Hello. I have two Ruckus R320 APs running 22.214.171.124.129. My router (a Firewalla Gold) notified me last night that the master AP started making requests every few minutes to umm1.exands.com:443, supposedly originating from the AP, and the endpoint being in China.
I did a bit of Googling about the endpoint and couldn't determine anything other than Exands seems to be a "network infrastructure operator". Once I blocked the endpoint, I started seeing umm1.exands.com:53 (DNS) requests instead (also being blocked by my router), similarly originating from the WAP.
This has concerned me, as if it could be malware, but I don't know how to investigate. If it were a plain linux box, maybe I could use something like tcpdump to determine the process making the requests; I can SSH into it, but the Ruckus CLI is limited. Any advice before I wipe and reinstall the APs?
Aside: I notice the master AP is also making constant (seemingly every 2-3min) attempts to captive.apple.com for a long time. I believe that's a tactic used to determine if a device is on a captive network, but is that a feature of Unleashed?
Solved! Go to Solution.
I appreciate the detail, but I'm still confused; I do understand that captive.apple.com is how a device can check to see if it's behind a captive portal. I'm not running a captive portal, and more importantly: my router doesn't report _all_ traffic that happens to be traversing the access point (like web requests from my devices on wifi). It's reporting that connections to "captive.apple.com" are _originating_ from the AP. In other words, it's not that some android or ios device is checking that URL, at least if I'm interpreting this correctly.
What am I looking for in the dump in Wireshark to discern the source? I've looked at TCP and HTTP traffic before, but I haven't been able to find anything that would help me identify this CNA traffic.
Even if the AP is not bradcasting a Captive portal enabled SSID, the apple client by default it will send a query to preconfigured URL captive.apple.com whenever it connects to the SSID.
Since the Firewall is pointing that the source is AP, we can take the capture on the AP to see the real source.
You can follow the steps mentioned to take the capture, or you can open a support case so that the TAC team can help you on this.
I understand that the CNA URL will be accessed. And it would make sense if my router was reporting that my mobile devices were accessing it, but the source of the connections are the master AP's MAC address. That's what is confusing me.
I did perform a capture per your instructions but I'm having trouble interpreting. I'll see if I can get help via support ticket, thanks for your time.