Cisco 9115AXI EWC: cannot access WebUI remotely

JohnAJ
Level 1

Hi all,

I have an issue with my Cisco 9115AXI EWC where I can't access it via the WebUI. I have enabled the http and http-secure servers as well, but it still fails.

I have seen the traffic that passes through the firewall (Palo Alto); it shows the application as incomplete and the status as aged-out. There is no blocking in the firewall, since all traffic is allowed for this EWC management IP segment.

Has anyone faced this issue before and can give a suggestion?


I can see the certificate in the packets and many, many retransmissions; after a while the connection is reset.

That definitely sounds like a problem with MTU and fragmentation, so I guess you'll have to work it out with the firewall vendor. If you can set TCP MSS closer to the remote source, that's also an option (as long as the firewall doesn't override it with something else). For example, is there a router at the other end where you could set it?

Changes to TCP MSS do not require a reload. Any new TCP connections after the config has changed will pick up the change.

Hello Rich R,
many thanks for this information, I will work this out further with Sophos Support.

best regards
M. Baltruschat

khempkins
Level 1

So, a years-old topic, but... I have the exact same problem. Did anyone ever find out what the problem is?

I have a Palo FW and it's not possible to access the management GUI through the firewall. I have tried to create a test network with an SVI and access the GUI from another network using the switch as a router - works fine.

But as soon as I route through the Palo firewall it just times out. Accessing a switch GUI on the same network (as the EWC/AP) works.

So there is something with the EWC web server that doesn't like traversing firewalls...

Any luck with solving this one?

Have you used debugs and packet captures on the firewall to confirm:
- The replies from the EWC reach the firewall?
- Why the firewall is dropping them? Is it filtering the TLS version or ciphers or hashes being used?

Presuming you've covered all the basics mentioned previously?
Confirm you can ping the EWC, which proves the routing is correct for a start?
If there's no VPN in the path then MTU/fragmentation should not be a problem, but if there is (or any other MTU/MSS restriction) then try setting "ip tcp mss 1300" on the EWC.
And of course make sure you're using up-to-date software - for EWC refer to TAC recommended for 9800 (link below) and make sure the firewall is up to date too.

Hi khempkins, I have the same problems. Have you fixed it? Thanks.

Dear all, I have solved the problem by changing the client MTU.

1. Check the MTU for the current client; for Windows, the command is "netsh interface ipv4 show subinterfaces";

2. Change the MTU to the right size, for example "netsh interface ipv4 set subinterface WLAN mtu=1300";

3. You can find the right size with the command "ping -l 1272 -f 10.1.1.1"; 1272+28 is the right MTU size (because of the IP header); 10.1.1.1 is the target IP address.

The problem is solved now.

When I used Wireshark to check the communication, I found ICMP error information.

It shows "Destination unreachable (Fragmentation needed)" and tells me the MTU of the next hop is 1300.
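The ICMP "Fragmentation needed" message seen in Wireshark carries the next-hop MTU in its own header, and the "ping -l" payload size in the steps above follows from that value. As an added example (not code from this thread), the Python below parses such a message, validates its checksum and derives the ping payload size; the packet bytes are constructed here and the function names are my own.

```python
import struct

# RFC 792 ICMP header: type(1) code(1) checksum(2) + 4 bytes whose meaning depends
# on type/code. For type 3 code 4 ("fragmentation needed and DF set") RFC 1191
# defines the last 2 of those 4 bytes as the next-hop MTU of the dropping router.
ICMP_DEST_UNREACHABLE = 3
ICMP_CODE_FRAG_NEEDED = 4
IP_HEADER_LEN = 20        # IPv4 header without options
ICMP_ECHO_HEADER_LEN = 8  # header of the echo request that "ping -l" sends


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frag_needed(icmp: bytes):
    """Next-hop MTU from an ICMP 'fragmentation needed' message, or None if the
    bytes are a different ICMP type/code or the checksum does not verify."""
    if len(icmp) < 8:
        return None
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACHABLE or code != ICMP_CODE_FRAG_NEEDED:
        return None
    if icmp_checksum(icmp) != 0:  # an intact message sums to zero with its checksum
        return None
    return next_hop_mtu


def ping_payload_for_mtu(mtu: int) -> int:
    """Largest 'ping -l <n> -f' payload that fits the MTU: 20 (IP) + 8 (ICMP) removed."""
    return mtu - IP_HEADER_LEN - ICMP_ECHO_HEADER_LEN


def build_frag_needed(next_hop_mtu: int, quoted: bytes) -> bytes:
    """Constructed sample of what a router sends back; 'quoted' stands in for the
    IP header + 8 bytes of the dropped datagram that routers echo in the message."""
    header = struct.pack("!BBHHH", ICMP_DEST_UNREACHABLE, ICMP_CODE_FRAG_NEEDED,
                         0, 0, next_hop_mtu)
    csum = icmp_checksum(header + quoted)
    return header[:2] + struct.pack("!H", csum) + header[4:] + quoted


# Constructed sample: next-hop MTU 1300 as in the thread; quoted bytes are dummy.
SAMPLE = build_frag_needed(1300, b"\x45\x00" + b"\x00" * 26)

if __name__ == "__main__":
    mtu = parse_frag_needed(SAMPLE)
    print("next-hop MTU", mtu, "-> ping -l", ping_payload_for_mtu(mtu), "-f <target>")
```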

RVTim
Level 1

I just stumbled into this topic after fighting with a new install of a 9120 EWC all day long. I would do a factory reset, get it upgraded, and try to deploy it as a new EWC, and all of my connections were from a local LAN or via direct Wi-Fi to the unit. When using Wi-Fi, I could log in to the management interface. From wired, I could SSH, but could not use HTTPS to log in. I spent all day trying Wireshark, seeing the TLS connection not complete, and never got a login prompt. I used to always set all of my PCs to 1300 MTU, but it currently was not set on the PC I was using. Once I changed the PC's MTU to 1300, I could connect successfully.

LiWenbin2008, you were very helpful. Thanks for posting what you did. It seems that every single time I spend more than an hour trying to figure a problem out, it always comes back to MTU, so I don't know why it took me so long to figure this out.

Thanks again.
