12-14-2012 04:38 AM - edited 03-04-2019 06:24 PM
Hi,
I have a 2911 which works perfectly except that I cannot access it via HTTPS. HTTP and SSH both work. I've regenerated the RSA key several times but to no avail.
The box has a hostname and domain name configured. Any ideas?
regards,
Marcel Tempelman
12-14-2012 04:58 AM
Hi,
Could you post the output from sh ip http server all | i secure ?
Have you got any ACL applied on an interface or linked to an access-class?
Have you tried disabling HTTPS and re-enabling it?
Regards.
Alain
Don't forget to rate helpful posts.
12-14-2012 05:03 AM
Hi,
Thanks for the reply.
Here's the sh ip http server all | i secure output:
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
It uses an access-class and it works for http.
I've tried enabling and disabling secure-server.
regards,
Marcel
12-14-2012 05:25 AM
Hi,
Could you post sh run | s access-list|line vty ?
Also, is the device trying to HTTPS into the router synced with the router's time?
Regards.
Alain
Don't forget to rate helpful posts.
12-14-2012 05:31 AM
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.2.0 0.0.0.255
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 1 permit 10.10.0.0 0.0.0.15
access-list 1 permit 10.10.0.252 0.0.0.3
access-list 2 permit {external address}
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.10.0.252 0.0.0.3
access-list 2 permit 10.10.0.0 0.0.0.15
access-list 2 permit 10.10.0.0 0.0.255.255
access-list 2 deny any
access-list 23 permit 10.10.0.0 0.0.255.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.0.0 0.0.255.255 172.16.248.0 0.0.7.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.10.0.0 0.0.255.255 172.16.248.0 0.0.7.255
access-list 101 permit ip 10.10.0.252 0.0.0.3 any
access-list 101 permit ip 10.10.0.0 0.0.0.15 any
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
access-list 101 permit ip 10.10.2.0 0.0.0.255 any
line vty 0 4
authorization exec local_author
login authentication local_authen
transport input ssh
line vty 5 15
authorization exec local_author
login authentication local_authen
transport input ssh
I'm trying to connect with my own laptop and this error also occurred when I was at the location.
TIA
regards,
Marcel.
12-14-2012 05:54 AM
You can launch Wireshark at the time you're trying to connect with your laptop to see at which level HTTPS fails.
12-17-2012 04:39 AM
Thanks for the suggestions. I'll get back on it when I get some time for it.
Regards,
Marcel.
12-17-2012 05:18 AM
I am interested in this line from one of the posts
HTTP secure server client authentication: Disabled
If authentication is disabled, that would explain why access does not work. So can we figure out why authentication is disabled? Perhaps the original poster can post the parts of the config that deal with the secure server?
HTH
Rick
03-17-2013 02:00 AM
Sorry for the delay, but I haven't had any time to tackle this problem. I do have something to add, though:
Last week another router showed the same behaviour. The fix was deleting all the crypto sections, reloading and letting the router regenerate the keys and the CA part. I'm guessing it has something to do with the fact that the router did not have the correct time when generating the CA and/or key part.
Regards,
Marcel.
Sent from Cisco Technical Support Android App
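The closing post attributes the fix to regenerating the keys and self-signed CA once the router had the right time. A quick way to confirm that theory from the connecting laptop, before wiping the crypto config, is to pull the HTTPS listener's certificate and compare its validity window with the client's own clock: a certificate minted while the router clock was wrong shows up as "not yet valid" or "expired", whereas an access-class denial or an unsupported cipher suite shows up as no TLS handshake at all. The script below is an added example written for this thread, not code from any of the posters or from Cisco; the sample certificate dictionary and its dates are constructed, and the 192.0.2.1 address is a placeholder to replace with the router's address. It also assumes the client TLS library will accept the router's self-signed certificate as its own trust anchor when pinned; if it does not, the reported verification message still tells you why.

```python
"""Check an HTTPS listener's certificate validity window against this machine's clock.

Added example for the thread above; the sample data is constructed, not router output.
"""
import socket
import ssl
import sys
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# The dates are invented to mimic a router whose clock was years ahead when it
# generated its self-signed certificate; the CN is a placeholder.
SAMPLE_CERT = {
    "subject": ((("commonName", "IOS-Self-Signed-Certificate-PLACEHOLDER"),),),
    "issuer": ((("commonName", "IOS-Self-Signed-Certificate-PLACEHOLDER"),),),
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2020 GMT",
}


def validity_window(cert):
    """Return (not_before, not_after) as Unix timestamps from a getpeercert() dict."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


def classify_validity(cert, now=None):
    """Classify the certificate as 'not-yet-valid', 'expired' or 'valid'
    relative to `now` (Unix time; defaults to this machine's clock)."""
    now = time.time() if now is None else now
    not_before, not_after = validity_window(cert)
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    return "valid"


def probe(host, port=443, timeout=5.0):
    """Fetch the listener's certificate without verification, then reconnect
    trusting exactly that certificate so the TLS library applies its normal
    date checks against this machine's clock. Returns (verdict, detail)."""
    socket.setdefaulttimeout(timeout)
    try:
        pem = ssl.get_server_certificate((host, port))
    except (OSError, ssl.SSLError) as exc:
        # No TLS handshake at all: listener down, filtered by an access-class,
        # or no cipher suite in common with this client.
        return ("no-tls", str(exc))
    ctx = ssl.create_default_context(cadata=pem)
    ctx.check_hostname = False  # router certificates rarely carry a matching SAN
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # e.g. "certificate is not yet valid" when the router signed with a bad clock
        return ("verify-failed", exc.verify_message)
    except (OSError, ssl.SSLError) as exc:
        return ("handshake-failed", str(exc))
    return (classify_validity(cert), "%s .. %s" % (cert["notBefore"], cert["notAfter"]))


if __name__ == "__main__":
    # 192.0.2.1 is a TEST-NET placeholder; pass the router's address as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print(probe(target))
```

Run it as `python3 check_router_tls.py <router-address>`. A "no-tls" verdict means the problem sits before certificate checks (the access-class in the thread, or the 3DES/RC4-only cipher list shown in the sh ip http server output, which current clients refuse), while "verify-failed" with a date message points at the clock problem the last post describes; fixing the clock first (NTP) and then regenerating the key and self-signed certificate avoids having to repeat the exercise.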