I have deployed a refurb Total Access 924 (1st Generation) for breaking out analog phone lines for our IP-PBX. I monitor its SMTP stats with PRTG, and I see that this unit seems to lose its web interface every so often, usually after a little under a week. When this happens I can't access the management page (obviously), but I can ping it, the analog lines are still SIP registered and working, and I can access it via SSH. I have to reload it via SSH so that the web interface comes back up.
The active firmware version currently loaded is A4.11.00.E. Any suggestions on how to resolve the issue?
I had a very similar issue on a TA908e (first-gen), also being monitored by PRTG, also losing web interface at about that interval (even though other functionality remained fine). We ended up replacing it with a newer (2nd or 3rd gen). This was a couple of years ago, but if I recall, I strongly suspected PRTG so turned off monitoring for this device. However, I believe it continued to happen. I don't know if the final firmware has a bug or what. Sorry that's not much help with the issue other than confirming that you are not alone!
I've not seen that personally, but if the web interface is exposed to the public Internet it's entirely possible that script kiddies are hammering on the web interface in an attempt to brute-force access or running some malware that wedges the web server. You can (and should) apply an access-list to the management plane including telnet, SSH, web access, and SNMP. Telnet can and probably should be shut down entirely. Here's how I do it.
ip access-list standard admin-access
  permit [subnet and inverse mask of trusted network]
  permit [subnet and inverse mask of trusted network]
  ...
http ip access-class admin-access in
http ip secure-access-class admin-access in
line telnet 0 4
  login local-userlist
  ip access-class admin-access in
  shutdown
line ssh 0 4
  login local-userlist
  ip access-class admin-access in
  no shutdown
If it's a failure or bug, you're running the latest available firmware so upgrading isn't really an option, and the unit may be approaching the 10-year (wow) warranty they offered on these units when introduced.
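The access-list from the post above with its bracketed placeholders filled in, as an added example that is not part of the original thread: it converts trusted networks given in CIDR form to the subnet and inverse mask pairs the `permit` lines expect and renders the same commands. The function name and the sample networks in the usage comment are assumptions.

```python
import ipaddress

def render_admin_acl(trusted, acl_name="admin-access"):
    """Render the management-plane ACL from the post for trusted IPv4 CIDRs."""
    nets = []
    for cidr in trusted:
        # strict=False tolerates host bits, e.g. 10.20.0.17/28 -> 10.20.0.16/28
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4:
            raise ValueError(f"{cidr}: only IPv4 networks are handled here")
        nets.append(net)
    if not nets:
        raise ValueError("at least one trusted network is required")
    # Merge overlapping or adjacent entries so the ACL stays short and reviewable.
    nets = list(ipaddress.collapse_addresses(nets))
    # Checked after merging: two /1 halves would otherwise add up to "permit any".
    if any(n.prefixlen == 0 for n in nets):
        raise ValueError("trusted list covers every address; ACL would be pointless")
    lines = [f"ip access-list standard {acl_name}"]
    # hostmask is the inverse (wildcard) mask: /24 -> 0.0.0.255, /28 -> 0.0.0.15
    lines += [f"  permit {n.network_address} {n.hostmask}" for n in nets]
    lines += [
        f"http ip access-class {acl_name} in",
        f"http ip secure-access-class {acl_name} in",
        "line telnet 0 4",
        "  login local-userlist",
        f"  ip access-class {acl_name} in",
        "  shutdown",
        "line ssh 0 4",
        "  login local-userlist",
        f"  ip access-class {acl_name} in",
        "  no shutdown",
    ]
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample: an admin VLAN and the subnet the monitoring server sits in.
    print(render_admin_acl(["192.168.10.0/24", "10.20.0.17/28"]))
```
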
Yeah, Adtran's support and warranty are the best. Bar none. Years ago I had a couple of Atlas 550s that were rock solid. But when I needed something the company backed their product very well. In this case, I don't have the TA924 exposed to the Internet. It's private LAN only. I might check into warranty support on it I'm thinking.
Thanks for the feedback!
I wonder if my PRTG app (that monitors various endpoints via SNMP and other protocols) might be causing the issue. It's testing the web ports, their SSL mechanisms, etc. every 30 seconds. Might be muddying the waters if the Adtran isn't receptive to getting hit like that. I might disable the web port and SSL checks to see if that helps!
That's a possibility. The SNMP get queries shouldn't be an issue, although 30 seconds is pretty aggressive. If PRTG is opening sockets to ports 80 and 443 and not properly closing them it could result in resource starvation.
"show ip policy-session" may give a clue. If it is something along those lines you should see multiple connections from your NMS hanging around.
I just remoted into the device and checked. See below. Looks clean, but I'll periodically re-check especially when the web interface goes offline. Thanks for all of the tips!
TA924>enable
Password:
TA924# show ip policy-session
No active sessions.
I bought a batch of these used TA924s, so if one needs to be swapped out I can still be the less for wear. Although I should likely purchase newer generations of these devices. Thanks for the confirmation that I'm not alone!