Updated: July 16, 2021
This document describes the steps to decode the DOCSIS certificate in order to diagnose why cable modems are stuck in the reject(pk) or w-reject(pk) state on a Cable Modem Termination System (CMTS).
In several cases, modems end up in the reject(pk) state. This can be caused by specific conditions, for example when the issuer in the CM certificate does not match the CA subject name.
SLOT 5/0: May 10 10:13:48.272 CET: Got Issuer 0^A^A1^K0 ^F^CU^D^F^S^BTW1^\0^Z^F^CU^D
^F^CU^D^K^S^FDOCSIS1C0A^F^CU^D^C^S:Hitron Technologies Cable Modem Root Certificate Authority from Certificate.
SLOT 5/0: May 10 10:13:48.272 CET: Got a new Invalid CM cert from a84e.3fdd.84c4
SLOT 5/0: May 10 10:13:48.272 CET: CA Cert Subject does not match CM Cert Issuer
SLOT 5/0: May 10 10:13:48.272 CET: BPI+ CM Cert Dump:
SLOT 5/0: May 10 10:13:48.272 CET: Failed CM Issuer not found. CMTS sent AUTH reject.
SLOT 5/0: May 10 10:13:48.272 CET: Sending KEK REJECT. Reason Code:6 Reason:16
SLOT 5/0: May 10 10:13:48.272 CET: BPI Authorization Reject Packet: a84e.3fdd.84c4
This output does not clearly show the root cause of the problem.
This article can be used to produce a readable certificate (that can be opened by openssl or KeyChain on the Mac), in order to identify the mismatch.
Cisco recommends that you have knowledge of these topics:
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Task 1. Collect the Logs
On the CMTS, you need to enable the logs in order to get the certificate hex dump. Type these commands.
XXD is a Linux/Mac utility that converts a hex dump into a binary file and vice versa. XXD needs each line of hex data to start with a specific line header in order to work. Use the following Python script that adds the necessary header:
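An added example of such a script (not Cisco's own): it pulls the hex bytes out of the captured log, prefixes each line with the offset header that `xxd -r` expects, and checks that the result is a complete DER SEQUENCE. The dump layout (space-separated hex bytes after the last colon of each log line) and the sample bytes are assumptions constructed for illustration.

```python
import re
import sys

# Constructed sample: the real dump layout is assumed, and these bytes are not a real certificate.
SAMPLE_LOG = """\
SLOT 5/0: May 10 10:13:48.272 CET: BPI+ CM Cert Dump:
SLOT 5/0: May 10 10:13:48.272 CET: 0x0000: 30 1E 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D
SLOT 5/0: May 10 10:13:48.272 CET: 0x0010: 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D
SLOT 5/0: May 10 10:13:48.272 CET: CA Cert Subject does not match CM Cert Issuer
"""

HEX_TOKEN = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

def extract_bytes(log_text: str) -> bytes:
    """Collect hex bytes from dump lines, skipping prefixes and other log messages."""
    out = bytearray()
    for line in log_text.splitlines():
        # Keep only what follows the last colon (drops timestamp and offset).
        tokens = line.rpartition(":")[2].split()
        if tokens and all(HEX_TOKEN.match(t) for t in tokens):
            out += bytes.fromhex("".join(tokens))
    return bytes(out)

def to_xxd(data: bytes, width: int = 16) -> str:
    """Render bytes as 'offset: hex' lines, the layout that xxd -r reads."""
    lines = []
    for off in range(0, len(data), width):
        h = data[off:off + width].hex()
        groups = " ".join(h[i:i + 4] for i in range(0, len(h), 4))
        lines.append(f"{off:08x}: {groups}")
    return "\n".join(lines) + "\n"

def der_length_ok(data: bytes) -> bool:
    """True if data is one DER SEQUENCE whose declared length matches its size."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                      # short-form length
        header, length = 2, data[1]
    else:                                   # long-form: low 7 bits = length byte count
        n = data[1] & 0x7F
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return len(data) == header + length

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    cert = extract_bytes(text)
    if not der_length_ok(cert):
        print("warning: dump is truncated or not a DER certificate", file=sys.stderr)
    sys.stdout.write(to_xxd(cert))
```

Pipe the output through `xxd -r` to get the binary certificate, then inspect it with `openssl x509 -inform DER -noout -issuer -subject` to compare the CM certificate issuer against the CA subject.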