CISCO 9800 wreless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR - Page 2

Shrikant Gaikwad · ‎11-23-2019

Hello Team,

i am trying to deploy the two C9800-40-K9 controller in the network

1- Before connecting the both controller to the network

i had given one ip adress 10.91.225.80 ip to the Gi0 of WLC1 and connected the cable between SP port and laptop with static ip address 10.91.225.82

2.from laptop i am able to take the https acess of the WLC1 , i upgraded the IOS for WLC1 to the 16.11.01

3.same thing i did for the WLC2 upgraded the IOS and 10.91.225.81

4.during the configuration of WLC1 and WLC2 i used Gi0 as the wireless Managment interface

5. Then we connected the both the WLC1 and WLC2 to the network but during this time i didnt check the connectivity of the WLC from coreswitch

6. Both WLC RP Port is in L2 vlan 498

7.after rackmounting Both WLC by connecting to the SP to the laptop from the browser i configured the HA between two WLC , HA form properly , i did the failover test it was working properly

8. but when i try to connect from the different vlan2 or Vlan 50 from other switch ports i am not able to take the https access of both controller , i am getting ERR_SSL_PROTOCOL_ERROR in the browser

9. can i help me what may go worng ?

10.i have license file but i didnt uploaded them on any WLC?

11. as Gi0 is not pinging from other network i changed Gi0 ip to the interface vlan 50 and wireless mgmt to int vlan 50 but still i am not able to ping the int vlan 50 ip

can somebody help did we are doing something wrong

Now we are not able to ping the int vlan 50 from outside network

we have given another int vlan 2 ip in WLC1 and this ip we are able to ping but when we try to take the browser with the interface vlan 2 of WLC i am getting the ERR_SSL_PROTOCOL_ERROR

attached is the diagram and attached is the error screenshot

Thanks all

Shrikant Gaikwad

Scott Fella · ‎12-17-2020

Have you tried to issue the following again with the ip http authentication local? I have done this multiple times in my lab with various equipment with no issues. You can also try a reboot.

A-INT-XXXX(config)#no ip http server
A-INT-XXXX(config)#no ip http secure-server
A-INT-XXXX(config)#ip http server
A-INT-XXXX(config)#ip http secure-server
A-INT-XXXX(config)#exit

-Scott
*** Please rate helpful posts ***

m-avramidis · ‎12-17-2020

Thanks for your answer, yes have tried it a number of times. Since it is in production we have not done a reboot (just a force switchover). Does your setup includes DNA-C? The logs - WLC - indicates a missmatch with the DNA trustpoint. I will upload the logs to this ”case” tomorrow morning.

Scott Fella · ‎12-17-2020

I do have DNAc but that trust point is separate from the UI. You can always point to a different trustpoint also. A force failover is the same as a reload, because it power cycles the unit you run it against.

-Scott
*** Please rate helpful posts ***

m-avramidis · ‎12-18-2020

I solve the problem by removing:

A-INT-WLC02#sh run | incl http

enrollment url http://10.3.99.31:80/ejbca/publicweb/apply/scep/sdnscep

no ip http server

ip http authentication local

no ip http secure-server

ip http secure-trustpoint TP-self-signed-2753238167

ip http client source-interface Vlan99

destination transport-method http

http-tlv-caching

So after removing ip http secure-trustpoint.... and reapplying ip http server and ip http secure-server it worked. But, and here is the kicker, the crypto look like this now:

A-INT-XXXXX#show run | inc crypto
crypto pki trustpoint SLA-TrustPoint
crypto pki trustpoint DNAC-CA
crypto pki trustpoint sdn-network-infra-iwan
crypto pki certificate chain SLA-TrustPoint
crypto pki certificate chain DNAC-CA

So no self-signed certificates... no new certificate was - at least not visiable - created after running the ip http secure-server command.

I will be glad if someone can reproduce this fix using:

9800 WLC - HA - running XE 17.3.1

DNA-C running 1.3.3.9

or with DNA-C 2.X (our customer will upgrade their DNA installation to 2.X mid January.

Scott Fella · ‎12-18-2020

Have you looked at show run | in trustpoint

-Scott
*** Please rate helpful posts ***

jfumeron78 · ‎01-06-2021

Hello,

I was running in the same kind of issue after breaking HA made in lab environment for an installation on client environment and breaking it again to put it on a different subnet.

Long story short, i suspect it to be in my case due to a corporate management of my firefox that made part of the problem because i was unable to access it no matter what after installation (i think i may have switch the 2 9800 between what they was supposed to be (primary and secondary)

anyway, i tried the workaround you wrote and now i can access them as a cluster in https.

I do have the following with my new certificate visible

do sh run | i crypto
crypto pki trustpoint SLA-TrustPoint
crypto pki trustpoint TP-self-signed-454043421
crypto pki certificate chain SLA-TrustPoint
crypto pki certificate chain TP-self-signed-454043421

By the way i'm in 17.3.1, HA

Thank you

denneht · ‎08-29-2023

I am running an 9800-l on the bench, just setting it up. Basically copy/pasting a config from a working controller into this one and I came across the same thing. Thank you for this post, since the "no secure-trustpoint TP-self-signed-2916286330" and then entering ip http server and ip http secure-server fixed the controller's webpage and now it comes up. I wish I could get these three hours back. Thanks for the help, m-avramidis!!!

support1@lima.co.uk · ‎01-07-2021

Hi Guys. I have a pair of 9800 WLCs in HA and they have recently reloaded due to a bug. Since then, the original backup is now active and we are unable to access the GUI (CLI is fine). If I remove the self-signed trustpoint, will it affect the APs that are currently joined with the HA pair. There are around 1000 APs joined at the moment. Thanks

jegan_rajappa · ‎01-07-2021

I would recommend to execute below command

execute show crypto pki trustpoint, get sudi trustpoint name and execute below command, then gui access will work

Ip http secure-trustpoint sudi

support1@lima.co.uk · ‎01-07-2021

Thank you

annah1 · ‎10-04-2023

how can we have sudi trustpoint name please ?

Colin Mans · ‎02-15-2022

Hi Guys,

Running into the exact same issue, WLC HA pair reloaded, after reload HTTPS server is not working anymore.

if I disable http secure-server, I can log into GUI using HTTP.

Removing http server and http secure-server and re-applying did not solve the issue, so want to try removing the certificate next.

Is there any impact for APs or clients connected to wireless if I remove the certificate?

The environment is 24/7 active, so I cannot risk disabling wireless without a proper maintenance window.

Thank you for any reply given!

Scott Fella · ‎02-15-2022

Should not impact anything as long as that trustpoint is not being used for your wireless management. Typically it is not, but you can view that yourself prior to making the change.

-Scott
*** Please rate helpful posts ***

Scott Fella · ‎02-15-2022

Here are the commands to run so you can review:

show wireless management trustpoint

show run | se ip http

show wireless management trustpoint

-Scott
*** Please rate helpful posts ***

Colin Mans · ‎02-15-2022

Thank you for the quick and clear reply Scott, I will check this next time onsite at customer and reply if this solved my issues.

Regards,

Colin