Firewall Ports, VM Requirements, and Troubleshooting
If your network is behind a firewall, you need to open ports to the external services before you install the On-Premise SCM virtual image.
This appendix lists the inbound ports (administrative and application/end user) and outbound ports that you may need to open.
Ports required for operation
Make sure that the following ports are open in your firewall for On-Premise SCM to function.
Port | Service | System |
22 | SSH | VM |
443 | HTTPS | SCM |
3898 | API | VM |
3899 | UI | VM |
3900 | NODE API | SCM |
3901 | TUNNEL | SCM |
3902 | HYDRA | SCM |
3903 | PROXY | SCM |
3904 | SteelConnect SDI-5030 gateway | SCM |
Inbound ports used by On-Premise SCM
This table lists the inbound administrative ports used by On-Premise SCM.
Port | Service | Description |
22 | SSH | VM instance shell access |
53 | DynDNS | Local or remote DNS server |
443 | HTTPS | SCM web application over HTTPS access (user access). Port 80 requests are not redirected to the HTTPS port. |
2200 | SSH | SCM instance shell access |
3898 | MGMT API | Management API |
3899 | WEB GUI | Web-based management console. This port is required for basic installation and configuration. |
3900 | APPS | Apps |
3901 | NODE | Port node used to connect to the SCM |
3902 | NODE | Port node used to connect to the SCM |
3902 | SSH | SCM instance shell tunneling port used to support access |
3904 | NODE | SDI-5030 |
Outbound ports used by On-Premise SCM
This table lists the outbound ports used during operation of On-Premise SCM.
Port | Service | URL | Description |
21, 80, 443 | OS updates | us.archive.ubuntu.com, security.ubuntu.com | OS updates |
53, 443 | AppCtrl/Category server | appcs.x.riverbed.cc, x.riverbed.cc | Application control |
80 | IP reflector | rfl.ocedo.com, rfl.x.riverbed.cc | IP reflector |
443 | Core | core.ocedo.cc (ZTP services), core.riverbed.cc, portalcheck.ocedo.com, Quay.io (Docker container services for SCM updates), *.amazonaws.com | Used for zero touch provisioning (ZTP) services, messaging system (if configured), licensing, backing up and restoring, access to the Riverbed support site, data center gateway cluster service (if required), Docker container service, Dynamic DNS (DynDNS) service, AppCtrl/Category server, Portalcheck |
465 | AWS SES SMTP | email-smtp.us-east-1.amazonaws.com | Mail delivery and notifications |
Virtual machine requirements for On-Premise SCM
Adequate CPU and memory (RAM) space must be reserved in the VM. The VM size depends on the number of appliances (nodes) that are in your network. This table provides the definitions for small, medium, and large networks.
Network type | Small networks | Medium networks | Large networks |
Full-mesh | 50 nodes | 100 nodes | 250+ nodes |
Hub-and-spoke | 100 nodes | 200 nodes | 500+ nodes |
This table describes the CPU, memory, and flow storage required by network size.
Network component | Small networks | Medium networks | Large networks |
CPU core (vCPU @ 2‑GHz) | 2 | 4 | 16 |
Memory (in GB) | 8 | 16 | 64 |
Storage for flows (based on 15-day storage) (in GB) | 0.2 | 0.5 | 2 |
Amazon EC2 and Flow storage requirements for On-Premise SCM
Specify an adequate EC2 instance type and storage for network flows. Use these tables to determine the resources you need based on your network size.
Network type | Small networks | Medium networks | Large networks |
Full-mesh | 50 nodes | 100 nodes | 250+ nodes |
Hub-and-spoke | 100 nodes | 200 nodes | 500+ nodes |
This table describes the EC2 instance type and EBS storage required by network size.
Network component | Small networks | Medium networks | Large networks |
EC2 instance type | t2.large | t2.xlarge | m4.4xlarge |
Storage for flows (based on 15-day storage) (in GB) | 0.2 | 0.5 | 2 |
Known issues with SCM 2.10.1
A gateway can fail to send statistics when connected to an unregistered modem. For details, see the Riverbed Knowledge Base article S32132 at
https://supportkb.riverbed.com/support/index?page=content&id=S32132.
Troubleshooting On-Premise SCM issues
Static IP address overwritten by DHCP address
A static IP address can be overwritten by a DHCP address when the static IP address lease expires. This condition is caused by the DHCP client not being terminated after the static IP address is set. To fix this issue, reboot the virtual machine after you set a static IP address.
System does not update
If the SCM does not update, check for internet connectivity issues. The current update process includes an Ubuntu system upgrade and security patches, and it must establish a connection to the ZTP services; both require internet access.
On-Premise SCM versions do not currently require mandatory updates; you can choose when to update the SCM.
SteelConnect versions later than 2.7 are not supported.
SCM does not start
If your SCM does not start after being provisioned, check the following issues:
• Make sure that the FQDN matches in the following places:
  – The certificate generated by the Certificate Authority or OpenSSL
  – The name of the SCM
  – The DNS A Record
• Make sure that DHCP is activated across all sites in your network where SCM and SteelConnect appliances are deployed. DHCP provides the IP address to SCM and the SteelConnect appliances at system startup.
• Make sure that DHCP is supplying a DNS value that can resolve public IP addresses and is able to connect to the ZTP services.
• If you use Dynamic DNS (DynDNS), make sure that a firewall does not block this service; if it is blocked, On-Premise SCM can't start. System logs indicate the problem.
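A pre-flight check for the outbound table and for the connectivity and DNS checks in the troubleshooting steps above, added here as an example (it is not Riverbed code). The host and port list is copied from the outbound table; the function names `probe`, `preflight` and `blocked` are hypothetical, and the `connect` parameter exists only so the logic can be exercised without network access.

```python
import socket

# (service, hosts, ports) copied from the outbound table on this page.
# Skipped: *.amazonaws.com (a wildcard has no single host to probe).
# Probes are TCP only: port 53 traffic that uses UDP is not covered.
OUTBOUND = [
    ("OS updates", ["us.archive.ubuntu.com", "security.ubuntu.com"], [21, 80, 443]),
    ("AppCtrl/Category", ["appcs.x.riverbed.cc", "x.riverbed.cc"], [53, 443]),
    ("IP reflector", ["rfl.ocedo.com", "rfl.x.riverbed.cc"], [80]),
    ("Core", ["core.ocedo.cc", "core.riverbed.cc",
              "portalcheck.ocedo.com", "quay.io"], [443]),
    ("AWS SES SMTP", ["email-smtp.us-east-1.amazonaws.com"], [465]),
]

def probe(host, port, connect=socket.create_connection, timeout=5.0):
    """Classify one outbound TCP attempt so a failure points at a cause."""
    try:
        connect((host, port), timeout=timeout).close()
        return "open"
    except socket.gaierror:
        return "dns-failure"   # the DNS server supplied by DHCP cannot resolve the name
    except (socket.timeout, TimeoutError):
        return "timeout"       # typical of a firewall silently dropping the packet
    except ConnectionRefusedError:
        return "refused"       # reset: a reject rule, or nothing listening on that port
    except OSError:
        return "unreachable"   # no route, interface down, and similar

def preflight(rows=OUTBOUND, connect=socket.create_connection):
    """Return {(service, host, port): status} for every host/port pair."""
    return {(svc, h, p): probe(h, p, connect)
            for svc, hosts, ports in rows for h in hosts for p in ports}

def blocked(results):
    """Group every pair that did not connect by failure status."""
    out = {}
    for (svc, host, port), status in results.items():
        if status != "open":
            out.setdefault(status, []).append(f"{host}:{port} ({svc})")
    return out

if __name__ == "__main__":
    for status, items in sorted(blocked(preflight()).items()):
        print(status)
        for item in items:
            print("   ", item)
```

Run it from a host on the same network segment and with the same DHCP-supplied DNS server as the SCM VM; a `dns-failure` result points at the resolver, while `timeout` points at a firewall rule.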