
2911 HTTPS access problem

Hi,

I have a 2911 which works perfectly except I cannot access it via HTTPS. HTTP and SSH both work. I've regenerated the RSA-key several times but to no avail.

The box has a host- and domain-name configured. Any ideas?

regards,

Marcel Tempelman


cadet alain
VIP Alumni

Hi,

Could you post output from sh ip http server all | i secure

Have you got any ACL applied on an interface or linked to an access-class?

Have you tried disabling HTTPS and re-enabling it?

Regards.

Alain

Don't forget to rate helpful posts.


Hi,

Thx for the reply:

Here's the sh ip http server all | i secure output:

HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL

It uses an access-class and it works for HTTP.

I've tried enabling and disabling secure-server.

regards,

Marcel

Hi,

Could you post sh run | s access-list|line vty

Also, is the device trying to HTTPS into the router synced with the router time?

Regards.

Alain

Don't forget to rate helpful posts.


access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.2.0 0.0.0.255
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 1 permit 10.10.0.0 0.0.0.15
access-list 1 permit 10.10.0.252 0.0.0.3
access-list 2 permit {external address}
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.10.0.252 0.0.0.3
access-list 2 permit 10.10.0.0 0.0.0.15
access-list 2 permit 10.10.0.0 0.0.255.255
access-list 2 deny   any
access-list 23 permit 10.10.0.0 0.0.255.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.0.0 0.0.255.255 172.16.248.0 0.0.7.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.10.0.0 0.0.255.255 172.16.248.0 0.0.7.255
access-list 101 permit ip 10.10.0.252 0.0.0.3 any
access-list 101 permit ip 10.10.0.0 0.0.0.15 any
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
access-list 101 permit ip 10.10.2.0 0.0.0.255 any
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input ssh
line vty 5 15
 authorization exec local_author
 login authentication local_authen
 transport input ssh

I'm trying to connect with my own laptop and this error also occurred when I was at the location.

TIA

regards,

Marcel.
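
Added example (not part of the original thread or any poster's code): a small evaluator for the standard ACL 2 posted above, which its remark labels as the HTTP access-class list, showing which entry a given client address hits under first-match semantics. The client addresses are constructed for illustration, and the redacted "{external address}" entry is skipped because it cannot be evaluated.

```python
import ipaddress

# ACL 2 exactly as posted in the thread. The "{external address}" entry is
# redacted on the page, so it cannot be evaluated and is skipped.
ACL_TEXT = """\
access-list 2 permit {external address}
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.10.0.252 0.0.0.3
access-list 2 permit 10.10.0.0 0.0.0.15
access-list 2 permit 10.10.0.0 0.0.255.255
access-list 2 deny   any
"""

def parse_standard_acl(text, number):
    """Return (action, address, wildcard, line) tuples for one standard ACL."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[:2] != ["access-list", str(number)]:
            continue
        action = parts[2]
        args = [a for a in parts[3:] if a != "log"]
        if action not in ("permit", "deny") or not args:
            continue  # remark lines carry no match logic
        try:
            if args[0] == "any":
                addr, wild = 0, 0xFFFFFFFF
            else:
                if args[0] == "host":
                    args = args[1:]
                addr = int(ipaddress.IPv4Address(args[0]))
                # A bare address with no wildcard matches that host only.
                wild = int(ipaddress.IPv4Address(args[1])) if len(args) > 1 else 0
        except (ValueError, IndexError):
            continue  # redacted or malformed entry
        entries.append((action, addr, wild, line.strip()))
    return entries

def evaluate(entries, source_ip):
    """First matching entry wins; no match falls through to the implicit deny."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, addr, wild, line in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
        if (src & care) == (addr & care):
            return action, line
    return "deny", "(implicit deny)"

if __name__ == "__main__":
    acl = parse_standard_acl(ACL_TEXT, 2)
    for ip in ("10.10.0.253", "10.10.5.20", "192.0.2.10"):  # constructed clients
        print(ip, *evaluate(acl, ip))
```

Any inside address in 10.10.0.0/16 is permitted by this list, so a client in that range is not being filtered by ACL 2 itself.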

You can launch Wireshark at the time you're trying to connect with your laptop to see at which level HTTPS fails.

Thanks for the suggestions. I'll get back on it when I get some time for it.

Regards,

Marcel.

I am interested in this line from one of the posts

HTTP secure server client authentication: Disabled

If authentication is disabled that would explain why access does not work. So can we figure out why authentication is disabled? Perhaps the original poster can post the parts of the config that deal with secure server?

HTH

Rick


Sorry for the delay, but I haven't had any time to tackle this problem. I do have something to add:

Last week another router showed the same behaviour. The fix was deleting all the crypto sections, reloading, and letting the router regenerate the keys and CA part. I'm guessing it has something to do with the fact that the router did not have the correct time when treating the CA and/or key part.


Regards,

Marcel.


Sent from Cisco Technical Support Android App
