
Can't access Cisco 5508 web management on service port

Hello, I have a dual 5508 installation in HA mode. I configured IPs on the management and service interfaces and connected them to the switch. The RP ports on the controllers are connected to each other. HA status is ok; I can access ssh but not the web GUI, on either the service port or management. Please help, what could be wrong?

1 Accepted Solution

Can you clarify this response:

+ No, I'm using gateway

The service port can only be accessed on the same subnet. It has no concept of a default gateway therefore any traffic you are trying to send to it from an outside subnet will never make it back.

I don't know the reasoning behind this and it's annoying to be sure, but that is definitely the case for that particular interface.

12 Replies

tfleisher1
Level 1

From https://supportforums.cisco.com/discussion/11859111/web-access-wlc-management

Are you able to access the WLC from wired network? Are you trying to access the WLC through telnet/SSH or GUI? In order to access the WLC you should use the management interface of WLC. If you are trying to access this via GUI ensure that you have enabled the http server using "config network webmode enable" from the command prompt. Also you should be able to see the status of webmode and management by wireless interface is enabled using "show network summary" command.

Hello! I've read this topic already but it's not my case, because I would like to manage via the service port, not wireless.

- Are you able to access the WLC from wired network?

+ Yes, only ssh

Are you trying to access the WLC through telnet/SSH or GUI?

+ All of them, but only ssh works

In order to access the WLC you should use the management interface of WLC. If you are trying to access this via GUI ensure that you have enabled the http server using "config network webmode enable" from the command prompt.

+ did it already

- Also you should be able to see the status of webmode and management by wireless interface is enabled using "show network summary" command.


RF-Network Name............................. RFBronka
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Disable
AP Multicast/Broadcast Mode................. Unicast
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
MLD snooping................................ Disabled
MLD timeout................................. 60 seconds
MLD query interval.......................... 20 seconds
User Idle Timeout........................... 300 seconds
ARP Idle Timeout............................ 300 seconds

--More-- or (q)uit
Cisco AP Default Master..................... Disable
AP Join Priority............................ Disable
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Mesh Full Sector DFS........................ Enable
AP Fallback ................................ Enable
Web Auth CMCC Support ...................... Disabled
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect ................... Disable
Web Auth Captive-Bypass .................. Disable
Web Auth Secure Web ....................... Enable
Fast SSID Change ........................... Disabled
AP Discovery - NAT IP Only ................. Enabled
IP/MAC Addr Binding Check .................. Enabled
CCX-lite status ............................ Disable
oeap-600 dual-rlan-ports ................... Disable
oeap-600 local-network ..................... Enable
mDNS snooping............................... Disabled
mDNS Query Interval......................... 15 minutes
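
Added example, not part of the original thread and not Cisco tooling: a parser for the "show network summary" output pasted above that also reports management-plane settings deviating from a review policy. The function names and the EXPECTED policy are assumptions made for this illustration, and SAMPLE is a constructed subset of the pasted lines.

```python
import re

# Constructed sample: a subset of the "show network summary" lines quoted in
# the thread, including the CLI pager prompt that ends up in pasted output.
SAMPLE = """\
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
OCSP responder URL..........................
Telnet...................................... Disable

--More-- or (q)uit
Mgmt Via Wireless Interface................. Disable
Web Auth Proxy Redirect ................... Disable
"""

# Setting name, a run of at least three dots, then an optional value.
LINE_RE = re.compile(r"^(?P<key>.+?)\s*\.{3,}\s*(?P<value>.*)$")

# Assumed review policy (not Cisco guidance): setting -> expected state.
EXPECTED = {
    "Web Mode": "disable",                            # plain-HTTP GUI
    "Telnet": "disable",                              # cleartext CLI
    "Secure Web Mode": "enable",                      # HTTPS GUI
    "Secure Web Mode Cipher-Option High": "enable",   # high-strength ciphers
    "Mgmt Via Wireless Interface": "disable",
}

def parse_summary(text):
    """Return {setting: value}, skipping blank lines and pager prompts."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--More--"):
            continue
        m = LINE_RE.match(line)
        if m:
            settings[m.group("key").strip()] = m.group("value").strip()
    return settings

def audit(settings):
    """List (setting, actual, expected); 'Enable'/'Enabled' both accepted."""
    findings = []
    for key, want in EXPECTED.items():
        have = settings.get(key)
        if have is not None and not have.lower().startswith(want):
            findings.append((key, have, want))
    return findings
```

Run against the sample, audit(parse_summary(SAMPLE)) reports that Web Mode (plain HTTP) is enabled and that Cipher-Option High is disabled.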

What exactly happens when you try to reach the WLC via the web GUI? Timeout? Connection refused?

Are you specifying https://<IP>?

Are you trying to ssh/http into the WLC on the same subnet as the service port? If not, I'd recommend tracing packets to see why the ssh connections are making it through but the http/https attempts are not.

Hello! I'm trying to access the service port IP http://X.X.X.X but it says connection time out. And at the same time I can access this address by ssh.

Specify https://<IP> instead of http://<IP>

Hello! Thanks for your advice with https but it didn't get access. Now I see the message:

Unable to connect

Firefox can't establish a connection to the server at X.X.X.X

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

Are you on the same network segment as the management or service port?

Do you have a CPU ACL setup on the WLC that would be restricting connections to it?

Do you have other ACL's or firewalls that could be blocking the traffic?

Assuming you are not on the same network segment and you can get in with ssh but not http/https I would recommend tracing the packets as you try to connect via http/https to see where the breakdown is.

- Are you on the same network segment as the management or service port?

+ No, I'm using gateway

Do you have a CPU ACL setup on the WLC that would be restricting connections to it?

- Do you have other ACL's or firewalls that could be blocking the traffic?

+ No, No

Assuming you are not on the same network segment and you can get in with ssh but not http/https I would recommend tracing the packets as you try to connect via http/https to see where the breakdown is.

+ Tracing is ok, there are no firewalls. I'm sure the problem is on the controller side. Are there some debugging methods?

the service port is ONLY accessible from the same subnet

I wonder where Javier moved this thread to... WLCCA?
Anyway Eric, the service port is a 'mother-board down' interface that supports a telnet/ssh interface almost as soon as the hardware wakes up, before the app is alive. Yes, one can GUI into it whenever the unit is online in a non-redundancy mode. However, you and I have no purpose in the Standby unit... other than curiosity. All tweaks are the responsibility of the Active device of a pair. So only the Active device GUI is alive. Besides, the IPs of both units are the same. Only the RP, RM and SVC IPs remain 'different'; all other IPs are identical on both units.
"the service port is ONLY accessible from the same subnet": if the host switch knows the default gateway for the segment your service port is on, it will work. Mine does. But usually only the switch management segment has a default gateway, so packets get lost.

Javier Contreras
Cisco Employee

This is not the correct forum for this question, moving the thread
