SCG ↔ Scout Communication Issues – Troubleshooting Guide

book

Article ID: CTX696647

calendar_today

Updated On:

Description

Symptoms

  • eLux devices successfully connect to SCG and receive a VPN IP address
  • Device onboarding fails with errors such as “Unable to connect” or “Server not available”
  • SCG appears reachable, but Scout communication is inconsistent or fails

Root Cause

In most cases, the issue is related to network communication between SCG and Scout, typically caused by:

  • Missing or incorrect routing
  • Firewall or network restrictions
  • Incorrect subnet configuration
  • Port communication issues
  • Token/OU misconfiguration

 

Cause

In most cases, the issue is related to network communication between SCG and Scout, typically caused by:

  • Missing or incorrect routing
  • Firewall or network restrictions
  • Incorrect subnet configuration
  • Port communication issues
  • Token/OU misconfiguration

 

Resolution

 

1. Verify Routing (Scout → SCG VPN Subnet)

Ensure that the Scout server has a valid route to the SCG VPN subnet.

Example:

route add 10.0.1.0 MASK 255.255.255.0 192.168.1.100
  • 10.0.1.0 → VPN subnet
  • 255.255.255.0 → subnet mask
  • 192.168.1.100 → SCG internal NIC IP

2. Check Network Restrictions

Confirm that no network components are blocking the VPN subnet:

  • Firewalls
  • Routers
  • Security policies

The VPN network must be fully reachable across the entire infrastructure.

3. Validate Connectivity

Perform the following connectivity checks:

  • Ping the VPN broadcast address from the Scout server
  • Replace Scout hostname with IP in SCG configuration (test DNS issues)
  • Validate bidirectional communication using telnet:
SCG → Scout (port 22125)
Scout → SCG (port 22125)

Port 22125 must be open and reachable in both directions.

4. Check SCG Installation Type

  • .deb installation:
    Ensure IP forwarding is enabled:

    sysctl -w net.ipv4.ip_forward=1

  • .ova deployment:
    IP forwarding is enabled by default

5. Validate Subnet Mask

In some environments, only a /24 subnet (255.255.255.0) works correctly.

  • If using another subnet (e.g., /22), test with /24

6. Verify VPN Network Design

  • Ensure VPN IP range is:
    • Allowed across the entire network
    • Not overlapping with another subnet
    • Not reused elsewhere in the environment

7. Validate Token and OU Configuration

  • Confirm the token is assigned to the correct OU/IP scope
  • Avoid:
    • Multiple tokens assigned to the same OU
    • Incorrect OU mapping

 

Issue/Introduction

This article provides guidance for troubleshooting communication issues between Scout Cloud Gateway (SCG) and Scout Server, particularly when devices receive a VPN IP address but onboarding fails.

Additional Information

 

Important Note

SCG–Scout communication issues are highly dependent on the customer’s network design.

In the majority of cases, the root cause is related to:

  • Routing misconfiguration
  • Firewall restrictions
  • Incorrect subnet design

Recommendations

  • Always validate network communication first before deeper troubleshooting
  • Use simple configurations (e.g., /24 subnet) during testing
  • Perform bidirectional connectivity tests early in the process

 

Powered by Wolken Software