Troubleshooting Cellular Data Connections

Field workers today are, quite frankly, spoiled.

The devices we use to connect to the Internet while on the move are becoming increasingly faster, easier to install and easier to use. It is easy to forget to days of dial-up connections, of manually editing initialisation strings to set your device to a precious HSCSD as opposed to plain old CSD mode…of having to actually ‘make it work’.

I thought it would be worth a blog post to remind readers that even today, sometimes things just ‘go wrong’, and you may need to troubleshoot the problem before your new all-singing, all-dancing device will connect you to the Internet.

In the event of everything not going according to plan, there are 3 main areas that could be the cause of the problem:

• Hardware
• Software
• Mobile Network

Hardware

In this article I will look solely at PC cards and USB devices. Whilst Bluetooth and Infrared connections are still used, the limitations of the inter-device connection speed render them arguably unsuitable for today’s data rates, after the ‘data overhead’ of encryption and error correction is taken into account.

Before I look at how hardware installation problems are identified and resolved, it is perhaps necessary to first briefly go over how current PC hardware “hangs together”.

For the purposes of troubleshooting new plug and play hardware, suffice it to say, and this is a vastly oversimplified description, that a PC, consists of a processor (CPU or Central Processing Unit), a BIOS (Binary Input Output System), a data bus, some memory and some expansion ports.

The “heart” of the PC is the processor, which receives commands from the various input devices connected to the PC (keyboard, mouse, etc) and returns responses to the output devices (monitor, printer, etc). The processor is connected to the “data bus”, as are all the other devices that need to be able to communicate with the processor.

In order for the processor to “know” which device is communicating with it at any given time, each device is assigned its own “interrupt”, so that it can interrupt the processor from what it is doing and request its attention. Each processor will have a limited number of interrupts available. The information regarding which interrupt is used by which device is held in the BIOS, which is accessed when the PC is turned on, or “booted”. Having more than one device configured to use the same interrupt can cause devices to malfunction.

When installing new devices, it is imperative that you read the manufacturer’s documentation before proceeding. In all cases, if a device comes with a CD you should insert the CD into the PC before inserting the new hardware!

When the new hardware is inserted, Windows will normally indicate that it has detected the new hardware by displaying an icon in the system tray, and will also indicate when the installation process has completed.

As a rule of thumb, even if not prompted to do so by the manufacturer’s installation wizard, it is always a good idea to restart the PC after installing new hardware.

Once installed, verify that the new hardware is installed correctly by looking in the Device Manager. On Windows XP, this is done as follows:

• Open the Control Panel
• Double click the System icon
• Click on the Hardware tab
• Click on the Device Manager button

Normally, you should not see any items with a red X or a yellow exclamation mark, and there should not be a section entitled ‘Other Devices’ (which would indicate that the operating is unable to determine what that particular element of hardware is):

On Windows Vista, the Device Manager is launched as follows:

• Open the Control Panel
• Double click the System icon
• Click on the Device Manager link

Should you see any item with either a red X or a yellow exclamation mark on it, which looks like it may be related to the new hardware you’ve just tried to install, then there has been a problem during the installation. Typically, GPRS / 3G devices will install themselves as modems and network adapters.

The first step at this point would be try completely uninstalling the software via the Add/Remove Programs applet in the Control Panel, rebooting the PC, and then reinstalling it again.

Should that not resolve the problem, then it is possible that the PC does not have enough free interrupts available to install the new hardware. If this is the case then you will first need to disable another device before installing this one. Typically infrared ports, or internal 56K modems are not used, so one or even both of these could be disabled – this will need to be done in the PCs BIOS: consult the manufacturer’s documentation for your PC before changing any settings in the BIOS.

I have assumed so far that when the new hardware was inserted, Windows detected and tried to install it. If nothing happens at all, verify that, in the case of USB devices, that the USB section in the device manager is present, and listed with no errors, and similarly the PCMCIA section for datacards.

If you’re using a laptop in a docking station, try undocking the laptop and inserting the device directly into the laptop.

It is also important to note that when installing new hardware you will need administrative rights on the PC – so if you’re using a company machine you may need to get the network administrator to install it for you.

Of course, if you have checked all of the above and the device still fails to install correctly, it is possible that either the device or the PC is faulty. Try another PC if possible, if the device fails to install on that machine also, then consult the vendor.

Software

Once the new hardware is installed, the appropriate accompanying software needs to be used to initiate the Internet connection. This software may need to be configured with the correct connection settings for your network operator. You should not need to change any of the default settings, other than the Access Point Name (APN), Username and Password. The settings for the most common UK networks are as follows:

Vodafone

APN – internet

Username – web

Password – web

Orange

APN – orangeinternet

Username - (leave blank)

Password - (leave blank)

O2

APN – mobile.o2.co.uk

Username – web

Password – web

T-Mobile

APN – general.t-mobile.uk

Username - (leave blank)

Password - (leave blank)

Three

APN – three.co.uk

Username - (leave blank)

Password - (leave blank)

Provided that the correct settings have been entered, if the connection fails, make a note of the error message that is returned.

An error along the lines of ‘the answering modem failed to respond’ could mean that the APN has not been entered correctly and that the settings should be double checked.

It may also be the case that although the settings are correct, the SIM is not enabled for the service that is being accessed, and a call will need to be made to the network operator to get the service activated.

An error indicating that the modem is busy, or is already in use, could indicate an interrupt conflict, or could mean that another application is running that is trying to access the device – fax software which has been configured to automatically answer incoming faxes can cause this. For USB devices, try to disable any software that may be set to monitor USB connections – synchronisation software for a PDA, imaging software for a scanner, USB printer management software, for example.

Should everything appear to be configured correctly, but the connection still fails, it is time to roll up your sleeves, as it were.

Close the software for the mobile device.

Launch an application called HyperTerminal.

Depending on which version of Windows you are running, this application lies in a different place in the Start menu, so it is easier to launch it by clicking on Start and selecting Run. In the Run dialogue, type in:

hypertrm.exe

and press enter. This will launch the HyperTerminal application. If this is the first time you are running the application, you may be prompted to set the program as the default Telnet application, just click OK. You may also be prompted to complete your telephone number details, just complete the area code field and click OK.

HyperTerminal will now launch, and you will be prompted to enter a name for the session. Just type in ‘Test’ and click OK.

You will now be prompted to enter a telephone number, just enter 0. You will also be prompted to select a connection device, here it is vital that you select the GPR / 3G modem that you wish to troubleshoot. Click OK.

On the next screen you will be prompted to Dial, DO NOT dial, just click Cancel.

You will now be presented with a blank screen and a flashing cursor.

It is now possible to issue what are known as “AT” commands to the device (so called because they all begin with the letters AT). Type in the following commands to ascertain the status of the device:

AT (enter)

Should return OK. If you are not able to see what you are typing on the screen, type in

ATE1 (enter)

This should return OK, and will turn on the ‘echo’ so that you can now see what you type on the screen.

Typing in

AT+COPS? (enter)

Should return the network operator. NOTE - if this command returns an error, it may be necessary to activate the radio on the device. This can be done by entering

AT+CFUN=1

Which should return OK after a few moments. Now trying issuing AT+COPS? again. Should you still not be registered with the network operator, it may be necessary to enter a PIN code to enable the SIM card. This can be checked by typing

AT+CPIN?  (enter)

This will return whether or not the SIM requires a PIN code

+CPIN: READY

indicates that a PIN code is required. To enter a PIN code type

AT+CPIN=xxxx

(where xxxx is your 4-digit PIN)

+CPIN: SIM PIN

indicates that there is no PIN code required

+CPIN: error

indicates that the SIM cannot be read

If the device does not require a PIN to unlock it, and still does not register on the network, it may be that the device is locked to a particular network and cannot be used with your SIM card. This can be checked by typing:

AT+CLCK=”PN”,2  (enter)

This will return whether the device is network-locked or not:

0 – unlocked

1 – locked

If the device does not require a PIN, and is not network-locked, and yet still does not register with a network operator, then you can query the registration status of the device by typing:

AT+CGREG? (enter)

This will return the network registration status:

0 - not registered, not searching

1 - registered, home network

2 - not registered, searching

3 - registration denied by network

4 - unknown

A response of 0 would indicate that the device tried to find a network but was unable to. This might indicate a faulty aerial on the device, or a lack of available signal.

A response of 1 would indicate that the device believes that it is registered.

A response of 2 would indicate that the device is still searching for a network. This might mean that you simply need to be patient, or may mean that there is insufficient signal available.

A response of 3 would indicate that either the device or the SIM has been ‘blacklisted’ by the network. This could indicate that the device is stolen, the bill has not been paid, etc. In any case, a call should be made to the network operator to establish why.

Provided that the device is registered on the network, it is possible that the device is registered for voice communications, but not for data. This can be verified by typing:

AT+CGATT? (enter)

This will return whether the card is attached to the packet data network or not

0 - detached

1 - attached

It is possible force a connection to the data network by typing:

AT+CGATT=1 (enter)

Provided that you are registered on the network and are attached to the packet data network, you can then enter the APN of your network provider. This is done by typing:

AT+CGDCONT=1,”IP”,”APN”  (enter)

(where APN is the Access Point Name for the network operator, as defined above)

This will return OK (Note – IP needs to be capital letters for most devices)

Once the APN has been defined, it is now possible to initiate the connection. This is done by typing:

ATD*99# (enter)

The device will now connect to the Internet. If you see the word CONNECT in the Terminal window, then the connection has been established.

If the connection fails then it is possible that the SIM card is not enabled for the service that is being accessed and you will need to contact your network operator to get the service activated.

If you have run through all of the above, and are able to connect to the Internet, but once connected you are not able to view any web pages, or send and receive email, then it is possible that DNS server settings need to be configured.

DNS is the Domain Name System and is responsible for converting the “friendly” names of web addresses (www.bbc.co.uk, for example), which are meaningless to computers, to their corresponding IP addresses (212.58.251.195), which they do understand. If the PC is not able to contact a DNS server, it will not be able to resolve the web addresses that you enter.

A DNS issue is easy to identify: if entering www.bbc.co.uk into a web browser does not display the BBC Homepage, but yet entering 212.58.251.195 does, then it is a DNS issue.

Similarly, for email issues, if you are not able to send or receive email, try substituting the “friendly” name of the email server for its IP address.

The IP address of a server can be identified (on a PC which IS able to contact a DNS server), as follows:

• Click on Start and select Run
• In the Run dialogue, type in CMD and press Enter
• A Command Window will be displayed. At the prompt, type in:
• ping www.bbc.co.uk (enter) (where www.bbc.co.uk is the server address you wish to resolve).

The IP address will be returned:

It is not normally necessary to manually configure DNS server settings, but should you identify that this is the problem, then your network provider will need to provide you with the correct settings to use. Alternately, Google now provides an external DNS service:

8.8.8.8
8.8.4.4

These addresses will need to be entered within the manufacturer’s connection software.

Mobile Network

If you have run through all of the above troubleshooting and both the device and SIM appear to be working correctly, then it is possible that there is a fault with the mobile network, or for some reason your account has been altered by the vagaries of the customer service department. In either case, a call to the network will be necessary!

Addendum

If you are experiencing an issue whereby you are connected to the Internet and can browse web pages, and are able to receive emails, but are not able to send emails, it is likely that you will need to change the SMTP server address in your email application.

If you use a POP/SMTP-based email solution rather than an Exchange or Domino-based solution, most SMTP servers are configured to only allow emails to be sent through them from a known list of IP addresses, to prevent SPAM. You may well be able to send emails from home via your broadband connection, but not when connected to the Internet via your mobile network provider.

In this situation you will need to create a new mail profile (or edit your existing one if you are willing to each time you need to), and set the SMTP server address to the SMTP server provided by your network provider - if they have one (most do, if they do not I would advise moving provider). Customer services will be able to provide this information.

Troubleshooting Email Connections

If you are unable to send or receive emails for any reason, there are 5 main areas to look at:

• Software configuration
• DNS
• Firewall
• Server issues
• Mobile network operator

Software configuration

There are 4 principle different types of email account:

• POP
• IMAP
• HTTP
• Exchange

There are other types which also warrant mentioning: where I have listed Exchange, there are other equally ubiquitous email products available, such as Lotus Domino or Novell Groupwise. This article will only look at Microsoft Exchange as being the most popular, but the same troubleshooting techniques apply to the other products.

POP is the Post Office Protocol, often referred to as POP3 as it is now in its third version. Using POP, emails are stored on a central server in an individual mailbox. A POP client will download any mails that are waiting in the mailbox and, once downloaded will usually then delete the mails from the server. POP is the original "remote access" mail protocol and is limited in its functionality. The user is not able to view mails until they have been downloaded to the client, and the mail will not be removed from the server until it has been fully downloaded.

POP is only a mail retrieval protocol: it cannot be used to send email; mails are sent using a different protocol - SMTP (Simple Mail Transfer Protocol).

When creating a POP email account, most email client software will require at the very least 4 pieces of information:

• Username
• Password
• Incoming Mail Server (POP Server)
• Outgoing Mail Server (SMTP Server)

The software will also require other information such as your name and your email address, but it is only these 4 pieces of information that are necessary for the correct functioning of the POP account:

IMAP is the Internet Message Access Protocol (also referred to as the Internet Mail Access Protocol), and is currently in version 4, so is referred to as IMAP4.

Using IMAP, users can access mails on the server directly, without having to first download them before being able to view them. As with POP, IMAP can only be used to retrieve mail, mail is sent using SMTP.

Setting up an IMAP account requires the same information as a POP account, with the only difference that the Incoming Mail Server needs to be set to the address of the IMAP server rather than a POP server.

HTTP mail accounts are those mail accounts that are typically access through a web browser, such as Hotmail (or Windows Live, or whatever latest name change the service has undergone by the time this article is being read!). HTTP is the HyperText Transfer Protocol, the protocol used by the World Wide Web to retrieve web pages across the Internet. Typically, when setting up an HTTP mail account, the service will be listed explicitly (thus Hotmail will be listed as "Hotmail" rather than just plain "HTTP Mail", the following information is required:

• Email address
• Username
• Password

Exchange (or corporate, in-house server-based mail platforms) can be set up by the company's IT department, but are not complicated to configure in terms of the amount of settings required. Typically a connection will need:

• Server address
• Username
• Password
• Domain

When setting up a connection to Exchange, provided that you are running Exchange 2003 or later, it is possible to configure Outlook (and other mail clients, such as Entourage for MacOS), to access the Exchange Server via HTTP (or HTTPS, depending on how the server has been configured). Normally, the server address in this scenario is the same address as that used for Outlook Web Access (OWA), ie logging into your mailbox via a web browser.

DNS

Should all of the account settings be correct, and you receive an error message along the lines of "the mail server could not be reached" when trying to send or receive email, it could be a DNS issue. As we looked at last week, DNS is the Domain Name System and is the technology by which "friendly" names of web sites and mail servers (such as www.bbc.co.uk), which means absolutely nothing to a computer, is converted to an IP address (such as 212.58.251.195). Should a DNS server not be available to the PC, or be misconfigured, then the PC will not be able to "resolve" the address of the mail server. In this case, it is necessary to either adjust the DNS server settings, or enter the IP address of the mail server in the email client rather than the friendly name so that a DNS server is not required.

Below are the addresses of two DNS servers I have found to be useful in the past:

195.129.12.115
158.43.128.72

You can find out the IP address of a mail server (on a PC that has DNS configured correctly), by opening a command window and typing in:

ping (server address)

The IP address of the mail server will be returned:

Enter this information in the account settings of the email software, replacing the "friendly" name.

Firewall

Provided that all of the settings are correct, and DNS is able to resolve the name of the mail server to its IP address without issue, if you are still not able to reach the mail server, then it may be a firewall configuration problem. The following ports need to be open on the firewall for email to function correctly:

• POP - 110
• IMAP - 143
• SMTP - 25
• HTTP - 80
• HTTPS - 443

Server Issues

Should all of the above not be the cause of the problem, then it is time to "roll up the sleeves" and troubleshoot the authentication and mail submission process with the email server directly, at the command level. I will look at troubleshooting the POP and SMTP protocols as the most common.

POP

Open up a command window on your PC and establish a Telnet connection to the mail server. To do this, in the command window, type in:

telnet (server address) 110

(where is the name or IP address of the POP server):

The server will indicate that it is ready by returning an OK response:

You can now send your username to the server by issuing this command:

USER SP (username)

You will now be prompted to enter your password, the command to do this is:

PASS SP (password)

An OK response indicates that you are now successfully logged in.

If you do not get the prompts listed above then again verify the DNS and firewall configuration, or contact your service provider as the server may not be available, you may be using the incorrect username or password or your account may have been disabled for some reason.

IMPORTANT - it is important to be aware that logging into a POP server via a Telnet session sends your password to the mail server in plain text, without encryption. In the unlikely event that your session was intercepted, the "hacker" would be able to see your password as it was typed in.

Once logged in, you can query the mailbox. The following command will return the number of messages in the mailbox and the total size of them:

STAT

The response will be in the form:

+OK n xxxx

(where x is the number of messages and xxxx is the size on bytes)

To display information on individual messages, use the LIST command:

LIST SP

The response will display the individual messages in the mailbox, the unique message identifier (UID) and its size.

To retrieve an individual message, use the following command:

RETR SP (message number)

(where the message number is the UID value returned by the LIST command)

This will cause the entire message to be downloaded to the client. Once downloaded, to delete the message, use the following command:

DELE SP (message number)

SMTP

Open up a command window and establish a telnet session with the mail server. To do this, use the following command:

telnet (server address) 25

(where server address is the name or IP address of the email server)

The server will respond and indicate that it is ready and waiting for the next command (SMTP code 220):

Now you will need to indicate the domain that you wish to send an email from. Use the following command:

helo (domain)

The server will respond with an SMTP code 250, indicating that it is ready and waiting for the next command. You will now need to enter the email address that you are using to send the message. Use the following command:

mail from:(sender_email_address)

The server will respond with an SMTP code 250, indicating that it is ready and waiting for the next command. You will now need to enter the email address that you wish to send a message to. Use the following command:

rcpt to:(recipient_email_address)

The server will respond with an SMTP code 250, indicating that it is ready and waiting for the next command. You can now type in the text of the message you wish to send. Issue the following command, followed by the text of the message:

data
(body of message)

When you have finished typing the text of the message, press Enter, then type in a single "." followed by Enter:

You will be notified that the message has been queued for submission.

After a few moments the email will be delivered:

SMTP is the protocol by which most email platforms exchange mail: the POP and IMAP protocols are reserved for mail retrieval. The above troubleshooting procedure can be applied to any SMTP-compliant mail server. If you are unsure as to what server address to use when troubleshooting an SMTP-related mail issue, then you can find out using the nslookup command:

Open a command window and type in:

nslookup

The command prompt will change. Now set the query type to MX (Mail eXchange):

set type=mx

Now type in the domain that you wish to query, for example:

devicewire.com

The mx record details for the domain will be returned:

Troubleshooting Exchange Connections

There are several different ways of connecting to an Exchange Server:

"locally" via a MAPI connection (either via a LAN or VPN connection)

Over the Internet via na HTTP or HTTPS connection

Via a web browser using Outlook Web Access

(or, of course, Exchange also supports POP and IMAP connections)

It is beyond the scope of this article to go into the vagaries of troubleshooting VPN connections, but if you are using an HTTP(S) connection from a mail client, such as Outlook, to retrieve email, then the server address to use is the same as that used for Outlook Web Access (indeed, this means of retrieving mail is effectively a Server ActiveSync connection, the same protocol that Windows Mobile PDAs use to "push" email from Exchange). Should the connection not be successful, try opening a web browser and entering the same server address. Should the page not be displayed again verify DNS. If you are unable to login then verify account information.

Mobile Network Operator

It is important to be aware of SMTP relaying restrictions. To try to combat SPAM (unsolicited emails), most SMTP servers are not simply open to the Internet at large, allowing anyone to send email messages through them: instead they are firewalled to only accept emails from specified IP addresses. Therefore, to send an email via Tiscali's SMTP server, you would have to be connected to the Internet using a Tiscali connection.

When users change their method of connecting to the Internet, quite often they will find that they can receive emails, but are no longer able to send them.

Thus, when at home, or in the office, email will function correctly. But when out of the office, connected to the Internet via a 3G connection, it may be necessary to edit the email account settings and change the SMTP mail server address (as Tiscali's SMTP server will not allow mail relaying from the IP address you will have been given by the mobile network operator).

Your network operator will be able to provide you with the details of the correct server address to use, here are a few:

Orange - smtp.orange.net

O2 - mail.o2.co.uk

Vodafone - send.vodafone.net / mail.vodafone.co.uk

Three - smtp.three.co.uk

Troubleshooting Fax Connections

Sending and receiving faxes over a cellular connection is rapidly becoming a 'black art' as more and more MNOs either drop support for "mobile-originate" or "mobile-terminate" fax altogether, or forget to train their customer services staff on the network's fax capabilities.

In order to use your mobile phone, datacard, USB modem (in conjunction with a PC fax application) or embedded cellular fax device (such as the Possio device range http://www.possio.com) to send and receive faxes, you will need to have your SIM card enabled for fax service with the operator. There is usually no cost to have this done, but it is something you will have to specifically request from the operator as it is not enabled by default.

When you are enabled for fax service, you should be assigned an additional telephone number, distinct from that SIM's voice number. It is this number that people who wish to send you a fax should dial: the distinct number lets the receiving device know that it should expect a fax call on that number rather than a regular voice call.

Sending faxes

If you are unable to send faxes, the most common problem is that either you have not been enabled for fax by your operator, or your device simply does not support fax at all.

To verify either of these, the best tool to use on a Windows PC is HyperTerminal, which is included as part of the operating system. Other platforms will most likely have a suitable terminal application - consult the documentation.

HyperTerminal can be launched by running 'hypertrm.exe' from the Run dialogue on the Start Menu.
When running HyperTerminal for the very first time, you may be prompted to enter telephony dialing properties such as your local area code - enter anything, it is not important for our troubleshooting purposes.

Enter a name for the session, 'Test' will do.

You will be prompted to enter a telephone number, enter 0

You will also be prompted to select a connection device from a drop-down menu. Here you should select your cellular data device. If your device is not listed it may be because either that it is not installed correctly (in which case you should resolve that issue first) or that your device is not 'presented' to Windows as a modem, but a network adapter - in which case it will not be compatible with your fax application.

Provided that your device is listed, select it and click Next. On the next screen you will be prompted to Dial. DO NOT click dial, simply click Cancel.

You will now be presented with a blank screen with a flashing cursor - you have established a terminal session with your modem.

Verify that you can communicate with your modem by typing in:

AT (enter)

You should hopefully receive an 'OK' response.

Now verify that you are indeed 'talking' to the correct device by typing in:

ATI (enter)

You should receive details of the device including manufacturer and model number. If you receive details of the PC's other modem devices then you inadvertently selected the wrong device earlier, you should close HyperTerminal and start again.

Provided that you are indeed talking to the cellular device, verify that the device is registered on the mobile network and has a decent signal strength:

AT+COPS? (enter)

Should return the name or 5-digit "SID" of the network operator.

To verify that your device supports fax at all, type in:

AT+FCLASS? (enter)

You should hopefully see something along the lines of:

+FCLASS=0,1,2,2.0

Which indicates that your device does indeed support fax. If you see only:

+FCLASS=0

Then that would indicate that your device is not fax-capable.

Provided that your device is fax-capable, set the device to fax mode by entering:

AT+FCLASS=2 (enter)

Now try dialling another fax device by entering:

ATDxxxxxxxx (enter) 

where xxxxxxx is the number to be dialled.

If your device immediately returns a response of

"NO CARRIER"

then your SIM card is not fax-enabled by the operator.

If you see a response from the receiving fax machine (which will consist of the name and number of the answering machine) then you have successfully established a fax connection.

Should the above troubleshooting indicate that your device is fax capable, but you cannot send faxes from within your fax application, verify that the number entered is correct (and that the fax application is not adding any area code or other dialling digits itself) and also that the fax application is configured to use the correct modem device rather than an internal device.

Receiving Faxes

Receiving faxes is a lot more complicated than sending faxes over a cellular connection. Even if you have no intention of sending a fax from your device, but only want to receive faxes, when troubleshooting fax reception issues, you should always verify that you can send faxes first using the above troubleshooting procedure as any failures will indicate where the problem lies clearer than troubleshooting the other way around.

Provided that you can send faxes successfully, you are enabled for fax. Receiving faxes requires that your SIM card be assigned an incoming fax number, distinct from the voice number, as mentioned above.
When troubleshooting fax reception, you should first ring the fax number and make sure that it is in service. You should also try ringing the number when your device is not powered on: if the call is still answered and you hear fax tones, then the network operator has assigned you a "fax mailbox" rather than a direct incoming fax line to your SIM.
Provided that your device appears to be fax-enabled, but when dialling the number your device rings but the fax application never answers the call, ensure that the fax application iss et to 'auto-answer' and that it is set to monitor the correct modem device for incoming faxes - this is often configured separately from the sending options.

If you do not have a fax application, but you wish to verify that your SIM and device can receive faxes, you can use HyperTerminal. HyperTerminal will not receive the fax as it is merely a terminal application, but it will answer the call and prove the functionality.

Start a HyperTerminal session to your device using the instructions above.

Once connected, set the device to fax mode with the command:

AT+FCLASS=2 (enter) 

Now set the device to wait for an incoming call answr after 2 rings with the command:

ATS0=2 (enter) 

Now try sending your device a fax on its incoming fax number.

Hopefully you should see HyperTerminal answer the call and display the information of the sending fax device.
If HyperTerminal does not answer the call, but does indicate that a call is incoming (by displaying "RING" on the screen), then that would indicate that the device is not recognising the call as a fax call, which might indicate that the mobile operator has not assigned a fax line, but rather either an additional voice line or a data line. This should be addressed with the mobile operator.

Configuring Windows XP Fax software

Open the Control Panel and double click on the icon for Printers and Faxes

If Faxing has not been previously configured you will see an option to Set up Faxing on the top left hand corner of the screen. You may be prompted for the Windows XP CD to install the necessary software.

If faxing has been configured you will see a Fax printer listed:

To configure faxing, right click on the icon for the Fax printer and select Properties

Click on the Devices tab

A list of installed modems will be displayed.

The fax software does not allow much configuration. Modems can either be enabled or disabled to send or receive faxes.

To configure a device highlight the appropriate modem and click on Properties

To enable sending on a device tick the option to Enable device to send

To enable receiving on a device click on the Receive tab and tick the option to Enable device to receive

You will have the option to receive faxes manually, or automatically after x amount of rings.

Click OK

To enable automatic reception of faxes click on the Tracking tab

Ensure that monitoring is enabled on the correct modem

Note – if monitoring is enabled, this may render the modem unusable by other applications.

Troubleshooting Fixed Cellular Terminals

Fixed Cellular Terminals (FCTs), are devices typically used with private telephone systems for least-cost routing purposes. Essentially a mobile phone, these devices can be connected to a trunk port on a PBX to route calls made from desk extensions to mobile numbers over the cellular network rather than via the landline provider, a mobile-to-mobile call being cheaper than a landline-to-mobile call.

These devices can also be used to provide voice and fax telephone services in remote or temporary locations where fixed line services may be costly or not required, such as a port-a-cabin on a building site.

When troubleshooting PBX connectivity or routing issues, the PBX should be addressed last - firstly verify that the FCT itself is working correctly. People are typically confused by these devices but when troubleshooting them it is important to treat them exactly like a mobile phone and not to forget the basics.

LEDs

What are the lights on the unit doing? Unlike a phone these devices do not typically have screens so you cannot tell at a glance what they are doing, you will need to note down the LED sequence and consult the user manual to see what that means. Check the following:

• the SIM is inserted correctly
• the device is receiving adequate signal
• the device is registered with the mobile network
• the SIM is live

The easiest way to verify that the FCT itself is working correctly is to connect an analogue handset (ie, a desktop phone) directly into the unit and verify that you both receive a dial tone and can place a call successfully. If you receive any sort of recorded message from the operator then you should pay attention to what it says and if necessary contact customer services.

Connectivity

Provided that a connected handset works correctly, verify that the FCT has been connected to the PBX correctly. The vast majority of devices only work in trunk mode: it is not possible to connect the unit to an extension port and assign the unit an extension number. Rather devices must be connected to an analogue extension ports and routing entry created to pas all numbers beginning "07xxx" via that trunk.

Call Termination

One area that can sometimes require additional configuration is that of call termination - situations can arise whereby one call can be placed through the FCT successfully, but following the termination of that call, the trunk is then available for a following 30 seconds or so following the termination of that call - meaning that no subsequent calls can be routed over that trunk until it then becomes available again. This is typically caused by the fact that the FCT is not receiving or is not correctly interpreting the termination command being sent by the PBX.
PBXs are typically configured to signal the termination of a call either by reversing the polarity of the circuit, or by sending a specific tone. If calls are not being closed correctly, then the precise configuration of what the PBX is sending needs to be ascertained, and then determined whether or not that is supported by the FCT.

Other problems and solutions

Typically FCTs live in server rooms or comms cabinets and are not checked on a regular basis. Should a device suddenly no longer route calls or provide a dial tone, check the LEDs on the unit. If a unit has been receiving SMS messages (spam messages, wrong numbers or network marketing updates) and these have not been being cleared down, should the internal memory on the unit fill up, the unit will no longer be able to place calls until these messages are deleted. This usually involves connecting a phone to the unit and entering a system command on the keypad.

Troubleshooting Mobile VPN Connections

Establishing a virtual private network (VPN) connection from a cellular device can be quite a complicated affair and when troubleshooting issues it is necessary to understand what is happening in the background to be able to identify what might be going wrong.

A crash course on VPN technologies

VPN technology is used to extend private networks beyond the boundaries of their physical cabling – to grant remote users access to local network resources by 'fooling' the network into believing that the remote client is connected locally. This is accomplished by 'encapsulating' the data packets generated by the client – that is to say, the client generates a request for a local resource, and that request ‘packet’ is then ‘wrapped up’ in a larger packet with the necessary information to enable the request to be routed over the Internet. At the VPN server, the Internet addressing information is removed and the ‘local’ packet delivered to the local network resource. The process is then repeated in reverse to deliver the response from the local network back to the remote client. This process of encapsulating packets with 'local' addresses into larger packets with 'routable' addresses so that they can cross the Internet is known as tunneling.
Because the packets are traversing the Internet to get to their destination, and could potentially be intercepted on their route to the destination, the contents of the packet are encrypted for security.

There are three principle protocols employed by VPN products:

• PPTP – Point to Point Tunneling Protocol
• L2TP – Layer 2 Tunneling Protocol
• IPSec – Internet Protocol Security

Each of these protocols essentially works in the same way: a packet is created with a source and destination address on the local network. That packet is then encrypted so that it cannot be read by any party that does not have the required decryption key. The encrypted packet then has the host’s Internet source address added and the external IP address of the VPN server is set as the destination.

PPTP is the oldest of the three protocols and provides security by encrypting data, but does not provide any means of verifying the identity of the sender or verifying whether the data may have been modified en route.
L2TP addresses this limitation by signing each packet with a digital certificate and adding a “hash” value or “message digest” to each packet. Essentially this involves performing a mathematical function on the data stored in the packet using the key contained in the certificate, and saving the result of that function. If the data is altered en route, when the receiving machine performs the same calculation, the resulting value will not match the original and the packet will be discarded and a request issued for a new copy.
IPSec, the commonest form of VPN protocol in use today, goes further and adds a message digest to the addressing “header” as well as just the data. This means that should your packet be intercepted en route and a hacker attempt to substitute your source address with their own (so that the VPN server then replies to them rather than you), the hash value on the address header will not match and the authentication process will fail.

This last detail is important and has implications on the ability of cellular devices to establish IPSec-based VPN connections.

Network Address Translation (NAT)

When a mobile device registers with the mobile operator using the normal ‘public’ APN (Access Point Name), it will be assigned a private IP address, normally in the range 10.x.x.x
Due to limitations of the IPv4 addressing scheme, there are not sufficient addresses available for all connected devices to have a ‘public’ IP address. Instead, connected networks typically have a single Internet-facing device with a public address and any devices that sit ‘behind’ that ‘gateway’ have private addresses. When a particular private device needs to connect to the Internet, it issues a request to the gateway using its local IP address. At the gateway, this request is edited, with the local address being substituted for the public address, and the request is then sent on its way across the Internet. The machine on the Internet, be it a web server or whatever, sends the desired response to the Internet address of the gateway, which receives it and then forwards it onto the private address of the local machine.
The process of editing the source address of a IP header is known as Network Address Translation.

A mobile network operator works in exactly the same way, and will assign connected client devices local addresses, performing NAT on all requests that are passed onto the Internet.

A moment ago we saw that the IPSec VPN protocol will perform a check on the IP header of a packet so that the VPN server can verify that the packet has not been altered en route. When the VPN packet passes through the NAT gateway, it will have its source address rewritten, substituting the local address with the external address of the gateway. Although this is not a malicious act, it will effectively cause the IP header check value to no longer match, and the VPN server will refuse to accept the packets, believing them to have been modified – which of course they have been.

This is a common cause for VPN connection issues when using the IPSec protocol from cellular devices.
There are a number of resolutions to this problem.

• Use a public IP address: most network operators provide the ability to use a public IP address rather than a private one, that will not undergo any NAT and therefore not be subject to this issue. In most cases this is simply a question of connecting to an alternate APN rather than the default, such as ‘vpn.o2.co.uk’ in the case of O2, rather than the standard ‘mobile.o2.co.uk’. Contact your network operator for more information.
• If your network operator does not provide a public IP address, then it is possible to get around this issue. Most modern implementations of IPSec provide for what is called ‘NAT Traversal’. Essentially this involves creating the VPN packet using the UDP transport protocol rather than TCP. UDP does not use source IP addresses when creating the data packet, only a destination address. Therefore a UDP packet can pass through a NAT gateway as there is nothing to re-write. Check within the configuration of your VPN software whether there is an option to use UDP mode, or NAT-T mode.
• Alternatively, if neither of these are an option, verify whether your IPSec VPN can be run in tunnel-only mode rather than authentication mode. This will mean that the VPN software does not verify the integrity of the header information, which is defeating the object of having an IPSec VPN in the first place, but is an option nonetheless.
• Finally, if none of the above are possible, then it may be necessary to use a different VPN mechanism rather than IPSec – an SSH or SSL-based VPN may be option, such as OpenVPN.

Addressing Schemes

When configuring a VPN server, it is important to remember that once authenticated, your client device will then need to be assigned an IP address on the local network in order to be able to communicate with other network resources, ideally via DHCP – it is surprising how many times this is overlooked. It is also important to use a suitable address range.
For your VPN solution to work, the client will need to recognise the remote resource being requested as residing on a network ‘behind’ the VPN server.
The majority of mobile network operators will assign connected clients an IP address in the range 10.x.x.x or 172.16.x.x (or potentially 192.168.x.x).
Therefore, if you have connected to your provider’s 3G service and have been assigned an address of, say, 10.10.0.24, you may be able to connect to your VPN server, but if you then request a connection to a server on the remote network with an address of 10.10.0.89, the client device will not know to route the request over the VPN link but will look for it on the local network.
Your internal network should therefore ideally use an addressing scheme that is suitably unlikely to be in use elsewhere.
Once connected, the VPN client will be assigned an IP address on the remote network. Similarly, in order for the remote resource to be able to reply to requests from the VPN client, the address used by the client also needs to be ‘behind’ the VPN server so that local network resources know to route responses accordingly.
The necessary routes will need to be added to the local network resources: either each machine will need a route added to it to direct requests to the VPN network to the IP address of the VPN server, or (preferably) add a route on the default gateway of the internal network.

Troubleshooting

Should your VPN connection not be established successfully from your client device, there are a number of things to check.

Firstly check the basics – are you definitely connected to the Internet and able to browse web pages? If not, address that issue first as until you can connect to the Internet you won’t be able to contact the VPN server.

If you can connect to the Internet, but cannot contact the VPN server, it may be a DNS issue. If your VPN client is configured with a name (eg vpn.domain.com), try connecting to the external IP address of the server instead.

Always check the log files, both on the client and on the server. If you receive errors relating to Security Association, or SA, failures, then it may be related to the IP address issue I looked at earlier.

Firewalls. If the VPN server sits behind a firewall, ensure that the correct ports are open – consult the documentation of your VPN server appliance. If using IPSec in UDP mode, the following ports will need to be open:

UDP 500 (IKE)
UDP 4500 (ISAKMP)

If you are able to connect to the VPN successfully, but once connected you are not able to connect to any resources, it may be an addressing or routing issue – verify that the IP address assigned to the VPN adapter does not conflict with the address assigned to the device by the mobile operator, and with your administrator that the necessary routing is configured on the local network.

If all fails, ring tech support!

What do you need from your mobile operator to set up a VPN connection?

I have written before about troubleshooting VPN connections from mobile devices should you experience problems (http://blog.brightpointuk.co.uk/troubleshooting-mobile-vpn-connections), but it has cropped up a number of times recently so I thought another post might help to better understand what the options are in terms of operator services and which is right for you based on your VPN infrastructure.

A VPN is a Virtual Private Network. People often believe a VPN is a more secure means of connecting to the Internet. VPN technology can be used to accomplish this, but typically it’s actually more basic: the point of a virtual private network is simply to provide remote access. Security is obviously a concern, but this is a feature, not the main objective when used in this scenario. VPNs extend the boundaries of a local network to remote machines by fooling the local network into believing remote machines are connecting locally by creating a virtual network connection over the Internet.

To use a typical example, field workers have a VPN client that when connected effectively puts their laptop on the corporate network regardless of where they are geographically and allows them to connect to the 'Shared' drive (or any network resource) as if they were at their desk. Yes it’s much slower, but remember you’re having to send your requests over a cellular Internet connection (measured in 100s of Kbps) rather than over the Gigabit LAN infrastructure in the office (measured in 1000s of Mbps).

When a VPN client is installed on a PC, it adds a new network adapter to the PC – a virtual adapter. Network adapters are such things as your Ethernet port (where you plug your network cable) or your WiFi card. A virtual network adapter is a piece of software that acts as a physical device and appears to the operating system as a real device.
When you connect to the VPN, the VPN server will push down a number of ‘routes’ to your computer, so that the PC knows to send normal traffic to www.google.com over the Internet via either your Ethernet or WiFi device, but to send anything for xxx.mycompany.com over the virtual adapter (and therefore to the VPN server and onward to the internal corporate network). The virtual adapter STILL USES the existing physical adapter to send traffic over your Internet connection, but it does clever stuff in the background to ‘wrap up’ traffic before sending it over the Internet to the VPN server via the ‘real’ adapter.

With me so far?

Before I can explain how VPNs work, we need to cover off how the Internet works – very basically. The Internet uses the Internet Protocol: IP.
Currently most of the Internet uses IP version 4 (IPv4). Essentially this means all machines on the Internet are assigned an address, along the lines of 212.58.253.67
In the same way that when you send a letter to 16 Alder Hills, Parkstone, Poole, UK an Internet address can be broken down in the same way, with 67=16 Alder Hills 253=Parkstone, etc etc etc
All that IP does is handle addressing. To actually send stuff to another address from your address, you need a transport protocol: TCP is the most common – that is why you often see TCP/IP written together.

In a nutshell, TCP handles the ‘what’, IP handles the ‘where’.

On a local network, when one machine requests something from another (say you want a document from the file server), the application doing the request (let’s say ‘Word’), creates a TCP request that says “I want this file”. The TCP request is then sent to the network adapter. The network adapter will add 2 IP addresses to the TCP request: the IP address of itself, and the IP address of the target server. You now have a TCPIP ‘packet’ that can be sent to the server. At the server, the file is retrieved and sent back to the IP address that was included in the original request.

So far so good.

There are not enough addresses available in IPv4 for all machines to have an address on the Internet. This means local networks use ‘gateways’: a single machine ‘faces’ the Internet and all machines on the local network (behind the gateway) have internal addresses (that cannot be reached from the Internet unless they go through the gateway first).
When a machine on the local network requests something from the Internet, it sends the request to the gateway. At the gateway a process known as NAT (Network Address Translation) happens. THIS IS VERY IMPORTANT.
What this means is that your PC has created a packet with its own address and the address of, say, the BBC web site. If the BBC web site receives this packet it won’t be able to send anything back because the source address is an internal address which it doesn’t know what to do with. Therefore, at the gateway, what NAT does is to REMOVE the address of your machine and ADD its own Internet address. The BBC sends the web site back to the gateway address. NAT then happens again but in reverse. The gateway’s own address is removed and the internal address of your machine added back in again, and the web page is sent back to your machine on the local network.

Now it starts to get a bit tricky.

There are 3 VPN technologies in common use: PPTP, L2TP and IPSec.

PPTP is the simplest and essentially just requires that you enter a username and password to connect. This is weak from a security point of view as anyone who gets your password can log in as you.

L2TP improves on this by requiring that you have a certificate installed on your machine as well as knowing the username and password. Therefore even if someone knows your password, they can only log in as you from a machine that has the correct certificate installed. These are also referred to as SSL-based VPNs. OpenVPN is an example of an SSL-based VPN.

IPSec goes even further and requires both a certificate and a password, but also generates a ‘digital hash’ based on your IP address. By that I mean that when the VPN TCPIP packet is created, before it is sent, the IP ‘header’ (containing both the source and destination addresses) is run through the certificate and a number stored within the packet. At the receiving end, the number is then checked against the IP header information on the received packet. This means that should someone have your password and certificate but try to ‘pretend’ to be connecting from an IP address other than their own (ie yours), the connection will fail. This is a security measure and is entirely deliberate...but it does have important repercussions on mobile connections.

Mobile networks can be treated as local networks. Yes they are physically huge and cover many geographical miles, but from a logical networking perspective all mobile devices are on a local network behind a gateway. In this case the gateway is the APN – the Access Point Node: the access point to the Internet.
In exactly the same way as an office LAN works, mobile devices are assigned an internal address and NAT occurs at the APN when requests are made to the Internet.

But hold on...

We saw a minute ago that IPSec VPNs create a ‘check’ value on all packets based on their IP header information.
We also saw that NAT removes the source address of a client request and substitutes it for the gateway’s source address.

You guessed it – if an IPSec VPN packet passes through a NAT gateway, when it is received by the VPN server the check value will no longer match the original as the header has been altered, and the VPN connection will fail. Although no intentional foul play has occurred, the VPN server doesn’t know this and will reject the packet as having been tampered with (which of course it has been).

IPSec therefore does not play well with NAT. This is the most common reason why mobile VPNs fail.

To address this issue, most network operators offer 2 APNs: one for the public Internet, and one for corporate VPN customers. The only difference between the two is that the VPN APN offers devices public IP addresses, and therefore do not undergo NAT. Sorted. There is no cost to use this APN, but you do have to request it specifically...for all SIMs.
Excellent, we have a solution. BUT – as this is not the standard APN, any device that auto-configures itself (Nokia CS-10, Sierra Wireless 889, etc) will default to the public APN and will need to be reconfigured manually by the user to use the non-standard APN. This may not be acceptable to companies with large numbers of remote workers.

But wait, I know of companies that use an IPSec VPN and they don’t have to use a special APN. How come? Now we get REALLY geeky...

We saw earlier that TCPIP creates packets with 2 IP address: a source and destination address and it is the source address that gets substituted by NAT which breaks IPSec connections.
Although TCP is the most common form of transport protocol, there is another.
UDP is another transport protocol that actually pre-dates TCP. An older protocol, the structure of UDP packets is different and does not include the source address in the IP header, only the destination address. Therefore a UDP packet can pass through a NAT gateway without being altered, and therefore can be used successfully for an IPSec VPN from a public APN.
This is a gross simplification, but I sense I’m losing you so we’ll leave it at that!
Most decent VPN products offer in their configuration the option to use UDP as a transport mechanism as opposed to TCP, or they may refer to it as ‘NAT-T’ (for NAT Traversal). This needs to be configured on the server and the client:

So what have we learnt?

Many mobile operator customer services departments, when they hear the phrase 'VPN' will have a knee-jerk reaction and tell you that you must use the VPN APN – because that is what they have been taught. That is not necessarily true.
The APN you need to use depends entirely on how your VPN server is configured. If NAT-T or UDP Transport is configured (and enabled) then you can connect from ANY Internet connection.

To summarise

If your VPN does not work over the public APN, the options are (PROVIDED IT IS A PROBLEM WITH THE VPN AND NOT SOMETHING ELSE):

• Use the VPN APN
• Use the public APN but enable UDP or NAT-T on the VPN server appliance
• Use L2TP (or SSL) instead of IPSec – a common example of an SSL-based VPN solution is OpenVPN (http://blog.brightpointuk.co.uk/openvpn)

Or there is another option, which is even more geeky: IPSec is basically L2TP with another module bolted on, called ‘AH Mode’, or ‘Authentication Header’. Some IPSec VPN products enable you to turn off the AH mode and just use the L2TP bit, which they may refer to as ESP mode (for Encapsulating Security Protocol). If you have the option to disabling this feature, try that.

This has been an introduction to VPN technologies and the potential pitfalls to be aware of when establishing connections. There is more troubleshooting that can be performed - for more in-depth information about DHCP and network addressing schemes read this article - http://blog.brightpointuk.co.uk/troubleshooting-mobile-vpn-connections