dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
670
share rss forum feed


jimkyle
Btrieve Guy
Premium
join:2002-10-20
Oklahoma City, OK
kudos:2
Reviews:
·AT&T Southwest

Expired certificate?

After changing my 3347's DHCP lease time from one hour to one day and restarting the device, I casually browsed its status log and found the following to be a bit interesting:

2/11/13 09:47:13 PM L3 TR-069: Connect to 64.186.176.213 Retry 2
2/11/13 09:47:14 PM L3 SSL: Handshake Success
2/11/13 09:47:14 PM L3 SSL: Connect Success: patthdm2.att.motive.com
2/11/13 09:47:14 PM L3 SSL: certificate has expired
2/11/13 09:47:14 PM L3 SSL: Closing Connection: patthdm2.att.motive.com
2/11/13 09:47:14 PM L3 TR-069: Closing connection on failure - connect fail


Googling the IP showed a long list of reports involving loss of connection, but it appears to be an official site. What troubles me is the third line: "certificate has expired" which should never happen to a site that's part of the AT&T infrastructure. Can anyone shed some light on this situation?

Extra credit for an explanation of why my 3347 wants to connect to the site during its admin login procedure!

--
Jim Kyle



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC

said by jimkyle:

What troubles me is the third line: "certificate has expired" which should never happen to a site that's part of the AT&T infrastructure. Can anyone shed some light on this situation?

Is Alcatel-Lucent really a part of AT&T? I had no idea that AT&T had regained ownership.

When I trace route to 'patthdm2.att.motive.com', I don't even touch AT&T infrastructure!
Tracing route to patthdm2.att.motive.com [64.186.176.213]
over a maximum of 30 hops:
 
  1     1 ms    <1 ms     1 ms  192.168.42.1
  2    25 ms    25 ms    28 ms  173-228-7-1.dsl.static.sonic.net [173.228.7.1]
  3    29 ms    26 ms    24 ms  gig1-4.cr1.lsatca11.sonic.net [70.36.243.13]
  4    25 ms    24 ms    25 ms  0.xe-5-1-0.gw.pao1.sonic.net [69.12.211.1]
  5    26 ms    26 ms    28 ms  xe-1-0-6.ar1.pao1.us.nlayer.net [69.22.130.85]
  6    25 ms    24 ms    25 ms  ae0-90g.cr1.pao1.us.nlayer.net [69.22.153.18]
  7    24 ms    25 ms    24 ms  peer-02.palo.twtelecom.net [198.32.175.111]
  8    72 ms    72 ms    72 ms  aus1-ar3-ge-0-0-0-0.us.twtelecom.net [66.192.246.170]
  9    73 ms    72 ms    74 ms  67.67.200.3
 10    73 ms    73 ms    73 ms  patthdm2.att.motive.com [64.186.176.213]
 
Trace complete.
 
Alcatel-Lucent appears to have bought Motive, Inc. in 2008.
Alcatel-Lucent appears to be independent from AT&T, though it supplies DSLAM hardware to AT&T. I just can't find any information other than the customer-supplier one between the two.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


wayjac
Premium,MVM
join:2001-12-22
Indy
kudos:1
reply to jimkyle

said by jimkyle:

Can anyone shed some light on this situation? Extra credit for an explanation of why my 3347 wants to connect to the site during its admin login procedure!

motive acs server att has used for quite some time, it's a part of TR-069 management it can be used to update firmware or configuration data.

If I'm not mistaked all att issued modems/routers have/use TR-069
You may be able to disable some or all of this routine.


jimkyle
Btrieve Guy
Premium
join:2002-10-20
Oklahoma City, OK
kudos:2
Reviews:
·AT&T Southwest

Googling TR-069 indicates that this is part of AT&T's configuration control mechanism, so what effect does the "expired certificate" and resulting failure to complete the connection have on my service?

Should I raise the question in the Direct area? Seems like an authentication failure here could play hob with my WAN-interface parameters eventually...
--
Jim Kyle



wayjac
Premium,MVM
join:2001-12-22
Indy
kudos:1

said by jimkyle:

So what effect does the "expired certificate" and resulting failure to complete the connection have on my service?

I'm just speculating but.....
I don't think the expired certificate would have any effect on authentication.
If you have a close look at the log messages you'll notice the certificate message comes after a successful authentication, you may even find messages about unsuccessful connection attempts to the servers.

Like I posted every att issued modem "checks" in with that/those severs after a public ip is issued and the servers don't deny/allow public ip allocation. So a lot of users would be affected.
Those servers have nothing to do with authentication.

If you feel like you need to question this do it.
I would like to know the answer to your question if you ask.

said by jimkyle:

Should I raise the question in the Direct area? Seems like an authentication failure here could play hob with my WAN-interface parameters eventually...?

That's your descion.


jimkyle
Btrieve Guy
Premium
join:2002-10-20
Oklahoma City, OK
kudos:2
Reviews:
·AT&T Southwest

The "authentication" I mentioned was that for getting into the ATT.MOTIVE.COM site, not for getting to the router admin pages or to the Internet itself.

I've now raised the question in Direct, referring back to this thread, and will pass on any information I get if they don't answer the questions here...
--
Jim Kyle



wayjac
Premium,MVM
join:2001-12-22
Indy
kudos:1

said by jimkyle:

The "authentication" I mentioned was that for getting into the ATT.MOTIVE.COM site, not for getting to the router admin pages or to the Internet itself.

Well, I'll leave this subject be and let you get you answers from a official source.


jimkyle
Btrieve Guy
Premium
join:2002-10-20
Oklahoma City, OK
kudos:2
Reviews:
·AT&T Southwest

David gave me the answer over in Direct. The connection to att.motive.com was intended as a helper for initial setup of the devices, nothing more, but it didn't work out and has been abandoned. Therefore the certificate was allowed to expire. Now it just wastes a few cycles of bandwidth, and has no ill effects at all.

Way to go, AT&T, to create the image of a professional and efficient service!
--
Jim Kyle



David
I start new work on
Premium,VIP
join:2002-05-30
Granite City, IL
kudos:101
Reviews:
·DIRECTV
·AT&T Midwest
·magicjack.com
·Google Voice

1 edit
reply to jimkyle

yea thing is it was worth a shot. Now a days if you have a bad password or incorrect userid you connect to a different box and get a redirect from what I understand. I can't say I keep up with all of that as I probably should, most in my group work on maintaining DSL sync and such. connections and what you on the internet is out of their hands.

AFAIK, I believe it was only used for configuring a modem on install. I think it was abandoned though. the different box does this now much easier and cheaper from what I understood.

A lot of the newer modems today I don't think reference the motive at all. As the IPv6 transition happens, most of these modems will be obsolete so it won't really matter.