
AP rejected on vSG "because of ACL setting"

jim_michael
Contributor
I am unable to add multiple R600 APs at a remote site to our vSZ. I'm moving them from a local (to them) ZD to a remote (central location) vSZ, but the procedure I've used many times no longer works. I factory defaulted the AP, then "set director ip xxx.xxx.xxx.xxx" and rebooted, and it does contact the vSZ, but the controller is rejecting it with this error:

"ZD-AP [obscured] model [R600] is not being upgraded with Virtual SmartZone AP firmware because of ACL setting."

I then tried upgrading the AP to 100.x standalone firmware, but same results... it gets rejected with that error. Any idea what is wrong? I've added APs from remote sites with no problem, so this is a first for me.
8 REPLIES 8

greg_marcoux
New Contributor
Yep, same here. Thanks! 

john_duling
New Contributor
I hope I'm not hijacking this thread. I thought this was my issue as well because of the "ACL" error, which is
ZD-AP [MAC/Serial #]  model [R600] is not being upgraded with Virtual SmartZone AP firmware because of ACL setting.

BUT the recommended change to the SmartZone lwapp2scg policy did not solve my problem. I have an open support case on this but they haven't been very responsive thus far. I have tried both accept-all and accept (along with adding the MAC of the AP). In both cases, and all along, here is what the get syslog log on the AP is showing:

-------Begin AP Log----
Oct 30 16:04:12 RuckusAP local2.err syslog: (ap state) AP begin to join ac.
Oct 30 16:04:25 RuckusAP daemon.err wsgclient[486]: httpRecv:315 http status is 400
Oct 30 16:04:25 RuckusAP daemon.err wsgclient[486]: crHttpRequestWithAuth:472 ret:116
Oct 30 16:04:25 RuckusAP daemon.err wsgclient[486]: registration:676 Failed to send Discovery packet! ret:116
Oct 30 16:04:57 RuckusAP daemon.err wsgclient[486]: httpRecv:315 http status is 400
Oct 30 16:04:57 RuckusAP daemon.err wsgclient[486]: crHttpRequestWithAuth:472 ret:116
Oct 30 16:04:57 RuckusAP daemon.err wsgclient[486]: registration:676 Failed to send Discovery packet! ret:116
Oct 30 16:05:16 RuckusAP local2.err syslog: Proceed to IDLE state from JOIN state, no resp after 15 re-transmits
-------End AP Log-------

I migrated 21 APs but the 22nd isn't wanting to move (actually it was the 12th or 13th AP to migrate, just saying I moved all but 1) by using the following commands:
Manually upgrade ZD aps to a new smart zone controller:

Establish an SSH connection to an AP

set factory

reboot

Reconnect with SSH

fw set host 172.xxx.xxx.xxx

fw set proto tftp

fw set user xxxxxxxxx

fw set password xxxxxxx

fw set port 69

fw set control R600_104.0.0.0.1347.bl7

fw update

set director ip 172.xxx.xxx.xxx

reboot

And TADA for all except 1....  I have 2 more locations to move and I have to stagger them.  Fortunately it is only one AP in 1 facility thus far that has this issue but I need to resolve it and I'm sure I have a dead/weak spot.
Thanks

john_duling
New Contributor
So ...There is also a certificate check that might need to be disabled apparently:
https://support.ruckuswireless.com/articles/000005390
I forget the exact command; I think it was: SSH to the SZC, enter configure mode and type >>
ap-cert-check
I could be wrong on the exact command, that is what I recall though. Once disabled, the AP was able to register and connect fine. After all APs are connected I will then need to go to System >> Certificates >> AP Certification Replacement and update the certificates for any APs that don't pass the check correctly. When I do update the AP certificate, there is the possibility of some downtime on the APs that must update their certificate, if I understood support correctly.

Vineet_nejwala
Moderator
Hello cdshow,

I am adding the correct commands. On the AP side, to validate whether the certificate is correct, you can execute the command below. If the output contains the string "RuckusPKI", it means the AP has the new certificate; otherwise, it has the old certificate.

rkscli:  get rpki-cert issuer

*The old certificate looks like below :

rkscli: get rpki-cert issuer
Issuer: Ruckus Wireless, Inc.
OK

*Whereas the new certificate is as below :

rkscli:  get rpki-cert issuer
Issuer: RuckusPKI-DeviceSubCA-2
OK

*For disabling the Cert check from the controller (to connect AP with old cert) you can run the command:

vszh-251> enable
Password: ***********

vszh-251# config

vszh-251(config)# no ap-cert-check
Do you want to continue to disable (or input 'no' to cancel)? [yes/no] yes

vszh-251(config)# exit

*For enabling the Cert check from the controller you can run the command:

vszh-251> enable
Password: ***********

vszh-251# config

vszh-251(config)# ap-cert-check
Successful operation

vszh-251(config)# exit

Finally, to validate the cert check config on the controller:

vszh-251# show running-config ap-cert-check

Best Regards
Vineet
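
The issuer check described in the reply above, applied to a batch of APs so you can see which ones still carry the old certificate before turning `ap-cert-check` back on. This is an added example, not code from the thread or from Ruckus. It assumes you have saved each AP's `get rpki-cert issuer` output (and optionally its syslog) as text; the AP names, sample transcripts and function names are constructed for illustration.

```python
import re

# Constructed sample transcripts (not real devices): AP name -> captured CLI/syslog text.
SAMPLE = {
    "ap-lobby": "rkscli: get rpki-cert issuer\nIssuer: RuckusPKI-DeviceSubCA-2\nOK\n",
    "ap-dock": (
        "rkscli: get rpki-cert issuer\nIssuer: Ruckus Wireless, Inc.\nOK\n"
        "Oct 30 16:04:25 RuckusAP daemon.err wsgclient[486]: httpRecv:315 http status is 400\n"
        "Oct 30 16:04:25 RuckusAP daemon.err wsgclient[486]: registration:676 "
        "Failed to send Discovery packet! ret:116\n"
    ),
    "ap-roof": "rkscli: get rpki-cert issuer\n",  # session dropped before any output
}

ISSUER_RE = re.compile(r"^Issuer:[ \t]*(.+?)[ \t]*$", re.MULTILINE)
HTTP_400_RE = re.compile(r"wsgclient\[\d+\]: httpRecv:\d+ http status is 400")
DISCOVERY_FAIL_RE = re.compile(
    r"wsgclient\[\d+\]: registration:\d+ Failed to send Discovery packet")

def classify_cert(text):
    """Return 'new', 'old' or 'unknown' using the rule from the thread:
    an issuer containing 'RuckusPKI' means the AP has the new certificate."""
    m = ISSUER_RE.search(text)
    if not m:
        return "unknown"  # no Issuer line captured; do not guess
    return "new" if "RuckusPKI" in m.group(1) else "old"

def join_rejected(text):
    """True when the log shows both the HTTP 400 and the failed Discovery lines."""
    return bool(HTTP_400_RE.search(text) and DISCOVERY_FAIL_RE.search(text))

def audit(transcripts):
    """Build a per-AP report and say whether every AP carries the new certificate."""
    report = {
        name: {"cert": classify_cert(text), "join_rejected": join_rejected(text)}
        for name, text in transcripts.items()
    }
    all_new = bool(report) and all(r["cert"] == "new" for r in report.values())
    return report, all_new

if __name__ == "__main__":
    report, all_new = audit(SAMPLE)
    for name, r in sorted(report.items()):
        print(f"{name:10} cert={r['cert']:8} join_rejected={r['join_rejected']}")
    print("all APs on new certificate:", all_new)
```

APs reported as `old` or `unknown` are the ones to handle through AP certificate replacement (or re-check by hand) while the controller's certificate check is disabled.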