Firmware upgrade to 4.2.30 broke secure port link with Elk - how to fix?

[zorax2]

I'm using a 994 Pro with the Elk M1 and Elk Module.  Up until I did the firmware upgrade, I was able to use a secure connection utilizing port 2601.  Once I did the firmware upgrade, the connection between the ISY and the Elk no longer worked.

 

In trying to fix this, I tried all kinds of permutations within the security settings of the ISY dashboard and within the ISY Admin Console and was not able to reestablish a secure connection.  I have now reverted back to using unsecure port 2101.

 

To get back to a secure port:

 

What security settings should be used in the ISY Dashboard?  TLS 1.0, TLS 1.2, something else?  Strength - high, medium or low? Should verify be checked?

 

In the Admin console for secure port setting 2601, should the SSL box be checked?

 

Within the RP2 software for the ELK - are there any specific settings other than unchecking the box to "Enable Secure Port"?

 

Some people have mentioned rebooting the Elk's M1XEP and/or changing between enabling and disabling the non-secure port checkbox.

 

Has anyone else experienced this problem and does anyone have any ideas as to how to fix the problem?

 

Thank you!

[zorax2]

I just received an answer from UDI Tech Support - use port 2101 - do not use port 2601.  Everything is now working and the problem is solved.  Thanks!!

[kstock]

But 2101 is the unsecure port, which always worked. Is UDI saying there is no "secure" port?

[zorax2]

Even though I have everything working with port 2101, I'm a bit confused as the pinned ELK Wiki and Connection Troubleshooting link instructions say to start with port 2101 and then switch to port 2601.  See:  http://wiki.universal-devices.com/index.php?title=ISY-994i_Series_INSTEON:ELK_Security_Module

 

Perhaps this web page needs to be updated if port 2601 is no longer recommended by Universal Devices.  I spoke with technical support at ELK and they said the ELK integration Module for ISY is only supposed to support port 2101.

 

I'm definitely not a security guru so maybe someone else can chime in on the merits of secured vs. unsecured integration between the ELK and ISY and whether the wiki page needs updating to reflect that users should only use port 2101.

[zorax2]

I found this thread:

Can't Connect To Secure Port After Firmware Upgrade

Started by shannong , Apr 04 2015 11:38 AM

 

http://forum.universal-devices.com/topic/15809-cant-connect-to-secure-port-after-firmware-upgrade/

 

This thread explains that 2101 is the port to use now.  It appears that the wiki should be updated so people don't struggle to try to use the "secure port 2601" connection.  I wish I would have found this thread earlier as it would have saved me a lot of time given the wiki instructions are no longer accurate.

[shannong]

You can connect using the secure port on 2601. In the Dashboard, Network-> HTTP Client Settings->TLS 1.0 and Medium is configured on mine.

 

Also, if you have users added on your Password tab of the M1XEP setup then the Elk will attempt to authenticate u/p for the TLS/SSL session which the ISY cannot respond to. So users must be blank for TLS/SSL to the ISY.

[cyberk]

So am I understanding correctly...we cannot use the elk m1xep if it's secure by username/password?

[giesen]

You can, just not on the secure port (2601)

[tandar]

Did you recently upgrade to Windows 10? I'm not sure if this is related, but Win 10 does not communicate with the M1XEP unless you upgrade the firmware of the M1XEP;

http://forum.universal-devices.com/index.php?/topic/16701-Elk-M1XEP-not-compatible-with-windows-10

[Michel Kohanim]

Hi cyberk,

 

4.2.30 disabled SSL ... ELK was still using SSL up until recently with their new firmware.

 

True: you cannot secure TLS with username/password as it's an out of band from TLS specs perspective.

 

With kind regards,

Michel

[zorax2]

I just upgraded my firmware for the M1EXP and everything works properly via RP2 however my link between the ISY and the ELK which worked previously is now broken (again . . .).

 

I've tried the following without success:

 

In RP2 M1EXP Setup tab for TCP/IP - Put a check in the box to enable non-secure port 2101

 

In ISY Network settings - set HTTPS Server to TLS 1.2 High with no verify

Set HTTPS Client to TLS 1.0 Medium with no verify

 

Then I did the following:

1. Open ELKRP2
2. Click the M1XEP setup button in the lower right
3. Go to the Passwords tab
4. Check "Disable username/passwords"
5. Connect to your M1 using RP2 and push changes to the controller
6. Go to the ISY Admin console go to Configuration | Elk | Configuration
7. Put the non-secure port number in the Port field (typically 2101)
8. Uncheck SSL
9. Save

I then rebooted my ISY - still no luck.

 

Is there anything that I might be missing with these steps or something else I should try?

[giesen]

Did you save the changes to the M1XEP and hit the reboot button after you made the changes? Also, you don't need to remove the usernames/passwords, the Elk only prompts for them when connecting to the secure port (and your ISY is connecting to the non-secure port)

[DennisC]

Also try the "find" button to insure the M1XEP is still on the same port and the upgrade didn't change it.

[cyberk]

Per UDI tech support, the API does not use the port username password, so that's not needed.

 

I tried cycling the dashboard client (and the server for giggles) through every TLS setting and "all". I could not get the elk and ISY to communicate. In the event viewer I would see frequent disconnects and fails during file transfer. Setting to the un-secure port works fine. Tech support was under the impression that tls 1.2 and "all" would work but it did not, closest I got was tls 1.0 and although it caused less frequent disconnects, data would not transfer. 

[zorax2]

Cyberk - I feel your pain as I seem to be in the same boat.

 

Giesen - I did save changes and rebooted the M1XEP without success.

 

DennisC - I used the find command and noted that it says the M1XEP uses port 2601.  Should this list port as 2101?  If so, how do I change it here?  I've already enabled port 2101 in the other spot with the check mark.

[giesen]

Are you able to telnet to port 2101 on the M1XEP's IP?

[zorax2]

I went to telnet (I haven't used this before) via the command prompt:

 

Microsoft Telnet> o 2101

Connecting to 2101... Could not open connection to the host, on port 23: connect failed

 

Hopefully I did this correctly - I don't understand the reference to port 23.  Should this telnet command have opened port 2101?

[giesen]

Open a command prompt, then:

 

telnet <M1XEP IP> 2101

[DennisC]

 

DennisC - I used the find command and noted that it says the M1XEP uses port 2601.  Should this list port as 2101?  If so, how do I change it here?  I've already enabled port 2101 in the other spot with the check mark.

If the find button reports port 2601, then that is the port you need to connect with until you load the update configuration. What port is shown on the right side of the main screen just before you select connect?

 

If that is anything other then 2601 you will not connect.

 

Dennis

[zorax2]

I seem to have gone from bad to worse. I now cannot connect to the M1XEP via RP2 (current version RP 2.0.24). The error message was "System did not respond. Connection may have been terminated." I did a hard reboot of the M1XEP by removing power and restarting and still no luck connecting. What is strange to me is that I can find the M1EXP from within RP2. I don't understand how the M1EXP can be found but the system cannot communicate through the network "connect" selection.  I did have this happen a couple times yesterday (the error), but was able to get a successful connection on most attempts.  Could this be a component or other issue?

 

Geisen - I tried the telnet command and received an error message.  Do I need to type <M1XEP_IP> (include underscore)?

 

Dennis - I've attached JPG files which show the main screen, the TCP/IP screen and the "Find M1XEP" screen.  Hopefully this will help you to better see how I have everything configured in case I've done something incorrectly.

 

 

 

[giesen]

Geisen - I tried the telnet command and received an error message.  Do I need to type <M1XEP_IP> (include underscore)?

 

 

No, the <M1XEP IP> meant put the IP address of your M1XEP in there. So judging from the screenshots you posted, you would do:

 

telnet 192.168.1.51 2101

 

 

Since you're saying ElkRP cannot connect anymore, I would make sure the M1XEP is still on that IP address (trying pinging it). Do you have it setup for a static IP? Or is it using DHCP?

[zorax2]

It's all working now - I can connect via RP2 and the ISY.  I checked with Elk Tech Support and one of the things we did was leave the ISY unplugged while trying to re-establish the connection with RP2.  RP2 then connected properly.

 

Next, I rebooted ISY without luck.  I then rebooted the ISY again about 10 minutes later, started ISY and everything worked properly.

 

I have no idea as to why all of this happened.  It must be important to reboot the ISY after the firmware upgrade I'm guessing.

 

Thank you very much to all of you who have helped me to try to troubleshoot this problem.  I really appreciated your kind help!

[zorax2]

Whoops! I spoke too soon.  I tried to log on to the ISY again and found that the connection to the ELK was broken.  I unplugged and rebooted the ISY and everything worked again.  I exited ISY and tried restarting ISY and yet again the connection broke between the ISY and ELK.  Is anyone else experiencing this or have ideas to prevent this from recurring?

[DennisC]

I don't have access to my system right now or the documentation, but looking at your screen capture, I think you need to add the access code. I don't remember what it is, but double check the documentation.

 

Dennis

[zorax2]

I found that there isn't a complete break in communication between the ISY and Elk.  For example, when I open a door from my garage to the mudroom, the program to turn on the light (activated via the Elk contact switch) does work.  What appears to operate inconsistently (which is why I thought the link was broken) is that the Arming state and the ability to arm and disarm the alarm system from the ISY didn't work. When I returned from work just now, the ability to arm via the ISY was working correctly.  I'm confused regarding the consistency of operation.  On the positive side, things do seem to work for the most part and RP and the M1XEP works on Windows 10 now.