ICX switch is not registering to SZ100
10-24-2019 06:38 AM
Hi all,
I'm quite new to configuring Ruckus products and new to configuring a smartzone in general and I'm having a little trouble getting my 7150 ICX switch to register to our SZ100.
The switch I'm using has two lag ports and has multiple vlans. Our sz100 is in a separate vlan from the virtual interface (maybe that has something to do with it), so if anybody can see what's wrong, please let me know.
Here is my config so far:
!
ver 08.0.91T213
!
stack unit 1
module 1 icx7150-24p-poe-port-management-module
module 2 icx7150-2-copper-port-2g-module
module 3 icx7150-4-sfp-plus-port-40g-module
stack-port 1/3/1
stack-port 1/3/3
!
!
global-stp
!
lag NOC-UPLINK dynamic id 2
ports ethe 1/1/23 to 1/1/24
!
!
!
vlan 1 name DEFAULT-VLAN by port
spanning-tree
!
vlan 15 name NOC-Servers by port
tagged lag 2
untagged ethe 1/1/1
spanning-tree
!
vlan 100 name Office-Net-MGMT by port
tagged lag 2
router-interface ve 2
spanning-tree
!
vlan 200 name Office-Net-DATA by port
tagged lag 2
untagged ethe 1/1/2 ethe 1/1/10 to 1/1/12
spanning-tree
!
vlan 300 name Office-Net-Voice by port
tagged lag 2
untagged ethe 1/1/3 to 1/1/9
spanning-tree
!
!
!
!
!
!
!
!
!
!
!
!
!
aaa authentication web-server default local
aaa authentication login default local
console timeout 5
enable aaa console
enable user disable-on-login-failure 10
enable user password-masking
hostname NOC-ICX7150-24p
ip dhcp-client disable
ip route 0.0.0.0/0 10.1.10.1
!
username super password .....
username pngadmin password .....
username netmgmt password .....
username velofiadmin password .....
!
cdp run
fdp run
!
!
!
!
ntp
source-interface ve 2
server 10.1.10.1
!
!
no web-management http
!
!
sz registrar
sz active-list 10.1.12.11
!
!
!
!
!
!
!
!
!
interface ethernet 1/3/1
speed-duplex 1000-full
!
interface ethernet 1/3/2
speed-duplex 1000-full
!
interface ethernet 1/3/3
speed-duplex 1000-full
!
interface ethernet 1/3/4
speed-duplex 1000-full
!
interface ve 2
ip address 10.1.10.3 255.255.254.0
!
!
!
!
!
!
!
!
!
!
!
!
end
Here is an SZ log:
NOC-ICX7150-24p(config)#sh sz logs
Start i/max/iter 270/512/2
Oct 24 09:03:05:https_connmgr_send_request>Entered.
Oct 24 09:03:05:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, TIMER/2002 RC: 1
Oct 24 09:03:20:sz_execute_state_machine>Entering with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007
Oct 24 09:03:20:sz_parse_sz_query_response -- Status: 600 <<
Oct 24 09:03:20:sz_execute_state_machine>Exit with state/event: SZ QUERY/5, SZ QUERY RESPONSE/2007 RC: 1
Oct 24 09:03:20:HTTP Request Error:Http remote connection close called.
Oct 24 09:08:20:sz_execute_state_machine>Entering with state/event: SZ QUERY/5, TIMER/2002
Oct 24 09:08:20:
And according to the sz status, there is no connection and all attempts have failed.
If you need any other information, please let me know.
Thanks!
10-24-2019 11:49 AM
I see you have the sz active-list server-ip in config
run this command...
from the switch CLI
dm verify-device-certs
you should see one of two responses
1 -> Good
Commencing sanity check for device certs ...
Verifying TPM (or non-TPM) Platform ...
Successfully verified
The device key pair is valid
The Encrypt/Decrypt test is successful
Successfully verified device certs
2-> Bad
Commencing sanity check for device certs ...
Verifying TPM (or non-TPM) Platform ...
Successfully verified
Error: Failed to rad PEM PrivateKey, key file might be corrupted..!!
Error: The device key pair is not valid..!!
If 1) you should be able to join SZ ( may need non-tpm-switch-cert-validate ) executed on the switch.
If 2) the device key is corrupt and will need to be restored. run the following two commands:
config terminal
(config)# crypto device-key-zeroize
(config)# crypto device-cert-zeroize
Then reload the device
10-24-2019 12:01 PM
Thank you for your response.
I got the 1st one, with the Encrypt/Decrypt test is successful.
I believe that non-tpm-switch command is meant for 7250's and up. The 7150 should have it embedded already, is that correct?
Edit: I have just learned that the switch is not talking to the SZ. Attempted to ping 10.1.12.11 and got no reply.
The ip add of the switch is 10.1.10.3, a different subnet. Could this be the problem? If so, what would be the best approach to getting them to talk?
Thanks
10-24-2019 06:01 PM
Hi Glenn,
That is one issue: if you cannot communicate between ICX and Smart Zone, it will not work.
You need to connect your smartzone to a port on ICX where it has IP connectivity.
Add port going to smart zone to vlan 100 and it should work.
Hope this helps.
Thanks
Hashim
10-27-2019 12:57 AM
Hi Glen,
You can designate the GW router to route to 10.1.12.xx subnet to have reachability.
Also note that when SmartZone or ICX devices are behind NAT, be sure to forward TCP ports 443 and 22 through NAT.
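The routing and port requirements discussed in this thread can be checked from the posted config. This is an added example, not part of any post here: it parses the constructed `SAMPLE_CONFIG` (lines copied from the config above), reports whether the SmartZone address is on-link or must go through the gateway, and probes TCP 443 and 22. The function names are hypothetical.

```python
import ipaddress
import socket

# Constructed sample: the relevant lines of the switch config posted in this thread.
SAMPLE_CONFIG = """\
ip route 0.0.0.0/0 10.1.10.1
sz active-list 10.1.12.11
interface ve 2
 ip address 10.1.10.3 255.255.254.0
"""

def parse_config(text):
    """Pull the ve address, default gateway and SZ address(es) from config text."""
    info = {"iface": None, "gateway": None, "sz": []}
    for line in text.splitlines():
        words = line.split()
        if words[:2] == ["ip", "address"] and len(words) >= 4:
            # "ip address <addr> <mask>" -> interface object that knows its subnet
            info["iface"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif words[:3] == ["ip", "route", "0.0.0.0/0"] and len(words) >= 4:
            info["gateway"] = ipaddress.ip_address(words[3])
        elif words[:2] == ["sz", "active-list"]:
            # address(es) following the keyword
            info["sz"] = [ipaddress.ip_address(w) for w in words[2:]]
    return info

def path_to(info, target):
    """Return 'on-link' if target is inside the interface subnet, else the next hop."""
    if target in info["iface"].network:
        return "on-link"
    if info["gateway"] is None:
        return "unreachable: no default route"
    return f"via {info['gateway']}"

def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes from where this runs."""
    try:
        with socket.create_connection((str(host), port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for sz in cfg["sz"]:
        print(f"{sz}: {path_to(cfg, sz)} (switch subnet {cfg['iface'].network})")
        for port in (443, 22):  # the ports named in the reply above
            print(f"  tcp/{port}:", "open" if tcp_open(sz, port) else "no answer")
```

Run the probe from a host in the switch's management VLAN; a "via" result with no answer on either port points at the gateway's routing or policy rather than at the switch.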
10-28-2019 05:46 AM
Jijo,
Thank you for your advice. I added a policy to the GW and it worked like a charm! The switch is talking to the smartzone!
Thanks for the advice everyone!

