[NEBULA] New Setup - 2x NWA1123-ACv2 - Always Offline
Excuse me for probably a stupid question. I had created a Nebula account some months ago, and put the final configuration on hold for various reasons. Today I could continue adding the two APs (2x NWA1123-ACv2) but no matter what, the two APs remain offline in NCC. My Nebula account is "free" after all this time, but I did not find any reference I could not get the two APs registered in NCC at least with basic functionality.
I verified MACs and Serial Numbers of APs to be correct in NCC
NCC communication on the APs is on (and I can actually see an open connection on my firewall from the AP towards d.nebula.zyxel.com TCP port 6667)
Both APs remain offline, they do not register and the APs do not get the configuration from NCC
Am I doing something wrong?
Is this an issue of licensing?
I'm attaching some screenshots of NCC which could help in understanding.
I have been referring to the following link on what I can do with the "free" version. Either I'm misunderstanding or something is wrong with my configuration.
https://support.zyxel.eu/hc/en-us/articles/360000685119-My-Organization-has-been-downgraded-to-Nebula-what-are-the-changes-made-
https://www.zyxel.com/library/assets/solutions/nebula/pdf/nebula-licensing-table.pdf
Many thanks in advance!
Stefan
Accepted Solution
-
Updates on this thread,
So the root cause of this is that the gateway @sborgMT is using, a Kerio Control firewall, has by default IRC inspections on port 6666-6668. Disabling it allowed the device to go online.
It is rather strange: our protocol is not using IRC, though it is on the same port, and the firewall still manages to block it.
If anyone has a Kerio Control, remember to disable it if you are using Nebula devices.
All Replies
-
Hi @sborgMT ,
First of all, the connectivity has nothing to do with anything license-related. The only thing required for it to go online is the network connection.
If your firewall is not blocking the sessions for it to reach the server, you can try to switch the uplink to a different network to test if it is an ISP issue. To start with, you can connect the AP to the uplink in front of your gateway to test whether that is the cause.
Dean
-
Thank you Dean for your message,
The connection is unrestricted, and actually I can see it talking to the nebula site (destination 6667 and 443). I talked to Zyxel this morning on the phone, and they said that I should reset the APs to default config. I did that, and then they saw from the AP interface that the management mode was still "standalone" and that it should be "managed". They referred me to the CLI to change it manually using "hybrid-mode managed" but the CLI is only accepting "hybrid-mode cloud" or "hybrid-mode standalone". If I try "hybrid-mode managed" I get a parse error, and if I "hybrid-mode ?" I only get standalone and cloud as accepted options. I changed it to "cloud" and the interface of the AP changed, all the settings are gone and it's "waiting" for the configuration from NCC. The AP's interface is saying that it is connected to the Internet, but it's not connected to Nebula and that it's not registered with Nebula.
I am 100% certain that the connection is unrestricted, and a PC on the same network as the AP can connect successfully to the same IPs and ports that the AP is opening towards nebula.
What is worrying me is that the CLI PDF for these APs that Zyxel gave me over the phone (attached, section 9.3.1) is not consistent with the commands that the AP is accepting through SSH. The PDF they gave me is for the same firmware version as the version on the AP, and both are the latest firmware so something is very wrong on the APs. And I am now testing with 4x different APs, all the same NWA1123-ACv2. All with the same behavior and all with the same problem when using the CLI.
I will try some more things and then I will have to call in again... Grrr... this is becoming a real head banger!
-
Hi @sborgMT ,
We normally don't use the CLI to interfere with the state of the AP; potentially it might cause unsynced running configs for cloud devices.
Personally I think the issue lies beyond your network and probably has something to do with the ISP. We sometimes have customers' ISPs blocking 6660-6668 ports.
As we have noticed that our channel support asked us about your case, I've checked on the server side and there were no records of an established connection. So I think one thing to try now is to take one device and connect it to a network from a different ISP or a 3G/LTE uplink.
-
Hi,
I'm writing to you because I had the same problem too, and I was able to solve it following the advice of @Nebula_Dean
I opened a ticket with GFI (Aurea SMB Solutions); when I am able to solve the problem definitively without eliminating the protocol inspector for the IRC protocol, I will post the solution here.
Meanwhile you can find the official GFI help to disable the protocol inspector at this link:
-
Actually, it's able to allow TCP port 4335 or 6667 to connect with Nebula, as the firewall information shows, so there should be no problem if your port 6667 is blocked by the ISP because the AP will use port 4335 to connect.
Here's for your reference.
-
Edited on 23/03/2020
Playing with the firewall, I was able to make a rule without having to change the default configurations.
Configure a new rule without protocol inspector on traffic rules to allow switches to properly connect to the Nebula console:
Configuration --> Traffic Rules --> Add
Service configuration:
Configuration --> Services --> Add
---
Edited on 31/01/2020
The solution provided by GFI is not working properly; the only way to make Zyxel Nebula work with switches is to disable the protocol inspector for IRC as indicated above.
---
Hi @sborgMT and @Nebula_Dean,
here is the final solution to solve the problem from GFI Support.
The problem on my part has been found only with the switches and not with the access points, probably the switches use port 6667 and the access points use port 4335.
You must configure a service to allow traffic on port 6667 with the protocol inspector disabled,
as in the following image.
Configuration --> Services --> Add
For the IRC service you can leave the default configuration, as in the following image.