6072 Views, 71 Helpful, 21 Replies

ISR 4321 webUI Not Loading after Upgrade to 17.03.04a

Zydain (Level 1)

It seems the webUI is no longer loading for me after I upgraded the software to 17.03.04a.  Have I misconfigured something?

 

I am trying to access it from a laptop connected to G0/1/1 with IP 10.10.10.11, mask 255.0.0.0, GW 10.10.10.254.

 

Current Config:
!
! Last configuration change at 09:51:16 CST Tue Nov 16 2021 by admin
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ciscoisr
!
boot-start-marker
boot system flash isr4300-universalk9.17.03.04a.SPA.bin
boot system flash isr4300-universalk9.16.06.05.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging console emergencies
enable secret 9 "removed"
enable password 7 "removed"
!
no aaa new-model
clock timezone CST -6 0
!
!
!
!
!
!
!
ip name-server 206.166.1.109 206.166.1.110
ip domain name ciscoisr.cisco.com
ip dhcp excluded-address 10.10.11.0 10.255.255.255
ip dhcp excluded-address 10.0.0.0 10.10.10.10
!
ip dhcp pool router-dhcp
network 10.0.0.0 255.0.0.0
default-router 10.10.10.254
dns-server 206.166.1.110 206.166.1.109
!
ip dhcp pool roedhcp
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 206.166.1.110 206.166.1.109
!
ip dhcp pool DMZDHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 206.166.1.109 206.166.1.110
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
no device-tracking logging theft
!
!
!
crypto pki trustpoint TP-self-signed-3425543225
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3425543225
revocation-check none
rsakeypair TP-self-signed-3425543225
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-3425543225
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
D697DF7F 28
quit
!
!
no license feature hseck9
license udi pid ISR4321/K9 sn FLM25160AU8
memory free low-watermark processor 69075
!
!
!
!
!
object-group network Barracuda_dst_net
host 10.10.10.3
!
object-group service Barracuda_svc
tcp eq 22
tcp eq www
tcp eq 123
tcp eq 443
tcp eq 1194
tcp eq 5120
tcp range 5121 5129
udp eq 22
udp eq 80
udp eq ntp
udp eq 443
udp eq 1194
udp eq 5120
udp range 5121 5129
!
object-group network WANtoChildFindWS_dst_net
host 192.168.1.101
!
object-group network WANtoHBugWS_dst_net
host 192.168.1.100
!
object-group network WANtoMailServer_dst_net
host 10.10.10.197
!
object-group service WANtoMailServer_svc
tcp eq 32000
!
object-group network WANtoVPNHBug_dst_net
host 10.10.10.32
!
object-group service WANtoVPNHBug_svc
udp eq 1194
!
object-group network WANtoVPNROE_dst_net
host 192.168.2.50
!
object-group service WANtoVPNROE_svc
udp eq 1194
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 secret 9 $14$GqDt$u7MCizhFiHToPk$T7fPD2jI70F4HgqjobUBhLHGjKc2yi2IcYB5fH03jQ6
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-all DMZtoWAN
description DMZ outgoing traffic to Internet
match access-group name DMZtoWAN_acl
class-map type inspect match-all HBugLANtoDMZ
description HBugLAN outgoing traffic to DMZ
match access-group name HBugLANtoDMZ_acl
class-map type inspect match-all WANtoVPNHBug
description Wan traffic to HBug Open VPN service
match access-group name WANtoVPNHBug_acl
class-map type inspect match-any WANtoChildFindWS_app
match protocol http
match protocol https
class-map type inspect match-all HBugLANtoWAN
description HBugLAN outgoing traffic to Internet
match access-group name HBugLANtoWAN_acl
class-map type inspect match-all ROELANtoDMZ
description ROELAN outgoing traffic to DMZ
match access-group name ROELANtoDMZ_acl
class-map type inspect match-all WANtoVPNROE
description WAN to VPN Server for ROE
match access-group name WANtoVPNROE_acl
class-map type inspect match-all ROELANtoWAN
description ROELAN outgoing traffic to Internet
match access-group name ROELANtoWAN_acl
class-map type inspect match-all HBugLANtoROELAN
description HBugLAN outgoing traffic to ROELAN
match access-group name HBugLANtoROELAN_acl
class-map type inspect match-all ROELANtoHBugLAN
description ROE outgoing traffic to HBugLAN
match access-group name ROELANtoHBugLAN_acl
class-map type inspect match-any WANtoHBugWS_app
match protocol http
match protocol https
class-map type inspect match-any Barracuda_app
match protocol http
match protocol https
class-map type inspect match-any WANtoMailServer_app
match protocol pop3
match protocol smtp
match protocol http
class-map type inspect match-all WANtoChildFindWS
description Traffic to Child Find Web Server
match class-map WANtoChildFindWS_app
match access-group name WANtoChildFindWS_acl
class-map type inspect match-all WANtoMailServer
description Traffic to Mail Server
match class-map WANtoMailServer_app
match access-group name WANtoMailServer_acl
class-map type inspect match-all Barracuda
description WAN traffic to Barracuda
match class-map Barracuda_app
match access-group name Barracuda_acl
class-map type inspect match-all WANtoHBugWS
description WAN to HBug website
match class-map WANtoHBugWS_app
match access-group name WANtoHBugWS_acl
!
policy-map type inspect HBUGLAN-ROELAN-POLICY
class type inspect HBugLANtoROELAN
drop
class class-default
drop log
policy-map type inspect ROELAN-HBUGLAN-POLICY
class type inspect ROELANtoHBugLAN
drop
class class-default
drop log
policy-map type inspect WAN-HBUGLAN-POLICY
class type inspect Barracuda
inspect
class type inspect WANtoVPNHBug
inspect
class type inspect WANtoMailServer
inspect
class class-default
drop log
policy-map type inspect ROELAN-WAN-POLICY
class type inspect ROELANtoWAN
inspect
class class-default
drop log
policy-map type inspect HBUGLAN-WAN-POLICY
class type inspect HBugLANtoWAN
inspect
class class-default
drop log
policy-map type inspect HBUGLAN-DMZ-POLICY
class type inspect HBugLANtoDMZ
inspect
class class-default
drop log
policy-map type inspect DMZ-WAN-POLICY
class type inspect DMZtoWAN
inspect
class class-default
drop log
policy-map type inspect WAN-DMZ-POLICY
class type inspect WANtoHBugWS
inspect
class type inspect WANtoChildFindWS
inspect
class class-default
drop log
policy-map type inspect ROELAN-DMZ-POLICY
class type inspect ROELANtoDMZ
inspect
class class-default
drop log
policy-map type inspect WAN-ROELAN-POLICY
class type inspect WANtoVPNROE
inspect
class class-default
drop log
!
zone security WAN
description Outside (Internet)
zone security HBugLAN
description Inside (HBug 10.x.x.x LAN)
zone security ROELAN
description Inside (ROE 192.168.2.x LAN)
zone security DMZ
description Inside (DMZ 192.168.1.x LAN)
zone-pair security DMZ-WAN source DMZ destination WAN
service-policy type inspect DMZ-WAN-POLICY
zone-pair security HBUGLAN-DMZ source HBugLAN destination DMZ
service-policy type inspect HBUGLAN-DMZ-POLICY
zone-pair security HBUGLAN-ROELAN source HBugLAN destination ROELAN
service-policy type inspect HBUGLAN-ROELAN-POLICY
zone-pair security HBUGLAN-WAN source HBugLAN destination WAN
service-policy type inspect HBUGLAN-WAN-POLICY
zone-pair security ROELAN-DMZ source ROELAN destination DMZ
service-policy type inspect ROELAN-DMZ-POLICY
zone-pair security ROELAN-HBUGLAN source ROELAN destination HBugLAN
service-policy type inspect ROELAN-HBUGLAN-POLICY
zone-pair security ROELAN-WAN source ROELAN destination WAN
service-policy type inspect ROELAN-WAN-POLICY
zone-pair security WAN-DMZ source WAN destination DMZ
service-policy type inspect WAN-DMZ-POLICY
zone-pair security WAN-HBUGLAN source WAN destination HBugLAN
service-policy type inspect WAN-HBUGLAN-POLICY
zone-pair security WAN-ROELAN source WAN destination ROELAN
service-policy type inspect WAN-ROELAN-POLICY
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
description Services loopback for ICN Monitoring RTC9-ROE20_Harrisburg
ip address 66.99.159.232 255.255.255.255
!
interface GigabitEthernet0/0/0
description Primary WAN
ip address "removed" 255.255.255.248
ip nat outside
zone-member security WAN
speed 100
no negotiation auto
spanning-tree portfast trunk
!
interface GigabitEthernet0/0/0.2
encapsulation dot1Q 2
zone-member security ROELAN
!
interface GigabitEthernet0/0/0.3
encapsulation dot1Q 3
zone-member security DMZ
!
interface GigabitEthernet0/0/0.4
encapsulation dot1Q 4
zone-member security HBugLAN
!
interface GigabitEthernet0/0/1
description Test WAN
no ip address
ip nat inside
shutdown
media-type rj45
speed 100
no negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/1/0
description ROE VLAN2
switchport access vlan 2
switchport trunk native vlan 2
switchport mode access
zone-member security ROELAN
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/1
description HBug VLAN4
switchport access vlan 4
switchport mode access
zone-member security HBugLAN
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/2
shutdown
spanning-tree portfast disable
!
interface GigabitEthernet0/1/3
shutdown
spanning-tree portfast disable
!
interface GigabitEthernet0/1/4
shutdown
spanning-tree portfast disable
!
interface GigabitEthernet0/1/5
shutdown
spanning-tree portfast disable
!
interface GigabitEthernet0/1/6
description DMZ VLAN3
switchport access vlan 3
switchport trunk native vlan 3
switchport mode access
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/7
description DMZ VLAN3
switchport access vlan 3
switchport trunk native vlan 3
switchport mode access
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip nat inside
zone-member security ROELAN
!
interface Vlan3
ip address 192.168.1.254 255.255.255.0
ip nat inside
zone-member security DMZ
!
interface Vlan4
ip address 10.10.10.254 255.0.0.0
ip nat inside
zone-member security HBugLAN
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip tftp source-interface GigabitEthernet0/1/1
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source list 10 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 "removed"
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
!
!
ip access-list extended Barracuda_acl
10 permit object-group Barracuda_svc any object-group Barracuda_dst_net
ip access-list extended DMZtoWAN_acl
10 permit ip any any
ip access-list extended HBugLANtoDMZ_acl
10 permit ip any any
ip access-list extended HBugLANtoROELAN_acl
10 permit ip any any
ip access-list extended HBugLANtoWAN_acl
10 permit ip any any
ip access-list extended ROELANtoDMZ_acl
10 permit ip any any
ip access-list extended ROELANtoHBugLAN_acl
10 permit ip any any
ip access-list extended ROELANtoWAN_acl
10 permit ip any any
ip access-list extended WANtoChildFindWS_acl
10 permit ip any object-group WANtoChildFindWS_dst_net
ip access-list extended WANtoHBugWS_acl
10 permit ip any object-group WANtoHBugWS_dst_net
ip access-list extended WANtoMailServer_acl
10 permit object-group WANtoMailServer_svc any object-group WANtoMailServer_dst_net
ip access-list extended WANtoVPNHBug_acl
10 permit object-group WANtoVPNHBug_svc any object-group WANtoVPNHBug_dst_net
ip access-list extended WANtoVPNROE_acl
10 permit object-group WANtoVPNROE_svc any object-group WANtoVPNROE_dst_net
!
ip access-list standard 1
10 permit 66.99.142.0 0.0.0.255
20 permit 206.166.67.0 0.0.0.127
ip access-list standard 10
10 permit 10.0.0.0 0.255.255.255
20 permit 192.168.2.0 0.0.0.255
30 permit 192.168.1.0 0.0.0.255
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
control-plane
!
banner login CNo unauthorized access is allowed.
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 "removed"
login local
length 0
transport input ssh
line vty 5 15
password 7 "removed"
login local
transport input ssh
line vty 16 30
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
!
event manager applet 40storeShowTech
event none sync no maxrun 31536000
action 001 cli command "enable"
action 002 cli command "traceroute 8.8.8.8 source GigabitEthernet0/0/1"
action 003 file open TECHFILE bootflash:40sh_tech.txt w+
action 004 file puts TECHFILE "$_cli_result"
action 005 file close TECHFILE
!
end
2 Accepted Solutions

Zydain (Level 1)

Guys, I figured it out… both the secure-server and the regular http server were enabled.  I just need http for now.

I had to disable the https (no ip http secure-server) leaving only http...

Can’t believe it took me this long to realize haha


Received help from TAC

 

It looks like there may be a trustpoint issue for the HTTPS client:

 

*Nov 19 18:50:58.998: %WSMAN-3-INVALID_TRUSTPOINT: Trustpoint associated with HTTP is either invalid or does not exist

 

We will probably need to manually generate it. You can use the following configuration:

 

Router(config)#crypto key generate rsa modulus 2048 label WebGUI
The name for the keys will be: WebGUI

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

Router(config)#crypto pki trustpoint WebGUI
Router(ca-trustpoint)#enrollment self
Router(ca-trustpoint)#subject-name CN=[SW_IP]
Router(ca-trustpoint)#rsakeypair WebGUI

Router(config)#crypto pki enroll WebGUI
The router has already generated a Self Signed Certificate for
trustpoint TP-self-signed-4127652830.
If you continue the existing trustpoint and Self Signed Certificate
will be deleted.

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]:
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

Router(config)#ip http secure-trustpoint WebGUI


21 Replies

marce1000 (VIP)

 

- What fault do you get in the browser?

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

I get an invalid response in both Chrome and Edge.

 

- Post screenshot of observed result.

 M.




 

Screenshot attached

Hello,

 

turn the http/https server off and delete the username and password (obviously make sure you have configured another one first in order to not get locked out), then re-enable both and re-enter the username:

 

--> no ip http server
--> no ip http secure-server
--> no username admin privilege 15 secret 9

 

--> ip http server
--> ip http secure-server
--> username admin privilege 15 secret

I performed these tasks, but am still unable to access the webui.  I also cleared cache and cookies in Chrome but still got the attached screenshot.

 

- Could you try a simple http connection instead of https, or else regenerate the RSA keys.

 M.




I have tried http and https.  I also tried to zeroize the rsa keys and then generate new ones.  Unfortunately, I am still unable to access the webgui.

 

- What error do you get on 'simple http'? Post a screenshot too. Also check the logs for both types when tried.

 M.




http just redirects me to https with the same error as before. I'm not sure how to get the logs you're looking for, can you point me in the right direction?

 

- I mean log on through the CLI and issue the (exec) command show logging, just after an attempt was made with an https connection in the browser.

 M.




Hello,

 

it could be related to the TLS version being used. Check if there is a global command:

 

ip http tls-version

 

and toggle the different available version options...

I tried every option, but no luck.

ciscoisr#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ciscoisr(config)#ip http tls-
ciscoisr(config)#ip http tls-version ?
TLSv1.0 Set TLSv1.0 version Only
TLSv1.1 Set TLSv1.1 version Only
TLSv1.2 Set TLSv1.2 version Only

ciscoisr(config)#ip http tls-version tlsv1.2 ?

ciscoisr(config)#ip http tls-version tlsv1.2
ciscoisr(config)#exit
ciscoisr#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ciscoisr(config)#ip http tls-version tlsv1.1
ciscoisr(config)#exit
ciscoisr#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ciscoisr(config)#ip http tls-version tlsv1.0
ciscoisr(config)#exit
ciscoisr#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ciscoisr(config)#ip http tls-version tlsv1.2 ?

ciscoisr(config)#ip http tls-version tlsv1.2
ciscoisr(config)#exit
ciscoisr#
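Toggling "ip http tls-version" on the router only changes what the server offers; it helps to see from the laptop side how each handshake actually ends. The following Python is an added example, not from this thread or from Cisco: it attempts a TLS handshake against a host and port (arguments, assumed reachable from the probing host; nothing is taken from a live device) once per TLS version, and separates "nothing listening" (TCP refused) from "TCP connects but the handshake fails", which is the state the TAC log line describes. It goes slightly beyond the router's three options by also trying TLS 1.3, and it exercises the refused path offline against a closed loopback port.

```python
"""Added example: probe an HTTPS endpoint one TLS version at a time and report
how each handshake ends, so 'nothing listening' can be told apart from
'TCP connects but TLS fails'. Host and port are arguments; nothing here is
taken from a live device."""
import socket
import ssl

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_tls(host, port=443, version=None, timeout=3.0):
    """Try one handshake; return a dict whose 'outcome' is one of
    ok / refused / timeout / handshake_failed / unsupported_locally / error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic: inspect the self-signed cert, not trust it
    if version is not None:
        try:  # old protocol versions may be compiled out of the local OpenSSL
            ctx.minimum_version = ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            return {"outcome": "unsupported_locally"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                return {"outcome": "ok", "negotiated": tls.version(), "cert_len": len(der)}
    except ConnectionRefusedError:
        return {"outcome": "refused"}
    except (socket.timeout, TimeoutError):
        return {"outcome": "timeout"}
    except ssl.SSLError as exc:
        return {"outcome": "handshake_failed", "reason": exc.reason or str(exc)}
    except OSError as exc:
        return {"outcome": "error", "reason": str(exc)}


def probe_all_versions(host, port=443):
    """Run probe_tls once per version: the three 'ip http tls-version' options plus 1.3."""
    return {name: probe_tls(host, port, ver) for name, ver in VERSIONS.items()}


def summarize(results):
    """Map the per-version outcomes to the next thing to check on the router."""
    outcomes = {r["outcome"] for r in results.values()}
    if "ok" in outcomes:
        good = [n for n, r in results.items() if r["outcome"] == "ok"]
        return "handshake ok with " + ", ".join(good) + "; the TLS layer is not the problem"
    if "refused" in outcomes and outcomes <= {"refused", "unsupported_locally"}:
        return "nothing is listening on the port: check 'ip http secure-server' and 'show ip http server status'"
    if "handshake_failed" in outcomes:
        return ("TCP connects but every TLS handshake fails: check 'show logging' for "
                "%WSMAN-3-INVALID_TRUSTPOINT and whether 'ip http secure-trustpoint' "
                "names a trustpoint that holds a certificate")
    return "no handshake completed: " + ", ".join(sorted(outcomes))


def unused_local_port():
    """Reserve and release a loopback port so the 'refused' path can be exercised offline."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else unused_local_port()
    res = probe_all_versions(host, port)
    for name, r in res.items():
        print(f"{name:8} {r}")
    print(summarize(res))
```

Run it as "python probe.py 10.10.10.254 443" from the laptop on the HBug VLAN; a result of "refused" on every version means the HTTPS listener is not up at all, while "handshake_failed" on every version matches the invalid-trustpoint log message and points at the certificate rather than the TLS version setting.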

Hello,

 

what is the output of:

 

show http server status
