This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

R320 started making requests to international endpoint

Go to solution
defect
New Contributor

‎03-07-2023 02:15 PM - edited ‎03-07-2023 03:22 PM

Hello. I have two Ruckus R320 APs running 200.12.10.105.129. My router (a Firewalla Gold) notified me last night that the master AP started making requests every few minutes to umm1.exands.com:443, supposedly originating from the AP, and the endpoint being in China.

I did a bit of Googling about the endpoint and couldn't determine anything other than Exands seems to be a "network infrastructure operator". Once I blocked the endpoint, I started seeing umm1.exands.com:53 (DNS) requests instead (also being blocked by my router), similarly originating from the WAP.

This has concerned me, as if it could be malware, but I don't know how to investigate. If it were a plain linux box, maybe I could use something like tcpdump to determine the process making the requests; I can SSH into it, but the Ruckus CLI is limited. Any advice before I wipe and reinstall the APs?

Aside: I notice the master AP is also making constant (seemingly every 2-3min) attempts to captive.apple.com for a long time. I believe that's a tactic used to determine if a device is on a captive network, but is that a feature of Unleashed?

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
sanjay_kumar
RUCKUS Team Member
In response to defect

‎03-07-2023 08:16 PM

@defect 
"exands" is a specific customer. Probably the AP was holding the configuration. Probably you need to do the Factory default and then load the firmware if you are using a second hand APs.

View solution in original post

15 REPLIES 15

Go to solution
defect
New Contributor
In response to sanjay_kumar

‎03-07-2023 08:19 PM

I see. I'm pretty sure that I did do a factory reset on both, since I was installing new firmware on both devices, I remember getting the initial setup flow and everything.

So there's no way that the AP had configuration pushed to it? This MSM would have had to be configured the whole time?

0 Kudos

Go to solution
defect
New Contributor

‎03-07-2023 08:21 PM

@sanjay_kumar Also, could you comment on the constant calls to captive.apple.com? I can't imagine that's an MSM feature.

0 Kudos

Go to solution
sanjay_kumar
RUCKUS Team Member
In response to defect

‎03-07-2023 08:24 PM

This is from the apple devices like iphones and MAC when connecting to SSID to determine if the captive portal is enabled or not.
This is by design.

0 Kudos

Go to solution
defect
New Contributor
In response to sanjay_kumar

‎03-07-2023 08:28 PM - edited ‎03-07-2023 08:29 PM

I understand what it's normally for, but why is the traffic originating from the AP? I also occasionally see calls to time.google.com, but Unleashed is set to use ntp.ruckuswireless.com.

0 Kudos

Go to solution
sanjay_kumar
RUCKUS Team Member
In response to defect

‎03-07-2023 08:39 PM

Hi @defect 

For the NTP, both the URL are actually same resolving to same IP address 216.239.35.0.

For the captive.apple.com, The URL captive.apple.com <https://captive.apple.com/> is apple CNA (Captive Network Assistance) URL. It is different for Android and windows client devices.
When apple device connect to any captive portal enabled SSID, it auto pop-up the browser and try to access captive.apple.com <https://captive.apple.com/> to redirect to the portal's splash page. After successful authentication the client will be redirected to redirect captive.apple.com <https://captive.apple.com/> as the default start page configuration is "URL that the user intends to visit". 

If you need to understand where is the actual request is coming from, then you can take the packet from the AP.
From GUI:
1. Go to Admin & Services > Administration > Diagnostics > Packet Capture.
2. For Radio, select 2.4 GHz or 5 GHz.
3. Under Currently Managed APs, select APs from the list and click Add to Capture APs.
4. Select Local Mode or Streaming Mode as the capture mode.
• To capture a limited snapshot on each AP, select Local Mode.
a. Click Start to begin capturing packets.
b. Click Stop to end the capture.
c. Click Save to save the packet capture to a local file.
• To stream the captured packets to Wireshark, select Streaming Mode.
a. Click Start to launch Wireshark.
b. Select Capture Options. Under Capture: Interface, select Remote. A Remote Interface dialog box is displayed.
c. Under Host, enter the IP address of the AP you want to view. Leave the Port field empty and click OK.
The remote host interface list on the right side is updated.
d. Select wifi0 or wifi1 from the list, depending on whether you are streaming on the 2.4-GHz or 5-GHz radio.
5. Click on Start.

0 Kudos
Copyright © 2024 Khoros, LLC