SG300-28P Web interface not working with hostname, only with IP, after latest firmware update

LabMix
Level 1

I just updated my SG300-28P to the latest firmware, 1.4.11.2, after previously running 1.4.10.6.

 

Previous to the update, I could access the Web interface with the hostname I'd specified in System Settings (as part of the FQDN I use for my LAN), i.e. https://switch1.domain.com (where switch1 is the hostname set in System Settings, and the rest is the search domain I use on my LAN).

 

Following the update, any attempt to access it by hostname results in a long pause whilst it is "waiting for switch1.domain.com", before finally going to a blank page with only the opening <html> tag of the page loading as content if I view the source. Nothing else loads. I can view certificate information so it is obviously getting a response, but grinding to a halt before it gets any further. If I access the Web interface using IP address, it connects fast and without any problem.

 

Worth mentioning, I can still ping / SSH to the switch using the hostname / FQDN, so I don't think it's a networking issue, just that the Web interface has stopped loading for hostname requests. I've also tried clearing the browser cache and using different browsers on different machines, but it's the same for all.

 

The switch's logs do not show any connection attempts at all when using hostname but do show successful connects when I use the IP.

 

Has anyone got any ideas? Thanks!

29 Replies

balaji.bandi
Hall of Fame

I believe one of the posts mentioned some time back that after an upgrade they were not able to access with the FQDN, but they were able to access using the IP address. Have you tried https://ip-adress?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you for your reply.

My original post was not written as clearly as I liked, now that I re-read it. Yes, accessing via IP, e.g. https://ip-adress, works just fine and is what I've been using since the update. It's just the FQDN access that doesn't work since the update, and I'm a bit stumped as to why.

Would you happen to have a link to the previous post you saw? I've tried searching but not turning up anything yet.

Cheers!

Bug ID for reference: CSCvp23218

BB


Hello,

 

this could be related to the open redirect vulnerability mentioned in the link below (and bug ID CSCvp23218), which was fixed in the 1.4.11.2 release. No workaround yet.

 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-sbss-redirect

Thank you for your reply.

It does seem likely this issue is linked to the vulnerability you link to. Although it states, "There are no workarounds that address this vulnerability", the Bug ID page linked to from the vulnerability page does say in the details section that it has been fixed. I'm a bit confused as to whether the latest firmware (1.4.11.2) does indeed fix this, or not. Either way, it looks like I may have to wait for a future update to fix the FQDN access.

Just had another look at the Cisco email notification I received regarding the vulnerability. It says:-

 

At the time of publication, Cisco fixed this vulnerability in the following firmware releases:
Cisco 200/300/500 Series Smart and Managed Switches Firmware releases 1.4.11 and later

 

So it looks like the latest firmware has fixed that vulnerability but probably introduced a new bug that stops the FQDN from working with web access, or at least on my switch.

I'll do some more research in the morning and will post a bug report if I don't find any solution.

As of now, the status is no fix available, but if you can contact SMB TAC, they may be quick to resolve it for you, or log in to the box and make some changes as per the requirement.

 

BB


rpc
Level 1

Hello,

I do have the same problem.

I own an SG300-28P and an SF302-08P, and updated both to version 1.4.11.2.

Webconfig loads in browser only if accessed by IP, not by hostname.

Sorry to hear you're having the same issue, although I must admit, it's nice to know I'm not alone!

I plan to do some further digging over the weekend. If I find out anything further, I'll make sure to post here.

Hello,

 

since two of you now report the same problem, it could indeed be a bug. I guess the way to actually prove that it is a bug is to downgrade to the previous version. Can either of you two try that?

Thanks for the reply, Georg.

Yes, I can certainly do that this weekend, no problem. I will report back here as soon as I can.

Do you know, will I need to reset to factory defaults when downgrading? Or should I be able to keep the same config? I will make a backup of the configuration just in case.

If I change the active image back to the old firmware image (administration -> file management -> active image ... that feature on these switches is actually nice), it is working again to access the webconfig by using the hostname. So I think it must be a bug (or a new feature?)

 

It is keeping all settings, no need to reset.

To add to rpc's reply, I can also confirm hostname access works again after rolling back to 1.4.10.6.

With 1.4.11.2, everything works fine by IP but I get an HTTP 400 Bad Request when using the hostname.

kljis
Level 1

Can confirm this bug. I experience it with an SG300-10. Going back to 1.4.10.6 resolves the issue. Strange that such an obvious bug was not detected during QA by Cisco.
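Added example, not part of the original thread and not Cisco's code: the symptoms reported above (fine by IP, HTTP 400 by hostname, ping and SSH by name still working) can be narrowed down by sending the same request to the switch's IP address twice, once with the IP and once with the FQDN in the Host header. The function names, the stub server and the skipped certificate verification (assuming a self-signed management certificate) are assumptions of this example.

```python
import http.client, ssl, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe(addr, port, host_header, tls=True, timeout=10):
    """GET / from addr:port with a chosen Host header; return the status code."""
    if tls:
        # Assumption: self-signed management cert; only for your own switch/LAN.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(addr, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(addr, port, timeout=timeout)
    try:
        conn.putrequest("GET", "/", skip_host=True)  # suppress the automatic Host
        conn.putheader("Host", host_header)
        conn.endheaders()
        return conn.getresponse().status
    finally:
        conn.close()

def compare(addr, port, fqdn, tls=True):
    """Same TCP target, two Host values: isolates the server's Host handling."""
    by_ip, by_name = probe(addr, port, addr, tls), probe(addr, port, fqdn, tls)
    verdict = "inconclusive"
    if by_ip < 400 <= by_name:
        verdict = "Host-dependent: server rejects the FQDN, DNS is not the cause"
    elif by_ip == by_name:
        verdict = "Host-independent: check DNS, TLS or the browser instead"
    return {"ip": by_ip, "fqdn": by_name, "verdict": verdict}

class StubSwitch(BaseHTTPRequestHandler):
    """Constructed stand-in: 400 unless Host equals the listen address."""
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        self.send_response(200 if host == self.server.server_address[0] else 400)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo output quiet
        pass

def demo():
    srv = HTTPServer(("127.0.0.1", 0), StubSwitch)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return compare("127.0.0.1", srv.server_address[1], "switch1.domain.com", tls=False)
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real device, call `compare()` with the switch's IP address, port 443 and its FQDN; `demo()` only exercises the logic against the constructed stub.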
