topic Re: CISCO 9800 wreless controller not getting the http or https access in Wireless

CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

Shrikant Gaikwad — Mon, 05 Jul 2021 18:20:48 GMT

Hello Team,

i am trying to deploy the two C9800-40-K9 controller in the network

1- Before connecting the both controller to the network

i had given one ip adress 10.91.225.80 ip to the Gi0 of WLC1 and connected the cable between SP port and laptop with static ip address 10.91.225.82

2.from laptop i am able to take the https acess of the WLC1 , i upgraded the IOS for WLC1 to the 16.11.01

3.same thing i did for the WLC2 upgraded the IOS and 10.91.225.81

4.during the configuration of WLC1 and WLC2 i used Gi0 as the wireless Managment interface

5. Then we connected the both the WLC1 and WLC2 to the network but during this time i didnt check the connectivity of the WLC from coreswitch

6. Both WLC RP Port is in L2 vlan 498

7.after rackmounting Both WLC by connecting to the SP to the laptop from the browser i configured the HA between two WLC , HA form properly , i did the failover test it was working properly

8. but when i try to connect from the different vlan2 or Vlan 50 from other switch ports i am not able to take the https access of both controller , i am getting ERR_SSL_PROTOCOL_ERROR in the browser

9. can i help me what may go worng ?

10.i have license file but i didnt uploaded them on any WLC?

11. as Gi0 is not pinging from other network i changed Gi0 ip to the interface vlan 50 and wireless mgmt to int vlan 50 but still i am not able to ping the int vlan 50 ip

can somebody help did we are doing something wrong

Now we are not able to ping the int vlan 50 from outside network

we have given another int vlan 2 ip in WLC1 and this ip we are able to ping but when we try to take the browser with the interface vlan 2 of WLC i am getting the ERR_SSL_PROTOCOL_ERROR

attached is the diagram and attached is the error screenshot

Thanks all

Shrikant Gaikwad

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

Mark Elsen — Sun, 24 Nov 2019 10:37:32 GMT

- I can only presume that your Intranet and or inter-vlan networking setup isn't consistent and does not allow full ssl access to the wireless controller. Please check and verify.

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

fburn7931 — Wed, 04 Dec 2019 21:01:55 GMT

I have the same issue accessing a Cisco 9800 via HTTPS. I can reach several AirOS and on other 9800 controller on the same subnet.

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

patoberli — Thu, 05 Dec 2019 07:54:27 GMT

Can you access it after a reboot? Sounds like the https daemon crashed on the WLC, if it works again after the reboot.

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

Scott Fella — Thu, 05 Dec 2019 17:13:08 GMT

Try the following:

show run | inc crypto
>>> Find trustpoint named TP-Self-Signed-xxxxx
conf t
no crypto pki trustpoint TP-Self-Signed-xxxxxx
no ip http server
no ip http secure-server
ip http server
ip http secure-server
ip http authentication

********************************************************************

WA-RED-9800-L-01#show run | inc crypto
crypto pki trustpoint TP-self-signed-774234387
crypto pki trustpoint SLA-TrustPoint
crypto pki certificate chain TP-self-signed-774234387
crypto pki certificate chain SLA-TrustPoint

WA-RED-9800-L-01(config)#no crypto pki trustpoint TP-self-signed-774234387
% Removing an enrolled trustpoint will destroy all certificates
received from the related Certificate Authority.

Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.

WA-RED-9800-L-01(config)#no ip http server
WA-RED-9800-L-01(config)#no ip http secure-server
WA-RED-9800-L-01(config)#ip http server
WA-RED-9800-L-01(config)#ip http secure-server
WA-RED-9800-L-01(config)#
Oct 30 03:52:37.652: %PKI-4-NOCONFIGAUTOSAVE: Configuration was modified. Issue "write memory" to save new IOS PKI configuration
WA-RED-9800-L-01(config)#ip http authentication local

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

JuanFlores68156 — Fri, 06 Dec 2019 20:32:12 GMT

Thanks, this worked for me.

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

Scott Fella — Sun, 08 Dec 2019 10:00:09 GMT

Glad that helped.

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

Shrikant Gaikwad — Sun, 08 Dec 2019 12:15:09 GMT

Thanks

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

Shrikant Gaikwad — Sun, 08 Dec 2019 12:31:33 GMT

Thank you so much for all your time and solution and sorry for the late reply

Last week we disable https access and only permitted http access to get the browser,

we got the http access of primary WLC and showing HA is not working properly so we break the HA between two WLC and factory reset both the WLC and try to do basic setup like before(with the day 0 setup) but now both the WLC is giving the internal error during day 0 setup as we try add the country FR to complete the basic setup.

we discover we faced issue CSCvq01830

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq01830

as per the above link we disable both radios from CLI and we able to finish the day 0 setup.

we upgraded the controller now in Bundle mode to 16.12.1s and everything is working properly

Many thanks @Scott Fella

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

jegan_rajappa — Fri, 07 Feb 2020 16:54:00 GMT

Thanks Scott. this worked for me.

Is this known issue/bug ? do we have any permanent solution ?

I am also going ask TAC guys.

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

netops500 — Wed, 04 Mar 2020 18:11:59 GMT

this worked for me also!

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

rubenmartinez — Mon, 09 Mar 2020 18:47:26 GMT

This procedure also worked for me, thank you very much.

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

m-avramidis — Thu, 17 Dec 2020 20:33:39 GMT

Has this worked for anyone running 17.3.1? See below:

A-INT-XXXXXX#show run | inc crypto
crypto pki trustpoint SLA-TrustPoint
crypto pki trustpoint DNAC-CA
crypto pki trustpoint sdn-network-infra-iwan
crypto pki trustpoint TP-self-signed-2753238167
crypto pki certificate chain SLA-TrustPoint
crypto pki certificate chain DNAC-CA
crypto pki certificate chain sdn-network-infra-iwan
crypto pki certificate chain TP-self-signed-2753238167
A-INT-XXXX#conf t
Enter configuration commands, one per line. End with CNTL/Z.
A-INT-XXXX(config)#no crypto pki trustpoint TP-self-signed-2753238167
% Removing an enrolled trustpoint will destroy all certificates
received from the related Certificate Authority.

Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.

A-INT-XXXX(config)#no ip http server
A-INT-XXXX(config)#no ip http secure-server
A-INT-XXXX(config)#ip http server
A-INT-XXXX(config)#ip http secure-server
A-INT-XXXX(config)#exit

A-INT-XXXX#write mem

!!!!
A-INT-XXXX#show run | inc crypto
crypto pki trustpoint SLA-TrustPoint
crypto pki trustpoint DNAC-CA
crypto pki trustpoint sdn-network-infra-iwan
crypto pki certificate chain SLA-TrustPoint
crypto pki certificate chain DNAC-CA
crypto pki certificate chain sdn-network-infra-iwan
A-INT-XXXXXX#

Or is this something for TAC to fix?

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

Scott Fella — Thu, 17 Dec 2020 21:03:54 GMT

Have you tried to issue the following again with the ip http authentication local? I have done this multiple times in my lab with various equipment with no issues. You can also try a reboot.

A-INT-XXXX(config)#no ip http server
A-INT-XXXX(config)#no ip http secure-server
A-INT-XXXX(config)#ip http server
A-INT-XXXX(config)#ip http secure-server
A-INT-XXXX(config)#exit

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

m-avramidis — Thu, 17 Dec 2020 21:11:21 GMT

Thanks for your answer, yes have tried it a number of times. Since it is in production we have not done a reboot (just a force switchover). Does your setup includes DNA-C? The logs - WLC - indicates a missmatch with the DNA trustpoint. I will upload the logs to this ”case” tomorrow morning.

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

Scott Fella — Fri, 18 Dec 2020 02:20:21 GMT

I do have DNAc but that trust point is separate from the UI. You can always point to a different trustpoint also. A force failover is the same as a reload, because it power cycles the unit you run it against.

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

m-avramidis — Fri, 18 Dec 2020 12:17:24 GMT

I solve the problem by removing:

A-INT-WLC02#sh run | incl http

enrollment url http://10.3.99.31:80/ejbca/publicweb/apply/scep/sdnscep

no ip http server

ip http authentication local

no ip http secure-server

ip http secure-trustpoint TP-self-signed-2753238167

ip http client source-interface Vlan99

destination transport-method http

http-tlv-caching

So after removing ip http secure-trustpoint.... and reapplying ip http server and ip http secure-server it worked. But, and here is the kicker, the crypto look like this now:

A-INT-XXXXX#show run | inc crypto
crypto pki trustpoint SLA-TrustPoint
crypto pki trustpoint DNAC-CA
crypto pki trustpoint sdn-network-infra-iwan
crypto pki certificate chain SLA-TrustPoint
crypto pki certificate chain DNAC-CA

So no self-signed certificates... no new certificate was - at least not visiable - created after running the ip http secure-server command.

I will be glad if someone can reproduce this fix using:

9800 WLC - HA - running XE 17.3.1

DNA-C running 1.3.3.9

or with DNA-C 2.X (our customer will upgrade their DNA installation to 2.X mid January.

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

Scott Fella — Fri, 18 Dec 2020 16:22:21 GMT

Have you looked at show run | in trustpoint

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

jfumeron78 — Wed, 06 Jan 2021 09:47:35 GMT

Hello,

I was running in the same kind of issue after breaking HA made in lab environment for an installation on client environment and breaking it again to put it on a different subnet.

Long story short, i suspect it to be in my case due to a corporate management of my firefox that made part of the problem because i was unable to access it no matter what after installation (i think i may have switch the 2 9800 between what they was supposed to be (primary and secondary)

anyway, i tried the workaround you wrote and now i can access them as a cluster in https.

I do have the following with my new certificate visible

do sh run | i crypto
crypto pki trustpoint SLA-TrustPoint
crypto pki trustpoint TP-self-signed-454043421
crypto pki certificate chain SLA-TrustPoint
crypto pki certificate chain TP-self-signed-454043421

By the way i'm in 17.3.1, HA

Thank you

Re: CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

support1@lima.co.uk — Thu, 07 Jan 2021 17:44:35 GMT

Hi Guys. I have a pair of 9800 WLCs in HA and they have recently reloaded due to a bug. Since then, the original backup is now active and we are unable to access the GUI (CLI is fine). If I remove the self-signed trustpoint, will it affect the APs that are currently joined with the HA pair. There are around 1000 APs joined at the moment. Thanks