topic Re: AP rejected on vSG "because of ACL setting" in SmartZone and Virtual SmartZone

AP rejected on vSG "because of ACL setting"

jim_michael — Thu, 18 Jan 2018 18:34:04 GMT

I am unable to add multiple R600 APs at a remote site to our vSZ. I'm moving them from a local (to them) ZD to a remote (central location) vSZ, but the procedure I've used many times no longer works. I factory defaulted the AP, then "set director ip xxx.xxx.xxx.xxx" and rebooted, and it does contact the vSZ, but the controller is rejecting it with this error:

"
ZD-AP [obscured] model [R600] is not being upgraded with Virtual SmartZone AP firmware because of ACL setting."

I then tried upgrading the AP to 100.x standalone firmware, but same results... it gets rejected with that error. Any idea what is wrong? I've added APs from remote sites with no problem, so this is a first for me.

Re: AP rejected on vSG "because of ACL setting"

marcus_burton — Thu, 18 Jan 2018 19:32:29 GMT

Hi Jim,
The ACL setting referred to here is for the lwapp2scg conversion utility that allows ZD-based APs to connect to the SZ. In the SZ CLI, you can change this setting:

vSZ# config

vSZ (config)# lwapp2scg

vSZ (config-lwapp2scg)# policy accept-all

If the problem persists after this, try (just for confirmation) to change the policy to "accept" and then enter a rule (vSZ (config-lwapp2scg)# acl-ap...) to add an allow rule for that specific AP.

Also, can you share what build you are working from?

thanks,
Marcus

Re: AP rejected on vSG "because of ACL setting"

jim_michael — Thu, 18 Jan 2018 20:01:18 GMT

Thank you! This solved my problem immediately. Appreciate the help,.

Re: AP rejected on vSG "because of ACL setting"

hyosang_choi — Fri, 19 Jan 2018 04:09:31 GMT

I have met same problem.

At that time, I did diabling and re-enabling the command as "policy accept-all".

As a result this solved.

It may a bit bug becaue default setting is "policy accept-all".

Re: AP rejected on vSG "because of ACL setting"

new_life_it — Fri, 20 Jul 2018 04:56:53 GMT

Solved our problem as well - thank you!

Re: AP rejected on vSG "because of ACL setting"

greg_marcoux — Sat, 18 Aug 2018 21:01:44 GMT

Yep, same here. Thanks!

Re: AP rejected on vSG "because of ACL setting"

john_duling — Wed, 30 Oct 2019 18:32:07 GMT

I hope I'm not hi jacking this thread I thought this was my issue as well becuase of the "ACL" error which is
ZD-AP [MAC/Serial #] model [R600] is not being upgraded with Virtual SmartZone AP firmware because of ACL setting.

BUT the recommended change to the Smartzone lwapp2scg policy, did not solve my problem. I have an open support case on this but they haven't been very responsive thus far. I have tried both accept-all and accept (along with adding the MAC of the AP). In both cases and all along here is what the get syslog log on the AP is showing:

-------Begin AP Log----
Oct 30 16:04:12 RuckusAP local2.err syslog: (ap state) AP begin to join ac.
Oct 30 16:04:25 RuckusAP daemon.err wsgclient[486]: httpRecv:315 http status is 400
Oct 30 16:04:25 RuckusAP daemon.err wsgclient[486]: crHttpRequestWithAuth:472 ret:116
Oct 30 16:04:25 RuckusAP daemon.err wsgclient[486]: registration:676 Failed to send Discovery packet! ret:116
Oct 30 16:04:57 RuckusAP daemon.err wsgclient[486]: httpRecv:315 http status is 400
Oct 30 16:04:57 RuckusAP daemon.err wsgclient[486]: crHttpRequestWithAuth:472 ret:116
Oct 30 16:04:57 RuckusAP daemon.err wsgclient[486]: registration:676 Failed to send Discovery packet! ret:116
Oct 30 16:05:16 RuckusAP local2.err syslog: Proceed to IDLE state from JOIN state, no resp after 15 re-transmits
-------End AP Log-------

I migrated 21 APs but the 22nd isn't wanting to move(actually it was the 12th or 13th ap to migrate, just saying I moved all but 1 by using the following commands:
Manually upgrade ZD aps to a new smart zone controller:

Establish an SSH connection to an AP

set factory

reboot

Reconnect with SSH

fw set host 172.xxx.xxx.xxx

fw set proto tftp

fw set user xxxxxxxxx

fw set password xxxxxxx

fw set port 69

fw set control R600_104.0.0.0.1347.bl7

fw update

set director ip 172.xxx.xxx.xxx

reboot

And TADA for all except 1.... I have 2 more locations to move and I have to stagger them. Fortunately it is only one AP in 1 facility thus far that has this issue but I need to resolve it and I'm sure I have a dead/weak spot.
Thanks

Re: AP rejected on vSG "because of ACL setting"

john_duling — Thu, 31 Oct 2019 18:56:18 GMT

So ...There is also a certificate check that might need to be disabled apparently:
https://support.ruckuswireless.com/articles/000005390
I forget the exact command I think it was SSH to SZC enter configure mode and type >>
ap-cert-check
I could be wrong on the exact command, that is what I recall though. Once disabled the AP was able to register and connect fine. After all APs are connected I will then need to go to System >> Certificates >> AP Certification Replacement and update the certificates for any aps that don't pass the check correctly. When I do update the ap certificate, there is the possibility of some downtime on the aps that must update their certificate, if I understood support correctly.

Re: AP rejected on vSG "because of ACL setting"

Vineet_nejwala — Mon, 04 Nov 2019 12:00:53 GMT

Hello cdshow,

I am adding the correct commands , on the AP side to validate if the certificate is correct you can execute below command, If the output contains the string "RuckusPKI", it means the AP has the new certificate, otherwise,it has the old certificate.

rkscli: get rpki-cert issuer

*The old certificate looks like below :

rkscli: get rpki-cert issuer
Issuer: Ruckus Wireless, Inc.
OK

*Whereas the new certificate is as below :

rkscli: get rpki-cert issuer
Issuer: RuckusPKI-DeviceSubCA-2
OK

*For disabling the Cert check from the controller (to connect AP with old cert) you can run the command:

vszh-251> enable
Password: ***********

vszh-251# config

vszh-251(config)# no ap-cert-check
Do you want to continue to disable (or input 'no' to cancel)? [yes/no] yes

vszh-251(config)# exit

*For enabling the Cert check from the controller you can run the command:

vszh-251> enable
Password: ***********

vszh-251# config

vszh-251(config)# ap-cert-check
Successful operation

vszh-251(config)# exit

At last to validate the cert check config on controller :

vszh-251# show running-config ap-cert-check

Best Regards
Vineet