WAN device has been removed.
  • Modem WAN Disconnected – A modem WAN device is no longer active.
  • Modem WAN Standby – A modem WAN device is now in standby. This means the modem is connected to the carrier, but is not sending any data. A modem in standby will failover faster than a modem not in standby. Standby can be turned on in the router’s configuration in the Connection Manager grid.
  • Reboot – Displays when the device has been rebooted. Sample alert: The device has been rebooted.
  • Rogue Access Point Detected – Displays after running a WiFi site survey when a rogue access point not marked as known is detected broadcasting the same SSID as the device running the site survey. This helps identify potential access point hijacking, evil twin, and man-in-the-middle WiFi attacks.
  • Router App Custom Alert – A custom alert that is generated by the custom code inside a router app.
  • Router App Execution State Changed – A router app that is running on a group goes into a different execution state (start, stop, error, etc).
  • Unexpected Router App Installed – An unexpected router app is found installed, an expected router app is unexpectedly uninstalled, or a router app unknown to the system is found installed.
  • Successful Login – A user has logged into the router locally (requires at least NetCloud OS 5.0.1).
  • Temperature Limit Exceeded – For products with an internal temperature sensor (COR IBR1100 and IBR1150) and configured temperature limits, this alert displays when one of those limits is reached. To set these temperature limits for the COR IBR1100 Series, open the configuration pages in Groups or Devices, select System Settings → Administration, and click on the Temperature tab.
  • Unrecognized Client – A client with an unrecognized MAC address has attempted to connect to the device. MAC logging must be enabled for this alert to display. In the configuration pages, go to: Network Settings → MAC Filter / Logging to enable MAC logging.
  • WAN Service Type – A WAN device has changed its service type, such as switching from 3G to 4G. Possible service types include: DHCP, LTE, HSPA+, etc. Sample alert: The lte-2ae6ec8e service type has changed to LTE.
  • WiFi as WAN Connected – WiFi as WAN is now active.
  • WiFi as WAN Disconnected – WiFi as WAN is no longer active.
  • WiFi as WAN Network Available – A WiFi as WAN network is now attached.
  • WiFi as WAN Network Unavailable – A WiFi as WAN network has been removed.
  • Zscaler TLS Tunnel State – This displays the state of the Zscaler TLS tunnel when using Zscaler Internet Security in TLS Tunnel mode. If there is a connection error more information can be found in the router’s system log.
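Detection logic for the Failed Login Attempt, Account Locked and IP Address Banned definitions above, as an added example (not Cradlepoint code): it parses alert text in the shape of the sample alert and flags any user or source address that reaches six failures. The 30-minute counting window, the (timestamp, message) input shape and the sample events are assumptions constructed for illustration; the page states the threshold of six but not the period over which attempts are counted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of the sample alert in the Failed Login Attempt definition above.
FAILED_LOGIN = re.compile(
    r"^An attempt to log in as the (?P<user>\S+) user from (?P<src>\S+) has failed\.$"
)
THRESHOLD = 6                    # failed attempts before lock/ban, per the definitions
WINDOW = timedelta(minutes=30)   # assumption: counting window is not given on the page


def parse_failed_login(message):
    """Return (user, source) for a Failed Login Attempt alert, else None."""
    m = FAILED_LOGIN.match(message.strip())
    return (m.group("user"), m.group("src")) if m else None


def find_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Flag users and sources that reach `threshold` failures inside `window`.

    events: iterable of (ISO-8601 timestamp, alert message) pairs.
    Returns one finding per user or source, recorded the first time the
    threshold is reached, so slow, spread-out failures are not flagged.
    """
    recent = defaultdict(deque)   # (kind, value) -> timestamps inside the window
    findings = {}
    for ts_text, message in sorted(events):
        parsed = parse_failed_login(message)
        if parsed is None:
            continue              # other alert types are ignored here
        ts = datetime.fromisoformat(ts_text)
        user, src = parsed
        for key in (("user", user), ("source", src)):
            seen = recent[key]
            seen.append(ts)
            while ts - seen[0] > window:
                seen.popleft()    # drop attempts that aged out of the window
            if len(seen) >= threshold and key not in findings:
                findings[key] = {
                    "kind": key[0],
                    "value": key[1],
                    "first_attempt": seen[0].isoformat(),
                    "reached_at": ts.isoformat(),
                    "count": len(seen),
                }
    return list(findings.values())


def sample_events():
    """Constructed events: one fast burst, one slow series, one unrelated alert."""
    fast = [
        (f"2017-07-13T02:0{minute}:00",
         "An attempt to log in as the admin user from 192.168.0.142 has failed.")
        for minute in range(6)
    ]
    slow = [
        (f"2017-07-13T{hour:02d}:00:00",
         "An attempt to log in as the ops user from 192.168.0.77 has failed.")
        for hour in range(3, 9)
    ]
    other = [("2017-07-13T02:03:30", "The device has been rebooted.")]
    return fast + slow + other


if __name__ == "__main__":
    for finding in find_bursts(sample_events()):
        print(finding)
```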


For customers with NetCloud Manager (NCM), there are three main ways to edit a device’s configuration: in NCM, through Group and Device configurations, and locally, through the router’s own administrative page.

  • NCM Group configuration has the lowest priority.
  • NCOS Local configuration has high priority.
  • NCM Device configuration has the highest priority.

The router’s default configuration is used as a basis for comparison for configuration files. It is overwritten by any custom local configurations or NCM configurations.

The Group configuration in NCM is overwritten by both the custom Local router configuration and the Device configuration in NCM.

The NCM Device and Local router configurations are synonymous in most cases. When making a configuration change at the local level, the changes will then sync with the NCM Device level, and vice versa. The two scenarios where the NCM Device level configuration will override Local changes are:

  • when conflicting changes are made at both the Local and NCM Device level while the device is offline. Once the device is brought online and checks into NCM, the NCM Device level changes will have priority.
  • when a new change is made locally while the NCM Device level configuration is still syncing the previous change. The new change will be overwritten by the last NCM Device level configuration once the sync completes.

In general, the preferred method for managing devices that are registered in NCM is through the Group configuration. If there are more specific settings needed for individual devices, use the Device configuration in NCM. For example, it is possible to make the administration password standard for an entire group, and then create individual SSIDs for each device – both through NCM.

Troubleshooting

If most of the devices in a group are functioning as intended, but one member of the group is not behaving the same as the others, there may be a device level configuration that is overriding the group configuration. To remove the Device configuration and keep the Group configuration, log in to NetCloud Manager, select the Devices tab, highlight your router, click Configuration and select Clear.


 

Determining where a router gets its configuration

The individual config symbol found on the NCM Devices page indicates that the router is running a non-default configuration. The same symbol, when found on the NCM Groups page, tells us that the group contains one or more routers that are running configuration settings that do not match the router default or the group configuration. (Tip: clicking the individual config symbol on the Groups page will automatically display all routers with unique configurations.)

The Configuration Summary option in NCM displays a color-coded output of the router’s configuration. The target configuration displays the total sum of the different configurations the router is running:

  • settings in purple are pulled from the Group configuration in NCM
  • settings in green are pulled from the Device configuration in NCM
  • settings in grey exist only on the router’s local configuration file, and are not synced to the Device configuration in NCM (possibly because the config sync was suspended, or the router went offline before syncing)
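A model of the priority order and colour coding described above, as an added example (not Cradlepoint code and not how NCM stores configurations): it layers default, Group, Local and Device settings, reports where each effective value comes from, and lists Group settings that a Local or Device value is masking. The setting names and values are hypothetical and constructed for illustration.

```python
# Lowest to highest priority, as listed above; the default is the base layer.
PRIORITY = ["default", "group", "local", "device"]
# Colours used by the Configuration Summary for each source.
COLOURS = {"group": "purple", "device": "green", "local": "grey"}


def flatten(tree, prefix=""):
    """Turn a nested settings dict into {'a.b.c': value} leaf paths."""
    leaves = {}
    for key, value in tree.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            leaves.update(flatten(value, path))
        else:
            leaves[path] = value
    return leaves


def resolve(layers):
    """Return {path: (effective_value, source_layer)} for the target config."""
    effective = {}
    for name in PRIORITY:                      # later layers overwrite earlier ones
        for path, value in flatten(layers.get(name, {})).items():
            effective[path] = (value, name)
    return effective


def summary(layers):
    """Sorted (path, value, source, colour) rows; colour is None for defaults."""
    return [
        (path, value, source, COLOURS.get(source))
        for path, (value, source) in sorted(resolve(layers).items())
    ]


def masked_group_settings(layers):
    """Group settings whose effective value comes from Local or Device instead.

    This is the troubleshooting case above: one router behaves differently
    from the rest of its group because a higher-priority layer sets the key.
    """
    effective = resolve(layers)
    return {
        path: {"group": value,
               "effective": effective[path][0],
               "source": effective[path][1]}
        for path, value in flatten(layers.get("group", {})).items()
        if effective[path][1] != "group"
    }


# Constructed layers with hypothetical setting names.
LAYERS = {
    "default": {"wlan": {"ssid": "default-ssid"},
                "firewall": {"remote_admin": False},
                "system": {"admin_password": "factory", "log_level": "info"}},
    "group": {"system": {"admin_password": "group-standard"},
              "firewall": {"remote_admin": False}},
    "local": {"firewall": {"remote_admin": True}},   # changed on the router itself
    "device": {"wlan": {"ssid": "branch-17"}},       # per-device SSID set in NCM
}

if __name__ == "__main__":
    for row in summary(LAYERS):
        print(row)
    print(masked_group_settings(LAYERS))
```

Here the group-wide password still applies, the SSID comes from the Device layer, and the locally enabled remote_admin setting shows up as a Group value being masked.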


 

Resetting a Router Managed in NetCloud

If you factory reset a device that is managed by NetCloud Manager, the Cradlepoint will automatically connect to the internet, check back in with NetCloud Manager and re-apply the Group and Device configuration stored in NetCloud. To get the device to a factory default state, the NetCloud Device and Group configuration need to be removed from the device.

To factory reset a device that is in NetCloud Manager, do the following first before trying a software or hardware reset, otherwise, it will be reverted to its previous configuration.

Step 1: Log in to NetCloud Manager. Open the Devices tab and select your Cradlepoint Router.
Step 2: If the device is in a group: highlight the router, click “Move”, select the parent account, and click “Ok”.

Step 3: Once the device is removed from the group, highlight your router, click “Configuration” and select “Clear”.

Step 4: Once the router has been removed from its group and the device level configuration has been cleared, you can factory reset by clicking “Commands” and selecting “Restore to Defaults”. You may also use the hardware reset button or System > System Control > Device Options > Factory Reset Router in the local web interface.
