Draytek ACS & False Positive Alerts

The Draytek ACS platform has several flavours. One of which is the hosted-by-Draytek option.

Following update of firmware on assorted Draytek models, including the 2860 / 2860n models to firmware 3.9.1 [link] and others, we were seeing many false positive alerts from ACS that the routers were offline.

After much digging, it appears that there are 2 data flows that need to be working for ACS to accurately report a device’s online status.

 

Flow 1.

From router to ACS.

Set in the TR069 settings etc  – as per here [link]

This is easily tested using the “Test with Inform” button on the set up page.

In ACS, most detail will appear, so all will look more or less as expected.

 

Flow 2.

From ACS to router.

If this is not working and only Flow 1 is working, then there are a couple of key bits of information that will be missing from the ACS dashboard.

These include the

• Router uptime
• Live front panel view
• xDSL sync speeds.

If these are missing / blank then it’s a clear indication that ACS cannot successfully talk to the router.

Why might it not be able to talk?

• not correct username and password in ACS / router
• Wildly incorrect time and date on router
• Firewall / access restriction. ACS server needs to be allowed to talk on the Management Port that has been set for ACS (usually 8069)
• Something else…

It was the “Something else” that took some time to track down.

In older versions of Draytek firmware, the router has it’s own local, self signed certificate. This certificate was issued at the firmware build time (say…middle of 2019) and had a 40 year expiration date on it. Even though browsers etc didn’t like the fact that it was self signed (and so couldn’t be trusted), the expiration date was still valid.

Newer versions of Draytek firmware – this local self signed certificate is only valid for 1 year from the firmware build date. This much shorter certificate expiry date now means that the presented certificate is both self signed AND is no longer valid (by date). When logging in using a web browser, you get the certificate error for the self-signed / not-trusted, but once you’ve chosen to continue, there’s no obvious indication that the certificate has also expired.

However, ACS DOES notice that the certificate has expired and refuses to talk to the router. This means that Flow 2, which was working fine… now doesn’t work at all.

The fix?

Regenerate the Self-Signed Certificate in the router’s web interface. Takes less than a minute to do and isn’t difficult. This will give a valid end date (12 months from now) and ACS will now be able to communicate using Flow 2.

The boring bit: The certificate is going to need to be regenerated every 12 months.

It is possible to generate / install proper not-self-signed certificates with longer expiration dates, but that’s a much more complicated process. Or we can hope that Draytek reissue firmware with longer expiration dates on the self-signed certificates, because at the moment – it’s quite possible that a new-out-of-the-box Draytek will have expired self-signed certificates before it’s ever been used.