This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

R320 started making requests to international endpoint

Go to solution
defect
New Contributor

‎03-07-2023 02:15 PM - edited ‎03-07-2023 03:22 PM

Hello. I have two Ruckus R320 APs running 200.12.10.105.129. My router (a Firewalla Gold) notified me last night that the master AP started making requests every few minutes to umm1.exands.com:443, supposedly originating from the AP, and the endpoint being in China.

I did a bit of Googling about the endpoint and couldn't determine anything other than Exands seems to be a "network infrastructure operator". Once I blocked the endpoint, I started seeing umm1.exands.com:53 (DNS) requests instead (also being blocked by my router), similarly originating from the WAP.

This has concerned me, as if it could be malware, but I don't know how to investigate. If it were a plain linux box, maybe I could use something like tcpdump to determine the process making the requests; I can SSH into it, but the Ruckus CLI is limited. Any advice before I wipe and reinstall the APs?

Aside: I notice the master AP is also making constant (seemingly every 2-3min) attempts to captive.apple.com for a long time. I believe that's a tactic used to determine if a device is on a captive network, but is that a feature of Unleashed?

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
sanjay_kumar
RUCKUS Team Member
In response to defect

‎03-07-2023 08:16 PM

@defect 
"exands" is a specific customer. Probably the AP was holding the configuration. Probably you need to do the Factory default and then load the firmware if you are using a second hand APs.

View solution in original post

15 REPLIES 15
Copyright © 2024 Khoros, LLC