Connection between AP and vSZ

  • Question
  • Updated 1 year ago
The vSZ runs on a server with a public IP. Once a new AP is added to the customer's network with a 100.... firmware, it cannot connect to the vSZ via the public IP.

We tried

  • DHCP option 43 as described in https://support.ruckuswireless.com/answers/000003197
  • manually adding the director IP (set director ip x.x.x.x) on the AP

but the AP doesn't connect and/or performs no firmware update.

When we first connect the AP internally to the vSZ and move the AP to the appropriate zone, it will work at the customer's network.

Did we miss something, or are we doing it wrong?

Patrick


Posted 1 year ago

Sean

Is the AP behind a NAT?

Also, have you enabled the discovery agent on the AP?
set discovery-agent enabled

Patrick

Hi,

Thanks for the replies.

The APs are behind a NAT router (local IP 192.168.101.x). We tried "set discovery-agent enabled" without success. The vSZ is behind a firewall, but the ports are forwarded/open (telnet 22/443 test ok).

Sean

What about the LWAPP ports?

UDP 12222
UDP 12223

Also, when APs are behind a NAT you need to use Ruckus GRE.

Is the public IP on the SZ configured on the Data Plane?

Martin, Official Rep

Good questions Sean.
And do you have any firewall in front of the vSZ? Are the correct ports open?

Kind regards
Martin

Bernie Reynoso

Have you applied this to the controller?

Enabling LWAPP2SCG

If the LWAPP2SCG application is pre-installed but disabled in your controller release, do the following to enable it:

1. Log on to the controller’s console.
2. Enter en to enable privileged mode.
3. Enter config.
4. Enter lwapp2scg.
5. Enter policy accept-all.

You have completed enabling the LWAPP2SCG application on the controller.

Eizens Putnins

Hi, probably one of 2 reasons:
1. From some version (I think 3.2) you need additional ports to be opened on the firewall for firmware download (16384-65000 TCP). When the AP is already initially connected to the v-SZ (and has the proper v-SZ image), it works without trouble, but a firmware upgrade to the next version will fail.
2. If you have out-of-box APs which have been delivered for use with ZD, you need both Ruckus vendor options on DHCP, directing to the same v-SZ IP. ZD APs are interested in one option, v-SZ in the second. So in the beginning an AP with the universal image gets the v-SZ IP as a ZD IP, contacts the v-SZ and gets converted.

Ports to be forwarded are:

443 TCP, 22 tcp, 91 tcp, 123 tcp, 1812-1813, tcp 23233  udp, 23232  Tcp, 80 tcp, 6868 tcp, 12223 Tcp, 161 Tcp, 21 Tcp, 8080 Tcp, 8443 Tcp, 8099-8111 Tcp, 9997-9998 Tcp, 9080 Tcp, 9443 Tcp, 1143 Tcp,  udp,   8090 Tcp,  12223 Tcp, 16384-65000 Tcp.

Additional comment -- if the AP was in fact connected to a ZD, even after a factory reset, when connected to vSCG, it will not work properly. You need to reset it to factory default again after it gets the v-SZ firmware; only then will it work properly.

Hope it helps,

Eizens


Sean

Firewall ports are as follows:


Note: Taken from SCG/vSZ-H 3.2 Administrator Guide

Patrick

All required Ports are opened/forwarded to the vSZ.

LWAPP2SCG is active for all APs.

We configured 03 as well as 06 in DHCP option 43.

Here is a picture of our configuration:


But it still does not work...
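
Added example, not part of any post in this thread: a Python check that a DHCP option 43 payload carries both sub-options discussed above (03 for ZoneDirector, 06 for vSZ) and that both list the same controller IP. The ASCII value encoding, the function names and the sample address are assumptions of this example.

```python
import ipaddress

SUBOPT_ZD, SUBOPT_SZ = 3, 6  # the "03" and "06" sub-options named in the thread


def encode_option43(subopts):
    """Build the option 43 payload from {code: [ip, ...]} as code/length/value."""
    out = bytearray()
    for code, ips in subopts.items():
        # Assumption: the value is the comma-separated address list as ASCII text.
        value = ",".join(str(ipaddress.ip_address(ip)) for ip in ips).encode("ascii")
        out += bytes([code, len(value)]) + value
    if len(out) > 255:
        raise ValueError("option 43 payload exceeds 255 bytes")
    return bytes(out)


def decode_option43(payload):
    """Parse a payload into {code: [ip, ...]}; ValueError on malformed input."""
    found, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code:02d} shorter than its length byte")
        ips = value.decode("ascii").split(",")
        for ip in ips:
            ipaddress.ip_address(ip)  # raises ValueError on a bad address
        found[code] = ips
        i += 2 + length
    return found


def check_universal_ap(payload, controller_ip):
    """List what is wrong for the 'both sub-options, same controller IP' setup."""
    found = decode_option43(payload)
    problems = []
    for code in (SUBOPT_ZD, SUBOPT_SZ):
        if code not in found:
            problems.append(f"sub-option {code:02d} missing")
        elif controller_ip not in found[code]:
            problems.append(f"sub-option {code:02d} does not list {controller_ip}")
    return problems


# Constructed sample: 203.0.113.10 is a documentation address, not from the thread.
SAMPLE = encode_option43({SUBOPT_ZD: ["203.0.113.10"], SUBOPT_SZ: ["203.0.113.10"]})
print(SAMPLE.hex(), check_universal_ap(SAMPLE, "203.0.113.10"))
```

Feeding it the hex string actually configured on the DHCP server (via `bytes.fromhex`) shows whether a length byte or a missing sub-option is the reason an out-of-box AP never learns the controller address.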

Sean

APs in this environment need to use Ruckus GRE and a GRE Tunnel Profile:

Zone Config Example


Ruckus GRE Profile Example


I have had this working, but my data plane on the SCG had a public-facing IP and the APs pointed to that IP.

Note: the Ruckus GRE Profile needs to be configured prior to choosing it in the zone.

As a side measure I would recommend that you sniff to see what's happening with the lwapp frame from the AP, i.e. is the AP sending one, as I have seen it before when certain APs don't and you have to factory reset them in this case.

Also sniff the SCG data plane and see if the SCG is receiving the lwapp frame and what is happening with it when received, if it's being received at all.

Good luck

Patrick

I thought GRE is just important for tunneling all traffic between AP and v-SZ and not the initial connection itself.
I will try to sniff the lwapp frames though.

Thanks for your help!