Proteon Software Release Notes

GTSecure-60 Router With OpenROUTE 2.1 [R1]

Part No. 42-048055-00

Revision A, October 1996

Introduction

This document is for the GTSecure-60 router. Please save this document with your copy of the GlobeTrotter 60 and 62 Getting Started Guide. The software for the GTSecure-60 is based on OpenROUTE 2.1 router software, and is compatible with released versions of Proteon router software.

Contents

1. GTSecure-60 With IP Firewall Using Dynamic Filters and RADIUS
2. Known Deficiencies, Limitations, and/or Clarifications in the Software

NOTE: The information in this document is subject to change without notice and should not be construed as a commitment by Proteon, Inc. Proteon, Inc. assumes no liability for any errors that may appear in this document.

The software described in this document is furnished under a license and may be used or copied only in accordance with the terms of such license.

Copyright 1996 by Proteon, Inc.

OpenROUTE is a trademark of Proteon, Inc. Proteon is a registered trademark of Proteon, Inc.

1.0 GTSecure-60 With IP Firewall Using Dynamic Filters and RADIUS

Product Description

The GTSecure-60 includes 2 MB of flash memory for system load storage, and 4 MB of DRAM to run the system software and maintain routing tables. The unit has a compact form-factor, a single Ethernet connection, a single WAN connection, and a console port for out-of-band management. The GTSecure-60 routers feature the following:

Hardware Features

    68360 Processor                                                        

    Single WAN port supporting V.35, X.21, and RS-232                      

    One 10BaseT Ethernet LAN port for either shielded or unshielded        
    twisted pair                                                           
    (software selectable) or 10Base2 with BNC.                             

    Four front panel lights indicating diagnostic conditions and traffic   
    flow                                                                   

    Console port for out-of-band management                                

    Media and installation manual                                          

    AC 110/220 volt universal power supply                                 

    Factory-installed software  specific to GTSecure-60 system's           
    application                                                            

    Boot code is V1.25                                                     

Software Features

I   IP with access control and antispoofing for additional security        

R   RIP, ARP, PPP, Frame Relay, Dialup Serial Interface                    

    Compression using Stac                                                 

    SNMP                                                                   

    UDP Broadcast                                                          

    IP Dynamic Filters                                                     

    RADIUS Authentication                                                  

    RSA Data Security, Inc. MD5 Message-Digest Algorithm                   

    Static and dynamic IP routing                                          

    Chat Scripts                                                           

    PAP and CHAP security features                                         

    Plug-and-play hardware installation with preloaded routing software    

    A Command Line Interface for configuration by service providers        

    Quick Config menu/prompting configurator program                       

    Standards-based interoperability with ISP existing backbone equipment  

Key Functionality

IP Filters for GTSecure

A profile implements an access policy that controls the network access into and out of a secure network. You can set up profiles to provide access to specific resources in a private network for a user or group of users. You can also set up profiles that let users inside your private network have access to public networks, while keeping your private network secure.

There are two types of profiles:

• Dynamic profiles are profiles that the software installs when a user is authenticated. In such cases, the authenticator may supply information to complete certain address recognition components of filters in the profile.
• Static profiles are profiles that you associate with an interface. The interface consults the filters in its associated profile(s) on each incoming and outgoing packet.

You can associate a single profile with multiple interfaces. This means that you can easily use a profile on a router with many interfaces.

A profile contains a collection of filters. A filter has attributes that describe the types of packets it recognizes, and it has actions to take when it recognizes a packet.

Filters can contain still more filters. When a filter contains other filters, it is called a parent filter and the filters it contains are called child filters.

When a parent filter recognizes a packet, it installs copies of its child filters into the running system. This is in addition to the other actions defined for the parent filter. At such time, the parent filter may replace certain components of the child filters with values taken from the recognized packet.

Such parent/child groups are what makes the system dynamic. The filtering system, by monitoring data flows, can modify itself and automatically learn what it should be doing from moment to moment.

The following are the GTSecure IP Filtering commands available at the
IP Filters Config> prompt:

RADIUS Authentication

RADIUS (Remote Authentication Dial In User Service) is used to authenticate remote users so that a specific IP filter profile is installed for that user. The installed profile allows the remote user access to specific services inside the firewall. RADIUS is being developed in the IETF and currently is at the Internet draft stage.

The following are the RADIUS configuration commands available at the RADIUS Config> prompt:

UDP Broadcast

The UDP (User Datagram Protocol) broadcast feature allows the router to forward UDP broadcast frames to specific IP addresses.

For example, NetBIOS uses UDP broadcasts in some client-server applications to broadcast Name-Query frames.

You can configure UDP broadcast so that the router directs frames to a network-level or subnet broadcast IP address. You can set up UDP broadcast to forward packets to the next destination by broadcasting to the next router, or to forward to the final destination by supplying a host address or directed broadcast address on the final network.

IP configuration commands for UDP Broadcast available at the IP Config> prompt include:

Data Compression on PPP, with Stac

Data compression lets the router software pack more user data into the packets moving through router interfaces. If the rate of packet transfer stays constant, the data transfer rate (throughput) for the router increases proportionally.

The data compression software works by replacing frequently-occurring character sequences with single characters that represent the sequences. The sequences can be words, blank spaces, numbers, or any other string in the data stream. The substitution characters are called index characters.

For example, the character sequences that make up the words "the" and "computer" may appear separately throughout an ASCII text file in a data stream. The data compression software substitutes a single character for each of the words. Further, if the words appear together as "the computer," a different index character replaces the phrase. This substitution scheme in effect compresses the data.

Data compression dictionaries maintain an association between each repeatedly occurring sequence and its index character. The dictionaries must be the same at the transmitting and receiving routers to ensure accurate compression and decompression. Compression protocol messages implement the dictionary coordination; and the router must monitor the communication link between the routers closely to maintain the coordination.

Data compression commands available at the PPP Config> prompt include

disable ccp

enable ccp

set ccp options

set ccp algorithms

list ccp

PPP monitoring commands available at the PPP> prompt include

list

list comp

clear

Dialup Services

The Dialup Serial Interface (DSI) supports asynchronous and synchronous RS-232 communication, including synchronous V.25 bis, and V.35 communication through the general switched telephone network. The figure below shows a sample DSI configuration.

You can set up the DSI

• To dial on demand when there is data to send.
• As a dedicated serial link that connects automatically when you restart the router or connects manually on command.

Each DSI consists of a serial interface that is connected to a modem and a dial circuit. Dial circuits are virtual circuits that you configure on the router. Each dial circuit is a normal serial line network, running Point-to-Point Protocol (PPP). Dial circuits control the process of placing and receiving calls. You can configure more than one dial circuit for a DSI. You provide each dial circuit with a name and a telephone number to enable users to connect to designated sites.

Interoperability With GTSecure-60 Routers

Using OpenROUTE 2.1

 GT60 w/ Async  Applicabl  Cisco    Bay   Livingsto  Xylogics  
   Supported        e      2503     AN      n PM2       2K     
   Features      Proteon    Rel     Rel      Rel     Rel 10.1  
                 Routers   11.00    8.3     3.3.1              
                Rel 16.1                                       

PHYSICAL                                                       

     X.21                   S/T     Note     N/A       N/A     
                                     #1                        

     RS232                          S/T                S/T     

     V.35                           Note     N/A       N/A     
                                     #2                        

                                                               

DATA LINK                                                      

   Sync                                                        

        PPP                         S/T      N/A       N/A     

        FR                          S/T      N/A       N/A     

                                    N/T      S/T       S/T     
V.25bis                                                        

   Async                                                       

       PPP                  N/T     N/A                S/T     

                                                               

MODEMS                                                         

  Sync                                                         

    Motorola       S/T      S/T     N/T      N/A       N/A     
V.3400                                                         

    Penril                          N/T      N/A       N/A     
p2433-01                                                       

    Hayes          S/T      N/T     N/T      N/A       N/A     
Optima                                                         

Interoperability With GTSecure-60 Routers

Using OpenROUTE 2.2 (Continued)

 GT60 w/ Async  Applicabl  Cisco    Bay   Livingsto  Xylogics  
   Supported        e      2503     AN      n PM2       2K     
   Features      Proteon    Rel     Rel      Rel     Rel 10.1  
                 Routers   11.00    8.3     3.3.1              
                Rel 16.1                                       

  Async                                                        

    Hayes          S/T    Note #3   Note     S/T       S/T     
Optima                               #3                        

    USR Sport      S/T    Note #3   Note     S/T       S/T     
28.8K                                #3                        

    USR Sport      S/T    Note #3   Note     S/T       S/T     
14.4K                                #3                        

    Practical     S/T-    Note #3   Note     S/T               
PC288MT                              #3                        

    Microcom              Note #3   Note               S/T     
DP28.8p                              #3                        

                                                               

SECURITY                                                       

    PAP                             S/T      Note      S/T     
                                             #4                

    CHAP                            S/T                S/T     

    PAP &                 Note #5   S/T                N/T     
    CHAP                                                       

    CHAT                    N/A     N/A                S/T     

    Secure                  N/A     N/A      N/A       N/A     
Static Filters                                                 

    Secure                  N/A     N/A      N/A       N/A     
Dynamic                                                        
    Filters                                                    

    Radius                  N/A     N/A      N/A       N/A     
                                                               
Authentication                                                 

    User                    N/A     N/A      N/A       N/A     
Defined ELS                                                    

    SNMP Traps              N/A     N/A      N/A       N/A     

                                                               

PROTOCOLS                                                      

    IP                              S/T                S/T     

    RIP                             S/T              Note #5   

    ARP                             S/T                S/T     

    TCP                             S/T                S/T     

    UDP                             S/T                S/T     

    ICMP                            S/T                S/T     

                                                               

Dial                                                           

    In                              S/T                S/T     

    Out                     N/T     N/T                S/T     

Interoperability Legends

• - Passed the Test.
• N/A - Not Applicable.
• S/T - Tested as part of the standard GlobeTrotter 60 and 62 release, but not re-tested with GTSecure-60 product.
• N/T - Should work but was not covered during the qualification effort.

NOTES:

1) The Bay AN has problems w/X.21 DCE.

2) DTE runs okay on the Bay AN but the GTSecure-60 configured for DCE to Bay AN doesn't work.

3) Not tested, because router models used, did not support ASYNC PPP.

4) You must use software version 3.3.1 or better on the Livingston to make PAP work on calls originating from the Livingston to the GTSecure-60.

5) Cisco doesn't support PAP and CHAP at the same time on one interface.

Ordering Information

When placing an order for a GTSecure-60, order the appropriate model number.

Model Description

p5730-sec GTSecure-60

gtsadmin-pro GTSecure Login (PC and Unix disk)

gtsrad-pro GTSecure RADIUS Tool

WAN Cables

NOTE: Only Proteon WAN cables work with the GTSecure-60 Series routers.

Documentation

Each GTSecure-60 ships with the GlobeTrotter 60 and 62 Getting Started Guide that instructs the user on how to install the product. Other documents shipped include the GTSecure IP Filters Guide and the GTSecure Read Me First Guide. The printed OpenROUTE documentation set and the CD-ROM are available for those customers who are interested in more advanced configurations of OpenROUTE 2.1 software, as well as providing the complete command line instruction set. Proteon recommends that each ISP who is providing GTSecure-60 systems purchase at least one OpenROUTE printed documentation set for reference.

Model Description

p4391V2.1-sp OpenROUTE Documentation Set Printed Copy

p4956-g OpenROUTE Documentation Set CD-ROM

Tech Tips

Modem Requirements

To interoperate with the DSI, your modem must support the following V.24 circuits and configuration:

• Circuit 103 - Transmitted Data
• Circuit 104 - Received Data
• Circuit 105 - Request To Send (RTS)
• Circuit 106 - Clear To Send (CTS)
• Circuit 107 - Data Set Ready (DSR)
• Circuit 108/2 - Data Terminal Ready (DTR)
• Circuit 109 - Data Carrier Detect (DCD)
• Circuit 125 - Ring Indicator (RI)

DSI support assumes that the modem configuration

• Enables hardware flow control between the GTSecure-60 and modem using RTS and CTS.
• Sets automatic dial and answer capabilities in order not to conflict with dial circuit configuration. Auto answering is enabled in the DSI modem definition as the default. If you enable manual answering in the DSI modem definition, thereby disabling auto answering, you also need to disable auto answering on the modem.
• Sets a fixed speed between the DSI and the modem.
• Matches the device type (synchronous or asynchronous).

NOTE: Some modems support a mode in which async is used to dial the phone and then talk sync. DSI cannot support this mode of operation.

Proteon also recommends the disabling of echoing by the modem of command strings that the GTSecure-60 issues to the modem. The DSI assumes that any data it receives from a modem in response to a modem command is a result code string. In addition, Proteon strongly recommends setting DCD to track the state of carrier signal. Setting DCD always on at the modem makes it impossible to detect that the line has disconnected.

Modems Tested

Proteon has qualified the following modems for use with the asynchronous dialup capabilities of the GTSecure-60:

• Hayes Optima 288
• US Robotics Sportster 14.4 and 28.8
• Practical Peripherals PC288MT
• Microcom DeskPort 28.8
• Motorola V3400

If a modem has not been tested but meets the requirements defined above, it should work. It just requires you to provide the GTSecure-60 with the appropriate modem script.

Modem Initialization Commands

Proteon recommends that you use the modem initialization commands shown below for the following modems:

Modem                Commands                             

Practical            AT&FE0M0S0=1&C1&D2&K3&S0\r           
Peripherals PC288MT                                       

Microcom DeskPort    AT&FE0M0S0=1&C1&D2$B115200\\Q3&S0\r  
28.8                                                      

Hayes Optima 288     AT&FE0M0S0=1&C1&D2&K3&S0\r           

US Robotics          AT&FE0M0S0=1&C1&D2&B1&H1&S0\r        
Sportster                                                 

If you need to disable auto answer, change S0=1 in the commands above to S0=0.

Using &F in the modem initialization commands shown above can cause some modems to ignore the rest of the commands in the string. If you encounter this problem, remove the &F from the initialization command string.

The commands shown above have the following meanings:

Command   Meaning                                        

&F        Resets the modem to factory default settings   

E0        Disables modem echoing of commands             

M0        Turns off the modem speaker                    

S0=1      Answers on the first ring in auto-answer mode  

&B1       Sets the modem's serial port speed to the      
          speed at which the last AT command was issued  

&C1       Turns CD on when the modem connects, off when  
          the modem disconnects                          

&D2       Causes the modem to hang up when DTR is        
          turned off                                     

&D3       Causes the modem to hang up and reset when     
          DTR is turned off                              

&H1       Enables hardware (RTS/CTS) flow control        

&K3       Enables hardware (RTS/CTS) flow control        

$B115200  Sets the modem's serial port speed to 115200   
          bps                                            

\\Q3      Enables hardware (RTS/CTS) flow control        

&S0       Sets DSR always on                             

\r        Sends carriage return to the modem at the end  
          of the initialization string                   

Modem Result Codes

It is usually not necessary to configure a value for any result code. You can just accept the default values.

In particular, it is usually not necessary to configure a value for the CONNECT result code. The value configured for the CONNECT result code matches any result code that begins with the same character string. The default value, "CONNECT", matches any result code that begins with the characters "CONNECT", so "CONNECT" matches "CONNECT 28800", and so on.

Similarly, the NO DIALTONE result code matches both "NO DIALTONE" and "NO DIAL TONE".

GTSecure-60 Asynchronous Line Speed

For a 28.8 Kbps asynchronous modem, set the line speed of the DSI interface to 115200. For a 14.4 Kbps asynchronous modem, set the line speed of the DSI interface to 57600.

Tips for Chat Scripts

Be sure to add a carriage return (\r) at the end of character strings to be transmitted by the chat script transmit command.

The first character of a character string received from the remote system may be case sensitive. For example, a login prompt might be Login: or login:. If you do not know the case of the first character, then enter the string in the chat script receive command without the first character. For example, enter ogin: instead of Login: or login:, because ogin will match both.

Additional GlobeTrotter Products

GlobeTrotter 60

The GlobeTrotter 60 is based on IP with access control and antispoofing for added security. The GlobeTrotter 60 supports Stac Compression and Dialup Serial Interface (DSI) for asynchronous and synchronous RS-232 communication, including synchronous V.25 bis. Additional software features include PAP and CHAP security features, RIP, ARP, PPP, and Frame Relay. The current version of the GlobeTrotter 60 software is OpenROUTE 2.1a. For proper interaction with the GlobeTrotter Setup Utility software, use version 2.1. The current revision of the boot code for the GlobeTrotter 60 is V1.30.

GlobeTrotter 62

The GlobeTrotter 62 builds on basic IP routing of the GlobeTrotter 60 with multiprotocol, standards-based bridging and routing capabilities. The GlobeTrotter 62 supports Stac Compression and Dialup Serial Interface (DSI) for asynchronous and synchronous RS-232 communications. The GlobeTrotter 62 runs many of the industry's most popular protocols TCP/IP, IPX, and AppleTalk 2 and forwards nonroutable protocols using transparent bridging services. The GlobeTrotter 62 is a perfect fit for multiprotocol branch office communications, distributed LAN-to-WAN connectivity, and remote LAN to corporate internetworking. The current revision of the GlobeTrotter 62 software is OpenROUTE 2.1a. For proper interaction with the GlobeTrotter Setup Utility software, use version 2.1. The current revision of the boot code for the GlobeTrotter 62 is V1.30.

GlobeTrotter 70

The GlobeTrotter 70 includes 1 MB flash memory for system load storage and 2 MB of DRAM to run the system software and maintain routing tables. The unit has a compact form-factor, a single Ethernet connection and ISDN WAN connection, and a console port for out-of-band management. The GlobeTrotter 70 supports one ISDN BRI WAN port, PPP, IP, PAP and CHAP, UDP Broadcast and Stac compression. The current revision of the GlobeTrotter 70 software is OpenROUTE 2.1 [R3]. For proper interaction with the GlobeTrotter Setup Utility software, use version 3.1. The current revision of the boot code for the GlobeTrotter 70 is V1.10.

GlobeTrotter 100

The GlobeTrotter 100 supports the protocols of the GlobeTrotter 60 and 62 and more. In addition to IP, IPX, and AppleTalk, it supports antispoofing, filtering, OSPF, MOSPF, ARP, MAC Filtering, Bandwidth Reservation, ASRT Bridging, and NetBIOS Name Caching/Filtering. The GlobeTrotter 100 provides a 4 port Ethernet repeater and 2 WAN ports. The WAN ports support RS-232, V.35, and X.21 with up to T1/E1 speeds. The current revision of the GlobeTrotter 100 software is OpenROUTE 2.1a and does not support the new DSI function. The current revision of the boot code for the GlobeTrotter 100 is V1.30.

GlobeTrotter Access Manager

The GlobeTrotter Access Manager provides support for either 8 or 32 MB of memory and is a full-featured, interoperable IP software suite that supports remote GlobeTrotters and other popular, industry-standard Internet access devices as well. Internet Service Providers find the GlobeTrotter Access Manager the lowest cost, highest performing Internet point-of-presence platform on the market. The current revision of the GlobeTrotter Access Manager software is OpenROUTE 2.0a [R1] and does not support the new DSI function. The current revision of the boot code for the GlobeTrotter Access Manager is V1.10. Version 1.10 of the boot code is to support the new 32 MB of memory for the GlobeTrotter Access Manager.

NOTE: If one of the two power supplies of the GlobeTrotter Access Manager is powered off during system initialization, a diagnostic failure Bad ISR message appears during the operation of power up diagnostics. You can ignore this message. It does not indicate a true failure.

2.0 Known Deficiencies, Limitations, and/or Clarifications in the GTSecure-60 Software

• The following additional features, although present, are currently not supported by the GTSecure-60.
• IP packet filters
• Access control
• Antispoofing
• GlobeTrotter Setup Utility (GUI)

• It is important to note that dynamic profiles are always installed on the interface through which the user attempts to make the Telnet connection. For example, if an authentication user runs Telnet from the WAN side of the router through to the Ethernet side, GTSecure installs the profiles on the WAN interface.

• When you are connected to a router via the modem, and you issue the reload command at the opcon (*) prompt, wait for at least 7 seconds before typing CTRL C to enter the Bootstrap Monitor (>), otherwise you may lose your modem connection.

• Autobaud has been disabled in the GlobeTrotter 60 and GlobeTrotter 62 boot code and router code. The baud rate defaults to 9600, but is manually selectable using the set baudrate configuration command.

• When installing the GTSecure-60, ensure that the power cord is fully inserted into the GTSecure-60. If the power cord is not fully inserted in the GTSecure-60, some units will fail.

• There is a problem when running RIP between the GTSecure-60 and a Xylogics Annex/2000 over async PPP. With the default IP parameters, the GTSecure-60 learns the RIP routes from the Annex, but the Annex will not learn the GTSecure-60 RIP routes. A workaround for this is to configure the IP BROADCAST TYPE to LOCAL-WIRE for the PPP interface on the GTSecure-60.

Example:

• IP config>set broadcast
• Set for which interface address [0.0.0.0]? 50.2.88.45
• Use a NETWORK or LOCAL-WIRE style address [NETWORK]? LOCAL-WIRE
• Fill pattern for wildcard part (0 or 1) [1]? 1

• At the DSI Config> prompt, the set hdlc speed command indicates the speed of a DSI synchronous interface in bits per second. The range is 0 to 2048000. The default for this parameter is 0.

• For DSI, clocking is always external, so the only uses for the value set hdlc command are:
• 1. Reporting line speed by the INTERFACE command at the + prompt.
• 2. Setting a line speed for upper layer protocols, such as IPX, to use.

Example:

DSI Config> set hdlc speed 56000

• In the GTSecure-60 console login capability, do not add or change the Proteon user name without first contacting Proteon customer service. Proteon customer service uses this user name and password and only Proteon customer service knows the password and challenge secret.

• There are two way to eliminate the Proteon user name if you feel that this is an unacceptable security risk.

When you add the first administrative user to the router, the software queries you as to whether or not you want to add Technical Support access.

• Enter no to prevent Proteon Technical Support access. If you
• answer no, you cannot add this access later, and the software never
• queries you for this option again.

• Enter yes to allow Proteon Technical Support access. You can
• later delete this access. To delete this access,

1. Log in as an administrative user.

2. At the Config> prompt, enter list user. The software displays a

list of users, including a user with Tech Support permission and a

username of Proteon.

3. Enter delete user proteon and enter yes to the confirmation query.

This removes Proteon Technical Support access, and you cannot add this access again later.

• When you dynamically disable SNMP at the + prompt, the software shows SNMP as disabled, but the Command Line Interface or Quick Config can still access the router.

• You should increase any table sizes with caution. Proteon advises that you need an understanding of the routing environment and available memory on the router to do so.

• If you are connecting a Proteon router to a Livingston Portmaster (model PM2, software version 3.1.4) and you are running authentication across PPP, then you must be aware of the following special setup needed for the Livingston Portmaster.

• During the initial negotiation stage of authentication, the Proteon router responds with an ACK (OK) to the request for PAP from the Livingston Portmaster, but the Livingston Portmaster sends a NAK (not OK) in response to the Proteon PAP request and suggests CHAP.

• Proteon must have CHAP configured and enabled in order to satisfy the desire of the Livingston Portmaster to respond only to CHAP. This has been corrected in Livingston software release 3.3.1.

• In previous releases and products, all Proteon routers that supported dial circuits used a proprietary protocol, which is known as the Line ID protocol, to identify the calling router to the called router. The GTSecure-60 routers do not support the Proteon proprietary Line ID protocol because they are designed for connection to ISPs where more powerful forms of authentication-PAP and CHAP-are prevalent.

• Because GTSecure-60 routers do not support the Line ID protocol, a dial circuit configured on a GTSecure-60 for incoming calls must have the ANY_INBOUND parameter set. If the ANY_INBOUND parameter is not set, the dial circuit will not accept incoming calls.

• Similarly, dial circuits configured for incoming calls on Proteon routers other than the GTSecure-60 must also have the ANY_INBOUND parameter set in order to accept calls from the GTSecure-60. If the ANY_INBOUND parameter is not set, they will not be able to accept incoming calls from the GTSecure-60.

• The maximum number of dial circuits that you can configure on a GTSecure-60 is 32. Attempting to configure more than 32 dial circuits on a GTSecure-60 causes the router to exhaust available memory and crash during initialization. If you configure more than the maximum number of dial circuits and cause the router to crash, you have to clear your configuration before reloading, unless you saved a configuration with no more than the maximum number of dial circuits.

• Do not configure routing protocols on the DSI base network supporting a dial circuit. This can sometimes also occur as an undesirable side effect when you change data link protocols after you configure the routing protocol.

• The Proteon V.25 bis implementation requires V.25 bis DCEs (modems) to adhere to a subset of the allowed interchange circuit (modem signal) transitions described in the V.25 bis Recommendation in Fascicle VIII.1 of the CCITT Series V Recommendations.

• To operate successfully with the Proteon V.25 bis implementation, V.25 bis modems must turn on CTS (circuit 106) when the router turns on DTE (circuit 108/2) and must turn CTS off when an answering tone is detected or when the router turns off DTR. Modems that make the transition directly from state 9 (incoming call recognized) to state 13 (line seized) without first turning on CTS will not work with the Proteon V.25 bis implementation.

• Call collisions may not resolve satisfactorily. When you configure two routers to call one another in any mode (demand, fixed, or particularly for WAN restoral), it is possible that both callers get a busy signal, back off, try again, and so on. You can resolve this problem by designating one end as the caller (CALLS OUTBOUND) and the other end as the called party (CALLS INBOUND).

• Under extremely heavy loads over a WAN interface, routing packets for some protocols may be dropped on transmit or receive. This can destabilize the routing protocols, causing sporadic reachability. This is inherent in the nature of these routing protocols. To avoid this condition, enable Bandwidth Reservation (BRS) on both ends of the WAN connection.

• Some vendor's routers do not properly handle the PPP Magic Number. An easy workaround to this problem is not to negotiate the Magic Number. This can be done via the set lcp option command, and setting the Magic Number to no.

• During the boot process the LAN LED and the OK LED both blink when booting from the WAN interface. When booting from the IBD, only the OK LED blinks.

• The timeout configuration parameter of the add dump-entry command should be left at its default value of 10. Large values (such as 120 seconds) cause crash dumps sometimes not to complete.

• Cisco routers (and some other vendor's routers) do not allow the router dialing in to request PAP authentication. You must have PAP disabled to dial into their routers. If the remote router requests PAP, the GTSecure-60 still replies correctly even though PAP is disabled, providing you configured the remote router name and password in the GTSecure-60 PAP password table.

• In the Point-to-Point setup menu under LCP and NCP, for better interoperability with other units you should lower the following default settings:
• Config request tries 20 reset to 10
• Terminate tries 10 reset to 2
• Config NAK tries 10 reset to 5
• When using either the Command Line Interface or Quick Config, ensure your console connection to the GTSecure-60 is set for 9600 baud, 8 data bits, 1 stop bit, and no parity. Settings other than these result in garbled data display reported through the console. If you change the baud rate, then the baud rate on your console device should be matched to that new baud rate in the configuration memory. If you clear your configuration, the console baud rate is reset to the default baud rate of 9600.

• The GTSecure-60 does not have a time of day clock chip with battery backup. For time to be meaningful, you have to get the time from a nearby host. The time commands at the Config> prompt allow for this operation. You must do this at restarts or set up to poll a nearby host.

• The interval timer is set up to log out a user from console inactivity equal to the interval period set. If the console is connected via a modem, the router drops the modem connection when the user gets logged out.