Firewall Ports, VM Requirements, and Troubleshooting
If your network is behind a firewall, you need to open ports to the external services before you install the On-Premise SCM virtual image.
This appendix lists the inbound ports (administrative and application/end user) and outbound ports that you may need to open.
Ports required for operation
Make sure that these ports are open in your firewall for On-Premise SCM to function.
| Port | Service | System |
|------|---------|--------|
| 22   | SSH | VM |
| 443  | HTTPS | SCM |
| 3898 | API | VM |
| 3899 | UI | VM |
| 3900 | NODE API | SCM |
| 3901 | TUNNEL | SCM |
| 3902 | HYDRA | SCM |
| 3903 | PROXY | SCM |
| 3904 | SteelConnect SDI-5030 gateway | SCM |
Inbound ports used by On-Premise SCM
This table lists the inbound administrative ports used by On-Premise SCM.
| Port | Service | Description |
|------|---------|-------------|
| 22   | SSH | VM instance shell access. |
| 53   | DynDNS | Local or remote DNS server. |
| 443  | HTTPS | SCM web application over HTTPS (user access). Port 80 requests are not redirected to the HTTPS port. |
| 2200 | SSH | SCM instance shell access. |
| 3898 | MGMT API | Management API. |
| 3899 | WEB GUI | Web-based management console. This port is required for basic installation and configuration. |
| 3900 | APPS | Appliances. |
| 3901 | NODE | Node port used to connect to the SCM. |
| 3902 | NODE | Node port used to connect to the SCM. |
| 3902 | SSH | SCM instance shell tunneling port used to support access. |
| 3904 | NODE | SDI-5030. |
Outbound ports used by On-Premise SCM
This table lists the outbound ports used during operation of On-Premise SCM.
| Port | Service | URL | Description |
|------|---------|-----|-------------|
| 21, 80, 443 | OS updates | us.archive.ubuntu.com, security.ubuntu.com | OS updates. |
| 53, 443 | AppCtrl/Category server | *.appcs.x.riverbed.cc, *.x.riverbed.cc | Application control. |
| 80 | IP reflector | rfl.ocedo.cc, rfl.x.riverbed.cc | IP reflector. |
| 443 | Core | core.ocedo.cc, core.riverbed.cc | Zero touch provisioning (ZTP) services. |
| 443 | Docker download | quay.io, *.cloudfront.com | SCM provisioning and upgrades. As an alternative to whitelisting *.cloudfront.com, you can whitelist the CloudFront IP address ranges; for the locations and IP address ranges of CloudFront edge servers, go to https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html. |
| 443 | App definitions pattern download | s3.us-east-1.amazonaws.com | The SCM periodically downloads the application definition patterns from this host. |
| 443 | Messaging services | msg-sys.riverbed.cc | 2FA and e-mail notifications. |
| 443 | Google Maps | maps.googleapis.com | Google Maps. |
| 443 | Portal check | portalcheck.ocedo.com | Portal check for Wi-Fi. |
Virtual machine limitations
The IP address of the VM must be outside the 172.17.0.1/16 range, because this is the default address range that Docker assigns to its docker0 bridge. A VM address inside that range collides with the container network that SCM runs on.
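The two pre-installation conditions above (outbound endpoints open through the firewall, VM address outside the docker0 range) are easy to verify from the VM itself. The following script is an added example, not part of the product or this appendix; the endpoint list is taken from the outbound table, the Docker range is the one stated above, and the sample VM address 10.0.0.10 is a constructed value. Wildcard hosts such as *.cloudfront.com and *.x.riverbed.cc cannot be probed as written, so they are omitted from the probe list.

```python
"""Pre-installation checks for an On-Premise SCM VM (added example).

1. The VM address must lie outside Docker's default docker0 range.
2. The outbound endpoints from the firewall table must be reachable on TCP.
"""
import ipaddress
import socket

# The appendix writes the range as 172.17.0.1/16 (the docker0 address);
# strict=False lets ipaddress treat it as the 172.17.0.0/16 network.
DOCKER_DEFAULT_NET = ipaddress.ip_network("172.17.0.1/16", strict=False)

# (host, port) pairs from the outbound table; wildcard entries are omitted
# because a wildcard cannot be connected to directly.
OUTBOUND_ENDPOINTS = [
    ("us.archive.ubuntu.com", 80),        # OS updates
    ("security.ubuntu.com", 443),         # OS updates
    ("rfl.x.riverbed.cc", 80),            # IP reflector
    ("core.riverbed.cc", 443),            # ZTP services
    ("quay.io", 443),                     # Docker image download
    ("s3.us-east-1.amazonaws.com", 443),  # app definition patterns
    ("msg-sys.riverbed.cc", 443),         # 2FA / e-mail notifications
    ("maps.googleapis.com", 443),         # Google Maps
    ("portalcheck.ocedo.com", 443),       # Wi-Fi portal check
]


def vm_ip_conflicts_with_docker(vm_ip: str) -> bool:
    """True if the VM address falls inside the docker0 default range."""
    return ipaddress.ip_address(vm_ip) in DOCKER_DEFAULT_NET


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Try a TCP connect through the firewall; False on DNS failure,
    refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(vm_ip, endpoints=OUTBOUND_ENDPOINTS, probe=tcp_reachable):
    """Return {"docker_range_ok": bool, "unreachable": [(host, port), ...]}.

    `probe` is injectable so the logic can be exercised without network access.
    """
    unreachable = [(h, p) for h, p in endpoints if not probe(h, p)]
    return {
        "docker_range_ok": not vm_ip_conflicts_with_docker(vm_ip),
        "unreachable": unreachable,
    }


if __name__ == "__main__":
    import sys

    # Constructed sample address; pass the real VM address as argv[1].
    vm_ip = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.10"
    result = run_checks(vm_ip)
    print("VM address outside docker0 range:", result["docker_range_ok"])
    for host, port in result["unreachable"]:
        print(f"blocked or unresolved: {host}:{port}")
```

Run it on the VM before provisioning; an entry listed as blocked or unresolved means either a firewall rule or DNS resolution needs attention. A successful TCP connect only proves the port is open, not that the remote service is healthy.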
Virtual machine requirements for On-Premise SCM
Adequate CPU, memory (RAM) space, and disk storage must be reserved in the VM. The VM size depends on the number of organizations, appliances, and tunnels in your network.
This table provides the definitions for small, medium, and large networks.
| SteelConnect components | Small networks | Medium networks | Large networks |
|-------------------------|----------------|-----------------|----------------|
| Number of organizations | Up to 10 | 10 to 50 | 50+ |
| Number of appliances | Up to 20 | 20 to 70 | 70+ |
| Number of tunnels | Up to 190 | 190 to 800 | 800+ |
Review the metrics specified in the table to determine the size of your network. The network size will be the highest size corresponding to any of the three metrics (number of organizations, appliances, and tunnels). For example, if a network contains one organization, 20 appliances, and 380 tunnels, the network is classified as a medium network.
This table describes the required CPU, memory, and flow storage required by network size.
| Network component | Small networks | Medium networks | Large networks |
|-------------------|----------------|-----------------|----------------|
| CPU cores (vCPU @ 2 GHz) | 6 | 12 | 16+ |
| Memory (GB) | 16 | 32 | 64+ |
| Storage for flows (15-day retention, GB) | 20 | 50 | 100+ |
The table specifies minimum system requirements for the On-Premise SCM VM. We recommend you reserve additional system resources for the VM to manage unexpected resource demands in your deployment.
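The sizing rule above (classify each metric, take the highest class, read the minimums from the second table) is short enough to encode, which removes the guesswork at the boundaries. The helper below is an added example, not Riverbed's tool; it assumes "Up to 10" means 10 or fewer and "10 to 50" means 11 through 50, since the ranges in the first table overlap at their boundaries, and it reads the "+" entries as the minimum for a large network.

```python
"""Network sizing helper for On-Premise SCM (added example).

Classifies organizations, appliances and tunnels against the small /
medium / large thresholds, takes the highest class, and reports the
minimum vCPU, memory and flow storage for that class.
Boundary assumption: "Up to N" means <= N; "N to M" means N+1 .. M.
"""
from dataclasses import dataclass

SIZES = ("small", "medium", "large")  # ordered, lowest to highest

# (upper bound of small, upper bound of medium); above medium is large.
THRESHOLDS = {
    "organizations": (10, 50),
    "appliances": (20, 70),
    "tunnels": (190, 800),
}

# Minimum VM resources by network size, from the requirements table.
RESOURCES = {
    "small": {"vcpu": 6, "memory_gb": 16, "flow_storage_gb": 20},
    "medium": {"vcpu": 12, "memory_gb": 32, "flow_storage_gb": 50},
    "large": {"vcpu": 16, "memory_gb": 64, "flow_storage_gb": 100},
}


@dataclass(frozen=True)
class Sizing:
    size: str
    vcpu: int
    memory_gb: int
    flow_storage_gb: int
    driver: str  # the metric that pushed the network into this class


def classify_metric(name: str, value: int) -> str:
    """Return the size class for a single metric value."""
    if value < 0:
        raise ValueError(f"{name} cannot be negative")
    small_max, medium_max = THRESHOLDS[name]
    if value <= small_max:
        return "small"
    if value <= medium_max:
        return "medium"
    return "large"


def size_network(organizations: int, appliances: int, tunnels: int) -> Sizing:
    """Apply the 'highest size across the three metrics' rule."""
    metrics = {
        "organizations": organizations,
        "appliances": appliances,
        "tunnels": tunnels,
    }
    classes = {m: classify_metric(m, v) for m, v in metrics.items()}
    # The metric with the highest class decides; on a tie the first wins.
    driver = max(classes, key=lambda m: SIZES.index(classes[m]))
    size = classes[driver]
    r = RESOURCES[size]
    return Sizing(size, r["vcpu"], r["memory_gb"], r["flow_storage_gb"], driver)


if __name__ == "__main__":
    # The appendix's own example: 1 organization, 20 appliances, 380 tunnels.
    s = size_network(1, 20, 380)
    print(f"{s.size} network (driven by {s.driver}): "
          f"{s.vcpu} vCPU, {s.memory_gb} GB RAM, {s.flow_storage_gb} GB flow storage")
```

The reported figures are the table's minimums; as the paragraph above says, reserve headroom beyond them for unexpected demand.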
Known issues with SCM 2.13
This section describes the known issues with On-Premise SCM.
Gateway fails to send statistics when connected to unregistered modem
A gateway can fail to send statistics when connected to an unregistered modem. For details, go to Knowledge Base article S32132.
On-Premise SCM is not compatible with LTE uplinks and tethering
On-Premise SCM is not compatible with LTE uplinks and tethering, because the LTE or mobile service providers give direct internet access to the appliances. An appliance might not be able to reach an On-Premise SCM through the internet for these reasons:
- The public DNS server is unable to resolve the hostname of the On-Premise SCM hosted within a private network.
- The On-Premise SCM is assigned a private IP address that is not accessible through the internet.
For details, go to Knowledge Base article S32853.
Troubleshooting On-Premise SCM issues
This section describes how to troubleshoot the specified On-Premise SCM issues.
Static IP address overwritten by DHCP address
A static IP address can be overwritten by a DHCP address when the static IP address lease expires. This is because the DHCP client is not stopped after the static IP address is set. To fix this issue, reboot the virtual machine after you set a static IP address.
System does not update
If the SCM does not update, check for internet connectivity issues. The current update process includes an Ubuntu system upgrade with security patches and also requires a connection to the ZTP services; both of these need internet access.
On-Premise SCM versions do not currently require mandatory updates; you can choose when to update the SCM.
SteelConnect versions later than 2.13 are not supported.
SCM does not start
If your SCM does not start after being provisioned, check the following:
- Make sure that the FQDN matches in all of these places:
  - The certificate generated by the Certificate Authority or OpenSSL
  - The name of the SCM
  - The DNS A record
- Make sure that DHCP is activated across all sites in your network where SCM and SteelConnect appliances are deployed. DHCP provides the IP address to SCM and the SteelConnect appliances at system startup.
- Make sure that DHCP is supplying a DNS value that can resolve public IP addresses and is able to connect to the ZTP services.
- If you use Dynamic DNS (DynDNS), make sure that a firewall does not block this service; if it is blocked, On-Premise SCM can't start. The system logs indicate the problem.
- Make sure the IP address of the VM is outside the 172.17.0.1/16 range. See Virtual machine limitations.
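The first item, the FQDN agreeing across the certificate, the SCM name and the DNS A record, is where most start-up failures of this kind are found, and the comparison has a few traps (case, a trailing dot, a wildcard certificate name). The checker below is an added example and not part of the product; it takes the certificate's CN and SAN names as a list (obtained, for instance, from `openssl x509 -noout -subject -ext subjectAltName`), applies the usual single-label wildcard rule, and confirms that the A record resolves to the VM's address. The resolver is injectable so the logic can be exercised offline; the hostnames and 10.0.0.10 used in the demo are constructed samples.

```python
"""FQDN consistency check for an SCM that fails to start (added example).

Confirms the same FQDN is used by the certificate, the SCM name and the
DNS A record, and that the A record points at the VM.
"""
import socket


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot: 'SCM.Example.com.' -> 'scm.example.com'."""
    return name.strip().rstrip(".").lower()


def cert_name_matches(cert_name: str, fqdn: str) -> bool:
    """Match a certificate CN/SAN against the FQDN.

    A wildcard such as '*.example.com' covers exactly one label
    (scm.example.com), not the bare domain and not a.b.example.com.
    """
    cert_name, fqdn = normalize(cert_name), normalize(fqdn)
    if cert_name == fqdn:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # ".example.com"
        host_labels = fqdn[: -len(suffix)] if fqdn.endswith(suffix) else ""
        return bool(host_labels) and "." not in host_labels
    return False


def default_resolver(fqdn: str) -> list:
    """Return the A records for fqdn using the system resolver ([] on failure)."""
    try:
        return socket.gethostbyname_ex(fqdn)[2]
    except OSError:
        return []


def check_fqdn(scm_name: str, cert_names: list, vm_ip: str, resolver=default_resolver) -> dict:
    """Return findings; every boolean True means the FQDN is consistent."""
    fqdn = normalize(scm_name)
    a_records = resolver(fqdn)
    return {
        "fqdn": fqdn,
        "cert_covers_fqdn": any(cert_name_matches(n, fqdn) for n in cert_names),
        "a_record_exists": bool(a_records),
        "a_record_points_to_vm": vm_ip in a_records,
    }


if __name__ == "__main__":
    # Constructed sample: replace with the real SCM name, certificate names and VM address.
    findings = check_fqdn("SCM.example.com", ["scm.example.com", "*.example.com"], "10.0.0.10")
    for key, value in findings.items():
        print(f"{key}: {value}")
```

A False for `cert_covers_fqdn` means the certificate must be reissued for the name the SCM actually uses; a False for `a_record_points_to_vm` with `a_record_exists` True usually means a stale record left behind when the VM's address changed (see the DHCP note above).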