Eli Fulkerson .com


Cisco ASA vs. Comcast SMC8014, a love story:

This describes a particular issue, and the fix, for connecting a Cisco ASA firewall to a Comcast-provided SMC8014 cable modem. I believe that this is the standard modem they use with their business class cable internet plans.

The guilty party is this piece of crap:

The following behaviors were observed:

  • Working state: connection would initially work, and would continue to work for minutes (or hours) before seeming to peter out and halt.
  • Failure state: it would appear that all traffic would halt. However, extremely small packets would pass, as if the device had adopted an MTU of 494 bytes and was rejecting all other packets (pings of 466 bytes and below were able to pass). As a side note, this failure state was not failed enough to trip the auto-failover that I had configured in the 5505, as its small packets continued passing through the hold time.
  • Rebooting the firewall, switch, and all other related devices *other* than the SMC modem would result in no change. Rebooting the SMC modem alone, without restarting any other equipment, would return you to the "working" state.
  • Replacement of the firewall itself resulted in no change.
  • With the problem seemingly isolated to the cable modem, it was time to talk to the helper monkeys at Comcast to see if they could see anything from their view into the SMC modem. This was not successful - the first play out of their book is to remotely reboot the modem, which puts it back into "working" state, at which point they declare it working and end the call. After the problem persisted regardless, the second step from their end was to send a technician out to check the signal and power levels on the upstream of the modem. Slight issues would be found (as would be true in any such network), but it wouldn't resolve the problem. In addition, Comcast shipped out a replacement SMC8014, which replaced the suspicious one. There was no change; the new device entered a failure state the same as the original.

Eventually I was put in touch with a higher level tech support person, who was as baffled as I. We went through every setting we could think of and eventually discovered the issue.

The SMC8014 cable modem crashes in situations of mismatched speed/duplex.

The problem was this: the Cisco on my end had a hard-coded speed (100 Mbps) and duplex (full) setting. The cable modem was set to auto. For whatever reason, rather than just causing more collisions, this causes the SMC8014 to lock up completely. Logging into the SMC8014 and hardcoding the port settings to match causes the problem to go away. (It is possible that setting both sides to autonegotiate might have also been successful, but I haven't verified this. Autonegotiation between different vendors doesn't always work the way you would expect - it is my opinion that hardcoding all network interconnections (with the exception of the end PCs themselves) is the way to go.)

In order to log into the SMC modem, you need to aim a web browser at http://WhateverGatewayAddressComcastGaveYou. This brings up a login/password screen. The credentials that worked for me were username: cusadmin and password: highspeed.

Once you get in, navigate to "Feature Settings" and then "Switch Controls", and set the port information the way you need it - in my case, unchecking "auto" and filling out the radio button for 100 and full. Active should remain checked.

My firewalls are currently enjoying network uptimes in the hundreds of days. The modem crashing problem has completely disappeared.






Exhibit A: mturoute output during failure state

    C:\Users\Eli\Desktop>mturoute (address redacted)
    * ICMP Fragmentation is not permitted. *
    * Maximum payload is 10000 bytes. *
    - ICMP payload of 5046 bytes failed..
    - ICMP payload of 2569 bytes failed..
    ...- ICMP payload of 1330 bytes failed..
    ...- ICMP payload of 711 bytes failed..
    + ICMP payload of 401 bytes succeeded.
    ...- ICMP payload of 556 bytes failed..
    ...- ICMP payload of 478 bytes failed..
    + ICMP payload of 439 bytes succeeded.
    + ICMP payload of 458 bytes succeeded.
    ...- ICMP payload of 468 bytes failed..
    .+ ICMP payload of 463 bytes succeeded.
    + ICMP payload of 465 bytes succeeded.
    + ICMP payload of 466 bytes succeeded.
    ...- ICMP payload of 467 bytes failed..
    + ICMP payload of 466 bytes succeeded.
    + ICMP payload of 466 bytes succeeded.
    Path MTU: 494 bytes.
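
The link between Exhibit A and the failover that never tripped, as an added example (not the author's code): it parses mturoute output, derives the path MTU as the largest passing payload plus 28 bytes of IPv4 and ICMP headers, and reports whether a keepalive of a given size would notice the degraded state. The 32-byte keepalive, the 1500-byte expected MTU and the function names are assumptions, and the HEALTHY sample is constructed.

```python
import re

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header

# Exhibit A from this page, trimmed to the probes nearest the boundary.
EXHIBIT_A = """\
- ICMP payload of 711 bytes failed..
+ ICMP payload of 401 bytes succeeded.
...- ICMP payload of 478 bytes failed..
...- ICMP payload of 468 bytes failed..
+ ICMP payload of 466 bytes succeeded.
...- ICMP payload of 467 bytes failed..
Path MTU: 494 bytes.
"""

# Constructed sample: output for a path that carries full 1500-byte frames.
HEALTHY = """\
- ICMP payload of 5046 bytes failed..
+ ICMP payload of 1472 bytes succeeded.
...- ICMP payload of 1473 bytes failed..
Path MTU: 1500 bytes.
"""

PROBE = re.compile(r"ICMP payload of (\d+) bytes (succeeded|failed)")

def summarize(output):
    """Return (largest passing payload, smallest failing payload, derived MTU)."""
    probes = PROBE.findall(output)
    ok = [int(n) for n, result in probes if result == "succeeded"]
    bad = [int(n) for n, result in probes if result == "failed"]
    largest_ok = max(ok) if ok else None
    smallest_bad = min(bad) if bad else None
    mtu = largest_ok + IP_ICMP_OVERHEAD if ok else None
    return largest_ok, smallest_bad, mtu

def link_state(output, expected_mtu=1500, keepalive_payload=32):
    """Return (state, keepalive_notices) for one mturoute run."""
    largest_ok, _, mtu = summarize(output)
    if largest_ok is None:
        return "down", True            # nothing passes, any probe fails
    if mtu >= expected_mtu:
        return "healthy", False        # full-size frames pass, nothing to notice
    # Degraded: a keepalive only fails if it is larger than what still passes.
    return "degraded", keepalive_payload > largest_ok

if __name__ == "__main__":
    print(summarize(EXHIBIT_A), link_state(EXHIBIT_A))
    print(link_state(EXHIBIT_A, keepalive_payload=1472))
```

A health check sized near the expected payload (1472 bytes on a 1500-byte path, with fragmentation not permitted) fails in this state, while a small default-sized probe keeps succeeding.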
    

Exhibit B: equipment version information

In particular, the devices involved:

  • Comcast-provided cable modem, SMC8014
  • Cisco ASA 5505 firewall. Same behavior with a Cisco ASA 5510 firewall, and a Cisco Pix 506e firewall.
  • Cisco ASA 5510:
      • Cisco Adaptive Security Appliance Software Version 7.0(7)
      • Compiled on Fri 06-Jul-07 10:37 by builders
      • System image file is "disk0:/asa707-k8.bin"
      • Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
      • This platform has an ASA 5510 Security Plus license.
  • Cisco ASA 5505:
      • Cisco Adaptive Security Appliance Software Version 7.2(4)
      • Compiled on Sun 06-Apr-08 13:39 by builders
      • System image file is "disk0:/asa724-k8.bin"
      • Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
      • This platform has an ASA 5505 Security Plus license.
  • The Pix 506e has since been retired; I no longer have its details.