LwM2M FOTA Download Stalls at 1–2% on nRF9160 over NB-IoT/LTE-M

Question

I am using nRF9160 DK with nRF Connect SDK v2.9 and the LwM2M client sample ( /samples/cellular/lwm2m_client/ ) , converted from PSK to X.509 certificates . The device connects successfully to my custom Leshan server on AWS , and works with Onomondo SIM cards . Security handshake with X.509 works fine after adjusting the server settings. However, firmware update over-the-air (FOTA) fails : The download starts and reports 1–2% progress . After that, the download stalls and no more CoAP requests are observed on the server. This happens even when testing with PSK against the demo LwM2M server. Network connection seems stable, no obvious LTE disconnects, and device registration updates continue. Also, on the server UI, I see it show me "Request Timeout." [00:00:15.417,205] app_lwm2m_client: LwM2M is connected to server [00:00:15.417,266] app_lwm2m_client: Obtained date-time from modem [00:00:38.783,386] app_lwm2m_client: FOTA download started for instance 0 [00:00:38.784,667] lwm2m_firmware: Image type 1 [00:00:38.787,139] lwm2m_firmware: Application firmware download started. [00:00:57.482,666] lwm2m_firmware: Downloaded 1% [00:00:59.722,747] lwm2m_firmware: Downloaded 2% [00:01:15.415,527] app_lwm2m_client: rd_client_event: Registration update started [00:01:15.810,852] net_lwm2m_rd_client: Update callback (code:2.4) [00:01:15.810,882] app_lwm2m_client: rd_client_event: Registration update complete [00:01:15.810,974] net_lwm2m_rd_client: Update Done CONFIG_LWM2M=y CONFIG_LWM2M_COAP_BLOCK_SIZE=1024 CONFIG_LWM2M_COAP_MAX_MSG_SIZE=2048 CONFIG_LWM2M_CLIENT_UTILS=y CONFIG_LWM2M_ENGINE_MAX_MESSAGES=15 CONFIG_LWM2M_ENGINE_MAX_PENDING=15 CONFIG_LWM2M_ENGINE_MAX_REPLIES=15 Questions: Is there a recommended configuration for LwM2M FOTA over NB-IoT/LTE-M for large firmware images? Should PSM/eDRX be disabled during FOTA, or is there a way to pause registration updates to avoid blocking the download? What are the recommended CoAP block sizes and engine parameters to reliably transfer large images? Are there known limitations when using Onomondo SIM + AWS Leshan for large firmware downloads? Additional Info: MCUboot v2.1.0 Zephyr OS v3.7.99 LTE-M/NB-IoT tested with Onomondo SIM

luqman · Answer

Hi, Looking at your logs, the issue is clear: downloader: Setting up TLS credentials, sec tag count 1 downloader: Failed to connect, err -111 You're using https:// in your firmware URI, but the modem can't establish TLS because no valid CA certificate is provisioned for that Leshan server. That's why it connects on TCP level (you can see it resolves the IP fine) but fails at the TLS handshake. You have two options: Option A (recommended, easiest, and most reliable over cellular) Switch to plain HTTP. Host the firmware on your server: bash cd ~/ota python3 -m http.server 8000 Then in Leshan UI write to /5/0/1 (Package URI): http://:8000/zephyr.signed.bin Make sure port 8000 is open in your firewall/security group inbound rules. Option B — Keep HTTPS, provision the CA certificate bash openssl s_client -connect leshan.yourserver.com:443 /dev/null | openssl x509 -outform PEM > leshan_ca.pem Provision it into the modem at a security tag: modem_key_mgmt_write(1, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, cert, cert_len); And add to prj.conf: CONFIG_FOTA_DOWNLOAD_SEC_TAG=1 Also regarding app_update.bin, atleast for me in newer NCS with sysbuild it's no longer generated. The equivalent file is build/app/zephyr/zephyr.signed.bin. It's the same MCUboot-signed OTA image, just renamed. Use it directly in your firmware URL. hope that ressolve your issue