MA30120 Digital Communication Server Version 1.15

1) Introduction

MultiAccess30120 T1/E1-PRI Communication Server.

Expandable Remote Access Server for use with T1-RBS, T1-PRI or E1-PRI digital communication lines. The base unit comes with one thirty-modem module. Up to 3 additional modem modules (MA30EXP) can be added to the base unit, for a total of 4 modules (for a total of 120 modems).

Readme Outline

1. Introduction

2. General Usage

3. Hardware Notes

4. Software and Operational Notes

5. Configuration Objectives

6. Updates

7. Tech Tips and Trouble Shooting

8. Misc.

The documentation that is shipped with the unit is a printed Quick Start guide, and 2 CDs (a hard drive recovery CD and a User Manual CD which also has client utilities for Windows).

The current User Guide can also be downloaded from:

2) General Usage

The "Modem Usage" setting dictates the (Role) of the MA30120 modems. The modem usage is set per modem, so even a unit with just one modem module and one digital communication line can be a multi purpose server. The MA30120 can be configured to be a traditional Remote Access Server (RAS), a (FAX) Server, a Network Modem Pool Server (Modem Sharing), and a (Custom) Server for supporting user installed application software on the MA30120.

RAS - The purpose of which is to give remote users/nodes (i.e. Microsoft Dial-Up Networking clients) dial in IP access to the LAN the MA30120 is installed on. This is the default usage for all modems.

FAX - Modems set to a usage of FAX will be allocated to the internal HylaFAX™ Server. Calls that come into these modems from the digital line will be answered as fax calls. The received fax will then be sent as an email to the appropriate recipient (based on pre-configured information). The HylaFAX Server can also send outbound faxes by using a HylaFAX compatible fax client (like Multi-Tech’s FaxFinder™ Client). Install the client on workstations that have network access to the MultiAccess. The clients use TFTP to push faxes up to the HylaFAX server for sending out to remote fax locations.

MODEM SHARING - Modems set to one of the Modem Sharing options can be accessed by any computer that has IP access to the MA30120. Applications/users that want to use the modems must first open a specific TCP socket connection to the MultiAccess. The socket connection between the workstation and the MA30120 takes the place of a traditional serial connection between a workstation and an external modem. The MultiAccess modem is controlled by AT commands issued by the application that opens the socket. Additionally, a "com port redirector" (like Multi-Tech’s WINMCSI™ and Tactical Software's "DialOut/EZ" ™) is a common program (for use on Microsoft Windows™ workstations) that is used in conjunction with modem sharing access servers. The redirector provides a virtual com port to the OS. When an application opens the com port, the redirector opens a socket to the MA30120 modem and redirects the user’s data to and from it.

3) Hardware Notes:

The unit is a 19-inch wide, 1U high, rack mountable chassis. The unit uses one universal ATX switching power supply (100-240 VAC, 1.2/0.6 AMP, 50/60 Hz).

The mother board is a Intel Celeron™ based computer (on board video, 566 MHz CPU, 20+ gig laptop style hard drive, 1 DIMM with 256 meg SDRAM) running Linux Kernel 2.4.22 that’s been complied by Multi-Tech. The motherboard also has 2 on board 10/100 Ethernet NICs and 4 on board T1/E1 digital line interfaces (software configurable).

The digital line interfaces are not active unless an MA30EXP modem module is installed in the corresponding position. All active line interfaces must be configured to the same basic type. All must be T1 or all must be E1 (for example Line 1 can not be set to T1-PRI while Line 2 is set to E1-PRI). However T1-RBS and T1-PRI can be intermixed freely.

The MA30EXP Modem Module consists of 30 modems (0 through 29). When the Line Interface is configured for T1-PRI, 23 modems are made available to the system (0 through 22). When the Line Interface is configured for T1-RBS, 24 modems are made available to the system (0 through 23). When the Line Interface is configured for E1-PRI, all 30 modems are made available to the system (0 through 29).

4) Software and Operational Notes:

The primary system configuration and management is via HTTPS (secure browsing via SSL access). Command line access to the Linux operating system is also available (SSH client or locally attached keyboard and monitor). SFTP can be used to transfer files to and from the unit. The unit is also an FTP client.

There are two separate administrator accounts, the WEB management account and the Linux root account. The default credentials are:

WEB (HTTPS)

Command Line (SSH, etc)

Upon initial power up, within 5 seconds one beep is heard at a successful POST of the BOIS, appx 90 to 120 seconds later 5 consecutive beeps will be heard when the system has reached run level 3. Line Interface and Modem Drivers can take up to an additional 60 seconds to load, after run level 3 is reached. The time needed to fully boot up is a variable depending on the number of modem modules installed, hard drive variables (journal events and file system checks) and other system variables. All 12 line interface LEDs will simultaneously flash on/off (repeatedly) while booting up, until run level 3 is reached. Then when the line interface and modem drivers finish loading, only the activated line interfaces will have appropriate LEDs illuminated.

The operating system is Linux so avoid improper shutdowns. When a proper shutdown is initiated, immediately 1 beep is heard and then the unit starts to shutdown (killing services, unloading drivers, etc) and then approximately 30 seconds later "run level zero" is reached and two consecutive beeps are heard, after which it is now safe to power off the unit. In some rare occasions, timing variables to the shutdown process may result in not all PIDs being removed.

There are multiple ways to properly shutdown and/or restart the unit.

Via HTTPS:

Via Command Prompt (without quotes):

The unit MUST BE REBOOTED if the Line Interface type changes from E1 to T1 or T1 to E1. Changing from T1-RBS to T1 PRI does NOT require a reboot, nor does changing any of the other E1/T1 line interface settings (like framing format or switch type).

Front panel LED labeled "LAN 1" = Setup Menu "eth0" = back panel label "Ethernet 1"

Front panel LED labeled "LAN 2" = Setup Menu "eth1" = back panel label "Ethernet 2"

5) Primary Configuration Objectives:

Open a browser on your workstation and in the location (address) bar enter https://192.168.2.1. Answer yes to pop ups regarding secure site and certificate messages. A MultiAccess Web Management login menu will appear. You have now established HTTPS communication with the MA30120.

Enter the HTTPS administration credentials, you will be brought to the main menu (home page) of the MA30120. Go to the "Network Setup" menu. First, scroll down the menu and change the IP address and subnet mask of Network Card 1 to an available static address for the network the unit is to be installed on, and then press the save button. Confirm the pop up menu regarding the address change - wait approximately 1 minute for the parameter change to take effect. Then enter the new IP address into the location bar of your browser, and proceed to log back into the unit.

Return to the Network Setup menu and address the following:

Define the Default Gateway and save it. Add at least one DNS Server (this is used by the operating system to resolve names). Define a Host Name (for the MA30120) and save it. It is not necessary to configure and connect the second ethernet interface of the unit. The intended use of the second network interface is for more advanced applications. Use of the second interface lends flexibility to separate networks with separate applications, useful with private and public network implementations, provides an alternative means of network access and can aid in trouble shooting. It is acceptable to have both interfaces on the same network (as long as they have unique host addresses) or they can be on separate networks.

From the main menu bar, click on the Line Interfaces link. The top portion of this menu shows the current settings of the Line Interface indicated (the sub-menu on the left hand side of the page lets you select which Line Interface). The remaining portion of the menu is used to change the parameters of the Line Interface.

Select the Line Type pull down to change the general configuration of the digital line interface (from T1-RBS to T1-PRI to E1-PRI). Wait for the screen to update after selecting the line type.

Set the appropriate Framing Format, Line Code and Signaling information. The available Signaling choices depend on the type of line chosen (Switch Type for PRI and FXS Protocol for RBS). Line Build Out is the dB level of the T1 or E1 signal transmitted by the MA30120 Line Interface. Receive Sensitivity defines the minimum size of T1 or E1 signal (dB level) the MA30120 expects to receive (recovery) from the Telco circuit. The default is -10dB (short haul mode) - meaning we expect to receive a signal between 0 dB and -10dB. If the signal that is present on the receive pair is smaller than -10 dB, the sensitivity will need to be set to -36dB (long haul mode). This can be common with extended Demark installations or other extenuating termination variables.

After selecting the desired parameters, press the "save" button and wait for the screen to refresh. Next press the "send" button, followed by "Ok" to confirm the restarting of the interface. Wait for the screen to refresh (this takes longer - about 45 seconds). Only until after the send action is performed, will the "Current Setup" at the top of the page reflect the new parameters/changes.

The Line Type setting dictates how many modems (tty ports) are made available for the associated Line Interface.

The "Modem Setup" link on the main menu bar brings you to the Modem Usage Setup menu. See section 2 above for a general description of each choice. See section 7 below for common technical details associated with each. See Chapter 3 of the User’s Manual for a full explanation of Modem Usage.

The User Authentication menu has 3 sub menus (Local Users, RADIUS Client and RADIUS Server). If the modem’s usage is set to RAS or Modem Sharing with RADIUS Authentication you must use and setup the RADIUS Client page. If the modem’s usage is Modem Sharing with Local authentication, add users to the local database via the Local Users menu. Local Users that are added will have dial in and out rights and can be given SSH access rights to the Linux OS - but they will not have administrator rights.

The two RADIUS menus and how they can work together:

The RADIUS protocol implements a client to server relationship. The RADIUS Client within the MA30120 must be told (configured with) the IP address of the RADIUS server it is to authenticate against. The RADIUS Server can be external to the MA30120 (like IAS on a WIN2003 server). Or, the RADIUS server can be the internal RADIUS Server.

Point the RADIUS Client of the MultiAccess to the RADIUS server of your choice and define a shared secret password (that matches the stored value in the RADIUS server).

If you point the RADIUS Client to an external RADIUS server you do NOT have to enable and configure the internal RADIUS Server.

If you point the RADIUS Client to the Internal RADIUS Server, the IP address of eth0 is used to define (identify) both the Client and the Server.

Use the "RADIUS Server>General Setup" sub menu to add the client information. Use the "RADIUS Server>User Setup" sub menu to add users (credentials of the dial in users) to the "users" file of the internal RADIUS Server (this is a separate database from that of the "Local Users" menu).

For all RADIUS implementations, the RADIUS client must be added to the RADIUS server (which means editing the clients file\menu of the RADIUS server). When adding a RADIUS client to a RADIUS server - the shared secret password must match what is defined within the RADIUS client. The shared secret password is an encryption key used by both RADIUS server and client. When the RADIUS client makes an authentication request to the server, it encrypts the "user’s" password with the shared secret. When the RADIUS server reads the authentication request, the password is decrypted using the same shared secret value. The RADIUS server also has to be listening on the same UDP port the RADIUS client is using.

Appendix C in the User Guide explains the 3 possible methods that could be used to update the MA30120. The primary method of updating is via the System Update page. The update client within the MultiAccess will use FTP to contact the update server ("update.multitech.com"), download update files, apply them, and reboot the unit.

7. Tech Tips & Trouble Shooting

The web administration interface of the MA30120 provides access to these logs via the "Statistics and Logs" page -> "View Logs" menu. The log file to select is "kernel". After selecting a "date" you also have to select a "time". The "time" selection chooses the ending hour of the messages file for the date selected (normally you should select the time choice of "latest" when the date selected is today’s). All log files down loaded via the web interface will be saved as logfile.txt.

These symptoms are commonly encountered when setting up and testing a new installation (new MA30120, digital line or both). The Central Office is the one who generates any busy signal or ring back that might be heard when calling in. If either the MA30120 or Telco equipment indicates an alarm or error condition, calls will not go through. Alarm conditions are normally the result of cable wiring or equipment configuration issues. There can be a miss match of settings between the Central Office equipment and the Line Interface settings of the MA30120. The provider of the line can also have internal call routing issues before the call even reaches the T1 line connected to the MA30120.

It’s possible that no alarms or errors are indicated and yet there still can be a settings issue that prevents calls from getting through. Even though the layer 1 parameters match (1.544 MHz, Framing Format, Line Code), if there is a mismatch in the layer 2 call signaling techniques (i.e the T1 line is provisioned for PRI signaling and it’s connected to an MA30120 Line Interface set for Robbed Bit Signaling, or a mismatch in RBS methods), the equipment on the circuit most likely would not be indicating an alarm condition. Please Note: Certain PRI equipment may choose to indicate an Alarm condition when the layer 2 communication protocol (D_Channel protocol) is not up. Additionally, in rare occasions wiring\termination issues (loopbacks, wrong circuit, etc) can prevent layer 2 communication.

These symptoms can also be encountered when a call comes into the MA30120 on a port that is not being used properly. The modems in the MA30120 must be instructed to answer (by the application using the modem). If the modem is not instructed to answer (via AT command), we do not signal back to the CO (to indicate that we will except the call). Depending on the type of line and other variables, some or all of the symptoms may be encountered. This situation most commonly occurs when a modem port is set to "Modem Sharing" and it is not being accessed by any application from the LAN side of the MA30120 (the TCP socket is closed). Refer to Modem Sharing Problems in the Tech Tips section of this document for additional details.

When the modem usage is set to Modem Sharing, the application (opening the socket or virtual com port) is responsible for setting the modem’s configuration (connect speed, data protocol, etc) and instructing it to dial or answer. After each call is finished (be it a good call disconnects or an attempted call results in busy, etc) the modem’s configuration returns to it’s default settings. The application using the modem must configure the modem per call when the modem’s default settings are not appropriate for the situation.

When the modem usage is set to RAS - the "Modem Setup" sub menu (of the Modem Setup Menu) is used to control the modem’s configuration. All RAS modems will use the same Modem Setup parameters.

The MA30120 does not respond to Telco initiated loop backs.

Most T1 Lines (regardless of RBS or PRI) in North America that implement a framing format of ESF (Extended Super Frame) do so with Error Correction (CRC4). The MultiAccess provides two choices ("ESF" and "ESF with Error Correction"). When speaking with service providers it’s common that "with Error Correction" is not mentioned because it is widely assumed on. Some Telco equipment can auto detect if it’s on or off coming from the premise side equipment (MA30120). In most cases, set the MultiAccess to a framing format of "ESF with Error Correction".

The MA30120 will indicate RED alarm (also referred to as Loss of Signal, same as no cable connected to the Line Interface) if the received signal is smaller than the Receive Sensitivity setting.

When switching between T1 and E1 - the unit must be rebooted.

The MA30120 does not support E1 lines that implement R2 (R2 digital & R2MF) signaling methods.

Caller ID information (called number and Calling number) is only available through PRI lines.

When the modem usage is set to Modem Sharing with Authentication - the authentication source can be "Local", "RADIUS" or "Both". When "Both" is selected, all authentication requests will be sent to the RADIUS server unless the user name starts with an exclamation point (!). The preceding ! indicates to the MultiAccess to strip the ! and then run the remaining string (credentials) against the local data base instead.

When the modem usage is set to RAS - the authentication source must be "RADIUS". The RADIUS Client page within the MA30120 Authentication menu must be properly configured. RADIUS authentication is at a separate point (or layer) from that of the PPP peer to peer authentication process. PAP is the only PPP authentication protocol supported by the MA30120.

The RAS authorization process is: the remote user enters their username and password into their PPP software (i.e. MS-DUN client) and dials into the MA30120. After the modems establish carrier and the LCP portion of PPP starts, the PPP peer uses PAP to communicate the user credentials across the PPP link to the MA30120. Then, the MA30120 RADIUS Client via the RADIUS protocol sends an Authorization Request to the RADIUS server. If the credentials are correct and the attributes match, the RADIUS server sends an Authorization Accept to the RADIUS Client, who in turn informs the PPP layer that authentication is successful (at this point the PPP link is up and RADIUS Accounting can begin).

Traditional parameters associated with dial up PPP sessions are defined on the RADIUS Client page (DNS, IP pool, etc). The IP address given to the PPP peer (user) is controlled by RADIUS attributes. The RADIUS server will instruct the RADIUS client (AKA, MA30120) to give the user a specific (static) IP address or to give the user a "pool" address (use one from the address pool defined within the NAS). The parameter "Remote Host Address" specifies the starting point of a sequential range of IP addresses (address pool defined within the MultiAccess) and must end with a plus symbol (17.16.100.1+). The address range depends on how many modem ports are set to a Usage of RAS (if 24 modems are set to RAS the range is 172.16.100.1 thru 172.16.100.24). The assignment of PPP parameters (IP, DNS, etc) via the DHCP protocol is not supported by the MultiAccess.

If the RADIUS server shows the authentication request was rejected, the MA30120 was not added to the clients file within the RADIUS server, the user is giving the wrong password, or the user doesn’t have appropriate rights. If the RADIUS server doesn’t see (or appears to ignore) the authentication request; the shared secret is wrong (alpha numeric characters only and case sensitive), or the RADIUS client is not set to the same set of UDP ports as the RADIUS server, or the RADIUS client is pointing to the wrong RADIUS server/IP address, or there is a network problem blocking the request (RADIUS uses UDP to communicate). When the authentication request is not seen or ignored by the RADIUS server, eventually the RADIUS client will report a "RADIUS Timeout" error (no response from the radius server) and disconnect the user.

If the internal RADIUS Server is being used, it will look to the Local Users database of the MA30120 if it does not find a matching user name value when scanning it’s users file. If while scanning the RADIUS users file it DOES find a matching user name - it stops scanning and will NOT proceed to the Local Database (even if the password match fails).

Dial Up Networking on the remote workstation: The properties applet usually has 5 tabs, with the "Security" and "Networking" tabs addressing the parameters of concern. The type of security must be "Typical" with "Allow Unsecured Password". This description of "typical" and "unsecured" refers to the PPP authentication protocol of PAP (which transfers the credentials as clear text). On the Networking tab, the TCP/IP component must be set to Obtain IP Address and DNS Automatically. The remaining TCP/IP parameters can be left at default. However for some of the options (depending on your network variables), if they are set incorrectly communication at a certain level may not work (like name resolution or routing issues).

IAS (Internet Authentication Service): There are many variables to IAS and it’s interaction with a Windows user database (Local Users or Active Directory) that go beyond the scope of this document (and beyond the control of an IAS Client). Variables that can prevent successful authentication. Additionally, even though IAS may already be installed and working with other clients (applications and appliances), this does not mean it’s settings and policies are appropriate when serving a new client (i.e. additional RAS gear).

When the port is configured for Modem Sharing, the Modem Connections page (of the Statistics and Logs menu) will show the state of the port as "Idle" when there is not a TCP socket connection to the port. When a TCP socket connection is made to the port, the state of the port becomes "Allocated" (allocated to the application that opened the socket).

The MA30120 can not tell which application (on a workstation or server) is opening the TCP port/socket. Redirectors, telnet clients, and proprietary programs all appear the same to the MultiAccess because they must use TCP/IP (a platform independent protocol suite) to gain access to the modem(s) in the MA30120.

Telnet to the modem (specifying the IP address of the MA30120 and TCP port number assigned to a tty port\modem) and issue "at" commands. By default "at command echo" is off (what you type is not echoed back). To see what you type - enable command echo (issue ate1). Ati1 will identify which modem (of the 30) you are communicating with. At this point, the Modem Sharing functionality of the MA30120 is working. Now try to dial out (atdtphonenumber<cr>), if the destination rings T1/E1 Line Interface aspect of the MA30120 is working.

Inbound Calls (dial in):

The MA30120 modem must be instructed (by a host application on your network) to answer the incoming call. If the modem is not instructed to answer, the originator will hear a period of dead air until the CO gives up ringing the MA30120, then at this point you may hear a fast busy or an audible recording (depending CO behavior).

The MA30120 detects incoming calls on the particular B_Channel (dictated by the CO switch) and issues a "ring" message into the corresponding IP socket. The B_Channels of the digital line are mapped sequentially to the tty ports of the MA30120 (for example channels 1 through 24 of a standard T1 line are mapped to modems ttyMA00 through ttyMA23). If Telco routes a call to channel 1, the ring will be seen on ttyMA00, if Telco routes the call to channel 13, the ring will be seen on ttyMA12.

The socket has to be opened prior to the start of the call for the ring message to be displayed. The application that opened the socket must be looking for the ring message and respond with the answer command (ata).

Please Note: When the port’s Modem Usage is set to "RAS" or FAX it’s state is "Allocated". These internal processes (programs) initialize and instruct the modem to answer.

Outbound Calls (dial out):

When the MA30120 is configured for Modem Sharing with RADIUS Authentication, the user should have outbound/dial out access rights. Normally (in the RADIUS Server), the "Service Type" attribute would be set to "Dialout-Framed-User".

If a "No Carrier" message is issued within 10 seconds of dialing - look to a T1/E1 line setup issue (with the MultiAccess or with Telco’s line\CO equipment). If a No Carrier result is encountered roughly between 25 and 60 seconds after dialing - look to a modem to modem carrier negotiation issue.

Additional Modem Sharing details can be found in the Modem Usage section of Chapter 3 in the User Guide.

Modem AT commands can be found in Appendix B of the User Guide.

Add 1 MCSI com port to each work station, set the properties of the MCSI com port as follows and then reboot the workstation.

The IMCP protocol, IMCP Forwarding, and Ping utility responses are enabled and functional by default (factory image settings). The default IP table rules do not filter or block IMCP packets. However, the "Packet Filters> IMCP" menu is broken and subsequently indicates these functions are disabled, when they truly are enabled. Use of this menu can inadvertently disable the IMCP protocol (disabling it’s ability to forward, or respond to, pings), and contrary to what the menu suggests, it can not re-enabled these options.

To know if this situation has been invoked, review the table of filter rules found in the Packet Filter menu. Look for "ICMP... Drop" rules - these rules are not factory settings.

The "Modem Setup> Modem Usage" menu only allows you to enable the "Reverse Dial" option when the usage of the modem port is set to Modem Sharing. This menu limitation can be overcome for dial out situations when the modem usage is set to Fax or Custom, by manually editing the "modemusage" file found in the /opt/multiaccess/data/ directory. Manual changes to this file will be lost (over written) if any change to any port is made via the Modem Usage menu.

For more information on the Reverse Dial option, refer to the Modem Sharing section in Software Chapter 3 of the User Guide. For more information on the dial command and supported dial modifiers see the D dial command in Appendix B of the User Guide.

Enabling the Reverse Dial option for modem ports set to a usage of FAX or Custom:

First, use the Modem Usage menu to set and save the desired usage for all ports in the system (RAS, Modem Sharing, Fax or Custom) and then manually edit the modemusage file to enable the Reverse Dial option for the ports that are set to Custom or FAX. When editing the modemusage file, the syntax of line entries must be maintained and are case sensitive. Manual entries made to the modemusage file will be overwritten if any change to any port is made via the Modem Usage web menu.

Using the vi editor, make the following change per modem:tty (the below example is for port ttyMA00).

vi /opt/multiaccess/data/modemusage

modem:ttyMA00,port:7000,use:Fax,pool:no,raw:no,ssl:no,display:yes,idle:0,reverse:no,monitor:no,modemx:no,

modem:ttyMA00,port:7000,use:Fax,pool:no,raw:no,ssl:no,display:yes,idle:0,reverse:yes,monitor:no,modemx:no,

First, use the Modem Usage menu to set and save the desired Modem Sharing usage and options. Then manually edit the modemusage file to add the "displayCID" option. When editing the modemusage file, the syntax of line entries must be maintained and are case sensitive. Manual entries made to the modemusage file will be overwritten if any change to any port is made via the Modem Usage web menu.

Using the vi editor, make the following change per modem:tty (the below example is for port ttyMA00). Add displayCID:yes, before the display:xx option.

vi /opt/multiaccess/data/modemusage

modem:ttyMA00,port:7000,use:Modem Sharing,pool:no,raw:no,ssl:no,display:yes,idle:0,reverse:yes,monitor:no,modemx:no,

modem:ttyMA00,port:7000,use:Modem Sharing,pool:no,raw:no,ssl:no, displayCID:yes, display:yes,idle:0,reverse:yes,monitor:no,modemx:no,

8. Misc.

A common (open source) SSH client for use with Windows is a program called "putty.exe".

The makers of putty also have a SFTP client for Windows called PSFTP.exe.

Last Updated: Sept. 11th, 2007.