R320 started making requests to international endpoint

defect
New Contributor

Hello. I have two Ruckus R320 APs running 200.12.10.105.129. My router (a Firewalla Gold) notified me last night that the master AP started making requests every few minutes to umm1.exands.com:443, supposedly originating from the AP, and the endpoint being in China.

I did a bit of Googling about the endpoint and couldn't determine anything other than Exands seems to be a "network infrastructure operator". Once I blocked the endpoint, I started seeing umm1.exands.com:53 (DNS) requests instead (also being blocked by my router), similarly originating from the WAP.

This has concerned me, as if it could be malware, but I don't know how to investigate. If it were a plain Linux box, maybe I could use something like tcpdump to determine the process making the requests; I can SSH into it, but the Ruckus CLI is limited. Any advice before I wipe and reinstall the APs?

Aside: I notice the master AP is also making constant (seemingly every 2-3 min) attempts to captive.apple.com for a long time. I believe that's a tactic used to determine if a device is on a captive network, but is that a feature of Unleashed?

1 ACCEPTED SOLUTION

sanjay_kumar
RUCKUS Team Member

@defect 
"exands" is a specific customer. Probably the AP was holding the configuration. Probably you need to do a factory default and then load the firmware if you are using second-hand APs.

15 REPLIES

sanjay_kumar
RUCKUS Team Member

Hi @defect 
I believe you are not from exands. Could you please confirm if there is any special configuration done for the AP or with regard to the UMM settings?
Also, is this the first time the router reported this?
Any changes done before this issue triggered?
Please confirm the AP location (Country).

sanjay_kumar
RUCKUS Team Member

@defect 
BTW, you can disable this feature if you are not using the UMM or any special settings. Go to Unleashed WEB GUI -- Admin&Service -- Administration -- NetworkManagement -- Unleashed MultiSite Manager.

defect
New Contributor

@sanjay_kumar Thanks for your response. I see now looking at the MSM settings that it was enabled and set to "https://umm1.exands.com/intune/server". I have disabled it now.

Is this - "exands.com" - specific to a particular client? Can it be "pushed" to the AP? Or would my AP have had this configured the whole time? I never checked this setting before.

> Could you please confirm if there is any special configuration done for the AP or with regards to the UMM settings?

No. I bought both of these APs second-hand and installed the Unleashed firmware fresh. This is for home use, just the two APs.

> Also, is this the first time the router reported this?

This is the first time to my knowledge. I suppose it's possible it happened before, I only have 24 hours of history and it started up suddenly looking at the timeline.

> Any changes done before this issue triggered?

Not that I can think of. I haven't touched the Unleashed configuration in months.

> Please confirm the AP location (Country)

United States.
