New Member

Activated, Offline

My network agent is activated but shows offline on the portal. What could be the issue? Firewall?

17 REPLIES
Cisco Employee

Activated, Offline

Here's the list of ports that need to be open (from the inside network hosting the ON100 connecting outwards towards the internet), from the OnPlus documentation:

  • Port 53 UDP (DNS)
  • Port 80 TCP (HTTP)
  • Port 123 UDP (NTP)
  • Port 443 TCP (HTTPS)
  • Port 11300 TCP (OnPlus heartbeat)

For enhanced OnPlus functionality, the following outbound ports will also need to be opened:

  • Port 14931 UDP (WAN Network Performance monitoring via the OnPlus Network Agent)
  • Port 11400 TCP (Remote device connections)

Working DNS and port 11300 TCP are the most critical to the device showing online at the portal.

-mike

New Member

Activated, Offline

Michael

From Subsystem Status everything is a go... would it give me an error if it could not access those ports?

Account Status       OK
PKI Subsystem Status       OK
Settings Monitor       Running
Service Announcement       Running
Zeroconf Management       Running
Discovery       Running
Time Service       Running
Monitoring       Running

New Member

Activated, Offline

Michael

Thanks for your response, port 11300 seems to be blocked.  Is the address 1-dfw.cisco-onplus.com where the agent is trying to get out to, IP address 216.227.195.156?

I believe it would be a good thing to see in the status if the agent is able to get out the required ports.

Thanks!
JP

New Member

Activated, Offline

Hi JP,

The 'Status 2' LED, once the device is activated, indicates the status of the heartbeat. In general, that's your first, best, check on the state of the connection. I can see that it might also be good to present that on the status page too, but as Mike noted, there's not too much there and it gets very little use in practice.

As for the IP address for 1-dfw.cisco-onplus.com, while that might be correct, our service has the ability to reconstitute with a different IP address during extreme service situations (never happened yet, but we're prepared). If you were thinking about doing an ACL to permit 11300 and 216.227.195.156, it might be better to target permitting the ON100 to use port 11300 without destination restriction, just for safety?

Robert

Cisco Employee

Re: Activated, Offline

That's one of several possible addresses that the agent might be trying to connect to. Unfortunately, there isn't a definitive list of IP addresses that need to be permitted traffic towards - the portal IP address to which the agent attempts to connect can change at any time. Instead, you'll need to make sure that the firewall permits connections on port 11300 TCP to the entire internet (0.0.0.0/0), at least for the IP address of the ON100 agent, which you can set to a static IP address if needed via the agent's 'Configuration' page (after logging into the device).

But testing against that address (1-dfw.cisco-onplus.com) should work to at least determine if the network is blocking outbound connections on that port to arbitrary internet hosts.

-mike
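
One way to run the outbound test described above, as an added example that is not part of the original posts or of any Cisco tooling: it probes the TCP ports listed in the thread and separates a silent drop (timeout) from an active reject (RST), which is usually the first thing to establish when reading firewall behaviour. The function names and the 3-second timeout are assumptions; run it from a host that sits behind the same firewall policy as the ON100, since the result reflects the rules applied to the probing host's IP address.

```python
import socket

# Outbound TCP ports listed in the thread for the ON100.
# The UDP ports (53, 123, 14931) are connectionless and need a separate test.
ONPLUS_TCP_PORTS = {
    80: "HTTP",
    443: "HTTPS",
    11300: "OnPlus heartbeat",
    11400: "Remote device connections",
}


def probe_tcp(host, port, timeout=3.0):
    """Classify one outbound TCP connection attempt.

    open        - handshake completed, the path is permitted
    refused     - an RST came back: a host or firewall actively rejected it
    filtered    - no answer before the timeout, typical of a silent drop
    dns-fail    - the name did not resolve (resolver or port 53 problem)
    unreachable - any other OS-level failure, e.g. no route to host
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-fail"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


def probe_all(host, ports=ONPLUS_TCP_PORTS, timeout=3.0):
    """Probe every port in `ports` and return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


if __name__ == "__main__":
    target = "1-dfw.cisco-onplus.com"  # test hostname mentioned in the thread
    for port, state in probe_all(target).items():
        print(f"{target}:{port:<6} {ONPLUS_TCP_PORTS[port]:<26} {state}")
```

A "filtered" result on 11300 together with "open" on 80 and 443 points at an egress rule for that port rather than at DNS or general connectivity.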

Cisco Employee

Re: Activated, Offline

Drats, Robert beat me to it. Now who will JP award the stars to?? 

-mike

New Member

Activated, Offline

Wow!! You guys rock with your information, very detailed!  I'm attempting to open the port, I'll let you guys know my status upon finishing.

JP

New Member

Activated, Offline

I'm having a similar problem: in the portal it shows Activated/offline. But the device itself will not move past the activate screens. Despite going through the activate process a few times, it never brings me to a logon page.

I'm stuck at this point. (Firewall isn't blocking any traffic, SSL certs have been whitelisted)

Bronze

Activated, Offline

Hi William,

I have a few questions for you.

Have you registered at www.cisco-onplus.com? When you say it doesn't bring you to the 'logon' page, which page are you referring to?

Has the device been activated previously? If so, you'll need to do a factory reset. To do this, hold down the reset button on the back panel for more than 10 seconds.

What is the LED status?

When you click 'Activate', what happens? Are you on the LAN with the ON100?

Could you tell us the error message you are seeing? Or take a screenshot?

Thanks,

The OnPlus Team

Cisco Employee

Activated, Offline

Hi William,

Which SSL certs were whitelisted?

Depending on your geographic location, your device may try to talk to one of many servers in the cloud to activate itself. Another option rather than whitelisting specific certificates might be to assign the ON100 a static IP address prior to activation, and configure the firewall to permit *all* 80/443 traffic to and from this IP, in addition to the ports listed above.

-mike

New Member

Activated, Offline

cisco.com and cisco-onplus.com are whitelisted (though I disabled SSL filtering already).

I can't have this device respond on 80/443 as I have RWW running on those ports. However our SonicWall doesn't block outgoing on those ports.

Cisco Employee

Activated, Offline

Ok, I see. Only outbound-initiated connections to 80/443 ports on the internet are needed. Aqib has some additional questions above that might shed light on the problem.

-mike

New Member

Activated, Offline

Phone support helped me out. Firmware update got stuck.

Bronze

Activated, Offline

Glad to hear, thanks for the update!

New Member

Activated, Offline

I have read all the posts pertaining to this issue, and understand the "activation, offline" problem can be related to the following:

1.) Physical disconnection

2.) Setting of the firewall timeout value for TCP port 11300

3.) The physical LAN port connected to

4.) Required port and protocol configurations on the outbound interface

5.) Flapping carrier circuit

6.) RMA ON100

I will test for these on the next business day and post results. Any suggestions before/after testing are much appreciated. Here is what I'm seeing in the devices event view:

2012-07-13 14:53       Warning       OnPlus: Connection status       Site Comms down: 67.90.239.162       64:00:F1:20:F6:EC
2012-07-13 14:50       Warning       OnPlus: Connection status       Site Comms up: 67.90.239.162       64:00:F1:20:F6:EC
2012-07-13 14:50       Critical       Monitor: WAN network performance       WAN Network Performance on host ON100-K9 (10.1.1.128) at 2012-07-13 14:42:26 -0700 - Could not connect to responder       64:00:F1:20:F6:EC
2012-07-13 14:50       Critical       Monitor: DNS service       DNS 2 on host ON100-K9 (10.1.1.128) at 2012-07-13 14:34:55 -0700 - Unable to contact 65.106.7.196 while trying to resolve www.cisco.com       64:00:F1:20:F6:EC
2012-07-13 14:50       Critical       Monitor: DNS service       DNS on host ON100-K9 (10.1.1.128) at 2012-07-13 14:34:18 -0700 - Unable to contact 65.106.1.196 while trying to resolve www.cisco.com       64:00:F1:20:F6:EC
2012-07-13 14:50       Critical       Monitor: DHCP service       DHCP on host ON100-K9 (10.1.1.128) at 2012-07-13 14:33:37 -0700 - No responses to DHCP broadcast       64:00:F1:20:F6:EC
2012-07-13 14:35       Warning       OnPlus: Connection status       Site Comms down: 67.90.239.162       64:00:F1:20:F6:EC
2012-07-13 14:30       Warning       OnPlus: Connection status       Site Comms up: 67.90.239.162       64:00:F1:20:F6:EC
2012-07-13 14:30       Critical       Monitor: DHCP service       DHCP on host ON100-K9 (10.1.1.128) at 2012-07-13 14:28:19 -0700 - No responses to DHCP broadcast       64:00:F1:20:F6:EC
2012-07-13 14:30       Critical       Monitor: WAN network performance       WAN Network Performance on host ON100-K9 (10.1.1.128) at 2012-07-13 14:27:02 -0700 - Could not connect to responder       64:00:F1:20:F6:EC
2012-07-13 14:28       Warning       OnPlus: Connection status       Site Comms down: 67.90.239.162       64:00:F1:20:F6:EC
2012-07-13 14:25       Notice       Discovery: Initial posting of device discovery information       The initial device discovery information has arrived
2012-07-13 14:22       Warning       OnPlus: Connection status       Site Comms up: 67.90.239.162       64:00:F1:20:F6:EC
2012-07-13 14:14       Warning       OnPlus: Connection status       Site Comms down: 67.90.239.162       64:00:F1:20:F6:EC
2012-07-13 14:12       Notice       Discovery: Initial posting of device discovery information       The initial device discovery information has arrived
2012-07-13 14:11       Notice       OnPlus: Connection status       Site Comms up: 67.90.239.162       64:00:F1:20:F6:EC
2012-07-13 14:11       Notice       OnPlus: Connection status       Site Comms down: 67.90.239.162       64:00:F1:20:F6:EC
2012-07-13 14:09       Notice       OnPlus: Connection status       Site Comms up: 67.90.239.162       64:00:F1:20:F6:EC
2012-07-13 14:09       Notice       OnPlus: Connection status       Site Comms down: 67.90.239.162       64:00:F1:20:F6:EC
2012-07-13 14:08       Notice       OnPlus: Connection status       Site Comms up: 67.90.239.162

New Member

Activated, Offline

Hi Joe,

I see this device has run discovery and posted results, and, of course, has posted some events.

So, assuming the site connection is not actually down, these events don't reflect a firewall issue.  The presence of the DNS events means that the ON100 was not able to resolve www.cisco.com via either of the configured DNS servers.  The connection came back up just long enough to report that.  As you are unlikely to be blocking port 53, I'd be inclined to look elsewhere.

That said, the device definitely is having trouble communicating.  This makes me wonder if there might be a bad cable or switch port.  When you can get to the device, I'd definitely check the LAN link/active LEDs.  Also check that the box is not rebooting over and over.  It doesn't look like it is but it has been connected so little that it's hard to say for sure.

Andy

Cisco Employee

Activated, Offline

Hi Joe,

Based on the events that did make it through to the portal, I also suspect cabling or extreme packet-loss problems within the local network. This doesn't appear to be NAT/firewall related or due to the WAN. One hint is that some local network DHCP broadcasts are going unanswered. Try changing the switch port that the ON100 is plugged into. If that fails to resolve the problem, take a look at the network path between the ON100 and the local DHCP server, starting at the switch closest to the ON100. I think you might find a switch port racking up a large number of layer 1/2 errors, or possibly a router along the way running high CPU and dropping packets. With the network ruled out as the source of the problem, this could always be due to a faulty NIC in the ON100 in which case you can get it RMA'd.

-mike
