CableLabs, the body that governs standards relating to Data-over-Cable Service Interface Specifications (DOCSIS) cable modems and Cable Modem Termination Systems (CMTS), made an important change in the way a CMTS allows a DOCSIS 1.0 cable modem to establish Baseline Privacy Interface (BPI) encryption between the modem and the CMTS. These mandatory changes may cause some cable modems to fail to come online when they use DOCSIS configuration files that worked with releases of Cisco IOS® previous to 12.2(8)BC1. In addition, the following message may be generated on the CMTS:
%UBR7200-3-AUTH_REJECT_UNAUTHORIZED_SAID: <132>CMTS[Cisco]:<66030104> Auth Reject - Unauthorized SAID. CM Mac Addr <0081.9607.3831>
The way to resolve this issue and comply with the new changes is to make sure that at least one of the BPI configuration options is specified in the DOCSIS configuration file downloaded by the cable modem.
This document describes the symptoms seen in systems affected by this change, and how to quickly update DOCSIS configuration files to comply with the new BPI configuration specifications.
For more information on document conventions, see the Cisco Technical Tips Conventions.
There are no specific prerequisites for this document.
The information in this document is based on the software and hardware versions below.
Cisco IOS releases 12.2(8)BC1 and later.
All Cisco CMTS products including uBR10000, uBR7200, and uBR7100 series CMTSs.
All releases of the Cisco DOCSIS Customer Premises Equipment (CPE) Configurator tool.
This document only applies to cable modems provisioned to operate in DOCSIS 1.0 mode, and use DOCSIS 1.0 mode BPI.
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
The latest revision of the BPI specification has a new requirement; if a cable modem provisioned in DOCSIS 1.0 mode needs to run BPI, the BPI configuration settings option Type 17 must be present in the DOCSIS configuration file and the subsequent Registration Request from the cable modem.
Further details of the change may be found in CableLabs Engineering Change Notice RFI-N-02005. This document is only available to registered CableLabs participants. Refer to CableLabs for more details.
Releases of CMTS Cisco IOS previous to 12.2(8)BC1 did not require cable modems provisioned in DOCSIS 1.0 mode to use BPI to include a BPI configuration option when registering. From 12.2(8)BC1 and later, it is mandatory to include the extra BPI configuration option.
If cable modems have been provisioned to operate in DOCSIS 1.0 mode and to use BPI, but no BPI configuration options have been specified, they do not reach the familiar online (pt) state. They will, however, seem to reach the online state. They may appear to quickly fall offline. The following error messages may appear on the console of the CMTS as cable modems begin to negotiate BPI parameters with the CMTS:
    uBR7246VXR# term mon
    !--- Necessary for a Telnet session.
    uBR7246VXR#
    01:27:42: %UBR7200-3-AUTH_REJECT_UNAUTHORIZED_SAID: <132>CMTS[Cisco]:<66030104> Auth Reject - Unauthorized SAID. CM Mac Addr <0090.9607.382f>
    01:27:50: %UBR7200-3-AUTH_REJECT_UNAUTHORIZED_SAID: <132>CMTS[Cisco]:<66030104> Auth Reject - Unauthorized SAID. CM Mac Addr <0090.9607.3831>
    01:27:55: %UBR7200-3-AUTH_REJECT_UNAUTHORIZED_SAID: <132>CMTS[Cisco]:<66030104> Auth Reject - Unauthorized SAID. CM Mac Addr <0050.7366.12fb>
    01:27:57: %UBR7200-3-AUTH_REJECT_UNAUTHORIZED_SAID: <132>CMTS[Cisco]:<66030104> Auth Reject - Unauthorized SAID. CM Mac Addr <0050.7366.2223>
By applying a debug to more closely analyze why cable modems are not able to perform BPI negotiation, you can see that the CMTS claims that the cable modem is not correctly provisioned to run BPI, although the modem itself tries to initiate BPI.
    uBR7246# debug cable privacy
    CMTS privacy debugging is on
    May 23 01:39:27.214: CMTS Received AUTH REQ.
    May 23 01:39:27.214: Auth-Req contains 1 SID(s).
    May 23 01:39:27.214: SIDs are not provisioed to run Baseline Privacy.
    May 23 01:39:27.214: Unauthorized SID in the SID list
    May 23 01:39:27.214: Sending KEK REJECT.
    01:31:06: %UBR7200-3-AUTH_REJECT_UNAUTHORIZED_SAID: <132>CMTS[Cisco]:<66030104> Auth Reject - Unauthorized SAID. CM Mac Addr <0030.96f9.65d9>
Note: In the above debug, provisioned is misspelled as provisioed. A cosmetic bug, CSCdx67908 (registered customers only), has been raised to address this issue, which occurs in IOS version 12.2(8)BC1.
Using the Cisco DOCSIS CPE Configurator tool, DOCSIS configuration files for cable modems operating in DOCSIS 1.0 mode can be modified to include the BPI configuration option by specifying at least one of the following options in the configuration file. All of these options are found under the Baseline Privacy tab in the Cisco DOCSIS CPE Configurator tool. Also listed are the default values for each parameter.
Baseline Privacy Configuration Option | Default Value |
---|---|
Authorize Wait Timeout | 10 |
Reauthorize Wait Timeout | 10 |
Authorize Grace Time | 600 |
Operational Wait Timeout | 10 |
Rekey Wait Timeout | 10 |
TEK Grace Time | 600 |
Authorize Reject Wait Timeout | 60 |
Note that the SA Map Wait Timeout and SA Map Max Retries are specific to cable modems operating in DOCSIS 1.1 mode only, and therefore, must not be specified in a DOCSIS configuration file for a cable modem operating in DOCSIS 1.0 mode.
Note: Although the above BPI configuration option Type 17 values are defaults, you still need to specify one of those values in the DOCSIS CPE Configurator tool to enable BPI configuration option Type 17.
The two examples below show how to set one or many of these values using the Cisco DOCSIS CPE Configurator tool. Other forms of DOCSIS configuration file editors or builders may also be used.
Example - Specifying Only One Parameter
In this example, the Cisco DOCSIS CPE Configurator GUI is used to set the Authorize Wait Timeout parameter to the default value of 10. Setting this one value will place the required BPI configuration option in the DOCSIS configuration file.
The graphic below shows one of the parameters that will insert the BPI configuration option into the DOCSIS configuration file.
Once this field is completed, select Apply -> OK. Save the DOCSIS configuration file as normal.
Example - Specifying All Parameters
In this example, the Cisco DOCSIS CPE Configurator GUI is used to set all of the parameters that are part of the BPI configuration option to their default values. Note carefully that the SA Map Wait Timeout and SA Map Max Retries fields are not completed. These fields are specific to cable modems operating in DOCSIS 1.1 mode only, and therefore, must not be specified in a DOCSIS configuration file for a cable modem operating in DOCSIS 1.0 mode.
The graphic below shows all of the parameters that are a part of the BPI configuration option.
Once these fields are completed, select Apply -> OK. Save the DOCSIS configuration file as normal.
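A saved configuration file can be checked for the Type 17 option before it is served to modems. The Python sketch below is an added example, not part of the Cisco DOCSIS CPE Configurator tool or the original document; it walks the file's type-length-value records and reports a DOCSIS 1.0 file that enables BPI without option Type 17, or that carries the DOCSIS 1.1-only SA Map fields. The sub-option numbers, the use of Class of Service sub-option 7 as the BPI enable flag, and the pad/end markers are taken from the DOCSIS specifications rather than from this page, and the sample byte strings are constructed.

```python
import struct

# TLV 17 sub-options that are valid only in DOCSIS 1.1 mode. The numbering
# follows the DOCSIS BPI specification and is not stated on this page.
DOCSIS11_ONLY = {8: "SA Map Wait Timeout", 9: "SA Map Max Retries"}

def parse_tlvs(data, top_level=True):
    """Yield (type, value) pairs from a DOCSIS TLV byte string."""
    i = 0
    while i < len(data):
        t = data[i]
        if top_level and t == 0:        # pad byte, carries no length field
            i += 1
            continue
        if top_level and t == 255:      # end-of-data marker
            return
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"truncated TLV at offset {i}")
        length = data[i + 1]
        yield t, data[i + 2:i + 2 + length]
        i += 2 + length

def check_docsis10_bpi(config):
    """Return a list of problems for a DOCSIS 1.0 config file that uses BPI."""
    privacy_enabled, bpi_subs = False, []
    for t, v in parse_tlvs(config):
        if t == 4:    # Class of Service; sub-option 7 is Privacy Enable
            privacy_enabled |= any(st == 7 and sv == b"\x01"
                                   for st, sv in parse_tlvs(v, top_level=False))
        elif t == 17:  # BPI configuration settings
            bpi_subs += [st for st, _ in parse_tlvs(v, top_level=False)]
    problems = []
    if privacy_enabled and not bpi_subs:
        problems.append("BPI enabled but option Type 17 is missing")
    for st in bpi_subs:
        if st in DOCSIS11_ONLY:
            problems.append(f"{DOCSIS11_ONLY[st]} is DOCSIS 1.1 only")
    return problems

# Constructed samples: CoS class 1 with Privacy Enable set, then end marker.
COS = bytes([4, 6, 1, 1, 1, 7, 1, 1])
BAD = COS + b"\xff"                                   # no Type 17 at all
GOOD = COS + bytes([17, 6, 1, 4]) + struct.pack(">I", 10) + b"\xff"

if __name__ == "__main__":
    print(check_docsis10_bpi(BAD), check_docsis10_bpi(GOOD))
```

`GOOD` corresponds to the first example above, where only Authorize Wait Timeout is set to 10.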
Cisco strives to make sure that the uBR suite of CMTS products is kept as close to the latest versions of the DOCSIS specification as possible. While this strategy may seem to cause some short term loss of backwards compatibility or inconvenience in some rare cases, it ensures that in the long term Service Providers deploying Cisco CMTS equipment can be assured of interoperability with similarly compliant third party DOCSIS products.