
Expressway-E Not Responding to HTTPS/SSH on Internal Interface

I'm encountering an issue with an Expressway-E (X12.5.4) running dual NICs where I can't get it to respond to HTTPS/SSH on the internal interface. The LAN 1 is selected as the external LAN interface, and LAN 2 is set correctly to the internal IP address. I have had to compensate for CSCvw02700 (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw02700) by doing the workaround of multiple saves and restarts on the IP settings. The SSH service and web interface are set to On in Administration Settings with the web admin port set to default of 443. There are no firewall rules set on the Expressway and automated detection configuration shows no blocks or failures for SSH and web interface. Local inbound ports show administration SSH and HTTPS are listening on the internal IP. Another oddity is I can traceroute out to other IPs on the internal subnet from the internal interface (TTL comes back as 1 so single hop, internal and external networks can't route between each other), but I cannot ping or traceroute from those other machines to the Expressway-E internal IP. I've dug through Cisco documentation, tech notes, and bug database and have turned up nothing relevant. Has anyone seen this behavior before?


Are you able to reach your Expressway using the external LAN IP? If yes, then you might need to add a static route inside your Expressway.

 

 





Sorry, I should've mentioned I've tried adding in the static route for the internal subnet, but I got the same results (restart was done as Expressway required). I can connect via the external IP via SSH and HTTPS. I was able to use the external to check the config, ports, and connectivity.

 

In other environments with X12.6 and X12.7 (haven't tried X14 yet), I've never seen this issue; once the dual NIC is set and Expressway restarted, the external IP stops responding to admin requests and the internal IP takes over. 

Sounds like you’re hitting some defect. If it works in newer versions my advice would be to use those instead of trying to get it to work in that rather old version. Do you have a specific reason for wanting to use this specific version?





A defect is what I've been leaning towards unless a prior engineer royally screwed up something in the database or filesystem. While I would much prefer using X12.7.1 or X14.0, X12.5.4 is the version being mandated for this deployment, so I'm stuck trying to troubleshoot.

For what reason are you mandated to stay on X12.5.4?





I'm studying for the CCIE Collab v3 lab, and X12.5.4 is the version being used on the exam.

Would you be able to share a screenshot of the IP configuration and the static route(s)?





Here's the current setup. 192.168.12.0/24 is the internal subnet where the UC apps and client PCs are located. 192.168.15.0/24 is the external subnet to emulate internet connectivity for the purposes of MRA.

 

[Attached screenshots: 'hq-exp-e2 - IP' and 'hq-exp-e2 - Static routes']

 
