vSZ & vSZ-D Tunnel mode not broadcasting SSID

New Contributor III


I have both vSZ & Data Plane instances installed. I have an issue where, when tunnel mode is enabled, it stops broadcasting the SSID for some strange reason. However, when I disable the tunneling method in vSZ, the AP starts to broadcast the SSID again. I have these instances installed on bare metal at a colocation center.

Any ideas about what it could be? I read a post on here about doing the:

get tunnelmgr

However I'm not entirely sure what it is that I'm looking for in this output. It says on that post that the AP may not be able to see the controller when doing data plane functionality? 

I'm currently running this environment in Essentials mode. 


The first step to see what the issue is would be to run ping and traceroute from the AP to the external vDP address (NAT IP), and from the vDP to the AP's (external) IP address. From your description it is not clear how the AP is connected to the network.

A typical multisite configuration is that both sides (vSZ + vDP) and the AP are behind a firewall with NAT. The management tunnel from the AP to the vSZ uses different ports and a different destination IP (vSZ NAT IP). It works, as far as I understand.

The data tunnel needs to be established from the AP's internal IP, through the firewall with NAT, to the external vDP address (vDP NAT IP), and it uses a different port. So you need to check the whole route: whether the local firewall permits outgoing connections on ports UDP 23233/23233, whether the firewall on the vSZ/vDP side allows this connection in and NATs it to the vDP internal IP, and whether the default route is set properly on the vDP data interface so it can send a reply to the AP and the firewall allows it... You have to look at both firewalls to see whether tunnel setup is actually initiated and whether replies are sent and received.
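
The path check described in the reply above, as an added example that is not part of the original thread: it reads `tcpdump -n` text captures taken on the AP-side firewall's WAN interface and on the colo firewall's WAN and LAN interfaces, and names the first hop where UDP 23233 traffic disappears. The capture points, addresses and function names are assumptions, and it assumes the colo firewall rewrites only the destination address.

```python
import re

TUNNEL_PORT = 23233  # UDP data-tunnel port named in the reply above
# Matches `tcpdump -n` text lines: "IP src.sport > dst.dport: UDP, length N"
LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): UDP")

def flows(capture):
    """Set of (src_ip, dst_ip) for UDP packets that use the tunnel port."""
    found = set()
    for line in capture.splitlines():
        m = LINE.search(line)
        if m and str(TUNNEL_PORT) in (m.group(2), m.group(4)):
            found.add((m.group(1), m.group(3)))
    return found

def diagnose(remote_wan, colo_wan, colo_lan, ap_nat, vdp_nat, vdp_lan):
    """Follow the request AP -> vDP and the reply back; name the first gap."""
    remote, wan, lan = flows(remote_wan), flows(colo_wan), flows(colo_lan)
    checks = [
        ((ap_nat, vdp_nat) in remote, "AP-side firewall: no outgoing tunnel packets"),
        ((ap_nat, vdp_nat) in wan, "transit: request never reaches the colo firewall"),
        ((ap_nat, vdp_lan) in lan, "colo firewall: request not allowed in or not NATed to vDP"),
        ((vdp_lan, ap_nat) in lan, "vDP: no reply sent, check default route on data interface"),
        ((vdp_nat, ap_nat) in wan, "colo firewall: reply not passed back out"),
        ((vdp_nat, ap_nat) in remote, "transit: reply never reaches the AP-side firewall"),
    ]
    for ok, finding in checks:
        if not ok:
            return finding
    return "tunnel packets seen in both directions"

# Constructed sample captures (documentation/private addresses, not from the thread).
AP_NAT, VDP_NAT, VDP_LAN = "198.51.100.10", "203.0.113.20", "10.0.0.20"
REQ_WAN = "12:00:01.000001 IP 198.51.100.10.40000 > 203.0.113.20.23233: UDP, length 120\n"
REQ_LAN = "12:00:01.000300 IP 198.51.100.10.40000 > 10.0.0.20.23233: UDP, length 120\n"
REP_LAN = "12:00:01.000900 IP 10.0.0.20.23233 > 198.51.100.10.40000: UDP, length 96\n"
REP_WAN = "12:00:01.001200 IP 203.0.113.20.23233 > 198.51.100.10.40000: UDP, length 96\n"

if __name__ == "__main__":
    # Port forward missing at the colo: request arrives on WAN, nothing on LAN.
    print(diagnose(REQ_WAN, REQ_WAN, "", AP_NAT, VDP_NAT, VDP_LAN))
    # vDP receives the request but has no route back to the AP.
    print(diagnose(REQ_WAN, REQ_WAN, REQ_LAN, AP_NAT, VDP_NAT, VDP_LAN))
    # Healthy path.
    both_wan, both_lan = REQ_WAN + REP_WAN, REQ_LAN + REP_LAN
    print(diagnose(both_wan, both_wan, both_lan, AP_NAT, VDP_NAT, VDP_LAN))
```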

New Contributor III

Sorry about that, the AP is connected to a MikroTik router (basic config), with DHCP assigned for that AP.

I'll give the MikroTik a further look on the AP's side. So when setting up the vDP's data interface, that needs to be set for an external NAT IP?


There will be 3 tunnels formed.

  1. Controller/management tunnel between v/SZ to v/SZ-D
  2. Controller tunnel between v/SZ - AP
  3. Data tunnel between AP - vSZ-D

Make sure these devices can reach each other for each tunnel.


Syamantak Omer
Official Rep | Staff TSE | CWNA | CCNA | RASZA | RICXI


I'm able to ping the vSZ from the vDP. As well as from vDP to vSZ.

Doing the "Get scg" command via the AP: 

------ SCG Information ------
SCG Service is enabled.
AP is managed by SCG.
Server List:,PUBLIC-IP
SSH tunnel connected to PUBLIC-IP
Failover List: Not found
Failover Max Retry: 2
DHCP Opt43 Code: 6
Server List from DHCP (Opt43/Opt52): Not found
SCG default URL: RuckusController
SCG config|heartbeat intervals: 30|30
SCG gwloss|serverloss timeouts: 1800|7200
Controller Cert Validation : disable

From the AP itself, these are located remotely. It shows the LAN IP (vSZ) in the server list, but that's the LAN IP from the controller itself behind a router located at our colo.  

My server is a different IP than the NAT IP I assigned my vSZ. So do I need to remove the PUBLIC-IP of the controller above, and make that the server IP (which is my router)?

Colo Topology:

Router <--- - (5 IP Block)

vSZ <---- LAN -- (WAN)

vDP <---- LAN

Port Forwards:

  • vSZ >> 22,443
  • vDP >> 23233

Remote Location: 

My H510 (at a location) is pointed at the controller:

The LAN side behind my router
