ISR 4321 webUI does not load after upgrading to 17.03.04a


It seems the web UI no longer loads for me after upgrading the software to 17.03.04a. Have I configured something wrong?

I am trying to access it from a laptop connected to G0/1/1 with IP 10.10.10.11, mask 255.0.0.0, gateway 10.10.10.254.

 

Current Config:
!
! Last configuration change at 09:51:16 CST Tue Nov 16 2021 by admin
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ciscoisr
!
boot-start-marker
boot system flash isr4300-universalk9.17.03.04a.SPA.bin
boot system flash isr4300-universalk9.16.06.05.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging console emergencies
enable secret 9 "removed"
enable password 7 "removed"
!
no aaa new-model
clock timezone CST -6 0
!
!
!
!
!
!
!
ip name-server 206.166.1.109 206.166.1.110
ip domain name ciscoisr.cisco.com
ip dhcp excluded-address 10.10.11.0 10.255.255.255
ip dhcp excluded-address 10.0.0.0 10.10.10.10
!
ip dhcp pool router-dhcp
network 10.0.0.0 255.0.0.0
default-router 10.10.10.254
dns-server 206.166.1.110 206.166.1.109
!
ip dhcp pool roedhcp
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 206.166.1.110 206.166.1.109
!
ip dhcp pool DMZDHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 206.166.1.109 206.166.1.110
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
no device-tracking logging theft
!
!
!
crypto pki trustpoint TP-self-signed-3425543225
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3425543225
revocation-check none
rsakeypair TP-self-signed-3425543225
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-3425543225
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
quit
!
!
no license feature hseck9
license udi pid ISR4321/K9 sn FLM25160AU8
memory free low-watermark processor 69075
!
!
!
!
!
object-group network Barracuda_dst_net
host 10.10.10.3
!
object-group service Barracuda_svc
tcp eq 22
tcp eq www
tcp eq 123
tcp eq 443
tcp eq 1194
tcp eq 5120
tcp range 5121 5129
udp eq 22
udp eq 80
udp eq ntp
udp eq 443
udp eq 1194
udp eq 5120
udp range 5121 5129
!
object-group network WANtoChildFindWS_dst_net
host 192.168.1.101
!
object-group network WANtoHBugWS_dst_net
host 192.168.1.100
!
object-group network WANtoMailServer_dst_net
host 10.10.10.197
!
object-group service WANtoMailServer_svc
tcp eq 32000
!
object-group network WANtoVPNHBug_dst_net
host 10.10.10.32
!
object-group service WANtoVPNHBug_svc
udp eq 1194
!
object-group network WANtoVPNROE_dst_net
host 192.168.2.50
!
object-group service WANtoVPNROE_svc
udp eq 1194
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 secret 9 $14$GqDt$u7MCizhFiHToPk$T7fPD2jI70F4HgqjobUBhLHGjKc2yi2IcYB5fH03jQ6
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-all DMZtoWAN
description DMZ outgoing traffic to Internet
match access-group name DMZtoWAN_acl
class-map type inspect match-all HBugLANtoDMZ
description HBugLAN outgoing traffic to DMZ
match access-group name HBugLANtoDMZ_acl
class-map type inspect match-all WANtoVPNHBug
description Wan traffic to HBug Open VPN service
match access-group name WANtoVPNHBug_acl
class-map type inspect match-any WANtoChildFindWS_app
match protocol http
match protocol https
class-map type inspect match-all HBugLANtoWAN
description HBugLAN outgoing traffic to Internet
match access-group name HBugLANtoWAN_acl
class-map type inspect match-all ROELANtoDMZ
description ROELAN outgoing traffic to DMZ
match access-group name ROELANtoDMZ_acl
class-map type inspect match-all WANtoVPNROE
description WAN to VPN Server for ROE
match access-group name WANtoVPNROE_acl
class-map type inspect match-all ROELANtoWAN
description ROELAN outgoing traffic to Internet
match access-group name ROELANtoWAN_acl
class-map type inspect match-all HBugLANtoROELAN
description HBugLAN outgoing traffic to ROELAN
match access-group name HBugLANtoROELAN_acl
class-map type inspect match-all ROELANtoHBugLAN
description ROE outgoing traffic to HBugLAN
match access-group name ROELANtoHBugLAN_acl
class-map type inspect match-any WANtoHBugWS_app
match protocol http
match protocol https
class-map type inspect match-any Barracuda_app
match protocol http
match protocol https
class-map type inspect match-any WANtoMailServer_app
match protocol pop3
match protocol smtp
match protocol http
class-map type inspect match-all WANtoChildFindWS
description Traffic to Child Find Web Server
match class-map WANtoChildFindWS_app
match access-group name WANtoChildFindWS_acl
class-map type inspect match-all WANtoMailServer
description Traffic to Mail Server
match class-map WANtoMailServer_app
match access-group name WANtoMailServer_acl
class-map type inspect match-all Barracuda
description WAN traffic to Barracuda
match class-map Barracuda_app
match access-group name Barracuda_acl
class-map type inspect match-all WANtoHBugWS
description WAN to HBug website
match class-map WANtoHBugWS_app
match access-group name WANtoHBugWS_acl
!
policy-map type inspect HBUGLAN-ROELAN-POLICY
class type inspect HBugLANtoROELAN
drop
class class-default
drop log
policy-map type inspect ROELAN-HBUGLAN-POLICY
class type inspect ROELANtoHBugLAN
drop
class class-default
drop log
policy-map type inspect WAN-HBUGLAN-POLICY
class type inspect Barracuda
inspect
class type inspect WANtoVPNHBug
inspect
class type inspect WANtoMailServer
inspect
class class-default
drop log
policy-map type inspect ROELAN-WAN-POLICY
class type inspect ROELANtoWAN
inspect
class class-default
drop log
policy-map type inspect HBUGLAN-WAN-POLICY
class type inspect HBugLANtoWAN
inspect
class class-default
drop log
policy-map type inspect HBUGLAN-DMZ-POLICY
class type inspect HBugLANtoDMZ
inspect
class class-default
drop log
policy-map type inspect DMZ-WAN-POLICY
class type inspect DMZtoWAN
inspect
class class-default
drop log
policy-map type inspect WAN-DMZ-POLICY
class type inspect WANtoHBugWS
inspect
class type inspect WANtoChildFindWS
inspect
class class-default
drop log
policy-map type inspect ROELAN-DMZ-POLICY
class type inspect ROELANtoDMZ
inspect
class class-default
drop log
policy-map type inspect WAN-ROELAN-POLICY
class type inspect WANtoVPNROE
inspect
class class-default
drop log
!
zone security WAN
description Outside (Internet)
zone security HBugLAN
description Inside (HBug 10.x.x.x LAN)
zone security ROELAN
description Inside (ROE 192.168.2.x LAN)
zone security DMZ
description Inside (DMZ 192.168.1.x LAN)
zone-pair security DMZ-WAN source DMZ destination WAN
service-policy type inspect DMZ-WAN-POLICY
zone-pair security HBUGLAN-DMZ source HBugLAN destination DMZ
service-policy type inspect HBUGLAN-DMZ-POLICY
zone-pair security HBUGLAN-ROELAN source HBugLAN destination ROELAN
service-policy type inspect HBUGLAN-ROELAN-POLICY
zone-pair security HBUGLAN-WAN source HBugLAN destination WAN
service-policy type inspect HBUGLAN-WAN-POLICY
zone-pair security ROELAN-DMZ source ROELAN destination DMZ
service-policy type inspect ROELAN-DMZ-POLICY
zone-pair security ROELAN-HBUGLAN source ROELAN destination HBugLAN
service-policy type inspect ROELAN-HBUGLAN-POLICY
zone-pair security ROELAN-WAN source ROELAN destination WAN
service-policy type inspect ROELAN-WAN-POLICY
zone-pair security WAN-DMZ source WAN destination DMZ
service-policy type inspect WAN-DMZ-POLICY
zone-pair security WAN-HBUGLAN source WAN destination HBugLAN
service-policy type inspect WAN-HBUGLAN-POLICY
zone-pair security WAN-ROELAN source WAN destination ROELAN
service-policy type inspect WAN-ROELAN-POLICY
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
description Services loopback for ICN Monitoring RTC9-ROE20_Harrisburg
ip address 66.99.159.232 255.255.255.255
!
interface GigabitEthernet0/0/0
description Primary WAN
ip address "removed" 255.255.255.248
ip nat outside
zone-member security WAN
speed 100
no negotiation auto
spanning-tree portfast trunk
!
interface GigabitEthernet0/0/0.2
encapsulation dot1Q 2
zone-member security ROELAN
!
interface GigabitEthernet0/0/0.3
encapsulation dot1Q 3
zone-member security DMZ
!
interface GigabitEthernet0/0/0.4
encapsulation dot1Q 4
zone-member security HBugLAN
!
interface GigabitEthernet0/0/1
description Test WAN
no ip address
ip nat inside
shutdown
media-type rj45
speed 100
no negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/1/0
description ROE VLAN2
switchport access vlan 2
switchport trunk native vlan 2
switchport mode access
zone-member security ROELAN
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/1
description HBug VLAN4
switchport access vlan 4
switchport mode access
zone-member security HBugLAN
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/2
shutdown
spanning-tree portfast disable
!
interface GigabitEthernet0/1/3
shutdown
spanning-tree portfast disable
!
interface GigabitEthernet0/1/4
shutdown
spanning-tree portfast disable
!
interface GigabitEthernet0/1/5
shutdown
spanning-tree portfast disable
!
interface GigabitEthernet0/1/6
description DMZ VLAN3
switchport access vlan 3
switchport trunk native vlan 3
switchport mode access
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/7
description DMZ VLAN3
switchport access vlan 3
switchport trunk native vlan 3
switchport mode access
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip nat inside
zone-member security ROELAN
!
interface Vlan3
ip address 192.168.1.254 255.255.255.0
ip nat inside
zone-member security DMZ
!
interface Vlan4
ip address 10.10.10.254 255.0.0.0
ip nat inside
zone-member security HBugLAN
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip tftp source-interface GigabitEthernet0/1/1
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source list 10 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 "removed"
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
!
!
ip access-list extended Barracuda_acl
10 permit object-group Barracuda_svc any object-group Barracuda_dst_net
ip access-list extended DMZtoWAN_acl
10 permit ip any any
ip access-list extended HBugLANtoDMZ_acl
10 permit ip any any
ip access-list extended HBugLANtoROELAN_acl
10 permit ip any any
ip access-list extended HBugLANtoWAN_acl
10 permit ip any any
ip access-list extended ROELANtoDMZ_acl
10 permit ip any any
ip access-list extended ROELANtoHBugLAN_acl
10 permit ip any any
ip access-list extended ROELANtoWAN_acl
10 permit ip any any
ip access-list extended WANtoChildFindWS_acl
10 permit ip any object-group WANtoChildFindWS_dst_net
ip access-list extended WANtoHBugWS_acl
10 permit ip any object-group WANtoHBugWS_dst_net
ip access-list extended WANtoMailServer_acl
10 permit object-group WANtoMailServer_svc any object-group WANtoMailServer_dst_net
ip access-list extended WANtoVPNHBug_acl
10 permit object-group WANtoVPNHBug_svc any object-group WANtoVPNHBug_dst_net
ip access-list extended WANtoVPNROE_acl
10 permit object-group WANtoVPNROE_svc any object-group WANtoVPNROE_dst_net
!
ip access-list standard 1
10 permit 66.99.142.0 0.0.0.255
20 permit 206.166.67.0 0.0.0.127
ip access-list standard 10
10 permit 10.0.0.0 0.255.255.255
20 permit 192.168.2.0 0.0.0.255
30 permit 192.168.1.0 0.0.0.255
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
control-plane
!
banner login CNo unauthorized access is allowed.
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 "removed"
login local
length 0
transport input ssh
line vty 5 15
password 7 "removed"
login local
transport input ssh
line vty 16 30
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
!
event manager applet 40storeShowTech
event none sync no maxrun 31536000
action 001 cli command "enable"
action 002 cli command "traceroute 8.8.8.8 source GigabitEthernet0/0/1"
action 003 file open TECHFILE bootflash:40sh_tech.txt w+
action 004 file puts TECHFILE "$_cli_result"
action 005 file close TECHFILE
!
end
2 ACCEPTED SOLUTIONS

Guys, I finally found the causes... both the secure server and the normal HTTP server were enabled. I only need HTTP for now.

I had to disable HTTPS (no ip http secure-server), leaving only HTTP...

I can't believe it took me so long to figure it out haha


Help received from TAC

It looks like there may be a trustpoint problem for the HTTPS client:

*Nov 19 18:50:58.998: %WSMAN-3-INVALID_TRUSTPOINT: Trustpoint associated with HTTP is either invalid or does not exist

Most likely we will have to generate it manually. You can use the following configuration:

 

Router(config)#crypto key generate rsa modulus 2048 label WebGUI
The name for the keys will be: WebGUI

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

Router(config)#crypto pki trustpoint WebGUI
Router(ca-trustpoint)#enrollment self
Router(ca-trustpoint)#subject-name CN=[SW_IP]
Router(ca-trustpoint)#rsakeypair WebGUI

Router(config)#crypto pki enroll WebGUI
The router has already generated a Self Signed Certificate for
trustpoint TP-self-signed-4127652830.
If you continue the existing trustpoint and Self Signed Certificate
will be deleted.

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]:
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

Router(config)#ip http secure-trustpoint WebGUI


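Both accepted solutions come down to the same failure mode: the HTTPS listener is enabled but points at a trustpoint that holds no certificate, which is what the %WSMAN-3-INVALID_TRUSTPOINT message reports. The Python below is an added example (not from the thread, the TAC or Cisco) that lints a saved running-config for exactly that condition; the configuration text it parses is constructed from the excerpt posted above, with the post-fix WebGUI trustpoint and the "<none>" placeholder being assumptions of the example.

```python
import re
# Constructed excerpt modelled on the config posted above: HTTPS is on, no
# "ip http secure-trustpoint" is set, and the default self-signed trustpoint
# has an empty certificate chain (nothing was ever enrolled for it).
SAMPLE_CONFIG = """\
crypto pki trustpoint TP-self-signed-3425543225
 enrollment selfsigned
 rsakeypair TP-self-signed-3425543225
crypto pki certificate chain TP-self-signed-3425543225
ip http server
ip http secure-server
"""
# Constructed: the same device after the TAC procedure (WebGUI enrolled, bound).
FIXED_CONFIG = SAMPLE_CONFIG + """\
crypto pki trustpoint WebGUI
 enrollment selfsigned
 rsakeypair WebGUI
crypto pki certificate chain WebGUI
 certificate self-signed 01
  30820321 30820209 (constructed placeholder, not a real certificate)
  quit
ip http secure-trustpoint WebGUI
"""

def parse_config(text):
    """ip http settings, trustpoint sub-commands, and which chains hold a cert."""
    http, trustpoints, chains, current = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command ends the current block
            current = None
            if m := re.match(r"crypto pki trustpoint (\S+)$", line):
                current, trustpoints[m[1]] = ("tp", m[1]), {}
            elif m := re.match(r"crypto pki certificate chain (\S+)$", line):
                current, chains[m[1]] = ("chain", m[1]), False
            elif m := re.match(r"(no )?ip http (server|secure-server|secure-trustpoint)(?: (\S+))?$", line):
                http[m[2]] = m[3] if m[2] == "secure-trustpoint" else m[1] is None
        elif current and current[0] == "tp" and " " in line:
            trustpoints[current[1]].update([line.split(None, 1)])
        elif current and current[0] == "chain" and line.startswith("certificate "):
            chains[current[1]] = True  # an actual certificate is enrolled here
    return http, trustpoints, chains

def check_https_trustpoint(text):
    """Findings that would explain a %WSMAN-3-INVALID_TRUSTPOINT message."""
    http, trustpoints, chains = parse_config(text)
    if not http.get("secure-server"):
        return []  # HTTPS listener off: plain HTTP never touches a trustpoint
    explicit = http.get("secure-trustpoint")
    names = [explicit] if explicit else [n for n in trustpoints if n.startswith("TP-self-signed-")]
    findings = [] if explicit else ["no 'ip http secure-trustpoint': relying on the default self-signed trustpoint"]
    for name in names or ["<none>"]:
        if name not in trustpoints:
            findings.append(f"trustpoint {name} referenced for HTTPS is not defined")
        elif "rsakeypair" not in trustpoints[name]:
            findings.append(f"trustpoint {name} has no rsakeypair")
        elif not chains.get(name):
            findings.append(f"trustpoint {name} has an empty certificate chain (never enrolled)")
    return findings
```

Running the check on the posted config reports the missing secure-trustpoint and the empty chain; on the post-TAC config, or with `no ip http secure-server` as in the first accepted solution, it reports nothing.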

21 REPLIES


 

 - What error do you get in the browser?

 M.

I get an invalid response in both Chrome and Edge.

 - Share a screenshot of the observed result.

 M.

Screenshot attached


Hello,

disable the http/https server and remove the username and password (obviously make sure you have configured another one first so you don't get locked out), then re-enable both and re-enter the username:

—> no ip http server
—> no ip http secure-server
—> no username admin privilege 15 secret 9

—> ip http server
—> ip http secure-server
—> username admin privilege 15 secret

I did these tasks, but I still can't access the website. I also cleared the cache and cookies in Chrome, but I still get the attached screenshot.

 

 - You could try a plain http connection instead of https, or else regenerate the RSA keys.

 M.

I have tried http and https. I also tried removing the RSA keys and then generating new ones. Unfortunately, I still cannot access the web UI.

 

 - What error do you get with 'plain http'? Post a screenshot too. Also check the logs for both types when you try.

 M.

http redirects me to https with the same error as before. I'm not sure how to get the logs you are looking for; can you tell me the steps to do it?

 - I mean logging in through the CLI and running the (exec) command show logging, right after making an attempt with an https connection in the browser.

 M.

Hello,

it could be related to the TLS version being used. Check whether there is a global command:

ip http tls-version

and try the different version options available...

I tried all the options, but had no luck.



ciscoisr#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ciscoisr(config)#ip http tls-
ciscoisr(config)#ip http tls-version ?
TLSv1.0 Set TLSv1.0 version Only
TLSv1.1 Set TLSv1.1 version Only
TLSv1.2 Set TLSv1.2 version Only

ciscoisr(config)#ip http tls-version tlsv1.2 ?

ciscoisr(config)#ip http tls-version tlsv1.2
ciscoisr(config)#exit
ciscoisr#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ciscoisr(config)#ip http tls-version tlsv1.1
ciscoisr(config)#exit
ciscoisr#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ciscoisr(config)#ip http tls-version tlsv1.0
ciscoisr(config)#exit
ciscoisr#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ciscoisr(config)#ip http tls-version tlsv1.2 ?

ciscoisr(config)#ip http tls-version tlsv1.2
ciscoisr(config)#exit
ciscoisr#

Hello,

 

what is the output of:

 

show http server status