CISCO 9800 wireless controller not getting the http or https access giving ERR_SSL_PROTOCOL_ERROR

Hello Team,

I am trying to deploy two C9800-40-K9 controllers in the network.

1. Before connecting both controllers to the network, I gave the IP address 10.91.225.80 to Gi0 of WLC1 and connected a cable between the SP port and a laptop with the static IP address 10.91.225.82.

2. From the laptop I am able to get HTTPS access to WLC1. I upgraded the IOS for WLC1 to 16.11.01.

3. I did the same thing for WLC2: upgraded the IOS and gave it 10.91.225.81.

4. During the configuration of WLC1 and WLC2 I used Gi0 as the wireless management interface.

5. Then we connected both WLC1 and WLC2 to the network, but at that time I didn't check the connectivity of the WLCs from the core switch.

6. The RP ports of both WLCs are in L2 VLAN 498.

7. After rack-mounting both WLCs, with the SP port connected to the laptop, I configured HA between the two WLCs from the browser. HA formed properly; I did the failover test and it was working properly.

8. But when I try to connect from a different VLAN (VLAN 2 or VLAN 50) on other switch ports, I am not able to get HTTPS access to either controller; I am getting ERR_SSL_PROTOCOL_ERROR in the browser.

9. Can anyone help me with what may have gone wrong?

10. I have the license files but I didn't upload them to any WLC?

11. As Gi0 is not pinging from the other network, I changed the Gi0 IP to interface VLAN 50 and the wireless management to int VLAN 50, but I am still not able to ping the int VLAN 50 IP.

 

Can somebody help? Are we doing something wrong?

Now we are not able to ping int VLAN 50 from the outside network.

We have given another IP, on int VLAN 2, in WLC1, and we are able to ping this IP, but when we try to open the browser with the interface VLAN 2 IP of the WLC I am getting ERR_SSL_PROTOCOL_ERROR.

Attached are the diagram and the error screenshot.

 

Thanks all

Shrikant Gaikwad


marce1000
VIP

 

 - I can only presume that your intranet and/or inter-VLAN networking setup isn't consistent and does not allow full SSL access to the wireless controller. Please check and verify.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

I have the same issue accessing a Cisco 9800 via HTTPS. I can reach several AirOS and one other 9800 controller on the same subnet.

Can you access it after a reboot? Sounds like the https daemon crashed on the WLC, if it works again after the reboot.

Thanks

Scott Fella
Hall of Fame
Try the following:

show run | inc crypto
>>> Find trustpoint named TP-self-signed-xxxxxx
conf t
no crypto pki trustpoint TP-self-signed-xxxxxx
no ip http server
no ip http secure-server
ip http server
ip http secure-server
ip http authentication local

********************************************************************

WA-RED-9800-L-01#show run | inc crypto
crypto pki trustpoint TP-self-signed-774234387
crypto pki trustpoint SLA-TrustPoint
crypto pki certificate chain TP-self-signed-774234387
crypto pki certificate chain SLA-TrustPoint

WA-RED-9800-L-01(config)#no crypto pki trustpoint TP-self-signed-774234387
% Removing an enrolled trustpoint will destroy all certificates
received from the related Certificate Authority.

Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.

WA-RED-9800-L-01(config)#no ip http server
WA-RED-9800-L-01(config)#no ip http secure-server
WA-RED-9800-L-01(config)#ip http server
WA-RED-9800-L-01(config)#ip http secure-server
WA-RED-9800-L-01(config)#
Oct 30 03:52:37.652: %PKI-4-NOCONFIGAUTOSAVE: Configuration was modified. Issue "write memory" to save new IOS PKI configuration
WA-RED-9800-L-01(config)#ip http authentication local
-Scott
*** Please rate helpful posts ***
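
To separate the two failure modes seen in this thread (the controller being unreachable across VLANs versus port 443 answering but the TLS handshake failing, which is what ERR_SSL_PROTOCOL_ERROR points to), the following added example probes a host in two stages. It is not part of the original posts or of any Cisco tooling; the function name `probe_https` and its stage labels are assumptions made for this illustration.

```python
import hashlib
import socket
import ssl
import sys


def probe_https(host, port=443, timeout=5.0):
    """Classify an HTTPS endpoint as 'tcp_failed', 'tls_failed' or 'tls_ok'.

    Returns (stage, detail). Certificate validation is disabled on purpose:
    the controller presents a self-signed certificate and the goal is to
    diagnose the handshake, not to trust the peer.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # No route, filtered port or nothing listening: look at routing/ACLs.
        return ("tcp_failed", str(exc))

    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # wrap_socket performs the handshake immediately on a connected socket.
        with ctx.wrap_socket(sock) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            fingerprint = hashlib.sha256(der).hexdigest()
            detail = f"{tls.version()} {tls.cipher()[0]} sha256={fingerprint}"
            return ("tls_ok", detail)
    except (ssl.SSLError, OSError) as exc:
        # The port is open but the TLS handshake did not complete.
        sock.close()
        return ("tls_failed", str(exc))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py <controller-ip> [port]")
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    stage, detail = probe_https(sys.argv[1], target_port)
    print(f"{sys.argv[1]}:{target_port} -> {stage}: {detail}")
```

Running it before and after regenerating the trustpoint shows whether the handshake now completes, and the SHA-256 fingerprint differs once a new self-signed certificate is being served.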

Thanks, this worked for me. 

Glad that helped.
-Scott

Thank you so much for all your time and the solution, and sorry for the late reply.

Last week we disabled HTTPS access and only permitted HTTP access to get the browser.

We got HTTP access to the primary WLC and it showed HA was not working properly, so we broke the HA between the two WLCs, factory reset both WLCs and tried to do the basic setup like before (with the day 0 setup), but then both WLCs gave an internal error during day 0 setup when we tried to add the country FR to complete the basic setup.

We discovered we were facing issue CSCvq01830:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq01830

As per the above link, we disabled both radios from the CLI and were able to finish the day 0 setup.

We have now upgraded the controller in Bundle mode to 16.12.1s and everything is working properly.

Many thanks @Scott Fella

Thanks Scott, this worked for me.

Is this a known issue/bug? Do we have any permanent solution?

I am also going to ask the TAC guys.

This worked for me also!

This procedure also worked for me, thank you very much.

This worked for me.  Thank you.

Hi Scott,

My scenario is C9800-L-F-K9 * 2

Current Active is Unit 2

IOS - 17.3.2a

Unable to access the GUI for management from most of the servers and the internal network.
Noticed I am able to access it from one management server alone, but another server in the same range returns an error.

The site is connected over VSAT and has like 800+ms latency. Please let me know if you need more details. Can I still follow the same process?

 

Cheers

Royce

m-avramidis
Level 1

Has this worked for anyone running 17.3.1? See below:

 

A-INT-XXXXXX#show run | inc crypto
crypto pki trustpoint SLA-TrustPoint
crypto pki trustpoint DNAC-CA
crypto pki trustpoint sdn-network-infra-iwan
crypto pki trustpoint TP-self-signed-2753238167
crypto pki certificate chain SLA-TrustPoint
crypto pki certificate chain DNAC-CA
crypto pki certificate chain sdn-network-infra-iwan
crypto pki certificate chain TP-self-signed-2753238167
A-INT-XXXX#conf t
Enter configuration commands, one per line. End with CNTL/Z.
A-INT-XXXX(config)#no crypto pki trustpoint TP-self-signed-2753238167
% Removing an enrolled trustpoint will destroy all certificates
received from the related Certificate Authority.

Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.

A-INT-XXXX(config)#no ip http server
A-INT-XXXX(config)#no ip http secure-server
A-INT-XXXX(config)#ip http server
A-INT-XXXX(config)#ip http secure-server
A-INT-XXXX(config)#exit

A-INT-XXXX#write mem

!!!!
A-INT-XXXX#show run | inc crypto
crypto pki trustpoint SLA-TrustPoint
crypto pki trustpoint DNAC-CA
crypto pki trustpoint sdn-network-infra-iwan
crypto pki certificate chain SLA-TrustPoint
crypto pki certificate chain DNAC-CA
crypto pki certificate chain sdn-network-infra-iwan
A-INT-XXXXXX#

 

Or is this something for TAC to fix?

 

 
