Thu, Jul 11, 2019 12:35 PM

Answered

failed to connect ICX 7150 to SZ

Hi,
I have installed an ICX7150-C12-2X1G POE 12-port - Version:10.1.15T225
and I am trying to connect it to my SmartZone vSZ-H - 5.1.1.0.598

I have followed the guide and configured the switch with the "sz Active-list" command,
and I have verified there is connectivity between both devices on all ports, but this doesn't seem to work for me.


[email protected]#show sz status

============    SZ Agent State Info     ===================
Config Status: None     Operation Status: Enabled
State: SZ QUERY             Prev State: INIT                 Event: SZ QUERY RESPONSE

SWR List            : None
Active List         : 10.31.3.8
DHCP Option 43      : No
DHCP Opt 43 List    : None
Passive List        : None
Merged List         : 10.31.3.8
Merged Idx: 0    IP : 10.31.3.8
Switch registrar host: sw-registrar.ruckuswireless.com
Switch registrar discovery retry count: 7
Switch registrar host resolve failure count: 7

SZ IP Used          : 10.31.3.8
SZ Query Status     :
        In Progress. Response Not Received.

sz logs
-------------------------
Jan  1 19:48:35:https_connmgr_send_request>Entered.
Jan  1 19:48:35:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, TIMER/2002 RC: 1
Jan  1 19:48:35:sz_execute_state_machine>Entering with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007
Jan  1 19:48:35:sz_parse_sz_query_response -- Status: 600 <<
Jan  1 19:48:35:sz_fsm_sz_query_state>Moving to IP:10.31.3.8 because of retry count: 36
Jan  1 19:48:35:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007 RC: 1
Jan  1 19:48:35:HTTP Request Error:Http remote connection close called.


Any ideas? Thanks.


Responses

15 Messages

 • 

286 Points

2 years ago

Did you create new SwitchGroup in SmartZone?

15 Messages

 • 

202 Points

No,
but I have just done so. Is there something else I should do?
Thanks for the reply.

15 Messages

 • 

286 Points

I created new SwitchGroup and added my switch in it. That's all.

15 Messages

 • 

202 Points

I see. In my case it fails to be added to the SZ, so I am before the stage of moving between groups.

Official Rep

 • 

159 Messages

 • 

2.5K Points

You may create a switch registration rule and move the switch to a non-default group first and try joining. Also have the clock or NTP set on the ICX.

15 Messages

 • 

202 Points

Configured the switch registration rule and time, still fails to connect.
Thanks.

Official Rep

 • 

100 Messages

 • 

2.1K Points

2 years ago

Check the SZ, the switch is probably in the Default switch group, it will fully connect once you have moved it to the group you created.

15 Messages

 • 

202 Points

It is not added to the SZ.
The state is stuck on SZ Query and it appears to fail to get a response,
so it's not added :\
Thanks.

Official Rep

 • 

100 Messages

 • 

2.1K Points

Your switch should be running the latest version 8.0.90 software and it should have been upgraded using the UFI image (see the 8.0.90 release notes for details). 

15 Messages

 • 

202 Points

This is my SW version - SW: Version 08.0.90bT211
It appears to be updated.

Official Rep

 • 

100 Messages

 • 

2.1K Points

When you do show version does it look like this: 

  Copyright (c) Ruckus Networks, Inc. All rights reserved.
    UNIT 1: compiled on May 23 2019 at 23:27:11 labeled as SPS08090b
      (28596544 bytes) from Primary SPS08090b.bin (UFI)
        SW: Version 08.0.90bT211

If the (UFI) is missing then you will need to redo the upgrade with the UFI image.

15 Messages

 • 

202 Points

I've got the UFI

[email protected]#show version
  Copyright (c) Ruckus Networks, Inc. All rights reserved.
    UNIT 1: compiled on May 23 2019 at 23:27:11 labeled as SPS08090b
      (28596544 bytes) from Primary SPS08090b.bin (UFI)
        SW: Version 08.0.90bT211
      Compressed Primary Boot Code size = 786944, Version:10.1.15T225 (mnz10115)
       Compiled on Thu Jan 31 09:08:55 2019

  HW: Stackable ICX7150-C12-POE

2 Messages

 • 

90 Points

2 years ago

Hi,
Do you have a valid ICX licence on the SZ? In version 5.0 the ICX licence is not mandatory.

15 Messages

 • 

202 Points

My license is still valid:

CAPACITY-SWITCH-BUNDLED
Ruckus-Cluster-1
 
Permanent
1
Default Switch Capacity License for vSZ



Official Rep

 • 

100 Messages

 • 

2.1K Points

Try removing the switch registrar configuration; it's not needed and may be causing an issue. The command is: no sz registrar

And I assume that you can ping the SZ from the switch. 

15 Messages

 • 

202 Points

Removed it, still no response.
The SZ is reachable.

When I run "show sz logs":

{"serial_number":"XXXXXXXX", "ipaddress":"10.31.3.210", "macaddress":"XXXXXXXXX", "switch/stack/spx":"stack", "numOfUnits":2, "firmware_version":"SPS08090b.bin", "switch_model":"ICX7150-C12P"}
==============

Jul 11 18:06:29:https_connmgr_send_request>Entered.
Jul 11 18:06:29:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, TIMER/2002 RC: 1
Jul 11 18:06:29:sz_execute_state_machine>Entering with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007
Jul 11 18:06:29:sz_parse_sz_query_response -- Status: 600 <<
Jul 11 18:06:29:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007 RC: 1
Jul 11 18:06:29:HTTP Request Error:Http remote connection close called.
End i/max/iter 436/436/0


Official Rep

 • 

100 Messages

 • 

2.1K Points

Looking at this it appears that your compact switch is stacked;

{"serial_number":"XXXXXXXX", "ipaddress":"10.31.3.210", "macaddress":"XXXXXXXXX", "switch/stack/spx":"stack", "numOfUnits":2, "firmware_version":"SPS08090b.bin", "switch_model":"ICX7150-C12P"}


As your SZ only has a license for one switch then this is a problem, for your config you will need two switch licenses on the SZ.

Official Rep

 • 

89 Messages

 • 

2K Points

2 years ago

Hey Tomer,

Please get outputs of:
"show tech"
"show ntp status."
"dm verify-device-certs"
"show License"

Thanks
Hashim

15 Messages

 • 

202 Points

Hi,
[email protected]#show license
Unit  License Name    L3 Premium Port Speed Upgrade   Speed    Ports    MACsec
1     2X10GR          Yes        Yes                  10G      2        NA


[email protected]#dm verify-device-certs
Commencing sanity check for device certs ...
Verifying TPM files ...
Successfully verified
The device key pair is valid
The Encrypt/Decrypt test is successful
Successfully verified device certs

[email protected]#show ntp status
 Clock is unsynchronized, no reference clock
 NTP server mode is disabled, NTP client mode is disabled
 NTP master mode is disabled, NTP master stratum is 8
 NTP is not in panic mode


The tech support has very long output, but this seems relevant:
Jan  1 20:38:20:I:System: SSL server 10.31.3.8:443 is disconnected
Jan  1 20:38:05:I:SZAgent: Failed to connect to management device at 10.31.3.8 Error: HTTPS Connection Error

thanks.

Official Rep

 • 

159 Messages

 • 

2.5K Points

2 years ago

Please configure NTP; you may use public servers if you don't have one in-house.

Official Rep

 • 

100 Messages

 • 

2.1K Points

2 years ago

With reference to my last comment; what does the show stack output look like?

15 Messages

 • 

202 Points


[email protected]#show stack
T=4d18h28m19.4: alone: standalone, D: dynamic cfg, S: static
ID   Type          Role    Mac Address    Pri State   Comment
1  S ICX7150-C12P  alone   c0c5.2091.5df1   0 local   None:0
2  S ICX7150-48P   member  0000.0000.0000   0 reserve


     +---+
  3/1| 1 |3/2
     +---+
Current stack management MAC is d4c1.9e9a.f0f4

Official Rep

 • 

100 Messages

 • 

2.1K Points

You need to remove the stack configuration from the 7150-C12P with the stack unconfigure command.

Your SZ only has a single switch license and your 7150 is identifying itself as a two-switch stack, so the SZ will not let it join as there is not sufficient license capacity. Alternatively, add switch management licenses to the SZ.

Your show stack output needs to look like this;

***** Warning! stack is not enabled. *****

T=50m46.8: alone: standalone, D: dynamic cfg, S: static
ID   Type          Role    Mac Address    Pri State   Comment
1  S ICX7150-C12P alone   d4c1.9e29.0d09   0 local   None:0


     +---+
  3/1| 1 |3/2
     +---+
Current stack management MAC is d4c1.9e29.0d09


15 Messages

 • 

202 Points

2 years ago

done,

[email protected]#show stack

***** Warning! stack is not enabled. *****

T=4d19h25m58.2: alone: standalone, D: dynamic cfg, S: static
ID   Type          Role    Mac Address    Pri State   Comment
1  S ICX7150-C12P  alone   c0c5.2091.5df1   0 local   None:0
2  S ICX7150-48P   member  0000.0000.0000   0 reserve


     +---+
  3/1| 1 |3/2
     +---+
Current stack management MAC is d4c1.9e9a.f0f4


Still not connecting.

Official Rep

 • 

100 Messages

 • 

2.1K Points

2 years ago

What does the show sz logs look like now?

15 Messages

 • 

202 Points


Build String: size 205
============
{"serial_number":"FEK3210Q06M", "ipaddress":"10.31.3.210", "macaddress":"d4:c1:9e:9a:f0:f4", "switch/stack/spx":"switch", "numOfUnits":2, "firmware_version":"SPS08090b.bin", "switch_model":"ICX7150-C12P"}
==============

Jul 15 15:31:27:https_connmgr_send_request>Entered.
Jul 15 15:31:27:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, TIMER/2002 RC: 1
Jul 15 15:31:27:sz_execute_state_machine>Entering with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007
Jul 15 15:31:27:sz_parse_sz_query_response -- Status: 600 <<
Jul 15 15:31:27:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007 RC: 1
Jul 15 15:31:27:HTTP Request Error:Http remote connection close called.
End i/max/iter 438/438/0

Official Rep

 • 

100 Messages

 • 

2.1K Points

2 years ago

The switch is still declaring itself as two units;

{"serial_number":"FEK3210Q06M", "ipaddress":"10.31.3.210", "macaddress":"d4:c1:9e:9a:f0:f4", "switch/stack/spx":"switch", "numOfUnits":2, "firmware_version":"SPS08090b.bin", "switch_model":"ICX7150-C12P"}

The second switch needs to be removed from the config.

It might be worth resetting the C12P to factory default and starting again, whichever is easiest for you.



Official Rep

 • 

89 Messages

 • 

2K Points

2 years ago

Hey Tomer,
So one issue is with NTP. We need NTP for the certificates to work.

What about:
"dm verify-device-certs"
"show License"

Thanks
Hashim

11 Messages

 • 

264 Points

a year ago

I'm having an issue connecting my ICX 7450 switch to my vSZ. I think the issue is because I don't have a legit certificate on my vSZ, as I see this error in my connection logs. Is it possible to override this cert check for my homelab use? I'm keen to resolve this soon as I'd like to experiment with this feature before my complimentary switch license period expires.

Dec 27 22:36:45:I:SZAgent: Failed to connect to management device at 192.168.10.19 Error: HTTP Response Code 400
In case I'm wrong, other details that look pertinent to the issue include:

dm verify-device-certs
Commencing sanity check for device certs ...
Verifying files on Non-TPM Platform ...
Successfully verified
The device key pair is valid
The Encrypt/Decrypt test is successful
Successfully verified device certs


show license
Unit  License Name    L3 Premium Port Speed Upgrade   Speed    Ports    MACsec
1     l3-prem-macsec  Yes        NA                   NA       NA       Yes


[email protected]#show stack

***** Warning! stack is not enabled. *****

T=5d1h48m0.7: alone: standalone, D: dynamic cfg, S: static
ID   Type          Role    Mac Address    Pri State   Comment
1  S ICX7450-32ZP  alone   609c.9f1d.dc90   0 local   None:0


     +---+
  4/1| 1 |
     +---+
Current stack management MAC is 609c.9f1d.dc90


show ntp status
 Clock is synchronized, stratum 3, reference clock is 192.168.10.1
 precision is 2**-16
 reference time is 3786812526.1705005662 (12:22:06.1705005662 GMT-08 Tue Dec 31 2019)
 clock offset is 1.2229 msec, root delay is 0.8835 msec
 root dispersion is 21.5554 msec,  peer dispersion is 12.5557 msec
 system poll interval is 64,  last clock update was 143 sec ago
 NTP server mode is disabled, NTP client mode is enabled
 NTP master mode is disabled, NTP master stratum is 8
 NTP is not in panic mode

Dec 31 12:06:11:https_connmgr_send_request>Entered.
Dec 31 12:06:11:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, TIMER/2002 RC: 1
Dec 31 12:06:14:sz_execute_state_machine>Entering with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007
Dec 31 12:06:14:sz_parse_sz_query_response -- Status: 400 <<
Dec 31 12:06:14:sz_fsm_sz_query_state>Moving to IP:192.168.10.19 because of retry count: 12
Dec 31 12:06:14:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007 RC: 1
Dec 31 12:06:29:sz_execute_state_machine>Entering with state/event: SZ QUERY/5, TIMER/2002
Dec 31 12:06:29:

Build String: size 206
============
{"serial_number":"xxxxxxxxxxxx", "ipaddress":"192.168.10.7", "macaddress":"60:9c:9f:1d:dc:90", "switch/stack/spx":"switch", "numOfUnits":1, "firmware_version":"SPR08090d.bin", "switch_model":"ICX7450-32ZP"}
==============



11 Messages

 • 

264 Points

a year ago

Solved my problem, more RTFM'ing needed. For anyone else getting stuck, the command that needs to be entered into the SZ is non-tpm-switch-cert-validate, as documented here: http://docs.ruckuswireless.com/smartzone/5.0/sz100-vsze-administrator-guide/GUID-E963118F-F9C6-44EF-...

This is how my sz status looks now:

[email protected]#show sz status

============    SZ Agent State Info     ===================
Config Status: None	Operation Status: Enabled
State: SZ SSH CONNECTED     Prev State: SZ SSH CONNECTING    Event: NONE

SWR List            : None
Active List         : 192.168.10.19
DHCP Option 43      : No
DHCP Opt 43 List    : None
Passive List        : None
Merged List         : 192.168.10.19
Merged Idx: 0    IP : 192.168.10.19

SZ IP Used          : 192.168.10.19
SZ Query Status     :
	Response Received

SSH Tunnel Status - :
 Tunnel Status     : Established
 CLI IP/Port       : 127.255.255.253/27612
 SNMP IP/Port      : 127.255.255.254/50027
 Syslog IP/Port    : 127.0.0.1/20514
 HTTP SERVER IP/Port: 127.255.255.252/52633
 HTTP CLIENT IP/Port: 127.0.0.1/5080

Timer Status        : Not Running
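
The checks the replies in this thread walk through (declared unit count against SZ switch license capacity, NTP sync, and the non-TPM certificate case), gathered into one triage function. This is an added example, not part of any post and not Ruckus tooling; the sample inputs are constructed in the format of the CLI output quoted above, and `triage`, its finding codes and `licensed_units` are hypothetical names.

```python
import json
import re

# Constructed sample inputs in the format of the CLI output quoted in the thread.
SZ_LOGS = """\
{"serial_number":"XXXXXXXX", "ipaddress":"10.31.3.210", "macaddress":"XXXXXXXXX", "switch/stack/spx":"switch", "numOfUnits":2, "firmware_version":"SPS08090b.bin", "switch_model":"ICX7150-C12P"}
Jul 15 15:31:27:sz_parse_sz_query_response -- Status: 600 <<
Jul 15 15:31:27:HTTP Request Error:Http remote connection close called.
"""
NTP_STATUS = " Clock is unsynchronized, no reference clock\n"
CERT_CHECK = "Verifying TPM files ...\nSuccessfully verified device certs\n"

IDENT_RE = re.compile(r'^\s*(\{.*"numOfUnits".*\})\s*$', re.M)
STATUS_RE = re.compile(r"sz_parse_sz_query_response -- Status: (\d+)")


def triage(sz_logs, ntp_status, cert_check, licensed_units):
    """Return (code, detail) findings for the join blockers raised in the thread."""
    findings = []
    match = IDENT_RE.search(sz_logs)
    if match:
        # The identity JSON is what the switch reports about itself to the SZ.
        ident = json.loads(match.group(1))
        units = int(ident.get("numOfUnits", 1))
        if units > licensed_units:
            findings.append(("LICENSE", f"switch declares {units} units, "
                             f"SZ capacity is {licensed_units}"))
    if "Clock is unsynchronized" in ntp_status:
        # Certificate validity windows cannot be checked against a wrong clock.
        findings.append(("NTP", "clock unsynchronized; configure NTP first"))
    statuses = sorted(set(STATUS_RE.findall(sz_logs)))
    if "Non-TPM Platform" in cert_check and "400" in statuses:
        findings.append(("NON_TPM", "non-TPM switch rejected with 400; see the "
                         "SZ-side non-tpm-switch-cert-validate setting"))
    if statuses and not findings:
        findings.append(("UNEXPLAINED", "query status " + ",".join(statuses)))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SZ_LOGS, NTP_STATUS, CERT_CHECK, licensed_units=1):
        print(f"{code}: {detail}")
```
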