
27 Messages

 • 

510 Points

Tue, Mar 15, 2016 3:30 PM

Connection between AP and vSZ

The vSZ runs on a server with a public IP. Once a new AP is added to the customer's network with a 100.... firmware, it cannot connect to the vSZ via the public IP.

We tried

· DHCP option 43 as described in https://support.ruckuswireless.com/answers/000003197

· manually add the director IP (set director ip x.x.x.x) on the AP

but the AP doesn’t connect and/or performs no firmware update.

When we first connect the AP internally to the vSZ and move the AP to the appropriate zone, it will work at the customer's network.

Did we miss something or are we doing it wrong?

Responses

333 Messages

 • 

5.1K Points

5 years ago

Is the AP behind a NAT?

Also have you enabled the discovery agent on the AP?:
set discovery-agent enabled

27 Messages

 • 

510 Points

Hi,

thx for the replies.

The APs are behind a NAT router (local IP 192.168.101.x). We tried "set discovery-agent enabled" without success. The vSZ is behind a firewall but the ports are forwarded/open (telnet 22/443 test ok).

333 Messages

 • 

5.1K Points

What about the LWAPP ports?

UDP 12222
UDP 12223

Also when APs are behind a NAT you need to use Ruckus GRE.

Is the public IP on the SZ configured on the Data Plane?

302 Messages

 • 

4.8K Points

5 years ago

Good questions Sean.
And do you have any firewall in front of the vSZ, and are the correct ports open?

Kind regards
Martin

2 Messages

 • 

70 Points

5 years ago

Have you applied this to the controller?

Enabling LWAPP2SCG

If the LWAPP2SCG application is pre-installed but disabled in your controller release, do the following to enable it:

1. Log on to the controller’s console.

2. Enter en to enable privileged mode.

3. Enter config.

4. Enter lwapp2scg.

5. Enter policy accept-all.

You have completed enabling the LWAPP2SCG application on the controller.

126 Messages

 • 

2.4K Points

5 years ago

Hi, probably one of 2 reasons:
1. From some version (I think 3.2) you need additional ports to be opened on the firewall for firmware download (16384-65000 TCP). When the AP is already initially connected to v-SZ (and has the proper v-SZ image), it works without trouble, but a firmware upgrade to the next version will fail.
2. If you have out-of-box APs which have been delivered for use with ZD, you need both Ruckus vendor options on DHCP, directing to the same v-SZ IP. ZD APs are interested in one option, v-SZ in the second. So in the beginning an AP with the universal image gets the v-SZ IP as a ZD IP, contacts v-SZ and gets converted.

Ports to be forwarded are:

443 TCP, 22 TCP, 91 TCP, 123 TCP, 1812-1813, TCP 23233 UDP, 23232 TCP, 80 TCP, 6868 TCP, 12223 TCP, 161 TCP, 21 TCP, 8080 TCP, 8443 TCP, 8099-8111 TCP, 9997-9998 TCP, 9080 TCP, 9443 TCP, 1143 TCP, UDP, 8090 TCP, 12223 TCP, 16384-65000 TCP.

Additional comment -- if the AP was in fact connected to ZD, even after factory reset, when connected to vSCG, it will not work properly. You need to reset it to factory default again after it gets v-SZ firmware, only then will it work properly.

Hope it helps,

Eizens
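To check the point about serving both Ruckus vendor sub-options with the same v-SZ IP, the following is an added example (not part of the original posts, and not Ruckus code) that builds and validates a DHCP option 43 payload carrying sub-options 03 and 06. It assumes each sub-option is a code/length/value triple whose value is a single IP address written as ASCII text; the address 203.0.113.10 and all function names are constructed for illustration.

```python
import ipaddress

# Sub-option codes mentioned in the thread (03 and 06 inside DHCP option 43).
REQUIRED_SUBOPTIONS = (3, 6)

def build_option43(controller_ip, codes=REQUIRED_SUBOPTIONS):
    """Encode code/length/value sub-options. Assumption: value is the IP as ASCII text."""
    value = controller_ip.encode("ascii")
    return b"".join(bytes([code, len(value)]) + value for code in codes)

def parse_option43(payload):
    """Split an option 43 payload into {code: value bytes}, rejecting malformed TLVs."""
    subopts, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError(f"truncated sub-option header at offset {i}")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} declares {length} bytes, {len(value)} present")
        subopts[code] = value
        i += 2 + length
    return subopts

def check_option43(payload, expected_ip):
    """Return a list of problems; an empty list means 03 and 06 both point at expected_ip."""
    try:
        subopts = parse_option43(payload)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for code in REQUIRED_SUBOPTIONS:
        if code not in subopts:
            problems.append(f"sub-option {code:02d} missing")
            continue
        try:
            # Assumption: one ASCII address per sub-option, not raw 4-byte binary.
            ip = ipaddress.ip_address(subopts[code].decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            problems.append(f"sub-option {code:02d} is not an ASCII IP address")
            continue
        if ip != ipaddress.ip_address(expected_ip):
            problems.append(f"sub-option {code:02d} points to {ip}, not {expected_ip}")
    return problems
```

Feeding it the option 43 bytes seen in a packet capture of the DHCP offer shows whether the DHCP server really hands out both sub-options in the form assumed here.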


333 Messages

 • 

5.1K Points

Firewall ports are as follows:


Note: Taken from SCG/vSZ-H 3.2 Administrator Guide

27 Messages

 • 

510 Points

5 years ago

All required Ports are opened/forwarded to the vSZ.

LWAPP2SCG is active for all APs.

We configured 03 as well as 06 in DHCP option 43.

Here is a picture of our configuration:


But it still does not work...

333 Messages

 • 

5.1K Points

5 years ago

APs in this environment need to use Ruckus GRE and a GRE Tunnel Profile:

Zone Config Example


Ruckus GRE Profile Example


I have had this working but my data plane on the SCG had a public facing IP and the APs pointed to that IP.

Note: the Ruckus GRE Profile needs to be configured prior to choosing it in the zone.

As a side measure I would recommend that you sniff to see what's happening with the LWAPP frame from the AP, i.e. is the AP sending one, as I have seen it before when certain APs don't and you have to factory reset them in this case.

Also sniff the SCG data plane and see if the SCG is receiving the LWAPP frame and what is happening with it when received, if it's being received at all.

Good luck

27 Messages

 • 

510 Points

I thought GRE is just important for tunneling all traffic between AP and v-SZ and not the initial connection itself.
I will try to sniff the lwapp frames though. 

Thanks for your help!