AP121 behind Watchguard firewall with HiveManager Online

  • Question
  • Updated 5 years ago
  • Answered
Hi all,
I have an AP121 behind a Watchguard Firewall which should connect with HiveManager online. I opened outgoing UDP 12222 as described in some manuals.
The AP has issues connecting to the CAPWAP.
Does anyone know of specific incoming ports I should open (which I don't like to do)?
Jan Willems


Posted 6 years ago


Tash Hepting

Something else is happening - all connections are initiated from the AP, so you do not need to open any inbound ports through your firewall. The release notes describe the process, and if the troubleshooting steps in there don't help, you should call in to support.

Release Notes:

Deven Ducommun, Beta Program Manager

Also, I am not familiar with WatchGuard firewalls, but you want to make sure it is not altering the source port for the CAPWAP connection, because this will cause a break in the CAPWAP connection. We have seen other firewall companies not use Persistent NAT and have issues with CAPWAP through them.

Also, if you can, SSH into the AP and do a:

capwap ping "hostname of hivemanager server"

to make sure we are not having either a DNS problem or something else is blocking the CAPWAP traffic.

Jan Willems

This morning, with only the outgoing port 12222 opened (as far as the Aerohive setup is concerned), the AP connected to the online manager just fine. As soon as I started with updates, the AP was no longer able to connect to the online manager; however, it provided network access just fine.
Using the Watchguard traffic monitor, I noticed extensive DNS requests from the AP to the internet. When logging on to the AP directly, I noticed the DNS server is set by default to which explains the external DNS requests.
I changed the default DNS setting for all APs to our own internal DNS server and now connections to the online HiveManager are persistent.

I also had to open the outgoing SSH port to allow an update of the AP.
During an update I would notice outgoing SSH requests. If not allowed, the update would "Abort". Once allowed, the update was a success.
Is this also a known issue?

Brian Ambler

Hello Jan,

It would be expected that if only UDP 12222 were allowed outbound through the firewall, the AP would be able to form a CAPWAP client but would be unable to reach the HiveManager to successfully push configuration updates. By default, a HiveAP will use UDP 12222 to establish CAPWAP and TCP 22 to form a secure connection to the HiveManager to push complete configuration updates. The HiveAP can fail over to use TCP 80 for CAPWAP and TCP 443 for configuration updates, but if a successful CAPWAP connection is formed over UDP 12222 the AP will continue to look to open an SCP connection over TCP 22. I have excerpted the following from our Help documentation for more detail; should you need more information on this subject I would recommend calling our ATAC team at (866) 365-9918 and someone on our Support team will be able to assist you further.

Services and Firewall Policies (from Help System):

It is likely that the policy set on most firewalls already permits outbound traffic on TCP port 80 for HTTP, but it is less likely that they permit outbound traffic on UDP port 12222 for CAPWAP. To avoid having to reconfigure the firewall, you can configure devices behind the firewall to communicate with HiveManager Online using HTTP on TCP port 80 instead of CAPWAP UDP port 12222. Furthermore, if outbound traffic must pass through an HTTP proxy server, you can configure devices to send CAPWAP over HTTP to the proxy server. Note that HiveManager Online uses HTTP only for monitoring devices and pushing delta config updates. When downloading files such as HiveOS image files, full configurations, captive web portal pages, and certificates from HiveManager Online to devices, devices use HTTPS. (With a physical HiveManager appliance, the devices use SSH for these file downloads.) In addition, for uploading packet captures to either HiveManager or HiveManager Online, devices use HTTPS. Therefore, if there is a firewall in front of the devices, it must allow the following types of outbound services:

To HiveManager: CAPWAP (UDP port 12222), SSH (TCP 22), and HTTPS (TCP 443)

To HiveManager Online: CAPWAP (UDP 12222), SSH (TCP 22), and HTTPS (TCP 443); or

HTTP (TCP 80) and HTTPS (TCP 443)
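
The outbound services listed in the last reply, turned into a small egress-policy audit that shows why a policy allowing only UDP 12222 lets CAPWAP come up while updates fail. This is an added example, not part of the original thread and not Aerohive or WatchGuard tooling; the rule tuple format, the profile names and the sample rule sets are constructed for illustration.

```python
# Outbound service sets for HiveManager Online, from the Help excerpt above.
PROFILES = {
    "capwap-udp": {("udp", 12222), ("tcp", 22), ("tcp", 443)},
    "capwap-http": {("tcp", 80), ("tcp", 443)},
}
ROLE = {  # what each service carries, per the replies in the thread
    ("udp", 12222): "CAPWAP",
    ("tcp", 80): "CAPWAP over HTTP",
    ("tcp", 22): "SSH/SCP for configuration updates",
    ("tcp", 443): "HTTPS file downloads and packet-capture uploads",
}

def allowed(rules, proto, port):
    """First-match evaluation; traffic that matches no rule is denied."""
    for action, r_proto, lo, hi in rules:
        if r_proto in (proto, "any") and lo <= port <= hi:
            return action == "allow"
    return False

def audit(rules):
    """Return {profile: sorted [(proto, port, role)] still blocked outbound}."""
    return {
        name: sorted((p, n, ROLE[(p, n)]) for p, n in services
                     if not allowed(rules, p, n))
        for name, services in PROFILES.items()
    }

def usable_profiles(rules):
    """Profiles whose every required service is allowed out."""
    return sorted(name for name, missing in audit(rules).items() if not missing)

# Constructed rule sets (hypothetical format, not WatchGuard policy syntax):
# (action, protocol, first_port, last_port)
ONLY_CAPWAP = [("allow", "udp", 12222, 12222)]
FULL_CAPWAP = ONLY_CAPWAP + [("allow", "tcp", 22, 22), ("allow", "tcp", 443, 443)]
WEB_ONLY = [("deny", "tcp", 22, 22), ("allow", "tcp", 80, 443)]

if __name__ == "__main__":
    for label, rules in [("only UDP 12222", ONLY_CAPWAP),
                         ("UDP 12222 + SSH + HTTPS", FULL_CAPWAP),
                         ("web ports only", WEB_ONLY)]:
        print(label, "->", usable_profiles(rules) or "no complete profile")
        for name, missing in audit(rules).items():
            for proto, port, role in missing:
                print(f"  {name}: blocked {proto}/{port} ({role})")
```

The audit covers only the ports named in the thread; DNS resolution of the HiveManager hostname and source-port rewriting by NAT, both raised in earlier replies, have to be checked separately.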