This document describes the steps to decode the DOCSIS certificate in order to diagnose why cable modems are stuck in the reject(pk) or w-reject(pk) state on a Cable Modem Termination System (CMTS).
In several cases, modems end up in the reject(pk) state. It can be caused by specific conditions, for example, when the issuer in the CM certificate does not match the CA subject name.
SLOT 5/0: May 10 10:13:48.272 CET: Got Issuer 0^A^A1^K0 ^F^CU^D^F^S^BTW1^\0^Z^F^CU^D
^F^CU^D^K^S^FDOCSIS1C0A^F^CU^D^C^S:Hitron Technologies Cable Modem Root Certificate Authority from Certificate.
SLOT 5/0: May 10 10:13:48.272 CET: Got a new Invalid CM cert from a84e.3fdd.84c4
SLOT 5/0: May 10 10:13:48.272 CET: CA Cert Subject does not match CM Cert Issuer
SLOT 5/0: May 10 10:13:48.272 CET: BPI+ CM Cert Dump:
SLOT 5/0: May 10 10:13:48.272 CET: Failed CM Issuer not found. CMTS sent AUTH reject.
SLOT 5/0: May 10 10:13:48.272 CET: Sending KEK REJECT. Reason Code:6 Reason:16
SLOT 5/0: May 10 10:13:48.272 CET: BPI Authorization Reject Packet: a84e.3fdd.84c4
This output does not clearly show the root cause of the problem.
This article can be used to produce a readable certificate (one that can be opened with openssl or Keychain on the Mac) in order to identify the mismatch.
Cisco recommends that you have knowledge of these topics:
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Task 1. Collect the Logs
On the CMTS, you need to enable the logs in order to get the certificate hex dump. Type these commands.
XXD is a Linux/Mac utility that converts a hex dump into a binary file and vice versa. XXD needs each line of hex data to begin with a specific line header in order to work. Use the following Python script that adds the necessary header:
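An added example, not the script from the original document: it pulls the hex lines out of a captured log, checks that the capture matches the length announced by the outer DER header, and emits the `offset: hex` lines that `xxd -r` reads. The dump layout (log prefix followed by space-separated hex byte pairs), the sample bytes and all function names are assumptions made for illustration.

```python
import re

# Constructed sample, not a real certificate. Assumed dump layout: the CMTS
# log prefix, then hex byte pairs, after the "BPI+ CM Cert Dump:" line.
SAMPLE_LOG = """\
SLOT 5/0: May 10 10:13:48.272 CET: BPI+ CM Cert Dump:
SLOT 5/0: May 10 10:13:48.272 CET: 30 16 30 14 A0 03 02 01 02 02 01 01 30 0D 06 09
SLOT 5/0: May 10 10:13:48.272 CET: 2A 86 48 86 F7 0D 01 01
SLOT 5/0: May 10 10:13:48.272 CET: Sending KEK REJECT. Reason Code:6 Reason:16
"""

HEX_ONLY = re.compile(r"(?:[0-9A-Fa-f]{2}\s*)+")

def extract_bytes(log_text):
    """Collect certificate bytes from the hex lines, skipping other log lines."""
    data = bytearray()
    for line in log_text.splitlines():
        payload = line.rsplit(": ", 1)[-1].strip()  # drop the log prefix
        if payload and HEX_ONLY.fullmatch(payload):
            data += bytes.fromhex(payload)
    return bytes(data)

def der_expected_len(data):
    """Total size announced by the outer DER SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("dump does not start with a DER SEQUENCE (0x30)")
    if data[1] < 0x80:                      # short-form length
        return 2 + data[1]
    n = data[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        raise ValueError("truncated or invalid DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def to_xxd(data, cols=16):
    """Format bytes as 'offset: hex' lines, the header layout `xxd -r` reads."""
    lines = []
    for off in range(0, len(data), cols):
        chunk = data[off:off + cols].hex()
        groups = " ".join(chunk[i:i + 4] for i in range(0, len(chunk), 4))
        lines.append(f"{off:08x}: {groups}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    cert = extract_bytes(SAMPLE_LOG)
    if len(cert) != der_expected_len(cert):
        raise SystemExit("captured dump is incomplete; collect the logs again")
    print(to_xxd(cert), end="")
```

Pipe the output through `xxd -r` to obtain the binary DER file, which `openssl x509 -inform DER -noout -issuer -subject` can then print for comparison with the CA certificate subject.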