How to troubleshoot Access Point (AP) connectivity with different RUCKUS Wireless Controller solutions

Summary

This document provides a comprehensive guide to troubleshoot a connection between Access Points (AP) and Controller/Cloud. It includes necessary steps, troubleshooting tips, and resolution methods.

Question

How to troubleshoot AP connectivity with ZD, SZ, R1 or Unleashed Network?

Customer Environment

Virtual SmartZone (vSZ). SmartZone-144 (SZ-144). SmartZone-100 (SZ-100). SmartZone-300 (SZ-300). ZoneDirector-1200 (ZD-1200). Ruckus One (R1). Unleashed.

Symptoms

Access Point failing to discover the RUCKUS Wireless Controller?
Access Point getting CONN_GET_ADDR_STATE and DISC_REQ_STATE messages.
 

Troubleshooting Steps

First, let's understand the communication process between the RUCKUS Access Point with RUCKUS Wireless Controller using this flow diagram

User-added image
 

Now, let's look into troubleshooting for each RUCKUS Controller solution.


SmartZone and Virtual-SmartZone

User-added image  User-added image

1. Power Supply to AP: Is the AP receiving sufficient power from the PoE injector or switch? To understand the power requirement of specific AP models, refer the official AP model datasheet at support.ruckuswireless.com.
2. AP Mode: Ensure that the AP is in Solo (Standalone) mode before connecting to SZ.
3. Verifying AP-SZ Connectivity: Can the AP ping the SZ (either the control interface or NAT IP) and vice versa? This is the first step in diagnosing connectivity issues.
3. License Availability: Check if the SZ has available AP licenses to support the AP.
4. AP Model Compatibility: Check if the AP model is supported on the SZ. This can be verified through the release note or upgrade guide of the SZ version.
5. Default Zone Firmware Compatibility: For vSZ-E, SZ-144, SZ-104, or SZ-124, verify if the 'Default Zone' firmware version supports the AP model.
6. Country Code Compatibility: Ensure that the SZ and AP are using compatible country codes.
7. Verifying AP Joining SZ: Use the following command on the AP to verify if it joins the SZ:

# set scg ip <SZ Control IP>

8. Checking Firewall/ACL Permissions: Ensure that both TCP 443 and TCP 22 are permitted on all firewalls/ACLs between the AP management network and the SZ control interface. For a complete list of required ports between AP and SZ, refer to the official documentation here.
9. Collecting AP Logs: Collect the AP support log or the output of the following commands from the AP CLI:

# get rpki-cert issuer
# get rpki-cert validity
# get boarddata
# get scg
# fw sh all
# get syslog log
 
To generate and view the support log from the AP's CLI, use the following commands:
 
# support (to generate the log)
# support show (support log gets updated in putty. Take putty session)
 

RUCKUS One (Formerly known as RUCKUS Cloud)

User-added image
1. Power Supply to AP: Is the AP receiving sufficient power from the PoE injector or switch? To understand the power requirement of specific AP models, refer the official AP model datasheet at support.ruckuswireless.com.
2. AP Mode: Ensure that the AP is in Solo (Standalone) mode before connecting to the Cloud.
3. Verifying AP-Cloud Connectivity: Can the AP ping the appropriate device.ruckus.cloud?
Note: The domain varies based on the region. For example, device.ruckus.cloud is for the US region, device.eu.ruckus.cloud is for the European Region, and device.asia.ruckus.cloud is for the Asia Region.
4. License Availability: Check if the Cloud has available AP licenses to support the AP.
5. AP Serial Number Verification: Is the AP Serial Number added to the Cloud?
6. AP Model Compatibility: Check if the AP model is supported on the Cloud. Refer to the Ruckus One Supported Network Devices for verification here.
7. Verifying AP Joining Cloud: Use the following commands on the AP to verify if it joins the Cloud:
# set scg ip device.ruckus.cloud
# set acx ip device.ruckus.cloud

Note: The domain varies based on the region. For example, device.ruckus.cloud is for the US region, device.eu.ruckus.cloud is for the European Region, and device.asia.ruckus.cloud is for the Asia Region.
8. Checking Firewall Permissions: Verify if all the URLs and ports are allowed in a firewall for APs to contact the Cloud. Refer to the Ruckus One User Guide for more details here.
9. Collecting AP Logs: Collect the AP support log or the output of the following commands from the AP CLI:
 
# get rpki-cert issuer
# get rpki-cert validity
# get boarddata
# get scg
# get acx
# fw sh all
# get syslog log

To generate and view the support log from the AP's CLI, use the following commands:
 
# support (to generate the log)
# support show (support log gets updated in putty. Take putty session)
 

Unleashed

User-added image
1. Power Supply: Is the AP receiving sufficient power from the PoE injector or switch? To understand the power requirement of specific AP models, refer the official AP model datasheet at support.ruckuswireless.com.
2. Verifying Master AP and Member AP Connectivity: Verify if the member AP can ping the master AP and vice versa.
3. Firmware Consistency: Ensure that the firmware version of the member AP is the same or lower than that of the master AP.
4. Country Code Consistency: Confirm that the member AP and the master AP are using the same country codes.
5. Master AP IP Verification: To verify if the Member AP joins the Master AP, execute the following command on the AP: 
 
# set director ip <Master AP IP>
 
6. AP Support Log: Provide the AP support log or the output from the following commands executed in the AP CLI:
 
# get boarddata 
# fw sh all 
# get director 
# get syslog log
# get countrycode
# get discovery-agent
 
To generate the AP support log from the AP's CLI, use the following commands:
 
# support (to generate the log)
# support show (support log gets updated in putty. Save the putty session)
 

ZoneDirector (EoL)

User-added image
1. Power Supply to AP: Is the AP receiving sufficient power from the PoE injector or switch? To understand the power requirement of specific AP models, refer the official AP model datasheet at support.ruckuswireless.com.
2. AP Mode: Ensure that the AP model is in Solo (Standalone) mode before connecting to ZD.
3. Verifying AP-ZD Connectivity: Can the AP ping the ZD and vice versa? This is the first step in diagnosing connectivity issues.
4. License Availability: Check if the ZD has available AP licenses to support the AP.
5. AP Model Compatibility: Check if the AP model is supported on the ZD. This can be verified through the release note of the ZD version.
6. Country Code Compatibility: Ensure that the ZD and AP are using compatible country codes.
7. Verifying AP Joining ZD: Use the following command on the AP to verify if it joins the ZD:
 
# set director ip <ZD IP>

8. Checking Firewall/ACL Permissions: Ensure that ports 12222, 12223, 443, 22, 21 are permitted on all firewalls/ACLs between the AP management network and the ZD. Note that ports 12222 & 12223 are used for the LWAPP protocol.
9. Collecting AP Logs: Collect the AP support log or the output of the following commands from the AP CLI:
 
# get boarddata
# fw sh all
# get director
# get syslog log

To generate and view the support log from the AP's CLI, use the following commands:
 
# support (to generate the log)
# support show (support log gets updated in putty. Take putty session)
 

Resolution

SmartZone

1. First, confirm ICMP reachability between the AP and SZ by issuing the "ping" command from the AP CLI. If no response is received, check the Firewall/ACL rules protecting the SZ control IP and ensure that ICMP is permitted for the AP subnet. If a response is received, layer 3 reachability is confirmed and you may progress to layer 4 testing. 
On the AP CLI, issue the command: 
 
# get syslog log 

If a "Failed to send Discovery packet!" error is observed (as below), it indicates that the AP was unable to reach the SZ control IP on TCP 443. At this time it is important to check access to this port from the AP management subnet. 

Oct 14 08:15:29 AP02-LS-EG-Check-In daemon.err /usr/sbin/wsgclient[687]: httpRecv 277 http status is 0  
Oct 14 08:15:29 AP02-LS-EG-Check-In daemon.err /usr/sbin/wsgclient[687]: crHttpRequestWithAuth 564 ret:9798  
Oct 14 08:15:29 AP02-LS-EG-Check-In daemon.err /usr/sbin/wsgclient[687]: registration 390 Failed to send Discovery packet! ret:9798  

Finally, check if the SSH tunnel is up, by issuing the command: 
 
# get sshtunnel 

If the result indicates that the SSH service is enabled, yet no SSH tunnel exists, it may indicate a reachability issue from the AP to the SZ control IP on TCP 22. Please confirm reachability of port 22 toward the control IP of the SZ from the AP management network.  

2. Check the AP certificate output and see if “RuckusPKI” string is available or not using the command “get rpki-cert issuer” 
Refer to the New and Old authority examples: 
Updated/New certificate output: 
 
rkscli:  get rpki-cert issuer 
Issuer: RuckusPKI-DeviceSubCA-2 

Old certificate output: 
 
rkscli:  get rpki-cert issuer 
Issuer: Ruckus Wireless, Inc. 
 
If Ruckus Wireless is seen as the output, then on the SZ CLI disable the AP certificate check using the below command in the enable mode: 
 
#enable 
#config 
#no ap-cert-check 
 
If AP certificate command shows any error, please reach out to support. 
 
rkscli: get rpki-cert issuer 

Error opening Certificate /writable/data/webs-certs/cert.pem 
3069781056:error:02001002:system library:fopen:No such file or directory:bss_file.c:406:fopen('/writable/data/webs-certs/cert.pem','r') 
3069781056:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:408: 
unable to load certificate 
Error: unknown err code -1 


RUCKUS One (Cloud)

1. Confirm ICMP reachability between the AP and Cloud by issuing the "ping" command from the AP CLI.  
Check if the AP can ping ap-registrar.ruckuswireless.com? 
Next, verify if the required Ports and URLs are allowed in the Firewall for the communication between the AP management network and the Cloud. In addition, confirm AP has a DNS configured. 
2. Check the AP certificate output and see if “RuckusPKI” string is available or not using the command “get rpki-cert issuer” 
If "Ruckus Wireless" is seen as the output, please contact support with the .req file. 
If the AP certificate command shows any error, please reach out to support. 
 

Unleashed

1. Enabled 'discovery-agent' from AP CLI by executing the command 'set discovery-agent enable'. The member AP should start sending out discovery packets and join the Master AP.
2. Member APs should be on the same subnet or need to manually point the Master AP or use DHCP option 43.
3. Any new AP joining Unleashed Network should be on 200.x.x.x firmware.


ZoneDirector

1. Confirm ICMP reachability between the AP and ZD by issuing the "ping" command from the AP CLI. If no response is received, check the Firewall/ACL rules protecting the ZD control IP and ensure that ICMP is permitted for the AP subnet. If a response is received, layer 3 reachability is confirmed then make sure Ports12222 and 12223, 443, 22, 21 are permitted on all firewalls/ACLs between the AP management network and the ZD. 

 

NOTE: Check all the steps suggested in the Troubleshooting Section and provide this information to further investigate with Ruckus Support, if you cannot solve/isolate the issue. To reach out to support click here.

Article Number:
000014382

Updated:
October 09, 2024 01:25 PM (2 months ago)

Tags:
Configuration, Firmware, Installation, Troubleshooting, R720 UNL, SZ144, Ruckus Cloud WiFi, SZ300, virtual SmartCell Gateway, SZ100, ZoneDirector 1200

Votes:
0

This article is:
helpful
not helpful

Working...Please wait

This is here to prevent you from accidentally submitting twice.

The page will automatically refresh.

Alert!!

Close