ICX support on FIPS enabled SZ

Summary

FIPS enabled SZ can only support non-FIPS ICX switches, and cannot support FIPS ICX switches due to resource constraints

Question

How to manage ICX switches on FIPS enabled SZ?
Can we manage ICX switch with FIPS SKU in FIPS enabled SZ?

Customer Environment

SZ in FIPS version 5.2.1.3.1695
Non-FIPS ICX in 8095

Symptoms

Switches fail to discover SZ in FIPS
ICX-to-SZ connections fail on both port 443 and port 987

Root Cause

By default, SZ has ICX port management disabled

Troubleshooting Steps

Manually configured SZ IP on switch

ICX7550-24 Router#show sz status

============    MGMT Agent State Info     ===================
Config Status: None     Operation Status: Enabled
State: QUERY                Prev State: INIT                 Event: QUERY RESPONSE

SWR List            : None
Active List         : 10.177.89.141
DHCP Option 43      : No
DHCP Opt 43 List    : None
DNS Entry           : No
DNS IP              : None
Backup List         : None
Merged List         : 10.177.89.141
Switch registrar host: sw-registrar.ruckuswireless.com
Switch registrar discovery retry count: 994

SZ IP Used          : 10.177.89.141
Port List           : 987
Query Status        : In Progress. Response Not Received.


The SZ status will be stuck in "In Progress. Response Not Received"

In the SZ error.log, we see only 443 traffic, which is expected to be blocked

2025/06/02 13:56:33 [info] 12537#12537: *1273 SSL_do_handshake() failed (SSL: error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied:SSL alert number 49) while SSL handshaking, client: ::ffff:10.177.89.141, server: [::]:443
2025/06/02 13:56:33 [info] 12538#12538: *1274 SSL_do_handshake() failed (SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:SSL alert number 48) while SSL handshaking, client: ::ffff:10.177.89.141, server: [::]:8443

Check the ICX port open status from SZ
vSZ-H-83(config)# get open-icx-management-status
Switch Port Closed

Resolution

The FIPS enabled SZ can only support non-FIPS ICX switches (applicable to 8092 and higher ICX versions)
The FIPS ICX switches cannot be managed by SZ due to resource constraints
The non-FIPS ICX switches communicate with SZ over port 987, unlike APs and DPs, which communicate over 443
To facilitate ICX management on FIPS SZ, we need to manually open the port from SZ CLI
vSZ-H-141(config)# open-icx-management
Successful operation


Validate the port status
vSZ-H-141(config)# get open-icx-management-status
Switch Port Opened

The switch then connected to SZ

ICX7550-24 Router#show sz status

============    MGMT Agent State Info     ===================
Config Status: None     Operation Status: Enabled
State: SSH CONNECTED        Prev State: SSH CONNECTING       Event: NONE

SWR List            : None
Active List         : 10.177.89.141
DHCP Option 43      : No
DHCP Opt 43 List    : None
DNS Entry           : No
DNS IP              : None
Backup List         : None
Merged List         : 10.177.89.141
Switch registrar host: sw-registrar.ruckuswireless.com
Switch registrar discovery retry count: 994

SZ IP Used          : 10.177.89.141
Port List           : 987
Server Port Used    : 987
Query Status        : Response Received


We could get the switch connected to SZ
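
As an added example (not part of the original article and not Ruckus tooling), the Python script below parses saved "show sz status" output and tells the stuck state shown above apart from the connected one. The function names and the trimmed sample texts are assumptions constructed from the outputs in this article.

```python
import re

# Constructed samples, trimmed from the two "show sz status" outputs in this article.
STUCK = """\
Config Status: None     Operation Status: Enabled
State: QUERY                Prev State: INIT                 Event: QUERY RESPONSE
SZ IP Used          : 10.177.89.141
Port List           : 987
Query Status        : In Progress. Response Not Received.
"""
CONNECTED = """\
Config Status: None     Operation Status: Enabled
State: SSH CONNECTED        Prev State: SSH CONNECTING       Event: NONE
SZ IP Used          : 10.177.89.141
Port List           : 987
Server Port Used    : 987
Query Status        : Response Received
"""

def parse_sz_status(text):
    """Return {field: value}; handles padded 'Key   : value' and several pairs per line."""
    fields = {}
    for line in text.splitlines():
        # Collapse column padding: 'Port List    : 987' -> 'Port List: 987'
        line = re.sub(r"\s+:\s*", ": ", line.strip())
        # Pairs sharing a line are separated by two or more spaces
        for part in re.split(r"\s{2,}", line):
            key, sep, value = part.partition(":")
            if sep and key.strip():
                fields[key.strip()] = value.strip()
    return fields

def diagnose(text):
    """Classify the agent state (hypothetical helper): returns (verdict, hint)."""
    f = parse_sz_status(text)
    sz, ports = f.get("SZ IP Used", "?"), f.get("Port List", "?")
    if f.get("State") == "SSH CONNECTED" and f.get("Query Status") == "Response Received":
        return "connected", f"managed by {sz} on port {f.get('Server Port Used', ports)}"
    if "Response Not Received" in f.get("Query Status", ""):
        return "stuck", (f"no reply from {sz} on port {ports}; on the SZ CLI run "
                         "'get open-icx-management-status'")
    return "unknown", "state not covered by this article"

if __name__ == "__main__":
    for sample in (STUCK, CONNECTED):
        print(diagnose(sample))
```
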

Article Number:
000014835

Updated:
June 05, 2025 04:28 AM (30 days ago)

Tags:
Configuration, Troubleshooting, Ruckus ICX Switches, SmartCell Gateway
