Unable to connect Multitech Conduit AEP to TTN V3

@ElectronicallyE
hey you did a very nice summary of the setup in your post, you forgot to mention in there the LNS KEY creation which is part of the process.

also seems that TTN updated the documentation on this step and now you can add this LNS API key in the GW General Settings page

where before this was done only with the CLI tool

question: can this LNS key be created once for all the GWs in the Personal API keys or in Org keyst, or does it have to be created per gateway?

another comment: if you are using The Things Industries or the things stack, do use this command to grab the cert:
openssl s_client -showcerts -servername au1.cloud.thethings.network -connect au1.cloud.thethings.network:443

i was about to give up as I faced the same issue as bakir. i did all the steps mentioned here but the

gateway still disconnected(and it is still ).

however, just before I was about to delete the gateway and go back to TTN V2, I suspected an old

issue that used to happens in V2, which was a disconnected state on the gateway console but the

application console still receives live data. I configured an application and a device (with a

disconnected gateway status on the console). surprisingly, the same issue seems to be still

happening. i was receiving data from my sensor. unfortunately, TTN removed the gateway ID from the

meta-data hence I suspected that maybe another gateway around caught my packet so I disconnected

my gateway and retransmit again from the sensor but nothing received on the application’s live data.

So I guess that V3 maybe still suffers from that old problem.

It does that for data caught by a V2 GW coming through PacketBroker into V2 applications…so one would suspect your GW was/still is registered in V2 and not yet on V3? (If so DON’T delete from V2 just in case - just change key to stop it being picked up in V2 via console)

Thank you Jeff, The Gateway was deleted but the sensor was registered on V2…but I think this is not related to the fact that the GW is in a disconnected state, No?

To use a basic station, it must be 1.5 lora hardware and above.Unfortunately my 1.0

Can this LNS key be created once for all the GWs in the Personal API keys or in Org keyst, or does it have to be created per gateway?

Keys must be created for each gateway.

another comment: if you are using The Things Industries or the things stack, do use this command to grab the cert:
openssl s_client -showcerts -servername au1.cloud.thethings.network -connect au1.cloud.thethings.network:443

For some reason, the ISRG Root X1 pem 7 certificate was working for a couple of days then the gateway went offline. I tried rebooting the unit and had still had no luck. After reseting the gateway and using the above command to get the certificate (it’s the second one printed in the output), the gateway connected.

I’m deleting and reposting my procedure to reduce confusion.

Thanks for the information @tom-iotexperts. I’ve been able to get my gateway online and working.

Before doing this, you need to configure CUPS and LNS keys on TTS. Have a read here: LoRa Basics™ Station | The Things Stack for LoRaWAN

Gateway Specifications
Model Number: MTCDTIP-LEU1-266A
Firmware: 5.3.3
LoRa Module Model Number: MTAC-LORA-H-915
LoRa Module Hardware: MTAC-LORA-1.5
Frequency Band: 915
FPGA Version 35
Basic Station: 2.0.5-1-r3.0 RUNNING

Credentials
CUPS

URI
https://au1.cloud.thethings.network:443

Station Config
Copied from here . Also accessible via MultiTech Developer Resources » Running Basic Station on Conduit at MTCDT station.conf . This is NOT the default station config after factory reset.

Server Cert
In a terminal, enter the command openssl s_client -showcerts -servername au1.cloud.thethings.network -connect au1.cloud.thethings.network:443 which is mentioned in MultiTech Developer Resources » Running Basic Station on Conduit . Copy the second certificate printed (starting with -----BEGIN CERTIFICATE-----):

1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
CERTIFICATE
-----END CERTIFICATE-----

Gateway Cert
Leave blank

Gateway Key
Authorization: Bearer CUPS_API_KEY
Get the key by creating an API key in The Things Stack with the following permissions:

• View gateway information
• Retrieve secrets associated with a gateway
• Edit basic gateway settings

Click “Submit” (bottom of page) → “Save and Apply” (left)
Click “Commands” → “Restart Device” (gateway must be completely rebooted for it to connect to the network)

I did not need to adjust the gateway EUI in The Things Stack (moving four zeros from the middle to the front of the EUI).

The following PR has been merged in v3.13.0 and deployed; Remove hardware specific fields in LBS Router Config by KrishnaIyer · Pull Request #4190 · TheThingsNetwork/lorawan-stack · GitHub

There’s no need to hack the clksrc field anymore since the server does not set this field and leaves it to the gateway.

I tested this with an MTCAP AEP gateway and if you just follow the instructions in the docs, this just works out of the box
https://www.thethingsindustries.com/docs/gateways/lora-basics-station/

I’ve studied this thread numerous times, read the TTN LBS documentation and that supplied by Multitech, but still no further getting a Conduit connected via Basics Station and would appreciate any suggestions for things to try.

H/W + F/W: MTCDTIP-L4E1-266A Firmware 5.3.3

Connecting to EU1. If I run station with sudo I get:

admin@mtcdt:/var/run/lora/1$ sudo ./station
Password: 
2021-09-10 15:35:15.820 [SYS:INFO] Logging     : stderr (maxsize=100000, rotate=3)
2021-09-10 15:35:15.821 [SYS:INFO] Station Ver : 2.0.5(mlinux/std) 2021-02-19 22:27:11
2021-09-10 15:35:15.822 [SYS:INFO] Package Ver : (null)
2021-09-10 15:35:15.822 [SYS:INFO] proto EUI   : 80:0:a000:8232	(station.conf)
2021-09-10 15:35:15.822 [SYS:INFO] prefix EUI  : ::0	(station.conf)
2021-09-10 15:35:15.823 [SYS:INFO] Station EUI : 80:0:a000:8232
2021-09-10 15:35:15.823 [SYS:INFO] Station home: ./	(builtin)
2021-09-10 15:35:15.823 [SYS:INFO] Station temp: /var/tmp/	(builtin)
2021-09-10 15:35:16.025 [TCE:INFO] Starting TC engine
2021-09-10 15:35:16.027 [TCE:ERRO] No TC URI configured
2021-09-10 15:35:16.027 [CUP:INFO] Starting a CUPS session in 0 seconds.
2021-09-10 15:35:16.028 [TCE:INFO] Router rejected or retry limit reached. Invoking CUPS.
2021-09-10 15:35:16.028 [TCE:INFO] Terminating TC engine
2021-09-10 15:35:16.028 [CUP:INFO] Starting a CUPS session now.
2021-09-10 15:35:16.029 [CUP:INFO] Connecting to CUPS ... https://eu1.cloud.thethings.network:443 (try #1)
2021-09-10 15:35:16.034 [any:INFO] ./cups.trust: 
cert. version     : 3
serial number     : 82:10:CF:B0:D2:40:E3:59:44:63:E0:BB:63:82:8B:00
issuer name       : C=US, O=Internet Security Research Group, CN=ISRG Root X1
subject name      : C=US, O=Internet Security Research Group, CN=ISRG Root X1
issued  on        : 2015-06-04 11:04:38
expires on        : 2035-06-04 11:04:38
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL S2021-09-10 15:35:16.034 [AIO:INFO] cups has no cert configured - running server auth and client auth with token
2021-09-10 15:35:16.495 [CUP:INFO] Interaction with CUPS failed - retrying in 1m
2021-09-10 15:35:16.495 [TCE:INFO] Starting TC engine
2021-09-10 15:35:16.496 [TCE:ERRO] No TC URI configured
2021-09-10 15:35:16.497 [TCE:INFO] Router rejected or retry limit reached. Invoking CUPS.
2021-09-10 15:35:16.497 [TCE:INFO] Terminating TC engine
2021-09-10 15:35:16.497 [CUP:INFO] Starting a CUPS session in 60 seconds.
2021-09-10 15:36:16.498 [CUP:INFO] Starting a CUPS session now.
2021-09-10 15:36:16.498 [CUP:ERRO] No CUPS-bak URI configured
2021-09-10 15:36:16.498 [TCE:INFO] Starting TC engine
2021-09-10 15:36:16.499 [TCE:ERRO] No TC URI configured
2021-09-10 15:36:16.499 [TCE:INFO] Router rejected or retry limit reached. Invoking CUPS.
2021-09-10 15:36:16.500 [TCE:INFO] Terminating TC engine
2021-09-10 15:36:16.500 [CUP:INFO] Starting a CUPS session in 60 seconds.

And this just repeats.

I am having exactly the same setup and error when trying to migrate my gateway from v2 to v3 today.

I could only recreate your error by using a key with the wrong permissions.

Can you run with the -l0 logging option? It will probably show a 401 Unauthorized HTTP response which is expected when using a key with wrong permissions.

sudo ./station -l0

According to https://www.thethingsindustries.com/docs/gateways/concepts/lora-basics-station/cups/

CUPS requires an API key for your gateway with the following rights:

• View gateway information
• Edit basic gateway settings
• Retrieve secrets associated with a gateway

The CUPS key will go into the Conduit AEP UI Gateway Key field with HTTP header info prefix “Authorization: Bearer”.

Authorization: Bearer NNSXS.AAA.BBB

LNS requires an API Key with the following rights:

• Link as Gateway to a Gateway Server for traffic exchange, i.e. write uplink and read downlink

The LNS key will go into the TTN UI Gateway Settings LNS Authentication Key field

For sanity check you could enable all permissions for both keys then it would not matter if you have them flipped. This is NOT recommended for actual deployment.

Thanks for your suggestion @jreiss. I tried again with my existing and a new Gateway API Key with all rights.

Running with l0 logging I get the following logs:

admin@mtcap:/var/run/lora/1$ sudo ./station -l0
2021-09-12 14:46:50.518 [SYS:INFO] Logging     : stderr (maxsize=10485760, rotate=3)
2021-09-12 14:46:50.519 [SYS:INFO] Station Ver : 2.0.5(mlinux/std) 2021-02-19 22:26:41
2021-09-12 14:46:50.521 [SYS:INFO] Package Ver : (null)
2021-09-12 14:46:50.522 [SYS:INFO] proto EUI   : 0:8:4a:7240    (/sys/class/net/eth0/address)
2021-09-12 14:46:50.523 [SYS:INFO] prefix EUI  : ::1    (builtin)
2021-09-12 14:46:50.525 [SYS:INFO] Station EUI : 8:ff:fe4a:7240
2021-09-12 14:46:50.550 [SYS:INFO] Station home: ./     (builtin)
2021-09-12 14:46:50.551 [SYS:INFO] Station temp: /var/tmp/      (builtin)
2021-09-12 14:46:50.755 [TCE:INFO] Starting TC engine
2021-09-12 14:46:50.756 [TCE:ERRO] No TC URI configured
2021-09-12 14:46:50.756 [CUP:INFO] Starting a CUPS session in 0 seconds.
2021-09-12 14:46:50.757 [TCE:INFO] Router rejected or retry limit reached. Invoking CUPS.
2021-09-12 14:46:50.757 [TCE:INFO] Terminating TC engine
2021-09-12 14:46:50.757 [CUP:INFO] Starting a CUPS session now.
2021-09-12 14:46:50.757 [CUP:INFO] Connecting to CUPS ... https://eu1.cloud.thethings.network:443 (try #1)
2021-09-12 14:46:50.787 [any:INFO] ./cups.trust:
cert. version     : 3
serial number     : 40:01:75:04:83:14:A4:C8:21:8C:84:A9:0C:16:CD:DF
issuer name       : O=Digital Signature Trust Co., CN=DST Root CA X3
subject name      : C=US, O=Let's Encrypt, CN=R3
issued  on        : 2020-10-07 19:21:40
expires on        : 2021-09-29 19:21:40
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage         : Digital Signature, Key Cert Sign, CRL Sign
2021-09-12 14:46:50.787 [AIO:INFO] cups has no cert configured - running server auth and client auth with token
2021-09-12 14:46:50.891 [CUP:VERB] Retrieving update-info from CUPS https://eu1.cloud.thethings.network:443...
2021-09-12 14:46:52.363 [AIO:XDEB] [3] http_read state=4
2021-09-12 14:46:52.401 [AIO:XDEB] [3] http_read state=4
2021-09-12 14:46:52.402 [any:VERB] Failed to retrieve TCURI from CUPS: (404) Not Found
2021-09-12 14:46:52.402 [AIO:DEBU] [3] HTTP connection shutdown...
2021-09-12 14:46:52.403 [CUP:INFO] Interaction with CUPS failed - retrying in 1m
2021-09-12 14:46:52.403 [TCE:INFO] Starting TC engine
2021-09-12 14:46:52.405 [TCE:ERRO] No TC URI configured
2021-09-12 14:46:52.405 [TCE:INFO] Router rejected or retry limit reached. Invoking CUPS.
2021-09-12 14:46:52.405 [TCE:INFO] Terminating TC engine
2021-09-12 14:46:52.405 [CUP:INFO] Starting a CUPS session in 60 seconds.

The 404 looks like there is something else wrong.

What certificate did you put in Server Cert? And where did you get it from. From the official TTN v3 docs and Multitech docs I get different ones.

The X1 cert is recommended.
https://www.thethingsindustries.com/docs/reference/root-certificates/

@TomStein did you register the GW with this EUI?

8:ff:fe4a:7240

This is generated from the eth MAC and is not the EUI for lora seen in the mPower UI. Perhaps there is something in station.conf that is not expected.

The 404 response is received if the GW record is not found.

@jreiss The mPower UI shows the Gateway EUI: 00-80-00-00-00-01-42-76 which I used to register the Gateway with on TTN (working in v2 and packet Forwarder Mode for v3). I didn’t use 8:ff:fe4a:7240 yet. I’ll try to register another v3 gateway with that ID and let you know how that goes.Thanks for the hint.

Since basic station generated an EUI value I assume the default placeholder was removed from the station.conf.

There should be a routerid field in the JSON input into the UI. I the placeholder is used, any value between angled brackets, such as “<WILL-BE…>” then the init script will replace this with the Gateway EUI shown in the UI.

In addition to what @jreiss said, if you still get a 404 error, the other possibility is that the gateway does not have a frequency plan configured on The Things Stack.

Running the station with additional options shows the problem to be permission related:

2021-09-13 16:49:19.048 [any:VERB] Failed to retrieve TCURI from CUPS: (401) Unauthorized

However, giving the CUPS key all permissions doesn’t help.

In the console I have the EUI set as 00800000A0008232, whereas station prints this out as:

2021-09-13 15:45:40.220 [SYS:INFO] proto EUI   : 80:0:a000:8232	(station.conf)
2021-09-13 15:45:40.221 [SYS:INFO] prefix EUI  : ::0	(station.conf)
2021-09-13 15:45:40.222 [SYS:INFO] Station EUI : 80:0:a000:8232

The frequency plan is set to EU_863_870.

Are you following the documentation here?
https://www.thethingsindustries.com/docs/gateways/multitechconduit/lbs/

Specifically, is your API Key prefixed with bearer?

The correct format would be

Authorization: Bearer NNSXS......

My Gateway Key in the Conduit UI starts:

Authorization: Bearer NNSXS.AZ4

And is terminated with ^M.

Looking at /var/run/lora/1/cups.key confirms it is set there also.

In the Console this is configured as a key called CUPS with Gateway All privs.