failed to connect ICX 7150 to SZ

  • 2
  • Question
  • Updated 10 months ago
  • Answered
Hi,
i have installed an ICX7150-C12-2X1G POE 12-port - Version:10.1.15T225
and i am trying to connect it to my Smartzone vSZ-H - 5.1.1.0.598

i have followed the guide and configure the switch with the "sz Active-list command
and i have verified there is connectivity between both devices on all ports, but this doesnt seem to work for me


[email protected]#show sz status

============    SZ Agent State Info     ===================
Config Status: None     Operation Status: Enabled
State: SZ QUERY             Prev State: INIT                 Event: SZ QUERY RESPONSE

SWR List            : None
Active List         : 10.31.3.8
DHCP Option 43      : No
DHCP Opt 43 List    : None
Passive List        : None
Merged List         : 10.31.3.8
Merged Idx: 0    IP : 10.31.3.8
Switch registrar host: sw-registrar.ruckuswireless.com
Switch registrar discovery retry count: 7
Switch registrar host resolve failure count: 7

SZ IP Used          : 10.31.3.8
SZ Query Status     :
        In Progress. Response Not Received.

sz logs
-------------------------
Jan  1 19:48:35:https_connmgr_send_request>Entered.
Jan  1 19:48:35:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, TIMER/2002 RC: 1
Jan  1 19:48:35:sz_execute_state_machine>Entering with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007
Jan  1 19:48:35:sz_parse_sz_query_response -- Status: 600 <<
Jan  1 19:48:35:sz_fsm_sz_query_state>Moving to IP:10.31.3.8 because of retry count: 36
Jan  1 19:48:35:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007 RC: 1
Jan  1 19:48:35:HTTP Request Error:Http remote connection close called.


any ideas? thanks.


Photo of tomer iyar

tomer iyar

  • 15 Posts
  • 0 Reply Likes

Posted 1 year ago

  • 2
Photo of Nik Kul

Nik Kul

  • 15 Posts
  • 1 Reply Like
Did you create new SwitchGroup in SmartZone?
Photo of tomer iyar

tomer iyar

  • 15 Posts
  • 0 Reply Likes
no,
but i have just did, is there something else i should do?
thanks for the reply.
Photo of Nik Kul

Nik Kul

  • 15 Posts
  • 1 Reply Like
I created new SwitchGroup and added my switch in it. That's all.
Photo of tomer iyar

tomer iyar

  • 15 Posts
  • 0 Reply Likes
i see, in my case it fails to be added to SZ so i am before the stage of moving between groups
Photo of Jijo Panangat

Jijo Panangat, Employee

  • 69 Posts
  • 25 Reply Likes
You may create a switch registration rule  and move the switch to non default group first and try joining. Also have clock or ntp set on ICX.
Photo of tomer iyar

tomer iyar

  • 15 Posts
  • 0 Reply Likes
configured switch registration rule  and time  , still fail to connect.
thanks.
Photo of Simon

Simon, Employee

  • 101 Posts
  • 52 Reply Likes
Check the SZ, the switch is probably in the Default switch group, it will fully connect once you have moved it to the group you created.
Photo of tomer iyar

tomer iyar

  • 15 Posts
  • 0 Reply Likes
it is not added to the SZ,
the state stuck on SZ Query and it appears to fail to get a response,
so its not added :\
thanks.
Photo of Simon

Simon, Employee

  • 101 Posts
  • 52 Reply Likes
Your switch should be running the latest version 8.0.90 software and it should have been upgraded using the UFI image (see the 8.0.90 release notes for details). 
Photo of tomer iyar

tomer iyar

  • 15 Posts
  • 0 Reply Likes
this is my SW version - SW: Version 08.0.90bT211
appears to be updated

Photo of Simon

Simon, Employee

  • 101 Posts
  • 52 Reply Likes
When you do show version does it look like this: 

  Copyright (c) Ruckus Networks, Inc. All rights reserved.
    UNIT 1: compiled on May 23 2019 at 23:27:11 labeled as SPS08090b
      (28596544 bytes) from Primary SPS08090b.bin (UFI)
        SW: Version 08.0.90bT211

If the (UFI) is missing then you will need to redo the upgrade with the UFI image.
Photo of tomer iyar

tomer iyar

  • 15 Posts
  • 0 Reply Likes
I've got the UFI

[email protected]#show version
  Copyright (c) Ruckus Networks, Inc. All rights reserved.
    UNIT 1: compiled on May 23 2019 at 23:27:11 labeled as SPS08090b
      (28596544 bytes) from Primary SPS08090b.bin (UFI)
        SW: Version 08.0.90bT211
      Compressed Primary Boot Code size = 786944, Version:10.1.15T225 (mnz10115)
       Compiled on Thu Jan 31 09:08:55 2019

  HW: Stackable ICX7150-C12-POE

Photo of eric brement

eric brement

  • 2 Posts
  • 1 Reply Like
Hi ,
have ICX valid licence on SZ ? In 5.0 version ICX licence it is not mandatory
Photo of tomer iyar

tomer iyar

  • 15 Posts
  • 0 Reply Likes
my license is still valid

CAPACITY-SWITCH-BUNDLED
Ruckus-Cluster-1
 
Permanent
1
Default Switch Capacity License for vSZ



Photo of Simon

Simon, Employee

  • 99 Posts
  • 52 Reply Likes
Try removing the switch registrar configuration, it's not needed and may be causing an issue. command is; no sz registrar 

And I assume that you can ping the SZ from the switch. 
Photo of tomer iyar

tomer iyar

  • 15 Posts
  • 0 Reply Likes
removed it still no response,
the SZ is reachable

when i run the "show sz logs"

{"serial_number":"XXXXXXXX", "ipaddress":"10.31.3.210", "macaddress":"XXXXXXXXX", "switch/stack/spx":"stack", "numOfUnits":2, "firmware_version":"SPS08090b.bin", "switch_model":"ICX7150-C12P"}
==============

Jul 11 18:06:29:https_connmgr_send_request>Entered.
Jul 11 18:06:29:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, TIMER/2002 RC: 1
Jul 11 18:06:29:sz_execute_state_machine>Entering with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007
Jul 11 18:06:29:sz_parse_sz_query_response -- Status: 600 <<
Jul 11 18:06:29:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007 RC: 1
Jul 11 18:06:29:HTTP Request Error:Http remote connection close called.
End i/max/iter 436/436/0


Photo of Simon

Simon, Employee

  • 99 Posts
  • 52 Reply Likes
Looking at this it appears that your compact switch is stacked;

{"serial_number":"XXXXXXXX", "ipaddress":"10.31.3.210", "macaddress":"XXXXXXXXX", "switch/stack/spx":"stack", "numOfUnits":2, "firmware_version":"SPS08090b.bin", "switch_model":"ICX7150-C12P"}


As your SZ only has a license for one switch then this is a problem, for your config you will need two switch licenses on the SZ.
Photo of Hashim Bharoocha

Hashim Bharoocha, Employee

  • 78 Posts
  • 40 Reply Likes
Hey Tomer,

Please get outputs of:
"show tech"
"show ntp status."
"dm verify-device-certs"
"show License"

Thanks
Hashim
Photo of tomer iyar

tomer iyar

  • 15 Posts
  • 0 Reply Likes
Hi,
[email protected]#show license
Unit  License Name    L3 Premium Port Speed Upgrade   Speed    Ports    MACsec
1     2X10GR          Yes        Yes                  10G      2        NA


[email protected]#dm verify-device-certs
Commencing sanity check for device certs ...
Verifying TPM files ...
Successfully verified
The device key pair is valid
The Encrypt/Decrypt test is successful
Successfully verified device certs

[email protected]#show ntp status
 Clock is unsynchronized, no reference clock
 NTP server mode is disabled, NTP client mode is disabled
 NTP master mode is disabled, NTP master stratum is 8
 NTP is not in panic mode


and the tech support is has very long output but this seems relevant - 
Jan  1 20:38:20:I:System: SSL server 10.31.3.8:443 is disconnected
Jan  1 20:38:05:I:SZAgent: Failed to connect to management device at 10.31.3.8 Error: HTTPS Connection Error

thanks.
Photo of Jijo Panangat

Jijo Panangat, Employee

  • 138 Posts
  • 42 Reply Likes
Please configure ntp, you may use public servers if you dont have one in-house.
Photo of Simon

Simon, Employee

  • 101 Posts
  • 52 Reply Likes
With reference to my last comment; what does the show stack output look like?
Photo of tomer iyar

tomer iyar

  • 15 Posts
  • 0 Reply Likes

[email protected]#show stack
T=4d18h28m19.4: alone: standalone, D: dynamic cfg, S: static
ID   Type          Role    Mac Address    Pri State   Comment
1  S ICX7150-C12P  alone   c0c5.2091.5df1   0 local   None:0
2  S ICX7150-48P   member  0000.0000.0000   0 reserve


     +---+
  3/1| 1 |3/2
     +---+
Current stack management MAC is d4c1.9e9a.f0f4

Photo of Simon

Simon, Employee

  • 101 Posts
  • 52 Reply Likes
You need to remove the stack configuration from the 7150-C12P with the stack unconfigure command 

Your SZ only has a single switch license and your 7150 is identifying itself as a two switch stack so the SZ will not let it join as there is not sufficient license capacity.  Alternatively add switch management licenses to the SZ. 

Your show stack output needs to look like this;

***** Warning! stack is not enabled. *****

T=50m46.8: alone: standalone, D: dynamic cfg, S: static
ID   Type          Role    Mac Address    Pri State   Comment
1  S ICX7150-C12P alone   d4c1.9e29.0d09   0 local   None:0


     +---+
  3/1| 1 |3/2
     +---+
Current stack management MAC is d4c1.9e29.0d09


Photo of tomer iyar

tomer iyar

  • 15 Posts
  • 0 Reply Likes
done,

[email protected]#show stack

***** Warning! stack is not enabled. *****

T=4d19h25m58.2: alone: standalone, D: dynamic cfg, S: static
ID   Type          Role    Mac Address    Pri State   Comment
1  S ICX7150-C12P  alone   c0c5.2091.5df1   0 local   None:0
2  S ICX7150-48P   member  0000.0000.0000   0 reserve


     +---+
  3/1| 1 |3/2
     +---+
Current stack management MAC is d4c1.9e9a.f0f4


still not connecting 
Photo of Simon

Simon, Employee

  • 101 Posts
  • 52 Reply Likes
What does the show sz logs look like now?
Photo of tomer iyar

tomer iyar

  • 15 Posts
  • 0 Reply Likes

Build String: size 205
============
{"serial_number":"FEK3210Q06M", "ipaddress":"10.31.3.210", "macaddress":"d4:c1:9e:9a:f0:f4", "switch/stack/spx":"switch", "numOfUnits":2, "firmware_version":"SPS08090b.bin", "switch_model":"ICX7150-C12P"}
==============

Jul 15 15:31:27:https_connmgr_send_request>Entered.
Jul 15 15:31:27:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, TIMER/2002 RC: 1
Jul 15 15:31:27:sz_execute_state_machine>Entering with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007
Jul 15 15:31:27:sz_parse_sz_query_response -- Status: 600 <<
Jul 15 15:31:27:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007 RC: 1
Jul 15 15:31:27:HTTP Request Error:Http remote connection close called.
End i/max/iter 438/438/0

Photo of Simon

Simon, Employee

  • 101 Posts
  • 52 Reply Likes
The switch is still declaring itself as two units;

{"serial_number":"FEK3210Q06M", "ipaddress":"10.31.3.210", "macaddress":"d4:c1:9e:9a:f0:f4", "switch/stack/spx":"switch", "numOfUnits":2, "firmware_version":"SPS08090b.bin", "switch_model":"ICX7150-C12P"}

The second switch needs to be removed from the config.

It might be worth resetting the C12P to factory default and starting again, whichever is easiest for you.



Photo of Hashim Bharoocha

Hashim Bharoocha, Employee

  • 78 Posts
  • 40 Reply Likes
hey Tomer,
So one thing is issue with NTP,  We need NTP for the certificates not work.

What about:
"dm verify-device-certs"
"show License"

Thanks
Hashim

Photo of RF0V1K

RF0V1K

  • 10 Posts
  • 4 Reply Likes
I'm having an issue connecting my ISC 7450 switch to my vSZ. I think the issue is because I dont have a legit certificate on my vSZ as I see this error in my connection logs. Is it possible to override this cert check for my homelab use? I'm keen to resolve this soon as Id like to experiment with this feature before my complimentary switch license period expires. 

Dec 27 22:36:45:I:SZAgent: Failed to connect to management device at 192.168.10.19 Error: HTTP Response Code 400
In case Im wrong, other details that look pertinent to the issue include 

dm verify-device-certs
Commencing sanity check for device certs ...
Verifying files on Non-TPM Platform ...
Successfully verified
The device key pair is valid
The Encrypt/Decrypt test is successful
Successfully verified device certs


show license
Unit  License Name    L3 Premium Port Speed Upgrade   Speed    Ports    MACsec
1     l3-prem-macsec  Yes        NA                   NA       NA       Yes


[email protected]#show stack

***** Warning! stack is not enabled. *****

T=5d1h48m0.7: alone: standalone, D: dynamic cfg, S: static
ID   Type          Role    Mac Address    Pri State   Comment
1  S ICX7450-32ZP  alone   609c.9f1d.dc90   0 local   None:0


     +---+
  4/1| 1 |
     +---+
Current stack management MAC is 609c.9f1d.dc90


show ntp status
 Clock is synchronized, stratum 3, reference clock is 192.168.10.1
 precision is 2**-16
 reference time is 3786812526.1705005662 (12:22:06.1705005662 GMT-08 Tue Dec 31 2019)
 clock offset is 1.2229 msec, root delay is 0.8835 msec
 root dispersion is 21.5554 msec,  peer dispersion is 12.5557 msec
 system poll interval is 64,  last clock update was 143 sec ago
 NTP server mode is disabled, NTP client mode is enabled
 NTP master mode is disabled, NTP master stratum is 8
 NTP is not in panic mode

Dec 31 12:06:11:https_connmgr_send_request>Entered.
Dec 31 12:06:11:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, TIMER/2002 RC: 1
Dec 31 12:06:14:sz_execute_state_machine>Entering with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007
Dec 31 12:06:14:sz_parse_sz_query_response -- Status: 400 <<
Dec 31 12:06:14:sz_fsm_sz_query_state>Moving to IP:192.168.10.19 because of retry count: 12
Dec 31 12:06:14:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007 RC: 1
Dec 31 12:06:29:sz_execute_state_machine>Entering with state/event: SZ QUERY/5, TIMER/2002
Dec 31 12:06:29:

Build String: size 206
============
{"serial_number":"xxxxxxxxxxxx", "ipaddress":"192.168.10.7", "macaddress":"60:9c:9f:1d:dc:90", "switch/stack/spx":"switch", "numOfUnits":1, "firmware_version":"SPR08090d.bin", "switch_model":"ICX7450-32ZP"}
==============



Photo of RF0V1K

RF0V1K

  • 10 Posts
  • 4 Reply Likes
Solved my problem, more RTFM'ing needed. For anyone else getting stuck the command needed to be entered into SZ is non-tpm-switch-cert-validate as documented here http://docs.ruckuswireless.com/smartzone/5.0/sz100-vsze-administrator-guide/GUID-E963118F-F9C6-44EF-...

this is how my sz status looks now

[email protected]#show sz status

============    SZ Agent State Info     ===================
Config Status: None	Operation Status: Enabled
State: SZ SSH CONNECTED     Prev State: SZ SSH CONNECTING    Event: NONE

SWR List            : None
Active List         : 192.168.10.19
DHCP Option 43      : No
DHCP Opt 43 List    : None
Passive List        : None
Merged List         : 192.168.10.19
Merged Idx: 0    IP : 192.168.10.19

SZ IP Used          : 192.168.10.19
SZ Query Status     :
	Response Received

SSH Tunnel Status - :
 Tunnel Status     : Established
 CLI IP/Port       : 127.255.255.253/27612
 SNMP IP/Port      : 127.255.255.254/50027
 Syslog IP/Port    : 127.0.0.1/20514
 HTTP SERVER IP/Port: 127.255.255.252/52633
 HTTP CLIENT IP/Port: 127.0.0.1/5080

Timer Status        : Not Running