Comcast residential sporadically switching to deactivated, websites reporting no https

[HCHTech]

We did a residential install about 3 months ago now, new Arris SB8200 cable modem, a Unifi USG, U6 Mesh AP & a U6 Extender. Customer has a single Macbook, 2 iPads, 2 iPhones, 2 Roku devices, and a video doorbell. Everything worked fine until a couple of weeks ago. Client reports they are unable to log into various websites, Safari giving the standard "unsafe" message even though the sites are clearly https and work fine when bypassing the comcast connection with a cell phone hotspot. Many times, they will get the "your connection is not activated" web page like you get when you replace a cable modem and it hasn't been registered with Comcast yet. This goes away if you refresh the page, but the https errors continue.

What issue might result in this behavior? I thought originally that the time must be screwed up on the Macbook, but they are getting these symptoms on all devices, and they report that the time settings are correct. This is a bog-standard configuration in Unifi with just a single wifi network. All of their devices are wifi - the only thing connected to the USG is the U6 Mesh. The U6 Extender is meshing to the U6 Mesh, and there are no errors in the Unifi console other than the disconnection / reconnection that happens when we try power-cycling everything. The experience rating in the controller for both APs is "Excellent". A speed test run from the Unifi controller (Hostifi) consistently reports 175-200Mbps Down and 15-28Mbps Up.

I am using the Comcast DNS in the USG configuration, so I could certainly try switching to an public DNS server, but I'm unable to get connected remotely, so will have to go onsite to diagnose further. The client reports that there were no new devices added and that nothing was changed coincident with the start of this problem. Grain of salt on that, but they are an older couple so I'm inclined to believe them.

 

[YeOldeStonecat]

By chance did this client get the Comcast "security" services turned on? We've had similar symptoms like that on a few resi and even small biz installs...had to call Comcast and have them turn off that blasted security service.

 

[HCHTech]

Ahhhh, maybe. I was SO hoping to avoid another call to Comcast. It took almost 2 hours to get the new modem activated back in March - I'd rather have a root canal.

 

[YeOldeStonecat]

I know the feeling, residential is a pain. Business support...not bad though.

 

[HCHTech]

I'm heading onsite today to look at this. From my reading, the Xfinity Xfi Advanced Security is only available if you use their modem - at least I think so- - they don't say that in as many words, but that's my conclusion anyway. It's still likely a problem on their end because of the sporadic redirects to the activation page.

I also found a warning on the advanced security documentation:

'Note for customers with Apple devices: If you have Apple's iCloud Private Relay feature enabled, Advanced Security won’t work. Learn more about iCloud Private Relay.'

So that's another thread I could pull on. I can look to see if disabling this on their Macbook changes the symptoms.

 

[HCHTech]

Update: The problem was on Comcast's end. I went onsite today and connected a computer directly to the modem, then power-cycled it - I immediately got the Comcast activation page. There was almost no cell coverage at the location, so we couldn't download the Xfinity app, which was the only way to proceed without calling them. Fortunately, after battling the infernal IVR and getting through to a person, it was easier than last time. They found the tech who did the activation back in March had left the old modem also activated on the account and that was causing some problem on their end. They reactivated the new modem, removed the old and everything starting working again.

Edit: Oh, and I did confirm with their tech (which is only good if we assume they knew what they were talking about) that the XFi Advanced Security thing (where they hijack your DNS) is only possible if you use their modem...