Introduction
In this document, Cisco TAC engineer Siddharth Vij describes a case in which the GUI of a 5508 controller running software version 7.3.101.0 became inaccessible via HTTPS on the Management Interface IP address. The GUI of the controller was still reachable via HTTP, but not via HTTPS.
Problem
After the license count on the 5508 controller was upgraded from 25 to 50 APs, the upgrade completed, the controller rebooted and came up fine, but the GUI of the controller was no longer accessible for management via HTTPS.
Solution
Manually starting the HTTPS service from the controller CLI and then rebooting the controller did not resolve the issue.
An Nmap port scan of the controller showed that the HTTPS port (443/tcp) was closed:
sh-3.2# nmap -sS -vv -n 16x.1x2.x7.1xx
Starting Nmap 5.35DC1 ( http://nmap.org ) at 201x-06-x6 11:x6 CDT
Initiating Ping Scan at 11:56
Scanning 16x.1x2.x7.1xx [4 ports]
Completed Ping Scan at 11:56, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:56
Scanning 16x.1x2.x7.1xx [1000 ports]
Discovered open port 80/tcp on 16x.1x2.x7.1xx
Discovered open port 22/tcp on 16x.1x2.x7.1xx
Discovered open port 16113/tcp on 16x.1x2.x7.1xx
Completed SYN Stealth Scan at 11:56, 4.86s elapsed (1000 total ports)
Nmap scan report for 16x.1x2.x7.1xx
Host is up (0.00075s latency).
Scanned at 201x-06-x6 11:x6 CDT for 5s
Not shown: 994 filtered ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp closed telnet
80/tcp open http
443/tcp closed https
1000/tcp closed cadlock
16113/tcp open unknown
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.94 seconds
Raw packets sent: 1999 (87.932KB) | Rcvd: 8 (320B)
sh-3.2#
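The scan above is the key piece of evidence: port 443 reports "closed" rather than "filtered", which means the controller answered the probe with a reset and nothing was listening, so the Secure Web service never started, as opposed to a firewall or ACL blocking the path. The following added Python example (not part of the original TAC document) parses an Nmap port table and classifies the management exposure along those lines. The sample output is constructed to mirror the article's scan, with the masked address replaced by the documentation address 192.0.2.10.

```python
"""Parse Nmap's PORT/STATE/SERVICE table and classify a controller's
management exposure: is HTTPS management listening, blocked on the path,
or simply not running while plain HTTP still is?

Added example; not Cisco's code. SAMPLE_NMAP_OUTPUT is constructed to
mirror the article's scan, with the address replaced by 192.0.2.10."""
import re

# Constructed sample modelled on the article's scan (RFC 5737 test address).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.00075s latency).
Not shown: 994 filtered ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp closed telnet
80/tcp open http
443/tcp closed https
1000/tcp closed cadlock
16113/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 4.94 seconds
"""

# One table row: "<port>/<proto> <state> <service>"; states such as
# "open|filtered" are allowed by the character class.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+([\w|]+)\s+(\S+)")


def parse_port_table(text):
    """Return {(port, proto): state} for every port row in the scan text."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
    return ports


def diagnose_management_services(ports):
    """Classify HTTPS management reachability from Nmap port states.

    'closed' means the host sent a TCP RST: nothing is listening on 443,
    so the web server process itself did not start (on the WLC, the boot
    log then usually explains why).  'filtered' means no answer at all,
    which points at a firewall or ACL on the path, not at the service."""
    http = ports.get((80, "tcp"), "unknown")
    https = ports.get((443, "tcp"), "unknown")
    if https == "open":
        return "https-ok"
    if https == "closed" and http == "open":
        return "https-not-listening-http-only"
    if https == "filtered":
        return "https-filtered-check-path"
    return "https-unknown"


if __name__ == "__main__":
    table = parse_port_table(SAMPLE_NMAP_OUTPUT)
    print(table)
    print(diagnose_management_services(table))
```

Run against the constructed sample, the classifier returns "https-not-listening-http-only", which is exactly the state the article describes and the cue to look at the controller's boot messages rather than at the network path. Note that while HTTPS is down, any management traffic that does get through goes over plain HTTP, so the condition is worth alerting on rather than just working around.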
Rebooted the controller from the console and observed the following message while the controller was booting up:
Starting Management Services:
Web Server: CLI: ok
Secure Web: Web Authentication Certificate not found (error). If you cannot access management interface via HTTPS please reconfigure Virtual Interface.
License Agent: ok
Checked the Virtual Interface of the controller: it was configured with an IP address in the 172.16.x.x range (RFC 1918) instead of 1.1.1.1, which the user said had been configured on the controller earlier.
Changed the IP address of the Virtual Interface back to 1.1.1.1, which resolved the issue.
More Information
Virtual Interface
The virtual interface is used to support mobility management, Dynamic Host Configuration Protocol (DHCP) relay, and embedded Layer 3 security such as guest web authentication. It also maintains the DNS gateway host name used by Layer 3 security and mobility managers to verify the source of certificates when Layer 3 web authorization is enabled.
Specifically, the virtual interface plays these two primary roles:
•Acts as the DHCP server placeholder for wireless clients that obtain their IP address from a DHCP server.
•Serves as the redirect address for the web authentication login page.
Note: See Chapter 5 for additional information on web authentication.
The virtual interface IP address is used only in communications between the controller and wireless clients. It never appears as the source or destination address of a packet that goes out a distribution system port and onto the switched network. For the system to operate correctly, the virtual interface IP address must be set (it cannot be 0.0.0.0), and no other device on the network can have the same address as the virtual interface. Therefore, the virtual interface must be configured with an unassigned and unused gateway IP address, such as 1.1.1.1. The virtual interface IP address is not pingable and should not exist in any routing table in your network. In addition, the virtual interface cannot be mapped to a backup port.
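The rules above (the address must be set, must not collide with any device on the network, and should not appear in any routing table) can be checked before committing a change. The following added Python example, not Cisco's code and not part of the original document, validates a candidate virtual interface address against constructed sample data: the subnets of the controller's own interfaces, where another device could legitimately own the address, and the prefixes present in the network's routing table. It generalizes the article's case (an RFC 1918 address that overlapped the site's routed space) to any routed prefix.

```python
"""Validate a proposed WLC virtual interface address against the rules in
the configuration guide: it must be set (not 0.0.0.0), no other device on
the network may use it, and it should not exist in any routing table.

Added example, not Cisco's code.  LOCAL_SUBNETS and ROUTED_PREFIXES are
constructed sample data standing in for the real interface and route
configuration."""
import ipaddress

# Constructed: subnets of the controller's management and dynamic
# interfaces.  Any host on these networks could own an address here.
LOCAL_SUBNETS = [
    ipaddress.ip_network("172.16.10.0/24"),
    ipaddress.ip_network("10.20.0.0/16"),
]

# Constructed: destination prefixes from the network's routing table.
# The default route (0.0.0.0/0) is deliberately left out, since every
# address would match it and the check would become meaningless.
ROUTED_PREFIXES = [
    ipaddress.ip_network("172.16.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_virtual_interface_ip(candidate, local_subnets=LOCAL_SUBNETS,
                               routed_prefixes=ROUTED_PREFIXES):
    """Return a list of rule violations for the candidate; [] means OK."""
    problems = []
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return [f"{candidate!r} is not a valid IP address"]

    # Rule 1: the virtual interface must be set.
    if ip.is_unspecified:
        problems.append("virtual interface must be set (0.0.0.0 is not allowed)")

    # Rule 2: no other device on the network may have the same address,
    # so it must not fall inside any subnet the controller is attached to.
    for net in local_subnets:
        if ip in net:
            problems.append(
                f"{ip} lies inside local interface subnet {net}; "
                "another device could own this address")

    # Rule 3: the address should not exist in any routing table.
    for net in routed_prefixes:
        if ip in net:
            problems.append(
                f"{ip} is covered by routed prefix {net}; "
                "the virtual interface address must not be routed")
    return problems


if __name__ == "__main__":
    for addr in ("172.16.10.5", "0.0.0.0", "1.1.1.1"):
        print(addr, "->", check_virtual_interface_ip(addr) or "acceptable")
```

With the constructed data, an address such as 172.16.10.5 fails twice (it sits in a local subnet and in a routed prefix), 0.0.0.0 fails the "must be set" rule, and 1.1.1.1, the address the guide gives as an example, passes. The check is a guard against the misconfiguration in this article, not a substitute for confirming that the web authentication certificate is regenerated after the virtual interface changes.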
Related Information
Troubleshooting Web Authentication on a Wireless LAN Controller (WLC)
Wireless LAN Controller (WLC) FAQ
Cisco Wireless LAN Controller Configuration Guide - Configuring Ports and Interfaces
External Web Authentication with Wireless LAN Controllers Configuration Example