Cannot Access GUI after upgrade

justinus.budi · ‎10-19-2020

Hello,

I have Cisco ESA 395. I have upgrade AsyncOS version from version 12. until version 13.5.1.

I try to upgrade again to version 13.5.2.

After i upgrade to 13.5.2 i cannot access the web GUI and SSH Access stuck.

Here i attach the SSH Screenshot

marc.luescherFRE · ‎10-19-2020

Hi there,

all your production interfaces which have been using the ESA demo certificates have been disabled. The same warning was given during the upgrade process.

So lets me help you get back on your mgmt interface with HTTP so you can configure via the GUI, disclaimer, this will only work if you can access your ESA with HTTP , otherwise all settings must done via CLI , which is harder.

No matter what you will need either a self signed or a public SSL certificate and creating this via the GUI is much easier.

So connect to SSH as you did.

type "interfaceconfig"

edit

select the one with the management interface assignment, normally 1, press enter

xxx> interfaceconfig

Currently configured interfaces:
1. Management (xxxxx on Management: xxxxxxxxxxx)

Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
[]> 1

Unknown option. Select one of the listed options, or press enter to exit the command.

[]> edit

Enter the number of the interface you wish to edit.
[]> 1

IP interface name (Ex: "InternalNet"):
[Management]>

Would you like to configure an IPv4 address for this interface (y/n)? [Y]>

IPv4 Address (Ex: 192.168.1.2
[10.xx.yy.zzz]>

Netmask (Ex: "24", "255.255.255.0" or "0xffffff00"):
[24]>

Would you like to configure an IPv6 address for this interface (y/n)? [N]>

Ethernet interface:
1. Data 1
2. Data 2
3. Management
[3]>

Hostname:
[xxxxx]>

Do you want to enable SSH on this interface? [Y]>

Which port do you want to use for SSH?
[22]>

Do you want to enable FTP on this interface? [Y]>

Which port do you want to use for FTP?
[21]>

Do you want to enable Cluster Communication Service on this interface? [N]>

Do you want to enable HTTP on this interface? [Y]>

Which port do you want to use for HTTP?
[80]>

Do you want to enable HTTPS on this interface? [Y]>

Which port do you want to use for HTTPS?
[443]>

Do you want to enable Spam Quarantine HTTP on this interface? [N]>

Do you want to enable Spam Quarantine HTTPS on this interface? [N]>

Do you want to enable AsyncOS API HTTP on this interface? [Y]>

Which port do you want to use for AsyncOS API HTTP?
[6080]>

Do you want to enable AsyncOS API HTTPS on this interface? [Y]>

Which port do you want to use for AsyncOS API HTTPS?
[6443]>

The "Cisco ESA Certificate" certificate is currently configured. You may use "Cisco ESA Certificate", but this will not be secure.

1. wildcard.xxxx.com
2. Cisco ESA Certificate
Please choose the certificate to apply:
[2]> 2

You may use "Cisco ESA Certificate", but this will not be secure.
Do you really wish to use the "Cisco ESA Certificate" certificate? [N]> y

Both HTTP and HTTPS are enabled for this interface, should HTTP requests redirect to the secure service? [N]>

Currently configured interfaces:
1. Management (xxxx)

Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.

Press ENTER

Enter Commit

Now you should be able to access the ESA again using the demo certificate but should create a SSL cert now for all other services you need like Data 1, LDAP Profile, Outbound Controls, Listener Config.

Hope that helps

-Marc

justinus.budi · ‎10-20-2020

Thank you for your response. Suddenly i can access the web UI without replacing the Cisco ESA demo certificate.

Right now i have replace the Cisco ESA demo certificate