10-07-2020 09:57 AM - edited 10-07-2020 10:20 AM
Hi, because of security advisory CVE-2020-3382 I decided to upgrade my DCNM installation to 11.4(1).
I was running the 11.1(1) OVA version on an ESXi server, standalone install (no HA).
I followed this guide and performed the "Inline Upgrade for DCNM Virtual Appliance in Standalone Mode" procedure. Everything went OK without any errors, but the web interface doesn't start; https://dncm_ip doesn't respond.
After scanning open ports, port 443 doesn't appear to be open on the server.
Any idea what could be the problem? Thanks
[root@cisco-dcnm ~]# appmgr status all
DCNM v11 will only use HTTPS. Insecure access via HTTP is disabled.
Please use the url https://<DCNM-IP-ADDRESS> or https://<HOSTNAME> to launch the DCNM UI.

DCNM Status
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
=== ==== == == ======= ====== ===== = ==== ==== ======= =======
2899 fmserver 20 0 12.2g 3.4g 15572 S 0.0 14.4 964:52.71 java

Telemetry Infra Status
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
=== ==== == == ======= ====== ===== = ==== ==== ======= =======
738 root 20 0 796716 5240 3452 S 0.0 0.0 5:35.89 telemetry-infra

TFTP Status
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
=== ==== == == ======= ====== ===== = ==== ==== ======= =======
1374 root 20 0 27168 1060 808 S 0.0 0.0 0:00.00 xinetd

DHCP Status
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
=== ==== == == ======= ====== ===== = ==== ==== ======= =======
1401 dhcpd 20 0 103636 5780 3488 S 0.0 0.0 0:19.65 dhcpd

AMQP Status
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
=== ==== == == ======= ====== ===== = ==== ==== ======= =======
1376 rabbitmq 20 0 6000172 81168 4220 S 0.0 0.3 90:03.01 beam.smp

[root@cisco-dcnm ~]# appmgr show version
Cisco Data Center Network Manager
Version: 11.4(1)
Install mode: LAN Fabric
Standalone node. HA not enabled.
10-20-2020 01:03 PM
Hi, I found more interesting information after some troubleshooting.
I connected via SSH to the DCNM VM and can see the container running with the correct port redirection:
[root@cisco-dcnm ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1449b8c16895 127.0.0.1:5001/afwapiproxy:2.2 "/bin/entry.sh" 8 days ago Up 8 days 0.0.0.0:443->443/tcp, 0.0.0.0:9200->9200/tcp AfwApiProxy
So the app is listening on 0.0.0.0:443, but I can't connect to it.
It seems there's some kind of firewall running that blocks the connection to 443 in the DCNM virtual machine, not the Red Hat/CentOS one but some Cisco process (vendor preset: enabled):
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
To confirm this, I configured SSH port tunneling (localhost:443 ---> localhost:443) with my SSH client and it works! I can connect to the DCNM web GUI perfectly.
It seems the inline upgrade script didn't set up the firewall correctly to allow the connection to the DCNM web GUI.
Does anyone have an idea where to configure this?
Thanks
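
An inactive firewalld does not mean the kernel has no packet-filter rules, because Docker and other software can install iptables rules directly. The following added example (not part of the original posts and not Cisco tooling) filters `iptables -S` output for the rules that can affect new TCP connections to a given port. The sample ruleset, interface name and addresses are constructed for illustration, not captured from a DCNM appliance.

```shell
#!/bin/sh
# Constructed `iptables -S` output for illustration (NOT from a DCNM appliance).
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,2443 -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DOCKER-USER
-A DOCKER -d 172.17.0.2/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER-USER -i eth0 -j REJECT --reject-with icmp-port-unreachable'

# rules_affecting_port PORT
# Reads `iptables -S` text on stdin and prints, in ruleset order:
#   policy    <chain>: a chain whose default policy is not ACCEPT
#   port      <chain>: a TCP rule whose --dport/--dports covers PORT
#   catch-all <chain>: a DROP/REJECT rule with no port match
# Loopback-only rules are skipped: they explain why a tunnel to
# localhost:443 works, but they never see LAN clients.
# Docker-published ports are normally DNATed and then judged in the
# FORWARD/DOCKER* chains rather than INPUT, so every chain is reported.
rules_affecting_port() {
    awk -v port="$1" '
    $1 == "-P" { if ($3 != "ACCEPT") print "policy " $2 ": " $0; next }
    $1 != "-A" || / -i lo / { next }
    / -p / && !/ -p tcp / { next }            # rule is for another protocol
    match($0, /--dports? [0-9,:]+/) {
        spec = substr($0, RSTART, RLENGTH); sub(/^[^ ]+ /, "", spec)
        n = split(spec, p, ","); hit = 0
        for (i = 1; i <= n; i++) {            # each item is N or LOW:HIGH
            split(p[i], r, ":")
            low = r[1]; high = (r[2] == "" ? r[1] : r[2])
            if (port + 0 >= low + 0 && port + 0 <= high + 0) hit = 1
        }
        if (hit) print "port " $2 ": " $0
        next
    }
    / -j (DROP|REJECT)/ { print "catch-all " $2 ": " $0 }
    '
}

# Demo on the constructed sample. On a real host (as root) use instead:
#   iptables -S | rules_affecting_port 443
#   iptables -t nat -S | rules_affecting_port 443
printf '%s\n' "$SAMPLE_RULES" | rules_affecting_port 443
```

A `catch-all` or `policy` line with no earlier accepting rule for the client's path is the place to look when a port is published by a container but unreachable from the LAN.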
09-23-2021 12:11 PM
I upgraded the same install to 11.5.1; the same problem still persists, I can't access the web GUI via the LAN IP.
I can access the web GUI by doing SSH port tunneling (localhost:443 ---> localhost:443).
Does anyone know how to fix this?