topic Re: R320 started making requests to international endpoint in Unleashed

R320 started making requests to international endpoint

defect — Tue, 07 Mar 2023 23:22:23 GMT

Hello. I have two Ruckus R320 APs running 200.12.10.105.129. My router (a Firewalla Gold) notified me last night that the master AP started making requests every few minutes to umm1.exands.com:443, supposedly originating from the AP, and the endpoint being in China.

I did a bit of Googling about the endpoint and couldn't determine anything other than Exands seems to be a "network infrastructure operator". Once I blocked the endpoint, I started seeing umm1.exands.com:53 (DNS) requests instead (also being blocked by my router), similarly originating from the WAP.

This has concerned me, as if it could be malware, but I don't know how to investigate. If it were a plain linux box, maybe I could use something like tcpdump to determine the process making the requests; I can SSH into it, but the Ruckus CLI is limited. Any advice before I wipe and reinstall the APs?

Aside: I notice the master AP is also making constant (seemingly every 2-3min) attempts to captive.apple.com for a long time. I believe that's a tactic used to determine if a device is on a captive network, but is that a feature of Unleashed?

Re: R320 started making requests to international endpoint

sanjay_kumar — Wed, 08 Mar 2023 03:28:06 GMT

Hi @defect
I believe you are not from the exands. Could you please confirm if there is any special configuration done for the AP or with regards to the UMM settings?
Also, is this the first time the router reported this?
Any changes done before this issue triggerred?
Please confirm the AP location (Country)

Re: R320 started making requests to international endpoint

sanjay_kumar — Wed, 08 Mar 2023 03:48:27 GMT

@defect
BTW, you can disable this feature if you are not using the UMM or any special settings. Go to Unleashed WEB GUI -- Admin&Service --Administration--NetworkManagement--Unleashed MultiSite Manager.

Re: R320 started making requests to international endpoint

defect — Wed, 08 Mar 2023 04:15:32 GMT

@sanjay_kumar Thanks for your response. I see now looking at the MSM settings that it was enabled and set to "https://umm1.exands.com/intune/server". I have disabled it now.

Is this - "exands.com" - specific to a particular client? Can it be "pushed" to the AP? Or would my AP have had this configured the whole time? I never checked this setting before.

> Could you please confirm if there is any special configuration done for the AP or with regards to the UMM settings?

No. I bought both of these APs second-hand and installed the Unleashed firmware fresh. This is for home use, just the two APs.

> Also, is this the first time the router reported this?

This is the first time to my knowledge. I suppose it's possible it happened before, I only have 24 hours of history and it started up suddenly looking at the timeline.

> Any changes done before this issue triggerred?

Not that I can think of. I haven't touched the Unleashed configuration in months.

> Please confirm the AP location (Country)

United States.

Re: R320 started making requests to international endpoint

sanjay_kumar — Wed, 08 Mar 2023 04:16:09 GMT

@defect
"exands" is a specific customer. Probably the AP was holding the configuration. Probably you need to do the Factory default and then load the firmware if you are using a second hand APs.

Re: R320 started making requests to international endpoint

defect — Wed, 08 Mar 2023 04:19:54 GMT

I see. I'm pretty sure that I did do a factory reset on both, since I was installing new firmware on both devices, I remember getting the initial setup flow and everything.

So there's no way that the AP had configuration pushed to it? This MSM would have had to be configured the whole time?

Re: R320 started making requests to international endpoint

defect — Wed, 08 Mar 2023 04:21:22 GMT

@sanjay_kumar Also, could you comment on the constant calls to captive.apple.com? I can't imagine that's an MSM feature.

Re: R320 started making requests to international endpoint

sanjay_kumar — Wed, 08 Mar 2023 04:24:53 GMT

This is from the apple devices like iphones and MAC when connecting to SSID to determine if the captive portal is enabled or not.
This is by design.

Re: R320 started making requests to international endpoint

defect — Wed, 08 Mar 2023 04:29:29 GMT

I understand what it's normally for, but why is the traffic originating from the AP? I also occasionally see calls to time.google.com, but Unleashed is set to use ntp.ruckuswireless.com.

Re: R320 started making requests to international endpoint

sanjay_kumar — Wed, 08 Mar 2023 04:39:41 GMT

Hi @defect

For the NTP, both the URL are actually same resolving to same IP address 216.239.35.0.

For the captive.apple.com, The URL captive.apple.com <https://captive.apple.com/> is apple CNA (Captive Network Assistance) URL. It is different for Android and windows client devices.
When apple device connect to any captive portal enabled SSID, it auto pop-up the browser and try to access captive.apple.com <https://captive.apple.com/> to redirect to the portal's splash page. After successful authentication the client will be redirected to redirect captive.apple.com <https://captive.apple.com/> as the default start page configuration is "URL that the user intends to visit".

If you need to understand where is the actual request is coming from, then you can take the packet from the AP.
From GUI:
1. Go to Admin & Services > Administration > Diagnostics > Packet Capture.
2. For Radio, select 2.4 GHz or 5 GHz.
3. Under Currently Managed APs, select APs from the list and click Add to Capture APs.
4. Select Local Mode or Streaming Mode as the capture mode.
• To capture a limited snapshot on each AP, select Local Mode.
a. Click Start to begin capturing packets.
b. Click Stop to end the capture.
c. Click Save to save the packet capture to a local file.
• To stream the captured packets to Wireshark, select Streaming Mode.
a. Click Start to launch Wireshark.
b. Select Capture Options. Under Capture: Interface, select Remote. A Remote Interface dialog box is displayed.
c. Under Host, enter the IP address of the AP you want to view. Leave the Port field empty and click OK.
The remote host interface list on the right side is updated.
d. Select wifi0 or wifi1 from the list, depending on whether you are streaming on the 2.4-GHz or 5-GHz radio.
5. Click on Start.

Re: R320 started making requests to international endpoint

defect — Wed, 08 Mar 2023 06:10:34 GMT

I appreciate the detail, but I'm still confused; I do understand that captive.apple.com is how a device can check to see if it's behind a captive portal. I'm not running a captive portal, and more importantly: my router doesn't report _all_ traffic that happens to be traversing the access point (like web requests from my devices on wifi). It's reporting that connections to "captive.apple.com" are _originating_ from the AP. In other words, it's not that some android or ios device is checking that URL, at least if I'm interpreting this correctly.

What am I looking for in the dump in Wireshark to discern the source? I've looked at TCP and HTTP traffic before, but I haven't been able to find anything that would help me identify this CNA traffic.

Re: R320 started making requests to international endpoint

sanjay_kumar — Wed, 08 Mar 2023 06:10:23 GMT

Hi @defect
Even if the AP is not bradcasting a Captive portal enabled SSID, the apple client by default it will send a query to preconfigured URL captive.apple.com whenever it connects to the SSID.

Since the Firewall is pointing that the source is AP, we can take the capture on the AP to see the real source.

You can follow the steps mentioned to take the capture, or you can open a support case so that the TAC team can help you on this.

Re: R320 started making requests to international endpoint

defect — Wed, 08 Mar 2023 06:14:44 GMT

I understand that the CNA URL will be accessed. And it would make sense if my router was reporting that my mobile devices were accessing it, but the source of the connections are the master AP's MAC address. That's what is confusing me.

I did perform a capture per your instructions but I'm having trouble interpreting. I'll see if I can get help via support ticket, thanks for your time.

Re: R320 started making requests to international endpoint

sanjay_kumar — Wed, 08 Mar 2023 06:16:18 GMT

Hi @defect
Sure, let me the case number once you create it.

Re: R320 started making requests to international endpoint

defect — Wed, 08 Mar 2023 06:26:26 GMT

Case number is 01444881

Re: R320 started making requests to international endpoint

sanjay_kumar — Wed, 08 Mar 2023 06:32:49 GMT

Hi @defect
Check out this thread, I hope it might help you.

https://community.ruckuswireless.com/t5/Access-Points-Indoor-and-Outdoor/DNS-Requests-to-baidu-com-from-Unleashed-AP/m-p/39502/page/2