
CC3220SF: Sl_Connect Failed with -708

Part Number: CC3220SF

Hi,

I have been using the CC3220 device for a long time. The device performs well, but sometimes it hurts when it fails after a long time. Relieved. I observed that my device suddenly started failing in Sl_Connect, returning the error code "-708". I don't understand why this is happening.

Can you tell me in what case the device would return the -708 error?

ERROR:[ERROR] at:line 384 with [ERROR CODE] : -708 in [../module/mqtt/MQTT.c file] sl_Connect() failed

  • Hi Ketan, 

    Did something change in your application layer? Which SDK are you using? 

  • Hi,

    I didn't change anything because the device is running in the field.

    I'm using the 4x series of the SDK.

    Can you tell me what this error means?

  • From searching on the net, error 708 means "access denied, traffic not accepted from this IP". Has your device connected to the internet before? Maybe there is some change to where you are connecting to or accessing, and that is why you are getting this error.

    -kel

  • Hi, 

    Yes, there are some points which we observed.

    1. Sometimes the device fails on the first connection attempt with -708.

    2. Suppose the device connected on the first attempt; then the device fails on the second attempt with the -708 error. (The second attempt happens only when the device fails to publish something, so on failure of the publish method, the device closes the MQTT connection and socket.)

    One more thing I have to highlight: we have multiple devices with the same framework and the same AWS broker point, but those devices have not failed yet.

    So what does the access denied mean? Is the device not able to access the server IP address, or is the TI API blocked?

    Note: We have an AWS endpoint URL, so I am using the @sl_NetAppDnsGetHostByName API to get the IP address. Please check the code.

    I am using the following code to connect to the AWS server IP address.

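    #include <stdint.h>
    #include <string.h>
    #include <ti/drivers/net/wifi/simplelink.h>

    /* Network, ASSERT_ON_ERROR and WMLogInfo are defined elsewhere in the application. */
    int TLSConnectNetwork(Network *n, char *addr, int port,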
                          SlSockSecureFiles_t *certificate,
                          unsigned char sec_method,
                          unsigned int cipher)
    {
        SlSockAddrIn_t sAddr;
        int addrSize;
        int retVal;
    
        uint32_t hostIp = 0;
    
        retVal = sl_NetAppDnsGetHostByName((_i8*) addr, strlen(addr),
                                           (_u32*) &hostIp, AF_INET);
    
        if (retVal < 0)
        {
            ASSERT_ON_ERROR(retVal, "sl_NetAppDnsGetHostByName() failed");
        }
    
        sAddr.sin_family = AF_INET;
        sAddr.sin_port = sl_Htons((unsigned short) port);
        sAddr.sin_addr.s_addr = sl_Htonl(hostIp);
        WMLogInfo(GEN_LOG, "host IP address %08lx",
                  (unsigned long) sAddr.sin_addr.s_addr);
    
        addrSize = sizeof(SlSockAddrIn_t);
    
        n->my_socket = sl_Socket(SL_AF_INET, SL_SOCK_STREAM, SL_SEC_SOCKET);
        if (n->my_socket < 0)
        {
            /* No socket was created, so there is nothing to close. */
            ASSERT_ON_ERROR(n->my_socket, "sl_Socket() failed");
        }
    
        SlSockSecureMethod_t method;
        method.SecureMethod = sec_method;
    
        retVal = sl_SetSockOpt(n->my_socket, SL_SOL_SOCKET, SL_SO_SECMETHOD,
                               &method, sizeof(method));
        if (retVal < 0)
        {
            sl_Close(n->my_socket);
            ASSERT_ON_ERROR(retVal, "sl_SetSockOpt() failed");
        }
    
        // Disable the certificate store check for this socket.
        // The option value is ignored, but it must point to valid memory.
        _u32 dummyVal = 0;
    
        retVal = sl_SetSockOpt(n->my_socket, SL_SOL_SOCKET,
                               SL_SO_SECURE_DISABLE_CERTIFICATE_STORE,
                               &dummyVal, sizeof(dummyVal));
        if (retVal < 0)
        {
            sl_Close(n->my_socket);
            ASSERT_ON_ERROR(retVal, "sl_SetSockOpt() failed");
        }
    
        SlSockSecureMask_t mask;
        mask.SecureMask = cipher;
    
        //_u8 mask= cipher;
        retVal = sl_SetSockOpt(n->my_socket, SL_SOL_SOCKET, SL_SO_SECURE_MASK,
                               &mask, sizeof(mask));
        if (retVal < 0)
        {
            sl_Close(n->my_socket);
            ASSERT_ON_ERROR(retVal, "sl_SetSockOpt() failed");
        }
    
        if (certificate != NULL)
        {
    
            if (certificate->SecureFiles[0] == 1)
            {
                retVal = sl_SetSockOpt(n->my_socket, SL_SOL_SOCKET,
                                       SL_SO_SECURE_FILES_CA_FILE_NAME,
                                       "/cert/amazonrootca3.pem", strlen("/cert/amazonrootca3.pem"));
    
                if (retVal < 0)
                {
                    sl_Close(n->my_socket);
                    ASSERT_ON_ERROR(retVal, "sl_SetSockOpt() failed");
                }
            }
    
            if (certificate->SecureFiles[1] == 1)
            {
                retVal = sl_SetSockOpt(n->my_socket, SL_SOL_SOCKET,
                                       SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME,
                                       "/cert/device.pem", strlen("/cert/device.pem"));
    
                if (retVal < 0)
                {
                    sl_Close(n->my_socket);
                    ASSERT_ON_ERROR(retVal, "sl_SetSockOpt() failed");
                }
            }
            if (certificate->SecureFiles[2] == 1)
            {
                retVal = sl_SetSockOpt(n->my_socket, SL_SOL_SOCKET,
                                       SL_SO_SECURE_FILES_PRIVATE_KEY_FILE_NAME,
                                       "/cert/private.pem", strlen("/cert/private.pem"));
    
                if (retVal < 0)
                {
                    sl_Close(n->my_socket);
                    ASSERT_ON_ERROR(retVal, "sl_SetSockOpt() failed");
                }
            }
        }
    
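        retVal = sl_Connect(n->my_socket, (SlSockAddr_t*) &sAddr, addrSize);

        if (retVal < 0)
        {
            /* -453 is SL_ERROR_BSD_ESECSNOVERIFY: the connection is up but the
               server certificate was not verified. It is not treated as a
               failure here; every other negative value closes the socket. */
            if (retVal != -453)
            {
                sl_Close(n->my_socket);
                ASSERT_ON_ERROR(retVal, "sl_Connect() failed");
            }
        }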
    
        return retVal;
    }
    

  • Hi,

    It looks like the TLS handshake is failing but it is strange that sometimes it works and sometimes not.

    Maybe you get connected to a different server each time and the other server has a different set of cipher suites it is using?

    What method and Cipher are you using as socket options?

    What I suggest is:

    Shlomi

  • Hi,

    Thank you for your reply.

    I am connecting to one common AWS endpoint for all the devices. Every time, it connects with the same URL. The code below is used for the connection.

    Yes, the IP address is always printed once the AWS URL is resolved to an IP address through the @sl_NetAppDnsGetHostByName API.

    The NWP log is hard to get right now, but we will still try to get it. The device is in the Singapore region, and the NWP UART is also used for another purpose, so it needs soldering and so on, which is hard to do at the client's site.

    Can the router firewall block the resolved IP address? We are still not able to reproduce this problem in our lab conditions.

    SlSockSecureFiles_t cert;
    
        cert.SecureFiles[0] = 1;
        cert.SecureFiles[1] = 1;
        cert.SecureFiles[2] = 1;
    
        rc = TLSConnectNetwork(&gAppState.network, MSD_deviceMQTT.mqttURL, 8883, &cert,
                               SL_SO_SEC_METHOD_TLSV1_2,
                               SL_SEC_MASK_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
    

  • Hi,

    So is there inconsistency with when it succeeds and when it doesn't? 

    From your description, it may be that the firewall blocks port 8883 at some point and maybe allows it for a while, but I am not sure (it could also be that the firewall blocks NTP ports).

    Is it possible to test with hotspot maybe just to see if it works as expected? 

    NWP is mandatory here in case the firewall cannot be bypassed.

    Regards,

    Shlomi

  • Hi,

    As I said, most of the time it connects on the first attempt, but once MQTT is not able to publish the payload, the device disconnects and tries the next connection. Here, most of the time, I feel it is failing.

    I am also not sure about the firewall block, because when I discussed it with the client's IT department, they said all access is granted for the device. So I am not sure.

    Yes, we are trying with a different router and the hotspot method too, but it may take days to get a result.

    Let me see about the NWP log.

  • OK thanks. Please let me know when you have more info.

    Shlomi

  • Hi,

    One quick request for help; I am not creating a thread for it.

    I want to rebuild the third-party fatfs driver from the SDK, because I am not able to use the f_findnext function. I have changed the .h file to enable it, but I need to rebuild the third-party fatfs driver.

    Can you tell me how to rebuild the SDK?

    I am using the simplelink_cc32xx_sdk_4_20_00_07 SDK.

  • Hi,

    For the FATFS, I strongly suggest you open a new thread for clarity and for others to follow according to appropriate thread title.

    Regards,

    Shlomi

  • Hi,

    No worries now. I was able to build the SDK.

    For the Sl_Connect error, we will provide you the NWP log soon.

    Thank you!

  • Perfect. If you haven't done it before, please make sure it is recorded as a binary stream.

  • Hi,

    Yes, I had gone through the process earlier. Here

    Do you need the MAC log too?

  • No, NWP is enough in this case.

  • Hi, 

    Sure. 

    We will try to get it by next Monday if possible; otherwise, we will update the thread for the next step.

  • Hi,

    As we discussed earlier about the NWP log capture, I think it will take a while; I don't know how long.

    I will reopen the case once the NWP log is captured, with a reference to this case.

    Thank you!

  • Sure, no worries.