Reverse proxy issues with CWMP


Using CWMP with a reverse proxy is a pain. With Apache I have to use disableReuse=on, but then many requests end with “Connection dropped”, rendering provisioning of some devices impossible. Without “disableReuse=on” almost everything works except some requests, e.g. when setting the WiFi SSID on a Huawei ONT I get “Bad session”:

2021-03-04T08:38:44.363Z [INFO] 00259E-HG8546M-4857544359AE748A: ACS request; acsRequestId="177fc63a2fc0101" acsRequestName="GetParameterValues"
2021-03-04T08:38:44.473Z [ERROR] 00259E-HG8546M-4857544359AE748A: Bad session state

This must be related to session cache as the CWMP backend maps the response to invalid IP address.

CWMP without reverse proxying works like a charm. I also tried Nginx with the same results (e.g. Connection dropped without setting keepalive on upstream or Bad session with keepalive enabled).

Has anyone got a working CWMP reverse proxy?


I can share my apache setup which is using a Balancer as well. We have the ACS server running on port 7548 as we used a previous ACS server and are redirecting it to GenieACS.

<Proxy balancer://acs>
    BalancerMember http://IP.GOES.HERE:7548 disablereuse=On keepalive=On
    ProxySet lbmethod=byrequests
</Proxy>

<VirtualHost *:7547>
    ServerName acs.domain:7547
    ProxyVia on
    RewriteEngine On
    ProxyPass "/service/cwmp" "balancer://acs/"
    ProxyPassReverse "/service/cwmp" "balancer://acs/"

    ProxyPass "/service/cwmp/" "balancer://acs/"
    ProxyPassReverse "/service/cwmp/" "balancer://acs/"

    ProxyPass "/" "balancer://acs/"
    ProxyPassReverse "/" "balancer://acs/"
</VirtualHost>

On which versions?
I had similar problems with 1.2.3 and 1.2.4

Unfortunately I did not see this topic and created one.

Unfortunately it does not work for me, I always get Connection dropped or Bad session errors:

2021-03-10T07:11:14.620Z [ERROR] 00259E-HG8546M-4857544359AE748A: Connection dropped
2021-03-10T07:11:14.620Z [WARN] 00259E-HG8546M-4857544359AE748A: Channel has faulted; channel="huawei" retries=1 faultCode="session_terminated" faultMessage="The TR-069 session was unsuccessfully terminated"

The only way it works is a direct connection to Genieacs.

This is my reverse proxy setup as suggested:

<Proxy balancer://cwmp>
    BalancerMember disablereuse=On keepalive=On
    ProxySet lbmethod=byrequests
</Proxy>


  ProxyVia          On

  ProxyPass         /  "balancer://cwmp/"
  ProxyPassReverse  /  "balancer://cwmp/"

  RequestHeader       set Forwarded expr=for=%{REMOTE_ADDR}
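
A way to summarise these errors per device when comparing a proxied setup with a direct one, as an added example that is not part of the original posts or of GenieACS: it parses the log format quoted in this thread and records which ACS request was in flight when a session error appeared. The function names are hypothetical, and the last sample line is constructed; the other four are the lines quoted above.

```python
import re
from collections import Counter, defaultdict

# Sample input: four lines quoted in the thread plus one constructed Inform line.
SAMPLE_LOG = '''\
2021-03-04T08:38:44.363Z [INFO] 00259E-HG8546M-4857544359AE748A: ACS request; acsRequestId="177fc63a2fc0101" acsRequestName="GetParameterValues"
2021-03-04T08:38:44.473Z [ERROR] 00259E-HG8546M-4857544359AE748A: Bad session state
2021-03-10T07:11:14.620Z [ERROR] 00259E-HG8546M-4857544359AE748A: Connection dropped
2021-03-10T07:11:14.620Z [WARN] 00259E-HG8546M-4857544359AE748A: Channel has faulted; channel="huawei" retries=1 faultCode="session_terminated" faultMessage="The TR-069 session was unsuccessfully terminated"
2021-03-10T07:12:01.100Z [INFO] 000000-EXAMPLE-000000000001: Inform; cpeRequestId="1" informEvent="2 PERIODIC" informRetryCount=0
'''

# timestamp [LEVEL] device-id: message; key="value" key=value ...
LINE_RE = re.compile(r'^(\S+) \[(\w+)\] ([^:]+): ([^;]+)(?:; (.*))?$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SESSION_ERRORS = {"Bad session state", "Connection dropped"}

def parse_line(line):
    """Split one log line into its parts; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, level, device, message, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest or "")}
    return {"ts": ts, "level": level, "device": device,
            "message": message.strip(), "fields": fields}

def triage(log_text):
    """Per device: error counts, the RPC pending at each error, fault codes."""
    report = defaultdict(lambda: {"errors": Counter(), "in_flight": [],
                                  "fault_codes": []})
    last_rpc = {}  # device -> name of the most recent unanswered ACS request
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        dev, msg = rec["device"], rec["message"]
        if msg == "ACS request":
            last_rpc[dev] = rec["fields"].get("acsRequestName")
        elif msg in SESSION_ERRORS:
            report[dev]["errors"][msg] += 1
            report[dev]["in_flight"].append((msg, last_rpc.pop(dev, None)))
        elif msg == "Channel has faulted":
            report[dev]["fault_codes"].append(rec["fields"].get("faultCode"))
    return dict(report)

if __name__ == "__main__":
    for device, summary in triage(SAMPLE_LOG).items():
        print(device, dict(summary["errors"]), summary["in_flight"], summary["fault_codes"])
```

Running the same provisioning task once through the proxy and once directly, then comparing the two reports, shows whether the errors cluster on particular requests or devices.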


I am now getting the same error after going to 1.2.4 as well.

I found that changing the ACS URL that I defined in the inform to point to the ACS itself instead of the reverse proxy resolved the errors I was getting.

That’s not my case. InternetGatewayDevice.ManagementServer.URL of my devices is set to which is the reverse proxy itself, since Genieacs is bound to loopback on the same machine (see above).

In my case, an HTTP 1.1 POST via nginx was passed on as HTTP 1.0, which causes data loss (HTTP headers).
To fix this I added to the nginx conf: proxy_http_version 1.1
Best regards

There is no such thing in Apache reverse proxy as far as I know.

I reduced the problem at my installation by speeding up external scripts.
(E.g. if the external DB is not already in the memory, it will take too long and it will produce the error)
It is definitely not perfect, because it is still something like a race condition.

Well, how is that possible that directly exposing Genieacs eliminates the errors completely?

I do not know.
In Wireshark I see that the connection from nginx to genieacs is HTTP 1.0 but the answer is HTTP 1.1.
Maybe there is some kind of timeout with the proxy constellation that caused that problem.
I have not tried setting HTTP proxy version to 1.1, yet.

I’m using HaProxy with genieACS and it works like a charm. However I had to move authentication to the ACS servers because HaProxy didn’t handle it too well.

Looks promising, thanks for the tip.

@bajojoba that sounds great.
Could you please provide us some details?
E.g. which versions of haproxy and genieacs you are using, and maybe some advice for the haproxy configuration.

I’m also using HaProxy version 1.7.5-2 and works great.
Here’s a copy of my haproxy backend config from haproxy.cfg

backend ACS_Updated
        mode http
        http-reuse never
        option http-keep-alive
        option forwardfor
        http-request add-header "Forwarded" %[src,regsub(^,for=,g)] 
        server NAME_OF_OTHER_ACS x.x.x.x:7547    #IP of my other ACS