Firewall Ports, VM Requirements, and Troubleshooting
If your network is behind a firewall, you need to open ports to the external services before you install the On-Premise SCM virtual image.
This appendix lists the inbound ports (administrative and application/end user) and outbound ports that you may need to open.
Ports required for operation
Make sure that these ports are open in your firewall for On-Premise SCM to function.
Port | Service | System |
22 | SSH | VM |
443 | HTTPS | SCM |
3898 | API | VM |
3899 | UI | VM |
3900 | NODE API | SCM |
3901 | TUNNEL | SCM |
3902 | HYDRA | SCM |
3903 | PROXY | SCM |
3904 | SteelConnect SDI-5030 gateway | SCM |
Inbound ports used by On-Premise SCM
This table lists the inbound administrative ports used by On-Premise SCM.
Port | Service | Description |
22 | SSH | VM instance shell access. |
53 | DynDNS | Local or remote DNS server. |
443 | HTTPS | SCM web application over HTTPS access (user access). Port 80 requests are not redirected to the HTTPS port. |
2200 | SSH | SCM instance shell access. |
3898 | MGMT API | Management API. |
3899 | WEB GUI | Web-based management console. This port is required for basic installation and configuration. |
3900 | APPS | Appliances. |
3901 | NODE | Port node used to connect to the SCM. |
3902 | NODE | Port node used to connect to the SCM. |
3902 | SSH | SCM instance shell tunneling port used to support access. |
3904 | NODE | SDI-5030. |
Outbound ports used by On-Premise SCM
This table lists the outbound ports used during operation of On-Premise SCM.
Port | Service | URL | Description |
21, 80, 443 | OS updates | us.archive.ubuntu.com/security.ubuntu.com | OS updates |
53, 443 | AppCtrl/Category server | *.appcs.x.riverbed.cc *.x.riverbed.cc | Application control |
80 | IP reflector | rfl.ocedo.cc rfl.x.riverbed.cc | IP reflector |
443 | Core | core.ocedo.cc core.riverbed.cc | Used for zero touch provisioning (ZTP) services. |
443 | Docker download | quay.io *.cloudfront.com | Used for SCM provisioning and upgrades. As an alternative to whitelisting *.cloudfront.com, you can whitelist the CloudFront IP address range. For the locations and IP address ranges of CloudFront edge servers, go to https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html. |
443 | App definitions pattern download | s3.us-east-1.amazonaws.com | The SCM periodically downloads the application definition patterns from this host. |
443 | Messaging services | msg-sys.riverbed.cc | 2FA and e-mail notifications |
443 | Google Maps | maps.googleapis.com | Google Maps |
443 | Portal check | portalcheck.ocedo.com | Portal check for Wi-Fi |
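Before the VM goes live it is worth confirming that the endpoints in the outbound table are actually reachable from the SCM host. The following Python script is an added example, not code from Riverbed's documentation or product: it probes the hosts listed above with a plain TCP connect and reports DNS failures (which point at port 53 egress or the DNS server handed out by DHCP) separately from blocked TCP ports. It assumes the hostnames resolve from the SCM host and leaves out the wildcard rows, which cannot be probed without a concrete hostname.

```python
"""Outbound preflight: can this host reach the services in the outbound table?"""
import socket

# Endpoints taken from the outbound table above. Wildcard entries
# (*.appcs.x.riverbed.cc, *.x.riverbed.cc, *.cloudfront.com) cannot be
# probed without a concrete hostname, so they are omitted here.
OUTBOUND_ENDPOINTS = [
    ("us.archive.ubuntu.com", 80, "OS updates"),
    ("security.ubuntu.com", 443, "OS updates"),
    ("rfl.ocedo.cc", 80, "IP reflector"),
    ("rfl.x.riverbed.cc", 80, "IP reflector"),
    ("core.ocedo.cc", 443, "ZTP services"),
    ("core.riverbed.cc", 443, "ZTP services"),
    ("quay.io", 443, "Docker download"),
    ("s3.us-east-1.amazonaws.com", 443, "App definition patterns"),
    ("msg-sys.riverbed.cc", 443, "2FA and e-mail notifications"),
    ("maps.googleapis.com", 443, "Google Maps"),
    ("portalcheck.ocedo.com", 443, "Portal check"),
]


def tcp_reachable(host, port, timeout=3.0):
    """Attempt a TCP handshake and return (ok, reason)."""
    # DNS failures are reported apart from TCP failures because the fixes
    # differ: DNS needs port 53 egress (or a working resolver from DHCP),
    # a TCP failure points at an egress rule for that specific port.
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:          # name resolution failed
        return False, f"dns: {exc}"
    except (socket.timeout, OSError) as exc:  # filtered, dropped or refused
        return False, f"tcp: {exc}"


def run_preflight(endpoints=OUTBOUND_ENDPOINTS, timeout=3.0):
    """Probe every endpoint; return failures as (host, port, service, reason)."""
    failures = []
    for host, port, service in endpoints:
        ok, reason = tcp_reachable(host, port, timeout)
        if not ok:
            failures.append((host, port, service, reason))
    return failures


if __name__ == "__main__":
    for host, port, service, reason in run_preflight():
        print(f"BLOCKED {host}:{port} ({service}): {reason}")
```

Run it on the SCM host itself (or a host in the same segment with the same egress rules); an empty failure list means every listed endpoint completed a TCP handshake.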
Virtual machine limitations
The IP address of the VM must be outside the 172.17.0.1/16 range because this range is the default address range used by the Docker bridge (docker0).
Virtual machine requirements for On-Premise SCM
Adequate CPU, memory (RAM) space, and disk storage must be reserved in the VM. The VM size depends on the number of organizations, appliances, and tunnels in your network.
This table provides the definitions for small, medium, and large networks.
SteelConnect components | Small networks | Medium networks | Large networks |
Number of organizations | Up to 10 | 10 to 50 | 50+ |
Number of appliances | Up to 20 | 20 to 70 | 70+ |
Number of tunnels | Up to 190 | 190 to 800 | 800+ |
Review the metrics specified in the table to determine the size of your network. The network size will be the highest size corresponding to any of the three metrics (number of organizations, appliances, and tunnels). For example, if a network contains one organization, 20 appliances, and 380 tunnels, the network is classified as a medium network.
This table describes the required CPU, memory, and flow storage required by network size.
Network component | Small networks | Medium networks | Large networks |
CPU cores (vCPU @ 2 GHz) | 6 | 12 | 16+ |
Memory (in GB) | 16 | 32 | 64+ |
Flow storage, 15-day retention (in GB) | 20 | 50 | 100+ |
The table specifies the minimum system requirements for the On-Premise SCM VM. We recommend that you reserve additional system resources for the VM so that it can absorb unexpected resource demands in your deployment.
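The sizing rule and the Docker address limitation can both be checked before the VM is built. The following Python module is an added example, not part of the product or its documentation: it encodes the two sizing tables above and the highest-of-three-metrics rule, and flags a VM address that falls inside Docker's default range from the Virtual machine limitations section. How a value that sits exactly on a shared boundary (10, 20, 50, 70, 190, 800) is classified is an assumption, since the table does not say which size it belongs to.

```python
"""Sizing preflight for the On-Premise SCM VM, built from the two tables above."""
import ipaddress

SIZES = ("small", "medium", "large")

# Upper bounds per metric from the network-size table: (small_max, medium_max).
# Assumed boundaries: "Up to N" is inclusive, "N to M" is above N up to M, "M+" is above M.
THRESHOLDS = {"organizations": (10, 50), "appliances": (20, 70), "tunnels": (190, 800)}

# Minimums from the requirements table: vCPU, memory GB, 15-day flow storage GB.
MINIMUMS = {
    "small": {"vcpu": 6, "memory_gb": 16, "flow_storage_gb": 20},
    "medium": {"vcpu": 12, "memory_gb": 32, "flow_storage_gb": 50},
    "large": {"vcpu": 16, "memory_gb": 64, "flow_storage_gb": 100},
}

# Docker's default docker0 range as written on the page; strict=False masks the host bits.
DOCKER_DEFAULT_RANGE = ipaddress.ip_network("172.17.0.1/16", strict=False)


def size_for_metric(metric, count):
    """Classify a single metric (organizations, appliances or tunnels)."""
    small_max, medium_max = THRESHOLDS[metric]
    if count <= small_max:
        return "small"
    return "medium" if count <= medium_max else "large"


def classify_network(organizations, appliances, tunnels):
    """Page rule: the network size is the largest size reached by any one metric."""
    counts = {"organizations": organizations, "appliances": appliances, "tunnels": tunnels}
    per_metric = {m: size_for_metric(m, n) for m, n in counts.items()}
    return max(per_metric.values(), key=SIZES.index), per_metric


def minimum_vm(size):
    """Minimum vCPU, memory and flow storage for a size; reserve headroom on top."""
    return dict(MINIMUMS[size])


def vm_address_ok(ip):
    """False when the VM address falls inside Docker's default docker0 range."""
    return ipaddress.ip_address(ip) not in DOCKER_DEFAULT_RANGE


if __name__ == "__main__":
    size, detail = classify_network(1, 20, 380)  # the page's worked example -> medium
    print(size, detail, minimum_vm(size), vm_address_ok("172.17.0.5"))
```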
Known issues with SCM 2.13
This section describes the known issues with On-Premise SCM.
Gateway fails to send statistics when connected to unregistered modem
A gateway can fail to send statistics when connected to an unregistered modem. For details, go to Knowledge Base article S32132.
On-Premise SCM is not compatible with LTE uplinks and tethering
On-Premise SCM is not compatible with LTE uplinks and tethering because the LTE or mobile service providers give direct internet access to the appliances. An appliance might not be able to reach an On-Premise SCM through the internet because of these reasons:
• The public DNS server is unable to resolve the hostname of the On-Premise SCM hosted within a private network.
• The On-Premise SCM is assigned a private IP address that is not accessible through the internet.
For details, go to Knowledge Base article S32853.
Troubleshooting On-Premise SCM issues
This section describes how to troubleshoot the specified On-Premise SCM issues.
Static IP address overwritten by DHCP address
A static IP address can be overwritten by a DHCP address when the static IP address lease expires. This is because the DHCP client is not stopped after the static IP address is set. To fix this issue, reboot the virtual machine after you set a static IP address.
System does not update
If the SCM does not update, check for internet connectivity issues. The current update process includes an Ubuntu system upgrade and security patches and also needs a connection to the ZTP services; both require internet access.
On-Premise SCM versions do not currently require mandatory updates; you can choose when to update the SCM.
SteelConnect versions later than 2.13 are not supported.
SCM does not start
If your SCM does not start after being provisioned, check the following issues:
• Make sure that the FQDN matches in the following places:
– The certificate generated by the Certificate Authority or OpenSSL
– The name of the SCM
– The DNS A record
• Make sure that DHCP is activated across all sites in your network where SCM and SteelConnect appliances are deployed. DHCP provides the IP address to SCM and the SteelConnect appliances at system startup.
• Make sure that DHCP supplies a DNS server that can resolve public names, so that SCM is able to connect to the ZTP services.
• If you use Dynamic DNS (DynDNS), make sure that a firewall does not block this service; otherwise On-Premise SCM can't start. The system logs indicate the problem.