10-10-2024 12:47 AM
Hi,
We have a Cisco 4221 router. When I try accessing its GUI page on https://192.168.10.1, it's not letting me access that.
What all I have tried and not working is as follows:
Please help me with that.
PS: I am not a network expert. I am amateur at it. But I can manage configuration through GUI.
10-10-2024 08:07 AM
Check the link below and let me know if that helps you:
If there is still an issue, post the output below:
show version
show logging
show run
show ip ssh
10-10-2024 12:02 PM - edited 10-10-2024 12:12 PM
SHOW VERSION
Router>show version
Cisco IOS XE Software, Version 16.08.01
Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9_IAS-M), Version 16.8.1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Tue 27-Mar-18 13:43 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
Router uptime is 20 minutes
Uptime for this control processor is 22 minutes
System returned to ROM by PowerOn
System image file is "bootflash:isr4200-universalk9_ias.16.08.01.SPA.bin"
Last reload reason: PowerOn
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Suite License Information for Module:'esg'
--------------------------------------------------------------------------------
Suite Suite Current Type Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9 None None None
securityk9
appxk9
Technology Package License Information:
-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
appxk9 None None None
securityk9 securityk9 Permanent securityk9
ipbase ipbasek9 Permanent ipbasek9
cisco ISR4221/K9 (1RU) processor with 1788426K/6147K bytes of memory.
Processor board ID FGL2421LVK4
1 Virtual Ethernet interface
6 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7081983K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.
Configuration register is 0x2102
SHOW IP SSH
Router>show ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-1236578148
%SSH: Failed to encode IOS ASN.1 to SECSH format
Router>
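An added example, not part of any post in this thread: a small Python audit of the `show ip ssh` output above, flagging what a defender would want to tighten on this router (SSHv1 fallback, SHA-1 based MAC/KEX entries, and the host-key encoding error). The function names are hypothetical and the sample is constructed from the lines posted above.

```python
import re

# Constructed sample: the relevant `show ip ssh` lines as posted in this thread.
SAMPLE = """\
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Minimum expected Diffie Hellman key size : 2048 bits
%SSH: Failed to encode IOS ASN.1 to SECSH format
"""

def parse_show_ip_ssh(text):
    """Return (version, {field: [algorithms]}, dh_min_bits, [device error lines])."""
    version, algos, dh_bits, errors = None, {}, None, []
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"SSH Enabled - version (\S+)", line):
            version = m.group(1)
        elif m := re.match(r"Minimum expected Diffie Hellman key size\s*:\s*(\d+)", line):
            dh_bits = int(m.group(1))
        elif line.startswith("%"):
            errors.append(line)  # IOS prefixes error messages with '%'
        elif "Algorithms:" in line:
            name, _, value = line.partition(":")
            algos[name.strip()] = [a.strip() for a in value.split(",") if a.strip()]
    return version, algos, dh_bits, errors

def audit(text):
    """List hardening findings for one `show ip ssh` capture."""
    version, algos, dh_bits, errors = parse_show_ip_ssh(text)
    findings = []
    if version == "1.99":  # 1.99 = server accepts SSHv1 as well as SSHv2 clients
        findings.append("version 1.99: SSHv1 still accepted; configure 'ip ssh version 2'")
    for field in ("MAC Algorithms", "KEX Algorithms"):
        legacy = [a for a in algos.get(field, []) if "sha1" in a]
        if legacy:
            findings.append(f"{field}: SHA-1 based entries offered: {', '.join(legacy)}")
    if dh_bits is not None and dh_bits < 2048:
        findings.append(f"minimum DH key size {dh_bits} bits is below 2048")
    findings += [f"device reported: {e}" for e in errors]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```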
10-10-2024 12:10 PM
Also at ip http secure-server command I am getting the following error:
Router(config)#ip http secure-server
CRYPTO_PKI: setting trustpoint policy for TP-self-signed-1236578148 to specify TP-self-signed-1236578148 keypair usage
Failed to generate persistent self-signed certificate.
Secure server will use temporary self-signed certificate.
10-13-2024 07:50 AM
@balaji.bandi @Flavio Miranda @azolfi78
Please help me further. I truly appreciate your response.
10-13-2024 08:29 AM
Enable debug on the router, access the page from the PC, and post the debug logs here.
I never had so much difficulty accessing the GUI for testing:
I also suggest zeroing the keys and configuring ip ssh version 2:
crypto key generate rsa usage-keys modulus 2048
Another thing: are you not getting any prompt at all, or are you getting a prompt, entering the username and password, and getting an error later?
10-13-2024 08:56 AM
How to enable debug on router and how will I be able to access the logs?
I performed the steps mentioned in the link but still the same problem persists.
Crypto command says "Please define a hostname other than Router."
I am not getting any prompt at all.
Is it easier if there is a way I could reset everything on router and GUI shows up normally like the other small routers?
10-13-2024 09:59 AM
If this is not a production router, then write erase and reload and start from bootstrap.
Below is the standard base config I use; it works as expected:
config t
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$jtK0$yyHFcVM7xyelts1csVwrV/
!
username cisco privilege 15 secret 5 $1$0qFD$ZEMDi.7z1QTtF4EuPdlSY.
aaa new-model
!
aaa authorization config-commands
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
no ip domain-lookup
ip domain-name bb.com
ip cef
no ipv6 cef
!
interface GigabitEthernet0/0
 ip address x.x.x.x 255.255.255.0
 no shutdown
!
!
ip http server
ip http secure-server
!
ip ssh version 2
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous level 0 limit 20
 stopbits 1
line aux 0
line vty 0
 privilege level 15
 password cisco
 transport input ssh
line vty 1
 privilege level 15
 password cisco
 length 0
 transport input ssh
line vty 2 4
 privilege level 15
 password cisco
 transport input ssh
!
!
end
######### Generate SSH keys :
crypto key generate rsa
10-13-2024 10:25 AM
Yes, that's not a production router and I need its GUI so that I can configure it to use on my existing internet. I am getting various errors with the commands you mentioned. Please see the screenshots attached.
10-13-2024 10:43 AM - edited 10-13-2024 10:45 AM
Make sure you read the config and understand it. Do not blindly paste; that is a suggested configuration. The errors are given because some features are not supported (may be different). Most of them are due to your ignorance.
x.x.x.x (anywhere you see the IP like this)
Maybe you can read the errors and correct them (or are you looking for someone to do it for you?). This is a community to help each other solve issues, not to do someone else's work.
Note: As I mentioned, I used a base template; that does not mean you copy and paste it there. I would expect you, as an engineer, to read the suggested config.
And last: it is not a must to have the GUI for the router to work and get yourself or a user onto the internet. You can also do the same configuration on the CLI if you understand the commands; if you are coming from the GUI world, then that is a different question.
10-13-2024 09:18 AM - edited 10-13-2024 09:20 AM
Add this config and test
enable
conf t
aaa new-model
ip http secure-server
ip http authentication local
ip http authentication enable
ip http authentication aaa
username admin privilege 15 secret cisco@123
end
wr
Try
username: admin
password: cisco@123
10-13-2024 09:40 AM
Thanks for the response. I tried as you mentioned and still facing the same issue. Please find the screenshot attached for the commands that I ran.
10-13-2024 09:53 AM
With HTTP only?
10-13-2024 09:54 AM
With HTTPS only it's redirecting to HTTPS.
10-13-2024 09:56 AM
Try to run these commands:
crypto pki trustpoint TP-self-signed-12345678148
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-12345678148
 revocation-check none
 rsakeypair TP-self-signed-12345678148
10-13-2024 10:17 AM
Now ip http secure-server didn't give the error it was giving before. But issue is still the same.