Cloud AP - Third-party switch device - Third-party router - Public network:
The cloud AP cannot be managed by Cloudnet. The cloud AP has been correctly configured, and the DNS server set on the cloud AP correctly resolves the address of the international cloud, which can be pinged. Note: Overseas ACs and APs cannot directly ping the domain name of the public cloud (ping is prohibited), but are allowed to ping the IP address of the public cloud. On-site feedback indicates that there is no firewall or other device blocking the Cloudnet address or port 19443/443 between the cloud AP and the public network.
1. On the AC, use the command "display dns host" to check whether the cloud AP has correctly resolved the IP address of the international cloud and has the relevant records.
2. Use "display cloud-management state" and "dis sys int cloud-management state" to check the status of the AP and cloud connection.
display system internal cloud-management state
Device module name : PROBE
Cloud module name : probeclient
Connection state : Disconnected
Module URL : N/A
Connected at : N/A
Duration : 00d 00h 00m 00s
Process state : N/A
Failure reason : N/A
Last down reason : N/A
Last down at : N/A
Last report failure reason : N/A
Last report failure at : N/A
Dropped packets after reaching buffer limit : 0
Total dropped packets : 0
Last report incomplete reason : N/A
Last report incomplete at : N/A
Buffer full count : 0
3. Debug cloud-management all to view the process of establishing the cloud tunnel between the cloud AP and Cloudnet.
<FLEC-KYUSYUGB-AP14>*Jan 11 18:11:22:208 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: Successfully sent an asynchronous query request to DNS, domain name is cloudnet.h3c.com.
*Jan 11 18:11:22:243 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: DNS parsed domain name successfully in Idle state: IP address=52.163.242.100.
*Jan 11 18:11:22:244 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: CM tunnel state changed from Idle to Connecting.
*Jan 11 18:11:22:341 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: TCP connected.
*Jan 11 18:11:22:342 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: Initialized SSL.
*Jan 11 18:11:22:342 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: SSL connection result: 2.
*Jan 11 18:11:22:342 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: SSL connection: error:00000000:lib(0):func(0):reason(0).
*Jan 11 18:11:22:343 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: SSL connection (read) was not completed.
*Jan 11 18:11:22:343 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: SSL state changed from Init to Connecting.
*Jan 11 18:11:22:343 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/TIMER: Created ssl reconnect timer 0, which will expire in 30 seconds.
*Jan 11 18:11:22:361 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/ERROR: Socket connection error: error code=104, error message=Connection reset by peer.
*Jan 11 18:11:22:361 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: TCP connection closed because TCP callback process failed.
*Jan 11 18:11:22:363 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/TIMER: Deleted ssl reconnect timer 0.
*Jan 11 18:11:22:364 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/TIMER: Deleted request Get Version info timer test.
*Jan 11 18:11:22:364 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/TIMER: Created global connection timer 0, which will expire in 10 seconds.
*Jan 11 18:11:32:408 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: Successfully sent an asynchronous query request to DNS, domain name is cloudnet.h3c.com.
*Jan 11 18:11:32:432 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: DNS parsed domain name successfully in Idle state: IP address=52.163.242.100.
*Jan 11 18:11:32:433 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: CM tunnel state changed from Idle to Connecting.
*Jan 11 18:11:32:530 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: TCP connected.
*Jan 11 18:11:32:531 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: Initialized SSL.
*Jan 11 18:11:32:532 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: SSL connection result: 2.
*Jan 11 18:11:32:532 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: SSL connection: error:00000000:lib(0):func(0):reason(0).
*Jan 11 18:11:32:532 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: SSL connection (read) was not completed.
*Jan 11 18:11:32:532 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/EVENT: SSL state changed from Init to Connecting.
*Jan 11 18:11:32:532 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/TIMER: Created ssl reconnect timer 0, which will expire in 30 seconds.
*Jan 11 18:11:32:552 2024 FLEC-KYUSYUGB-AP14 CMTNLMGR/7/ERROR: Socket connection error: error code=104, error message=Connection reset by peer.
After debugging, it was found that the AP attempted to establish a TCP connection with the cloud, but the connection was ultimately reset by the peer (connection reset by peer). It is suspected that the server on the cloud side reset the connection.
4. Immediately contact Cloudnet for assistance in troubleshooting. By querying the AP's SN, the Cloudnet team found that there was no request from the device to establish a connection with Yunjian. At the same time, while the AP was attempting to establish a cloud tunnel with Yunjian, "dis tcp" was used on the AP to check whether a TCP session had been established. No TCP connection between the AP and Yunjian was found. The AP's debug output showed that the AP did send the request and that the peer device reset it, yet the Yunjian server did not receive the AP's TCP packet. So, who is this peer device?
5. After the AP was changed from port 19443 to port 443, the AP initiated a request to establish a cloud tunnel. This time, the cloud side detected a TCP establishment request from the AP reaching the international cloud server, but received no subsequent TCP traffic. Inspecting the AP showed that there was a brief TCP connection to the cloud server on port 443, but it was not sustained. This indicates that an intermediate device or overseas operator may have blocked port 443 or 19443. After the switch to port 443, the first session between the AP and the server was not intercepted, but once the session had been observed, it was intercepted by an intermediate device.
6. Let the cloud AP bypass the on-site devices and connect directly to the public network. The cloud tunnel with the cloud server was then established successfully, which indicates that an intermediate device is intercepting the conversation between the cloud AP and the cloud server on ports 19443 and 443, causing the cloud tunnel to fail to establish.
Check and unblock ports 443 and 19443 on the intermediate devices.
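The log reading done by hand in steps 3 to 5 can be scripted. The following is an added example, not part of the original case or an H3C tool: it groups CMTNLMGR debug lines into connection attempts and reports those that were reset after SSL was initialized. The sample log is constructed, the hostname AP-EXAMPLE and the address 192.0.2.10 are placeholders, the function names are hypothetical, and comparing the reset delay with the TCP connect time is a heuristic assumed here, not a rule from the case.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the CMTNLMGR debug format above; hostname and IP are placeholders.
SAMPLE = """\
*Jan 11 18:11:22:243 2024 AP-EXAMPLE CMTNLMGR/7/EVENT: DNS parsed domain name successfully in Idle state: IP address=192.0.2.10.
*Jan 11 18:11:22:244 2024 AP-EXAMPLE CMTNLMGR/7/EVENT: CM tunnel state changed from Idle to Connecting.
*Jan 11 18:11:22:341 2024 AP-EXAMPLE CMTNLMGR/7/EVENT: TCP connected.
*Jan 11 18:11:22:342 2024 AP-EXAMPLE CMTNLMGR/7/EVENT: Initialized SSL.
*Jan 11 18:11:22:361 2024 AP-EXAMPLE CMTNLMGR/7/ERROR: Socket connection error: error code=104, error message=Connection reset by peer.
*Jan 11 18:11:32:432 2024 AP-EXAMPLE CMTNLMGR/7/EVENT: DNS parsed domain name successfully in Idle state: IP address=192.0.2.10.
*Jan 11 18:11:32:433 2024 AP-EXAMPLE CMTNLMGR/7/EVENT: CM tunnel state changed from Idle to Connecting.
*Jan 11 18:11:32:530 2024 AP-EXAMPLE CMTNLMGR/7/EVENT: TCP connected.
*Jan 11 18:11:32:531 2024 AP-EXAMPLE CMTNLMGR/7/EVENT: Initialized SSL.
*Jan 11 18:11:32:552 2024 AP-EXAMPLE CMTNLMGR/7/ERROR: Socket connection error: error code=104, error message=Connection reset by peer.
"""

LINE = re.compile(r"\*(\w{3} +\d+ \d+:\d+:\d+):(\d{3}) (\d{4}) \S+ CMTNLMGR/\d/\w+: (.*)")

def parse(text):
    """Yield (timestamp, message) per debug line; a CLI prompt before '*' is tolerated."""
    for m in LINE.finditer(text):
        yield datetime.strptime(f"{m[3]} {m[1]}.{m[2]}", "%Y %b %d %H:%M:%S.%f"), m[4]

def ms(delta):
    return delta // timedelta(milliseconds=1)

def attempts(text):
    """Group lines into connection attempts and time each stage."""
    out, cur, ip = [], None, None
    for ts, msg in parse(text):
        if "IP address=" in msg:
            ip = msg.split("IP address=")[1].rstrip(".")
        elif "Idle to Connecting" in msg:
            cur = {"ip": ip, "start": ts, "connect_ms": None, "reset_ms": None}
            out.append(cur)
        elif cur and msg.startswith("TCP connected"):
            cur["connect_ms"] = ms(ts - cur["start"])
        elif cur and msg.startswith("Initialized SSL"):
            cur["ssl_at"] = ts
        elif cur and "error code=104" in msg and "ssl_at" in cur:
            cur["reset_ms"] = ms(ts - cur["ssl_at"])
    return out

def handshake_resets(text):
    """Attempts reset after SSL init: (ip, connect_ms, reset_ms, reset_faster_than_connect)."""
    return [(a["ip"], a["connect_ms"], a["reset_ms"], a["reset_ms"] < a["connect_ms"])
            for a in attempts(text) if a["reset_ms"] is not None and a["connect_ms"] is not None]
```

Every attempt being reset at the same stage, and in less time than the TCP connect took, points to the path and not the AP configuration. The cross-check is the one made in step 4: compare against what the server side actually received.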