
Cisco Unity Express 10.2 Web GUI not initialized

DarkStormEd
Level 1

Hi, we have an ISR 4331 running CCME and CUE 10.2 as a virtual service. The system is configured and operating, but we would like to be able to access the CUE web GUI for administration. When we enter the IP address for CUE, the website loads with the Cisco logo and "Cisco Unity Express - Administration", and asks for a User Name and Password. It also displays an info / error message "System is not initialized.  only Administrator logins are allowed." When I try to log in with my CUE username and password, it returns "Invalid Username or Password". I can successfully log into CUE via the CLI with my credentials, and if I run a "show group detail groupname Administrators" command it lists my username under User Members, so I seem to be in the Administrator group. I have searched and searched trying to figure out what is missing, to no avail. I also tried to create a new user, set the password and added them to the Administrator group successfully, but those credentials do not work either. The only red flag possibly is that the privileges for the Administrators group say SuperUser. I checked in the user guide and it says that grants unrestricted system access, so it should be correct. Hoping someone can help. Thanks.


I saw this last week and have been looking at my archives (unsuccessfully) because I remember running into this very problem. The thing that comes to mind is: Did you correctly set the call agent to CUCME? Also, do you have a webadmin username and password set for CUCME (even if it is not to be used....although it will depend on your IOS/IOSXE)?

I also recall that DNS and NTP references had to be set and working (as part of the initialization wizard) before the CUE GUI would come up. But it's been a bunch of years, so I could be misremembering.

Finally, as I recall it was important to completely finish the initialization wizard and then reboot.

I hope one of these suggestions helps. In the meantime, I'll dig around for which log file to look at to understand what CUE is complaining about.

Maren

DarkStormEd
Level 1

Thank you for the response. Honestly, it was set up years ago and I don't recall if the initial configuration went smoothly or not. I am thinking maybe not, as everything seems to lead back to there. The only thing I can find in the documentation on setting the call agent to CCM is in the initial setup, same as where the web administrator passwords get entered. I have not found any way to change that yet. I guess I could delete it and do a fresh install then reload the config, but that would also likely mean users having to record new messages, new pins, etc., so trying to avoid that.

Hi,

In that version, I remember that both ip http server and ip http secure-server must be enabled on the router.

Please verify if both commands are in place.

HTH

Regards

Carlo

Please rate all helpful posts "The more you help the more you learn"

@Carlo Poggiarelli YES!

@DarkStormEd If you do a show run on the CUE CLI for the CUE system (not the application) that will show you the DNS and NTP entries.

Also: Your initial post referenced CCME, but the tag is CUCM and you reference CCM later. Can you confirm that you are using CUCM Express or CUCM as the call agent?

Maren
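The checks suggested in the replies up to this point (both HTTP servers enabled on the router, DNS and NTP entries on CUE) plus the Administrators membership from the original post can be run against saved `show run` output. This is an added example, not code from any poster or from Cisco: the function names are hypothetical, the sample configs are constructed from command forms that appear in this thread (`admin1` is a placeholder username), and the guest-IP and host-route consistency check is an extra assumption of the example. It does not detect the call agent setting or whether the initialization wizard was completed.

```python
import re

# Constructed samples: trimmed to the command forms that appear in this thread.
ROUTER_CFG = """\
virtual-service cue
 vnic gateway VirtualPortGroup1
  guest ip address 192.168.1.6
 activate
!
ip http server
ip http authentication local
ip http secure-server
ip route 192.168.1.6 255.255.255.255 VirtualPortGroup1
"""

CUE_CFG = """\
interface FastEthernet 0
 ip address 192.168.1.6 255.255.255.0
 end interface
ip name-server 192.168.1.250 192.168.1.251
ntp server 192.168.1.1 prefer
groupname Administrators member admin1
"""


def _lines(cfg):
    """Strip indentation and drop blank and '!' separator lines."""
    stripped = (ln.strip() for ln in cfg.splitlines())
    return [ln for ln in stripped if ln and not ln.startswith("!")]


def check_router(cfg):
    """Collect the router-side settings named in the replies."""
    lines = _lines(cfg)
    guest_ip = None
    for ln in lines:
        m = re.fullmatch(r"guest ip address (\S+)", ln)
        if m:
            guest_ip = m.group(1)
            break
    route = False
    if guest_ip:
        # Assumption of this example: CUE is reached through a /32 host route.
        pat = rf"ip route {re.escape(guest_ip)} 255\.255\.255\.255 VirtualPortGroup\d+"
        route = any(re.fullmatch(pat, ln) for ln in lines)
    return {
        # Exact match, so a negated "no ip http server" does not count.
        "http_server": "ip http server" in lines,
        "https_server": "ip http secure-server" in lines,
        "guest_ip": guest_ip,
        "route_to_guest": route,
    }


def check_cue(cfg):
    """Collect the CUE-side settings: interface address, DNS, NTP, admins."""
    cue_ip = None
    dns, ntp, admins = [], [], []
    for ln in _lines(cfg):
        if (m := re.fullmatch(r"ip address (\S+) \S+", ln)) and cue_ip is None:
            cue_ip = m.group(1)
        elif ln.startswith("ip name-server "):
            dns.extend(ln.split()[2:])
        elif (m := re.fullmatch(r"ntp server (\S+)(?: prefer)?", ln)):
            ntp.append(m.group(1))
        elif (m := re.fullmatch(r"groupname Administrators member (\S+)", ln)):
            admins.append(m.group(1))
    return {"cue_ip": cue_ip, "dns": dns, "ntp": ntp, "admins": admins}


def findings(router_cfg, cue_cfg):
    """Return one message per failed check; an empty list means all present."""
    r, c = check_router(router_cfg), check_cue(cue_cfg)
    out = []
    if not r["http_server"]:
        out.append("router: 'ip http server' not enabled")
    if not r["https_server"]:
        out.append("router: 'ip http secure-server' not enabled")
    if r["guest_ip"] is None or r["guest_ip"] != c["cue_ip"]:
        out.append("virtual-service guest IP does not match the CUE interface address")
    elif not r["route_to_guest"]:
        out.append("router: no host route to the CUE guest IP")
    if not c["dns"]:
        out.append("CUE: no 'ip name-server' configured")
    if not c["ntp"]:
        out.append("CUE: no 'ntp server' configured")
    if not c["admins"]:
        out.append("CUE: Administrators group has no members")
    return out


if __name__ == "__main__":
    for line in findings(ROUTER_CFG, CUE_CFG) or ["all checks passed"]:
        print(line)
```

A clean result only shows that the settings are present in the saved configs; it does not show that the DNS and NTP servers are reachable or working.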

@Maren Mahoney sh run on CUE has the correct entries for NTP and ip name-server.  Sorry, I never liked how Cisco handled all the naming of these.  This seems to be what we have...

ISR4331 running IOS XE 17.02.01r with Cisco Unified Communications Manager Express 12.6 and Unity Express 10.2 running as a virtual service

@Carlo Poggiarelli both commands are enabled on the router.  The CUE GUI does load, the problem is accessing it with credentials.  The username and password of a user in the administrators group in CUE does not work.

@DarkStormEd 

We need a show run to dig more.

Also a debug ip http all while you try to authenticate would be useful.

Can you please post here?

Thanks a lot

Carlo


Sh Run, I redacted the names and emails...

clock timezone America/New_York

hostname dsi-4331-cue

ip domain-name XXXXXX.local

system language preferred "en_US"

interface FastEthernet 0
ip address 192.168.1.6 255.255.255.0
end interface

ip default-gateway 192.168.1.1
ip name-server 192.168.1.250 192.168.1.251

ntp server 192.168.1.1 prefer

software download server url "ftp://127.0.0.1/ftp" credentials hidden "6u/dKTN/hsEuSAEfw40XlF2eFHnZfyUTSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmP"
site name local
end site

privilege local-broadcast create
privilege ViewPrivateList create
privilege ManagePrompts create
privilege ViewHistoricalReports create
privilege ManagePublicList create
privilege manage-passwords create
privilege broadcast create
privilege vm-imap create
privilege manage-users create
privilege ViewRealTimeReports create

groupname Broadcasters create

username XXXXXXX create
username XXXXXXX create
username XXXXXXX create
username XXXXXXX create
username XXXXXXX create
username XXXXXXX create
username XXXXXXX create
username XXXXXXX create

privilege local-broadcast description "Privilege to send local broadcast messages"
privilege ViewPrivateList description "Privilege to view private list"
privilege ManagePrompts description "Privilege to create, modify, or delete system prompts"
privilege ViewHistoricalReports description "Privilege to view historical reports"
privilege ManagePublicList description "Privilege to manage public lists"
privilege manage-passwords description "Privilege to reset user passwords"
privilege broadcast description "Privilege to send local or remote broadcast messages"
privilege vm-imap description "Privilege to manage personal voicemail via IMAP client"
privilege manage-users description "Privilege to create, modify, and delete users and groups"
privilege ViewRealTimeReports description "Privilege to view realtime reports"
privilege local-broadcast operation broadcast.local
privilege local-broadcast operation system.debug
privilege ViewPrivateList operation voicemail.lists.private.view
privilege ManagePrompts operation prompt.modify
privilege ManagePrompts operation system.debug
privilege ViewHistoricalReports operation report.historical.view
privilege ManagePublicList operation voicemail.lists.public
privilege ManagePublicList operation system.debug
privilege manage-passwords operation user.password
privilege manage-passwords operation user.pin
privilege manage-passwords operation system.debug
privilege broadcast operation broadcast.remote
privilege broadcast operation broadcast.local
privilege broadcast operation system.debug
privilege vm-imap operation voicemail.imap.user
privilege manage-users operation user.notification
privilege manage-users operation group.configuration
privilege manage-users operation user.remote
privilege manage-users operation user.configuration
privilege manage-users operation user.password
privilege manage-users operation user.mailbox
privilege manage-users operation user.pin
privilege manage-users operation system.debug
privilege ViewRealTimeReports operation report.realtime

groupname Administrators member XXXXXXX
groupname Administrators member XXXXXXX
groupname Broadcasters privilege broadcast

username XXXXXXX phonenumber "118"
username XXXXXXX phonenumber "120"
username XXXXXXX phonenumber "101"
username XXXXXXX phonenumber "119"
username XXXXXXX phonenumber "123"
username XXXXXXX phonenumber "100"
username XXXXXXX email XXXXXXX@dark-storm.com
username XXXXXXX email XXXXXXX@dark-storm.com
username XXXXXXX email XXXXXXX@dark-storm.com
username XXXXXXX email XXXXXXX@dark-storm.com
username XXXXXXX email XXXXXXX@dark-storm.com
username XXXXXXX email XXXXXXX@dark-storm.com

web session security keyLabel cisco

restriction msg-notification create
restriction msg-notification min-digits 1
restriction msg-notification max-digits 30
restriction msg-notification dial-string preference 1 pattern * allowed

smtp server address XXXXXXXXXXXXXXXX.outlook.com port 25 authentication none

backup server url "ftp://127.0.0.1/ftp" credentials hidden "EWlTygcMhYmjazXhE/VNXHCkplVV4KjescbDaLa4fl4WLSPFvv1rWUnfGWTYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmP"

calendar biz-schedule dsi_store_hours
open day 1 from 00:00 to 24:00
open day 2 from 00:00 to 24:00
open day 3 from 00:00 to 24:00
open day 4 from 00:00 to 24:00
open day 5 from 00:00 to 24:00
open day 6 from 00:00 to 24:00
open day 7 from 00:00 to 24:00
end schedule

calendar biz-schedule systemschedule
open day 1 from 00:00 to 24:00
open day 2 from 00:00 to 24:00
open day 3 from 00:00 to 24:00
open day 4 from 00:00 to 24:00
open day 5 from 00:00 to 24:00
open day 6 from 00:00 to 24:00
open day 7 from 00:00 to 24:00
end schedule

ccn application autoattendant aa
description "autoattendant"
enabled
maxsessions 20
script "dsi_aa.aef"
end application

ccn application ciscomwiapplication aa
description "ciscomwiapplication"
enabled
maxsessions 20
script "setmwi.aef"
parameter "strMWI_OFF_DN" "8001"
parameter "strMWI_ON_DN" "8000"
parameter "CallControlGroupID" "0"
end application

ccn application msgnotification aa
description "msgnotification"
enabled
maxsessions 20
script "msgnotify.aef"
parameter "logoutUri" "http://localhost/voicemail/vxmlscripts/mbxLogout.jsp"
parameter "DelayBeforeSendDTMF" "1"
end application

ccn application promptmgmt aa
description "promptmgmt"
enabled
maxsessions 1
script "promptmgmt.aef"
parameter "appManagementScript" ""
end application

ccn application voicemail aa
description "voicemail"
enabled
maxsessions 20
script "voicebrowser.aef"
parameter "logoutUri" "http://localhost/voicemail/vxmlscripts/mbxLogout.jsp"
parameter "uri" "http://localhost/voicemail/vxmlscripts/login.vxml"
end application

ccn engine
end engine

ccn reporting historical
database local
description "dsi-4331-cue"
end reporting

ccn subsystem sip
gateway address "192.168.1.1"
mwi sip sub-notify
mwi envelope-info
transfer-timeout 35
end subsystem

ccn trigger http urlname msgnotifytrg
application "msgnotification"
enabled
maxsessions 2
end trigger

ccn trigger http urlname mwiapp
application "ciscomwiapplication"
enabled
maxsessions 1
end trigger

ccn trigger sip phonenumber 771
application "autoattendant"
enabled
maxsessions 6
end trigger

ccn trigger sip phonenumber 777
application "voicemail"
enabled
locale "en_US"
maxsessions 6
end trigger

ccn trigger sip phonenumber 779
application "promptmgmt"
enabled
locale "en_US"
maxsessions 1
end trigger

service phone-authentication
end phone-authentication

service voiceview
enable
end voiceview

voicemail notification enable
voicemail notification preference all
voicemail notification email attach

voicemail configuration outgoing-email from-address @XXXXX@dark-storm.com
voicemail default mailboxsize 1200
voicemail broadcast recording time 300
voicemail default messagesize 240
voicemail notification restriction msg-notification
voicemail operator telephone 170
voicemail mailbox owner "XXXXXX" size 1200
description "XXXXXX mailbox"
no fax enable
end mailbox

voicemail mailbox owner "XXXXXX" size 1200
description "XXXXXX mailbox"
no fax enable
end mailbox

voicemail mailbox owner "XXXXXX" size 1200
description "XXXXXX mailbox"
no fax enable
end mailbox

voicemail mailbox owner "XXXXXX" size 1200
description "XXXXXX mailbox"
no fax enable
end mailbox

voicemail mailbox owner "XXXXXX" size 1200
description "XXXXXX mailbox"
no fax enable
end mailbox

voicemail mailbox owner "XXXXXX" size 1200
description "XXXXXX mailbox"
no fax enable
end mailbox

voicemail notification owner XXXXXX enable
voicemail notification owner XXXXXX enable
voicemail notification owner XXXXXX enable
voicemail notification owner XXXXXX enable
voicemail notification owner XXXXXX enable
voicemail notification owner XXXXXX enable

end

CUE does not seem to let me enable any debugs.

I meant on the router :)

Thanks

Regards

Carlo



!
! Last configuration change at 00:00:11 newyork Fri Dec 15 2023
!
version 17.2
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 300000
!
hostname DSI-4331
!
boot-start-marker
boot system bootflash:isr4300-universalk9.17.02.01r.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 10000000
no logging console
no logging monitor
enable secret 9 $14$t20.$4suu7ewMQOlxxU$T81j6.KVbm4PzSt7nD8.Vf8M5M3o7szItWHVRMkoq2g
enable password 7 09695619150A0517195D5D
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization exec default local
aaa authorization network vpn local
aaa authorization network groupauthor local
!
!
!
!
!
!
aaa session-id common
no process cpu autoprofile hog
clock timezone newyork -5 0
clock summer-time EDT recurring
no ip gratuitous-arps
!
ip name-server 192.168.1.250 192.168.1.251
ip domain lookup source-interface GigabitEthernet0/0/1.1
ip domain name darkstorm.local
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check crl
!
crypto pki trustpoint TP-self-signed-2084937479
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2084937479
revocation-check none
rsakeypair TP-self-signed-2084937479
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
quit
crypto pki certificate chain TP-self-signed-2084937479
certificate self-signed 01
quit
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
!
!
!
voice service voip
ip address trusted list
ipv4 208.73.144.0 255.255.248.0
ipv4 208.89.108.0 255.255.252.0
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
no supplementary-service sip moved-temporarily
supplementary-service media-renegotiate
fax protocol pass-through g711ulaw
h323
sip
bind control source-interface GigabitEthernet0/0/0
bind media source-interface GigabitEthernet0/0/0
midcall-signaling passthru media-change
sip-profiles 100
no call service stop
!
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
!
!
voice class sip-profiles 200
request INVITE sip-header SIP-Req-URI modify "bt.voipdnsservers.com" "bt.voipdnsservers.com"
request INVITE sip-header Diversion remove
!
voice class sip-profiles 100
response ANY sdp-header Audio-Attribute modify "sendonly" "sendrecv"
response ANY sdp-header Audio-Attribute modify "sendonly" "sendrecv"
request ANY sdp-header Audio-Attribute modify "sendonly" "sendrecv"
!
!
!
!
voice iec syslog
!
voice hunt-group 1 parallel
list 112,113
timeout 60
pilot 201
!
!
voice hunt-group 2 parallel
list 111,112,113
timeout 60
pilot 202
!
!
voice hunt-group 3 parallel
list 100,101,102
timeout 60
pilot 203
description Accounting
!
!
!
voice translation-rule 1
rule 1 /3215933000/ /200/
rule 2 /.*/ /771/
!
voice translation-rule 20
rule 1 /^9/ //
!
voice translation-rule 45
rule 1 /^1..$/ /6319673170/
rule 2 /^2..$/ /3215933000/
rule 3 /.*/ /6319673170/
!
!
voice translation-profile IncomingSIP
translate called 1
!
voice translation-profile outbound
translate calling 45
translate called 20
!
!
!
!
voice-card 0/4
no watchdog
!
no license feature hseck9
license udi pid ISR4331/K9 sn FDO22221BYL
license accept end user agreement
license boot level uck9
license boot level securityk9
memory free low-watermark processor 69596
!
diagnostic bootup level minimal
!
spanning-tree extend system-id

et-analytics
!
username XXXXXX privilege 15 password 7 04690A161B2E5E1C59
username XXXXXX privilege 15 password 7 1316181C0C030F3F
!
redundancy
mode none
!
crypto ikev2 authorization policy ikev2-auth-policy
pool AC_VPN_POOL
dns 192.168.1.250 192.168.1.251
route set access-list VPN_split_tunnel
!
!
!
!
crypto ikev2 profile AnyConnect-EAP
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
aaa authentication anyconnect-eap a-eap-authen-local
aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
aaa authorization user anyconnect-eap cached
virtual-template 100
anyconnect profile acvpn
!
no crypto ikev2 http-url cert
!
!
no cdp run
!
!
translation-rule 1
!
!
!
!
!
crypto vpn anyconnect profile acvpn bootflash:/acvpn.xml
!
!
!
crypto isakmp policy 10
encryption aes
authentication pre-share
group 2
crypto isakmp key Typhoon address 71.167.109.74
crypto isakmp key Typhoon address 10.10.10.10
crypto isakmp key Typhoon address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile AnyConnect-EAP
set transform-set TS
set ikev2-profile AnyConnect-EAP
!
!
!
crypto dynamic-map outside_vpn 10
set security-association lifetime seconds 28800
set transform-set ESP-AES-SHA
match address 129
reverse-route
!
!
crypto map VPN 1 ipsec-isakmp dynamic outside_vpn
!
!
!
!
!
!
!
!
interface Loopback100
ip address 10.0.0.1 255.255.255.255
!
interface VirtualPortGroup1
ip unnumbered GigabitEthernet0/0/1.1
ip nat inside
!
interface VirtualPortGroup2
no ip address
!
interface GigabitEthernet0/0/0
description Verizon Fios
ip address XXX.XXX.XXX.XXX 255.255.255.0
no ip unreachables
ip nat outside
ip verify unicast source reachable-via rx 101
ip access-group 100 in
ip tcp adjust-mss 1200
negotiation auto
crypto map VPN
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
description Link to DSI-4506 Switch
no ip address
no ip unreachables
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0/1.1
description PC Network
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
no ip unreachables
ip nat inside
no cdp enable
no ip virtual-reassembly
!
interface GigabitEthernet0/0/1.2
description IP Phones
encapsulation dot1Q 5
ip address 192.168.5.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
!
interface GigabitEthernet0/0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
media-type sfp
negotiation auto
!
interface Service-Engine0/4/0
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
negotiation auto
no cdp enable
!
interface Virtual-Template100 type tunnel
ip unnumbered Loopback100
ip mtu 1400
tunnel mode ipsec ipv4
tunnel protection ipsec profile AnyConnect-EAP
!
!
virtual-service cue
vnic gateway VirtualPortGroup1
guest ip address 192.168.1.6
vnic gateway VirtualPortGroup2
activate
!
virtual-service connect
description exit
!
iox
ip local pool AC_VPN_POOL 192.168.99.100 192.168.99.200
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 180 requests 25
ip tftp source-interface GigabitEthernet0/0/1.1
ip nat inside source static udp 192.168.1.110 1194 71.167.109.74 1194 extendable
ip nat inside source static tcp 192.168.1.251 20 71.167.109.75 20 extendable
ip nat inside source static tcp 192.168.1.251 21 71.167.109.75 21 extendable
ip nat inside source static tcp 192.168.1.251 22 71.167.109.75 22 extendable
ip nat inside source static tcp 192.168.1.251 80 71.167.109.75 80 route-map BlockNATForRemoteSite-RM extendable
ip nat inside source static tcp 192.168.1.251 443 71.167.109.75 443 route-map BlockNATForRemoteSite-RM extendable
ip nat inside source static tcp 192.168.1.251 5000 71.167.109.75 5000 extendable
ip nat inside source static tcp 192.168.1.251 5001 71.167.109.75 5001 extendable
ip nat inside source static tcp 192.168.1.252 20 71.167.109.76 20 extendable
ip nat inside source static tcp 192.168.1.252 21 71.167.109.76 21 extendable
ip nat inside source static tcp 192.168.1.252 80 71.167.109.76 80 extendable
ip nat inside source static tcp 192.168.1.252 443 71.167.109.76 443 extendable
ip nat inside source static tcp 192.168.1.252 5000 71.167.109.76 5000 extendable
ip nat inside source static tcp 192.168.1.252 5001 71.167.109.76 5001 extendable
ip nat inside source list 130 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
ip route 192.168.1.6 255.255.255.255 VirtualPortGroup1
ip route 192.168.1.7 255.255.255.255 VirtualPortGroup2
ip ssh version 2
!
!
ip access-list standard VPN_split_tunnel
10 permit 192.0.0.0 0.255.255.255
!
ip access-list extended BlockNATForRemoteSite
10 deny ip host 192.168.1.251 192.168.10.0 0.0.0.255
20 deny ip host 192.168.1.251 192.168.11.0 0.0.0.255
30 permit ip host 192.168.1.251 any
!
ip access-list extended 100
9 permit esp any host XXX.XXX.XXX.XXX
10 remark ------------------------------------------
10 remark --Access Control for Inbound on Internet--
10 remark -----------------------------------------
10 remark --Allow PING functions--
10 permit icmp any any echo
20 permit icmp any any echo-reply
30 permit icmp any any time-exceeded
40 permit icmp any any unreachable
50 remark --Allow NTP Access--
50 permit udp any eq ntp any eq ntp
100 remark --Allow www to DSWEB--
100 permit tcp any host XXX.XXX.XXX.XXX eq www
101 permit tcp any host XXX.XXX.XXX.XXX eq www
102 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
103 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
104 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
110 remark --Allow SSL to DSWEB--
110 permit tcp any host XXX.XXX.XXX.XXX eq 443
111 permit tcp any host XXX.XXX.XXX.XXX eq 443
120 remark --Allow FTP to DSWEB--
120 permit tcp any host XXX.XXX.XXX.XXX eq ftp
121 permit tcp any host XXX.XXX.XXX.XXX eq ftp
122 permit tcp any host XXX.XXX.XXX.XXX range 5000 5100
123 permit tcp any host XXX.XXX.XXX.XXX range 5000 5100
124 permit tcp any host XXX.XXX.XXX.XXX eq ftp-data
125 permit tcp any host XXX.XXX.XXX.XXX eq ftp-data
126 permit tcp any host XXX.XXX.XXX.XXX eq 22
200 remark --Allow DNS Updates--
200 permit tcp any eq domain any
210 permit udp any eq domain any
310 permit tcp any host XXX.XXX.XXX.XXX eq 500
311 permit udp any host XXX.XXX.XXX.XXX eq isakmp
312 permit udp any host XXX.XXX.XXX.XXX eq non500-isakmp
801 permit ip XXX.XXX.XXX.XXX 0.0.7.255 any
802 permit ip XXX.XXX.XXX.XXX 0.0.3.255 any
804 permit udp host XXX.XXX.XXX.XXX host 192.168.1.110 eq 1194
900 remark --Outbound Traffic Return--
900 permit tcp any any established
901 permit udp any any eq 1194
999 deny ip any any
800 remark --VOIP SIP Trunks--
ip access-list extended 111
10 permit ip host 192.168.1.6 host 8.8.8.8
20 permit ip any host 8.8.8.8
ip access-list extended 129
20 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
30 permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
40 permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
50 permit ip 192.168.5.0 0.0.0.255 192.168.11.0 0.0.0.255
10 remark ---Allow HQ LAN traffic to Remote via VPN---
ip access-list extended 130
9 deny ip host 192.168.1.251 host 192.168.11.101
10 remark -----------------------------------------------
10 remark --NAT Access Traffic Keep VPN Internal-------
10 remark ----------------------------------------------
10 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255
11 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
12 deny ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
13 deny ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
14 deny ip 192.168.5.0 0.0.0.255 192.168.11.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended 150
20 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
30 permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
10 remark ----------------------------
10 remark --VPN Traffic to Firepower--
10 remark -----------------------------
ip access-list extended 151
!
!
route-map BlockNATForRemoteSite-RM permit 10
match ip address BlockNATForRemoteSite
!
route-map NoNAT permit 20
match ip address 151
!
!
tftp-server bootflash:Desktops/320x212x16/List.xml
tftp-server bootflash:Desktops/320x212x16/DSI-Logo-TN.png
tftp-server bootflash:Desktops/320x212x16/DSI-Logo.png
tftp-server bootflash:/phones/7965-9.4.2SR3/jar45sccp.9-4-2ES26.sbn alias jar45sccp.9-4-2ES26.sbn
tftp-server bootflash:/phones/7965-9.4.2SR3/dsp45.9-4-2ES26.sbn alias dsp45.9-4-2ES26.sbn
tftp-server bootflash:/phones/7965-9.4.2SR3/cvm45sccp.9-4-2ES26.sbn alias cvm45sccp.9-4-2ES26.sbn
tftp-server bootflash:/phones/7965-9.4.2SR3/cnu45.9-4-2ES26.sbn alias cnu45.9-4-2ES26.sbn
tftp-server bootflash:/phones/7965-9.4.2SR3/apps45.9-4-2ES26.sbn alias apps45.9-4-2ES26.sbn
tftp-server bootflash:/phones/7965-9.4.2SR3/SCCP45.9-4-2SR3-1S.loads alias SCCP45.9-4-2SR3-1S.loads
tftp-server bootflash:/phones/7965-9.4.2SR3/term45.default.loads alias term45.default.loads
tftp-server bootflash:/phones/7965-9.4.2SR3/term65.default.loads alias term65.default.loads
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
sccp local GigabitEthernet0/0/1.2
!
!
!
telephony-service
no auto-reg-ephone
max-ephones 52
max-dn 192
ip source-address 192.168.5.1 port 2000
system message Dark Storm Ind
load 7965 SCCP45.9-4-2SR3-1S.loads
time-zone 12
voicemail 777
max-conferences 8 gain -6
moh enable-g711 "moh.wav"
transfer-system full-consult
transfer-pattern 91631.......
transfer-pattern 91516.......
transfer-pattern 91321.......
create cnf-files version-stamp 7960 Jun 24 2022 13:34:36
!
!
dial-peer voice 200 voip
description Incoming_Calls_From Nextiva
translation-profile incoming IncomingSIP
session protocol sipv2
incoming called-number XXXXXXXXXXX
voice-class codec 1
dtmf-relay rtp-nte sip-notify
no vad
!
dial-peer voice 201 voip
description Outbound_Calls_To_Nextiva
translation-profile outgoing outbound
destination-pattern 91..........
session protocol sipv2
session target dns:bt.voipdnsservers.com
voice-class codec 1
voice-class sip profiles 200
dtmf-relay rtp-nte sip-notify
no vad
!
dial-peer voice 700 voip
description Transfer to CUE
destination-pattern 77.
session protocol sipv2
session target ipv4:192.168.1.6
incoming called-number 800[01]...
voice-class sip bind control source-interface GigabitEthernet0/0/0
voice-class sip bind media source-interface GigabitEthernet0/0/0
dtmf-relay sip-notify
codec g711ulaw
no vad
!
dial-peer voice 202 voip
description Incoming Calls From Nextiva for Florida
translation-profile incoming IncomingSIP
destination-pattern 200
session protocol sipv2
session target ipv4:192.168.1.6
incoming called-number XXXXXXXXXXX
voice-class codec 1
dtmf-relay rtp-nte sip-notify
no vad
supplementary-service h450.12
!
dial-peer voice 771 voip
description Outgoing calls to 771 AA
destination-pattern 771
session protocol sipv2
session target ipv4:192.168.1.6
voice-class codec 1
voice-class sip bind control source-interface GigabitEthernet0/0/1.2
voice-class sip bind media source-interface GigabitEthernet0/0/1.2
dtmf-relay rtp-nte sip-notify
no vad
!
!
sip-ua
credentials number XXXXXXXXXXX username XXXXXXXXXXX password 6 gRUbahQQTBc^bLBZ_SUNd^WIHKaLMaZ]UUEI realm nextiva.com
credentials number XXXXXXXXXXX username XXXXXXXXXXX password 6 ciTeAeHUFGAE]VbJMRVEhFGK\AUI^LQF_WWE realm nextiva.com
authentication username XXXXXXXXXXX password 6 QEMcSBMYgZWd_I^PecFZg[PFHBd_[dTWKFaL realm nextiva.com
no remote-party-id
retry invite 2
retry response 3
retry bye 3
retry prack 6
retry register 10
mwi-server ipv4:192.168.1.6 expires 3600 port 5060 transport udp
registrar dns:bt.voipdnsservers.com expires 3600
sip-server dns:bt.voipdnsservers.com
!
!
ephone-template 1
softkeys hold Resume Newcall
softkeys idle Redial Newcall
softkeys connected Hold Park Trnsfer Endcall
softkeys ringing Answer
!
!
ephone-template 2
softkeys hold Resume Newcall
softkeys idle Redial Newcall Cfwdall
softkeys connected Hold Park Trnsfer Endcall
softkeys ringing Answer
!
!
ephone-template 3
softkeys hold Resume Newcall
softkeys idle Redial Newcall Cfwdall Dnd
softkeys connected Hold Park Trnsfer Endcall
softkeys ringing Answer Dnd
!
!
ephone-dn 1
number 170
label DSI
no huntstop
!
!
ephone-dn 2
number 170
label DSI
preference 1
no huntstop
!
!
ephone-dn 3
number 170
label DSI
no huntstop
!
!
ephone-dn 4
number 170
label DSI
no huntstop
!
!
ephone-dn 10
number 198
name Page Retail
paging ip 239.1.1.10 port 2000
!
!
ephone-dn 11
number 199
name Page Mnfg
paging ip 239.1.1.11 port 2000
!
!
ephone-dn 70
number 8000...
mwi on
!
!
ephone-dn 71
number 8001...
mwi off
!
!
ephone-dn 91
number 901
park-slot timeout 30 limit 10
label Park 901
!
!
ephone-dn 92
number 902
park-slot timeout 30 limit 10
label Park 902
!
!
ephone-dn 93
number 903
park-slot timeout 30 limit 10
label Park 903
!
!
ephone-dn 94
number 904
park-slot timeout 30 limit 10
label Park 904
!
!
ephone-dn 100
number 100
label Ed Newman
call-forward busy 777
call-forward noan 777 timeout 30
mwi sip
!
!
ephone-dn 101
number 101
label Peter
call-forward busy 777
call-forward noan 777 timeout 30
mwi sip
!
!
ephone-dn 102
number 102
label Mike
!
!
ephone-dn 104
number 104
label Donald
call-forward busy 170
call-forward noan 170 timeout 30
mwi sip
!
!
ephone-dn 109
number 109
label IT
call-forward busy 777
call-forward noan 777 timeout 30
mwi sip
!
!
ephone-dn 110
number 110
label Range
call-forward busy 170
call-forward noan 170 timeout 30
!
!
ephone-dn 111
number 111
label Pistol Register
call-forward busy 170
call-forward noan 170 timeout 30
!
!
ephone-dn 112
number 112
label Rifle Wall
call-forward busy 170
call-forward noan 170 timeout 30
!
!
ephone-dn 113
number 113
label Rifle Register
call-forward busy 170
call-forward noan 170 timeout 30
!
!
ephone-dn 114
number 114
label Sales
call-forward all 120
mwi sip
!
!
ephone-dn 115
number 115
label Liz
!
!
ephone-dn 116
number 116
label Gunsmithing
!
!
ephone-dn 117
number 117
label Shipping
!
!
ephone-dn 118
number 118
label ToniAnne
call-forward busy 777
call-forward noan 777 timeout 30
mwi sip
!
!
ephone-dn 119
number 119
label Joe
call-forward busy 777
call-forward noan 777 timeout 30
mwi sip
!
!
ephone-dn 120
number 120
label Kevin
call-forward all 916316640307
call-forward busy 777
call-forward noan 777 timeout 20
mwi sip
!
!
ephone-dn 121
number 121
label Build 1
!
!
ephone-dn 122
number 122
label Build 2
!
!
ephone-dn 123
number 123
label Tom
call-forward busy 777
call-forward noan 777 timeout 30
!
!
ephone-dn 124
number 124
label Ammo 1
!
!
ephone-dn 125
number 125
label Ammo 2
!
!
ephone-dn 130
number 200
label Florida Shop
!
!
ephone 100
device-security-mode none
mac-address 10BD.1800.ED7A
ephone-template 3
paging-dn 11
type 7965
button 1:100 2s101 3s114 4s118
button 5:130
!
!
!
ephone 101
device-security-mode none
mac-address 64D9.8969.592E
ephone-template 3
paging-dn 10
type 7965
button 1:101 2c1,2,3,4 3s110 4s111
button 5s112 6s113
!
!
!
ephone 102
device-security-mode none
mac-address 5006.0473.E91C
ephone-template 1
paging-dn 10
type 7965
button 1:102 2c1,2,3,4 3s110 4s111
button 5s112 6s113
!
!
!
ephone 104
device-security-mode none
mac-address 64AE.0C5F.D219
type 7965
button 1:104 2:130
!
!
!
ephone 110
device-security-mode none
mac-address 04DA.D2BE.E778
ephone-template 1
paging-dn 10
type 7965
button 1:110 2c1,2,3,4
!
!
!
ephone 111
device-security-mode none
mac-address 20BB.C093.20C9
ephone-template 1
paging-dn 10
type 7965
button 1:111 2c1,2,3,4
!
!
!
ephone 112
device-security-mode none
mac-address 64D9.8969.5F82
ephone-template 1
paging-dn 10
type 7965
button 1:112 2c1,2,3,4
!
!
!
ephone 113
device-security-mode none
mac-address 001D.70FC.D460
ephone-template 1
paging-dn 10
type 7965
button 1:113 2c1,2,3,4
!
!
!
ephone 114
device-security-mode none
mac-address 24B6.5745.7492
ephone-template 2
paging-dn 11
button 1:114
!
!
!
ephone 115
device-security-mode none
mac-address FCFB.FBCA.FF16
ephone-template 1
paging-dn 10
type 7965
button 1:113 2:114 3c1,2,3,4
!
!
!
ephone 116
device-security-mode none
mac-address 001A.A1B4.8348
ephone-template 1
paging-dn 10
type 7941
button 1:116
!
!
!
ephone 117
device-security-mode none
mac-address 001D.70FC.D303
ephone-template 1
paging-dn 10
type 7965
button 1:117
!
!
!
ephone 118
device-security-mode none
mac-address D4D7.4841.B589
ephone-template 1
paging-dn 10
type 7965
button 1:118
!
!
!
ephone 119
device-security-mode none
mac-address 0024.C445.4324
ephone-template 1
paging-dn 11
type 7965
button 1:119 2s121 3s122
!
!
!
ephone 120
device-security-mode none
mac-address D4D7.4841.D001
ephone-template 3
paging-dn 10
type 7965
button 1:120 2:114
!
!
!
ephone 121
device-security-mode none
mac-address 001A.A1B4.831A
ephone-template 1
paging-dn 11
type 7941
button 1:121 2:119
!
!
!
ephone 122
device-security-mode none
mac-address 001A.A1B4.8C63
ephone-template 1
paging-dn 11
type 7941
button 1:122 2:119
!
!
!
ephone 123
device-security-mode none
mac-address 001D.70FC.CD8C
ephone-template 1
paging-dn 10
type 7965
button 1:112 2c1,2,3,4
!
!
!
ephone 124
device-security-mode none
mac-address 001D.70FC.D54E
ephone-template 1
paging-dn 11
type 7965
button 1:123
!
!
!
ephone 125
device-security-mode none
mac-address D4D7.48FE.E8B0
ephone-template 1
paging-dn 11
type 7965
button 1:109
!
!
!
ephone 126
device-security-mode none
mac-address D824.BDBA.AB40
ephone-template 1
paging-dn 10
type 7965
button 1:115 2:130
!
!
!
ephone 127
device-security-mode none
mac-address 001D.70FC.CD7E
ephone-template 1
paging-dn 10
type 7965
button 1:111 2c1,2,3,4
!
!
!
ephone 128
device-security-mode none
mac-address BCF1.F2E9.1CAF
ephone-template 1
paging-dn 10
type 7965
button 1:124 2c1,2,3,4
!
!
!
ephone 129
device-security-mode none
mac-address BCF1.F2E9.1B36
ephone-template 1
paging-dn 10
type 7965
button 1:125 2c1,2,3,4
!
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
session-timeout 9999
exec-timeout 120 0
password 7 0807495C1B18171E415D5C
length 0
transport input ssh
line vty 5 15
session-timeout 9999
exec-timeout 120 0
password 7 0729245E5C080B0C44445B
logging synchronous
transport input ssh
transport output ssh
!
monitor event-trace packet
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
ntp server 1.north-america.pool.ntp.org minpoll 10
ntp server 2.north-america.pool.ntp.org
ntp server 0.north-america.pool.ntp.org minpoll 10
!
!
!
!
!
end

DarkStormEd
Level 1

I do not seem to get any debug data on the router from an attempted log on to the CUE GUI.  That falls in line with what I would expect as the web GUI is run by the virtual CUE and not the IOS on the router.

Hi

I noticed that on the router you have "no logging monitor", which prevents debug messages from being displayed on the terminal session.

Please activate it by issuing "logging monitor" and "logging monitor debug" in configuration mode.

Please reactivate the debug and post.

Also, on the CUE CLI, activate "trace webinterface" and "show trace buffer tail" and try to log in, then post this output as well.

Thanks

Regards

Carlo

Please rate all helpful posts "The more you help the more you learn"

DarkStormEd
Level 1

Added "logging monitor" and "logging console" on the router

Added "trace webinterface all" and "show trace buffer tail" on CUE

Run "debug ip http all" on router

Nothing showing on either during GUI log on attempt.

Results from show debug on router

IOSXE Conditional Debug Configs:

Conditional Debug Global State: Stop


IOSXE Packet Tracing Configs:


MACSec:
MACsec errors debugging is on

Packet Infra debugs:

Ip Address Port
------------------------------------------------------|----------

HTTP Server:
HTTP Server transaction debugging is on
HTTP Server tokens debugging is on
HTTP Server EZSetup debugging is on
HTTP Server URL debugging is on
HTTP Server Authentication debugging is on
HTTP Server Side Includes debugging is on
HTTP Application Inout debugging is on
HTTP Application Detail debugging is on
HTTP Server Error debugging is on
HTTP SSL Error debugging is on
HTTP CTC trace debug debugging is on
HTTP CTC error debug debugging is on
HTTP SESSION debugging is on
HTTP TPS Trace debugging is on
HTTP TPS Error debugging is on
HTTP WSMAN debugging is on

Results from show trace on CUE

MODULE ENTITY SETTING
ntp ntp ffffffff
webInterface voiceview ffffffff
webInterface user ffffffff
webInterface trigger ffffffff
webInterface syslogdaemon ffffffff
webInterface sysdb ffffffff
webInterface synchronize ffffffff
webInterface supervisor ffffffff
webInterface streaming ffffffff
webInterface sibg ffffffff
webInterface session ffffffff
webInterface restrictiontablesffffffff
webInterface reporting ffffffff
webInterface proxyAgent ffffffff
webInterface prompt ffffffff
webInterface privileges ffffffff
webInterface notifications ffffffff
webInterface mailbox ffffffff
webInterface locations ffffffff
webInterface ivr ffffffff
webInterface initwizard ffffffff
webInterface holidays ffffffff
webInterface group ffffffff
webInterface fax ffffffff
webInterface editor ffffffff
webInterface dlist ffffffff
webInterface database ffffffff
webInterface controller ffffffff
webInterface cmexml ffffffff
webInterface ccnapps ffffffff
webInterface callcontrolgroupffffffff
webInterface businessHours ffffffff
webInterface backupRestore ffffffff
webInterface axl ffffffff
webInterface autoAttendant ffffffff
webInterface aaa ffffffff

LOG NAME STATUS
no such attribute

Any other ideas?