ICX switch is not registering to SZ100

  • Question
  • Updated 8 months ago
Hi all,

I'm quite new to configuring Ruckus products and new to configuring a smartzone in general and I'm having a little trouble getting my 7150 ICX switch to register to our SZ100.

The switch I'm using has two lag ports and has multiple vlans. Our sz100 is in a separate vlan from the virtual interface (maybe that has something to do with it), so if anybody can see what's wrong, please let me know.

Here is my config so far:
!
ver 08.0.91T213
!
stack unit 1
  module 1 icx7150-24p-poe-port-management-module
  module 2 icx7150-2-copper-port-2g-module
  module 3 icx7150-4-sfp-plus-port-40g-module
  stack-port 1/3/1
  stack-port 1/3/3
!
!
global-stp
!
lag NOC-UPLINK dynamic id 2
 ports ethe 1/1/23 to 1/1/24
!
!
!
vlan 1 name DEFAULT-VLAN by port
 spanning-tree
!
vlan 15 name NOC-Servers by port
 tagged lag 2
 untagged ethe 1/1/1
 spanning-tree
!
vlan 100 name Office-Net-MGMT by port
 tagged lag 2
 router-interface ve 2
 spanning-tree
!
vlan 200 name Office-Net-DATA by port
 tagged lag 2
 untagged ethe 1/1/2 ethe 1/1/10 to 1/1/12
 spanning-tree
!
vlan 300 name Office-Net-Voice by port
 tagged lag 2
 untagged ethe 1/1/3 to 1/1/9
 spanning-tree
!
!
!
!
!
!
!
!
!
!
!
!
!
aaa authentication web-server default local
aaa authentication login default local
console timeout 5
enable aaa console
enable user disable-on-login-failure 10
enable user password-masking
hostname NOC-ICX7150-24p
ip dhcp-client disable
ip route 0.0.0.0/0 10.1.10.1
!
username super password .....
username pngadmin password .....
username netmgmt password .....
username velofiadmin password .....
!
cdp run
fdp run
!
!
!
!
ntp
 source-interface ve 2
 server 10.1.10.1
!
!
no web-management http
!
!
sz registrar
sz active-list 10.1.12.11
!
!
!
!
!
!
!
!
!
interface ethernet 1/3/1
 speed-duplex 1000-full
!
interface ethernet 1/3/2
 speed-duplex 1000-full
!
interface ethernet 1/3/3
 speed-duplex 1000-full
!
interface ethernet 1/3/4
 speed-duplex 1000-full
!
interface ve 2
 ip address 10.1.10.3 255.255.254.0
!
!
!
!
!
!
!
!
!
!
!
!
end

Here is an SZ log:

NOC-ICX7150-24p(config)#sh sz logs
Start i/max/iter 270/512/2
Oct 24 09:03:05:https_connmgr_send_request>Entered.
Oct 24 09:03:05:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, TIMER/2002 RC: 1
Oct 24 09:03:20:sz_execute_state_machine>Entering with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007
Oct 24 09:03:20:sz_parse_sz_query_response -- Status: 600 <<
Oct 24 09:03:20:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007 RC: 1
Oct 24 09:03:20:HTTP Request Error:Http remote connection close called.
Oct 24 09:08:20:sz_execute_state_machine>Entering with state/event: SZ QUERY/5, TIMER/2002
Oct 24 09:08:20:

And according to the sz status, there is no connection and all attempts have failed.

If you need any other information, please let me know.

Thanks!
Hailey Bjorndahl

Posted 8 months ago

Abi

Hi Hailey,

Did you create a new switch group and move your switch to that newly created group from the default group?

If it's not done, then please try creating a new switch group and move the switch to this newly created group; the switch should show on SZ100.

I hope there is connectivity from SZ100 to the switch; if there is, then there shouldn't be any issue.

Regards,
Abilash PR.

Hailey Bjorndahl
Abi,

There is connectivity between the SZ100 and the switch. I have created a group for the switch, but it's not showing up in either the default or the new group. I think it's just not registering at all.

Jeff T

Can you run "show sz status" from the switch?

Does SSH Tunnel Status show Established?


Hailey Bjorndahl
The SSH tunnel status shows Not Initiated.

Jeff T
I see you have the sz active-list server-ip in the config.

Run this command from the switch CLI:
dm verify-device-certs

You should see one of two responses:

1 -> Good
Commencing sanity check for device certs ...
Verifying TPM (or non-TPM) Platform ...
Successfully verified
The device key pair is valid
The Encrypt/Decrypt test is successful
Successfully verified device certs


2-> Bad
Commencing sanity check for device certs ...
Verifying TPM (or non-TPM) Platform ...
Successfully verified
Error: Failed to rad PEM PrivateKey, key file might be corrupted..!!
Error:  The device key pair is not valid..!!


If 1), you should be able to join SZ (may need non-tpm-switch-cert-validate executed on the switch).

If 2), the device key is corrupt and will need to be restored. Run the following two commands:
config terminal
(config)# crypto device-key-zeroize
(config)# crypto device-cert-zeroize

Then reload the device.

Hailey Bjorndahl
Thank you for your response.

I got the 1st one, with "The Encrypt/Decrypt test is successful".

I believe that non-tpm-switch command is meant for 7250s and up. The 7150 should have it embedded already, is that correct?

Edit: I have just learned that the switch is not talking to the SZ. Attempted to ping 10.1.12.11 and got no reply.

The IP address of the switch is 10.1.10.3, a different subnet. Could this be the problem? If so, what would be the best approach to getting them to talk?

Thanks
(Edited)

Hashim Bharoocha, Employee
Hi Glenn,

That is one issue: if you cannot communicate between the ICX and SmartZone, it will not work.
You need to connect your SmartZone to a port on the ICX where it has IP connectivity.

Add the port going to SmartZone to VLAN 100 and it should work.

Hope this helps.

Thanks
Hashim

Jijo Panangat, Employee
Hi Glen,

You can designate the GW router to route to the 10.1.12.xx subnet to have reachability.
Also note that when SmartZone or ICX devices are behind NAT, be sure to forward TCP ports 443 and 22 through NAT.



Hailey Bjorndahl
Jijo,

Thank you for your advice. I added a policy to the GW and it worked like a charm! The switch is talking to the smartzone!

Thanks for the advice everyone!
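
Added example, not part of the original thread: a Python check of the root cause found above, run against a constructed excerpt of the routing-relevant lines from the posted config. It shows that 10.1.12.11 lies outside the ve 2 subnet (10.1.10.0/23), so registration depends on the gateway 10.1.10.1 routing to the SmartZone and passing TCP 443 and 22; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the routing-relevant lines of the config posted in the thread.
SAMPLE_CONFIG = """\
ip route 0.0.0.0/0 10.1.10.1
sz registrar
sz active-list 10.1.12.11
interface ethernet 1/3/4
 speed-duplex 1000-full
interface ve 2
 ip address 10.1.10.3 255.255.254.0
"""

REQUIRED_TCP_PORTS = (443, 22)  # ports named in the thread for the switch-to-SmartZone path


def parse_config(text):
    """Return (ve interfaces, default gateway, SmartZone addresses) from a running-config."""
    interfaces, gateway, sz_targets, current = {}, None, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("interface "):
            m = re.fullmatch(r"interface (ve \d+)", line)
            current = m.group(1) if m else None  # only track routed VE interfaces
        elif current and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            interfaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.fullmatch(r"ip route 0\.0\.0\.0/0 (\S+)", line):
            gateway = ipaddress.ip_address(m.group(1))
        elif m := re.fullmatch(r"sz active-list (.+)", line):
            sz_targets += [ipaddress.ip_address(tok) for tok in m.group(1).split()]
    return interfaces, gateway, sz_targets


def assess(text):
    """Classify each SmartZone address as on-link, routed via the gateway, or unreachable."""
    interfaces, gateway, sz_targets = parse_config(text)
    findings = []
    for sz in sz_targets:
        onlink = [name for name, ifc in interfaces.items() if sz in ifc.network]
        if onlink:
            findings.append((str(sz), "on-link", onlink[0]))
        elif gateway is not None and any(gateway in i.network for i in interfaces.values()):
            findings.append((str(sz), "routed", str(gateway)))  # gateway must know the SZ subnet
        else:
            findings.append((str(sz), "unreachable", None))
    return findings


if __name__ == "__main__":
    for sz, verdict, via in assess(SAMPLE_CONFIG):
        print(f"{sz}: {verdict} via {via}; path must pass TCP {REQUIRED_TCP_PORTS}")
```

A "routed" verdict only says the switch will hand the traffic to its gateway; whether the gateway forwards it to the SmartZone subnet and back is what the policy added in the last post resolved.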