
R320 started making requests to international endpoint

New Contributor

Hello. I have two Ruckus R320 APs running My router (a Firewalla Gold) notified me last night that the master AP started making requests every few minutes to, supposedly originating from the AP, and the endpoint being in China.

I did a bit of Googling about the endpoint and couldn't determine anything other than Exands seems to be a "network infrastructure operator". Once I blocked the endpoint, I started seeing (DNS) requests instead (also being blocked by my router), similarly originating from the WAP.

This has concerned me, as if it could be malware, but I don't know how to investigate. If it were a plain Linux box, maybe I could use something like tcpdump to determine the process making the requests; I can SSH into it, but the Ruckus CLI is limited. Any advice before I wipe and reinstall the APs?

Aside: I notice the master AP is also making constant (seemingly every 2-3min) attempts to for a long time. I believe that's a tactic used to determine if a device is on a captive network, but is that a feature of Unleashed?


RUCKUS Team Member

"exands" is a specific customer. Probably the AP was holding the configuration. Probably you need to do the Factory default and then load the firmware if you are using second-hand APs.



I see. I'm pretty sure that I did do a factory reset on both, since I was installing new firmware on both devices, I remember getting the initial setup flow and everything.

So there's no way that the AP had configuration pushed to it? This MSM would have had to be configured the whole time?

New Contributor

@sanjay_kumar Also, could you comment on the constant calls to I can't imagine that's an MSM feature.

RUCKUS Team Member

This is from Apple devices like iPhones and Macs when connecting to an SSID to determine whether the captive portal is enabled or not.
This is by design.

I understand what it's normally for, but why is the traffic originating from the AP? I also occasionally see calls to, but Unleashed is set to use

RUCKUS Team Member

Hi @defect 

For the NTP, both the URLs are actually the same, resolving to the same IP address.

For the, The URL <> is the Apple CNA (Captive Network Assistance) URL. It is different for Android and Windows client devices.
When an Apple device connects to any captive portal enabled SSID, it auto pops up the browser and tries to access <> to redirect to the portal's splash page. After successful authentication the client will be redirected to redirect <> as the default start page configuration is "URL that the user intends to visit".

If you need to understand where the actual request is coming from, then you can take the packet from the AP.
From GUI:
1. Go to Admin & Services > Administration > Diagnostics > Packet Capture.
2. For Radio, select 2.4 GHz or 5 GHz.
3. Under Currently Managed APs, select APs from the list and click Add to Capture APs.
4. Select Local Mode or Streaming Mode as the capture mode.
   • To capture a limited snapshot on each AP, select Local Mode.
      a. Click Start to begin capturing packets.
      b. Click Stop to end the capture.
      c. Click Save to save the packet capture to a local file.
   • To stream the captured packets to Wireshark, select Streaming Mode.
      a. Click Start to launch Wireshark.
      b. Select Capture Options. Under Capture: Interface, select Remote. A Remote Interface dialog box is displayed.
      c. Under Host, enter the IP address of the AP you want to view. Leave the Port field empty and click OK.
         The remote host interface list on the right side is updated.
      d. Select wifi0 or wifi1 from the list, depending on whether you are streaming on the 2.4-GHz or 5-GHz radio.
5. Click on Start.
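
Once a capture has been saved, the question raised in this thread (is the AP itself or a Wi-Fi client behind it sending the lookups?) can be answered by tallying DNS queries per source MAC and IP. The following is an added example, not part of the thread and not RUCKUS code. It assumes a classic pcap file with Ethernet framing; the function names, MAC/IP addresses and hostnames are constructed for illustration.

```python
import struct
from collections import Counter

def dns_queries_by_source(pcap: bytes) -> Counter:
    """Count DNS queries per (source MAC, source IP, queried name) in a classic pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    tally, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Keep untagged IPv4 (ethertype 0x0800) carrying UDP (protocol 17) only.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 20 or struct.unpack("!H", udp[2:4])[0] != 53:
            continue  # not sent to a DNS server port
        dns = udp[8:]
        if dns[2] & 0x80 or dns[4:6] == b"\x00\x00":
            continue  # a response, or a message with no question
        labels, i = [], 12
        while i < len(dns) and 0 < dns[i] < 64:  # plain labels; stop at root or pointer
            labels.append(dns[i + 1:i + 1 + dns[i]].decode("ascii", "replace"))
            i += 1 + dns[i]
        src = (frame[6:12].hex(":"), ".".join(map(str, frame[26:30])))
        tally[src + (".".join(labels),)] += 1
    return tally

def sample_record(mac: str, ip: str, name: str) -> bytes:
    """Constructed pcap record: one DNS A query from mac/ip to 192.0.2.53."""
    q = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!2H", 1, 1)
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       bytes(map(int, ip.split("."))), bytes([192, 0, 2, 53])) + udp
    eth = bytes.fromhex("020000000001" + mac.replace(":", "")) + b"\x08\x00" + ipv4
    return struct.pack("<4I", 0, 0, len(eth), len(eth)) + eth

# Constructed sample capture: the AP (MAC ending aa) asks twice, a client (ending c1) once.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + sample_record("02:00:00:00:00:aa", "192.0.2.10", "lookup.example")
          + sample_record("02:00:00:00:00:aa", "192.0.2.10", "lookup.example")
          + sample_record("02:00:00:00:00:c1", "192.0.2.77", "portal-check.example"))

if __name__ == "__main__":
    for (mac, ip, name), n in dns_queries_by_source(SAMPLE).most_common():
        print(f"{n:3d}  {mac}  {ip:15s}  {name}")
```

Comparing the source MAC in the output with the AP's own MAC separates queries the AP generated from queries it merely forwarded for a client.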