Re: Mobility Express don't open GUI

jmonsalve15 · ‎05-18-2025

Hi all, I am new in this forum , and I am having same issue. I have installed ME on a second hand AP2802i, exactly: AIR-AP2800-K9-ME-8-10-196-0.tar, after installation finish I have configured it. I am able to ping the management interface IP from my laptop, I am also able to see the SSI network and connect to it, even internet is fully functional.

I have run "config network secureweb enable" and "config network webmode enable" saved the new configuration and reboot it. Here is my configuration status:

(Cisco Controller) >show network summary

RF-Network Name............................. Cisco
DNS Server IP1.............................. 208.67.222.222
DNS Server IP2.............................. 208.67.220.220
Web Mode.................................... Enable
Secure Web Mode............................. Enable
HSTS Mode................................... Disable
Secure Web Mode Cipher-Option High.......... Enable
Secure Web Mode SSL Protocol................ Disable
OCSP........................................ Disabled
OCSP responder URL..........................
Network 2-factor-authentcation.............. Disable
2FA Username field ..................... Common Name
Secure Shell (ssh).......................... Enable
Secure Shell (ssh) Cipher-Option High....... Enable
Telnet...................................... Disable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Disable
IPv4 AP Multicast/Broadcast Mode............ Multicast Address : 0.0.0.0
IPv6 AP Multicast/Broadcast Mode............ Multicast Address : ::
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds

--More-- or (q)uit
IGMP Query Interval......................... 20 seconds
MLD snooping................................ Disabled
MLD timeout................................. 60 seconds
MLD query interval.......................... 20 seconds
User Idle Timeout........................... 300 seconds
ARP Idle Timeout............................ 300 seconds
Cisco AP Default Master..................... Disable
AP Join Priority............................ Disable
Mgmt Via Wireless Interface................. Enable
Mgmt Via Dynamic Interface.................. Disable
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Mesh Full Sector DFS........................ Enable
Mesh Backhaul RRM........................... Disable
AP Fallback ................................ Enable
AP EasyAdmin ............................... Disable
AP Virtual IP .............................. 10.1.0.6
Web Auth CMCC Support ...................... Disabled
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect ................... Disable
Web Auth Captive-Bypass .................. Disable
Web Auth Secure Web ....................... Enable
Web Auth Secure Web Cipher Option ......... Disable

--More-- or (q)uit
Web Auth Secure Web Sslv3 ................. Disable
Web Auth Secure Redirection ............... Enable
Web Auth AP Ethernet MAC in Redirection .... Disable
Fast SSID Change ........................... Enabled
Max WLAN Supported ......................... 512
IP/MAC Addr Binding Check .................. Enabled
Link Local Bridging Status ................. Disabled
CCX-lite status ............................ Disable
oeap-600 dual-rlan-ports ................... Disable
oeap local-network ......................... Enable
oeap-600 Split Tunneling (Printers)......... Disable
mDNS snooping............................... Disabled
mDNS Query Interval......................... 15 minutes
Web Color Theme............................. Default
Capwap Prefer Mode.......................... IPv4
Network Profile............................. High Density Deployment with Data traffic
Client ip conflict detection (DHCP) ........ Disabled
Mesh BH RRM ................................ Disable
Mesh Aggressive DCA......................... Disable
Mesh Auto RF................................ Disable
HTTP Profiling Port......................... 80
HTTP-Proxy Ip Address....................... 0.0.0.0
HTTP-Proxy Port............................. 80

--More-- or (q)uit
WGB Client Forced L2 Roam................... Disabled
DHCP Timeout (seconds)...................... 120

What I am missing? I can;t open the GUI and have tried multiple browser with windows firewall disable for both https:// and http://

hope anyone can suggest what else can I do.

Thanks .

Mark Elsen · ‎05-18-2025

@jmonsalve15 - What error do you get in the browser ?
+ Check the logs on the mobility express AP (CLI) when trying to use the GUI.

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

jmonsalve15 · ‎05-18-2025

@Mark Elsen, I am noob using the CLI, Could you guide me which commands should I use please.

Looking more information from other forums here, someone else was getting same issue, here is more details of my configuration:

(Cisco Controller) >show interface detailed management

Interface Name................................... management
MAC Address...................................... 00:00:5e:00:01:01
IP Address....................................... 192.168.18.101
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.18.2
IP Address Type.................................. Static
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
Link Local IPv6 Address.......................... fe80::3a0e:4dff:febf:5d40/64
STATE ........................................... NONE
Primary IPv6 Address............................. ::/128
STATE ........................................... NONE
Primary IPv6 Gateway............................. ::
Primary IPv6 Gateway Mac Address................. 00:00:00:00:00:00
STATE ........................................... CREATING
VLAN............................................. untagged
Quarantine-vlan.................................. 0
Physical Port.................................... 1
DHCP Proxy Mode.................................. Global
Primary DHCP Server.............................. Unconfigured
Secondary DHCP Server............................ Unconfigured

--More-- or (q)uit
DHCP Option 82................................... Disabled
DHCP Option 82 bridge mode insertion............. Disabled
DHCP Option 6 Opendns Override................... Disabled
IPv4 ACL......................................... Unconfigured
IPv6 ACL......................................... Unconfigured
mDNS Profile Name................................ Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. N/A
L2 Multicast..................................... Enabled

(Cisco Controller) >apciscoshell
!!Warning!!: You are entering ap shell. This will stop you from establishing new telnet/SSH/Web sessions to controller.
Also the exsisting sessions will be suspended till you exit the ap shell.
To exit the ap shell, use 'logout'

User Access Verification
Username: AP2800
Password:
AP380E.4DBF.5D48>apciscoshell
^
% Invalid input detected at '^' marker.
AP380E.4DBF.5D48>sh ip int brief
Interface IP-Address Method Status Protocol Speed Duplex
wired0 192.168.18.100 static up up 1000 full
wired1 unassigned unset down down n/a unknown
auxiliary-client unassigned unset up up n/a n/a
wifi0 n/a n/a up up n/a n/a
wifi1 n/a n/a up up n/a n/a
AP380E.4DBF.5D48>

jmonsalve15 · ‎05-18-2025

Hi @Mark Elsen, I have done a factory reset one more time and I have configure it as below:

Country AU
NTP yes
NTP server yes
Timezone 28
Management IP dhcp
Management scope no
SSID
psk psk
RF yes
Density typical
Voice no
Flex+Bridge no

(Cisco Controller) >show interface detailed management

Interface Name................................... management
MAC Address...................................... 00:00:5e:00:01:01
IP Address....................................... 192.168.18.33
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.18.1
IP Address Type.................................. Dynamic
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
Link Local IPv6 Address.......................... fe80::b6de:31ff:fe1e:c200/64
STATE ........................................... NONE
Primary IPv6 Address............................. ::/128
STATE ........................................... NONE
Primary IPv6 Gateway............................. ::
Primary IPv6 Gateway Mac Address................. 00:00:00:00:00:00
STATE ........................................... CREATING
VLAN............................................. untagged
Quarantine-vlan.................................. 0
Physical Port.................................... 1
DHCP Proxy Mode.................................. Global
Primary DHCP Server.............................. Unconfigured
Secondary DHCP Server............................ Unconfigured

--More-- or (q)uit
DHCP Option 82................................... Disabled
DHCP Option 82 bridge mode insertion............. Disabled
DHCP Option 6 Opendns Override................... Disabled
IPv4 ACL......................................... Unconfigured
IPv6 ACL......................................... Unconfigured
mDNS Profile Name................................ Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. N/A
L2 Multicast..................................... Enabled

Now I am able to connect to the GUI from management IP, for some reason when I set it as static it did not work.

Is there a guide of how to use the web GUI to set a static management IP?

Thanks

Mark Elsen · ‎05-18-2025

@jmonsalve15 >...Now I am able to connect to the GUI from management IP,
for some reason when I set it as static it did not work.
Is there a guide of how to use the web GUI to set a static management IP?

- I can't see any reason why it should not work. For starters when changing to static ip address try to ping
the ME controller first, to check that the intended IP address is correct.
For the rest the same argument applies, when access to the GUI is not working; check the logs
You don't need the apciscoshell command, just :
show logging
show msglog
show traplog

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

Saikat Nandy · ‎05-18-2025

I can see where things gone wrong. Following is the output when you did static config -

IP Address....................................... 192.168.18.101
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.18.2
IP Address Type.................................. Static

and this is the output when you put it under dhcp -

IP Address....................................... 192.168.18.33
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.18.1
IP Address Type.................................. Dynamic

So GW

jmonsalve15 · ‎05-20-2025

Thanks guys for your time. I want to fully understand even though I already have it working.

PC Network configuration
Physical port: Static
192.168.18.100
255.255.255.0

WIFI: DHCP
192.168.18.6
255.255.255.0
192.168.18.1

Connection:
PC to POE, POE to AP2800
PC wifi to router

I have changed manually the managmenet configuration to Static from WEB GUI as below:
PC to POE, POE to AP2800
POE powered up:

(Cisco Controller) >show interface detailed management

Interface Name................................... management
MAC Address...................................... 00:00:5e:00:01:01
IP Address....................................... 192.168.18.100
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.18.2
IP Address Type.................................. Static
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
Link Local IPv6 Address.......................... fe80::3a0e:4dff:febf:5d40/64
STATE ........................................... NONE
Primary IPv6 Address............................. ::/128
STATE ........................................... NONE
Primary IPv6 Gateway............................. ::
Primary IPv6 Gateway Mac Address................. 00:00:00:00:00:00
STATE ........................................... CREATING
VLAN............................................. untagged
Quarantine-vlan.................................. 0
Physical Port.................................... 1
DHCP Proxy Mode.................................. Global
Primary DHCP Server.............................. Unconfigured
Secondary DHCP Server............................ Unconfigured

--More-- or (q)uit
DHCP Option 82................................... Disabled
DHCP Option 82 bridge mode insertion............. Disabled
DHCP Option 6 Opendns Override................... Disabled
IPv4 ACL......................................... Unconfigured
IPv6 ACL......................................... Unconfigured
mDNS Profile Name................................ Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. N/A
L2 Multicast..................................... Enabled

(Cisco Controller) >
(Cisco Controller) >apciscoshell
!!Warning!!: You are entering ap shell. This will stop you from establishing new telnet/SSH/Web sessions to controller.
Also the exsisting sessions will be suspended till you exit the ap shell.
To exit the ap shell, use 'logout'

User Access Verification
Username: AP2800
Password:
AP380E.4DBF.5D48>sh ip int brief
Interface IP-Address Method Status Protocol Speed Duplex
wired0 unassigned unset up up 1000 full
wired1 unassigned unset down down n/a unknown
auxiliary-client unassigned unset up up n/a n/a
wifi0 n/a n/a up up n/a n/a
wifi1 n/a n/a up up n/a n/a
AP380E.4DBF.5D48>

AP380E.4DBF.5D48>
AP380E.4DBF.5D48>[05/20/2025 06:49:14.8000] wired0 emac 2: link down

PC ethernet cable unplugged:

[05/20/2025 06:49:14.8600] wired0: link down

Cable plugged it back in:

[05/20/2025 06:49:22.4600] wired0 emac 2: link up
[05/20/2025 06:49:22.5200] wired0: link up

Changed connection:
Router to POE, POE to AP2800
Until this point I was unable to get ping reply from 198.168.18.100 and could not find the WIFI network.

[05/20/2025 06:49:36.2900] wired0 emac 2: link down
[05/20/2025 06:49:36.3600] wired0: link down
[05/20/2025 06:49:41.6200] wired0 emac 2: link up
[05/20/2025 06:49:41.6800] wired0: link up
[*05/20/2025 06:49:55.8483] ethernet_port wired0, ip 192.168.18.36, netmask 255.255.255.0, gw 192.168.18.1, mtu 1500, bcast 192.168.18.255, dns1 192.168.18.1, vid 0, static_ip_failover false, dhcp_vlan_failover false
[*05/20/2025 06:49:55.8502] Controller ip address changed to [192.168.18.100].<30>systemd[1]: Starting dnsmasq watcher...
[*05/20/2025 06:49:57.4600] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: Noop(0).
[*05/20/2025 06:49:57.9050] AP IPv4 Address updated from 0.0.0.0 to 192.168.18.36
[*05/20/2025 06:50:04.8782] dtls_init: Use SUDI certificate
[*05/20/2025 06:50:05.0796]
[*05/20/2025 06:50:05.0796] CAPWAP State: Init
[*05/20/2025 06:50:05.0818]
[*05/20/2025 06:50:05.0818] CAPWAP State: Discovery
[*05/20/2025 06:50:05.0833] Discovery Request sent to FlexME 192.168.18.100
[*05/20/2025 06:50:05.0855] Discovery Request sent to 192.168.18.100, discovery type STATIC_CONFIG(1)
[*05/20/2025 06:50:05.0855] Discovery Request sent to FlexME ::
[*05/20/2025 06:50:05.0860]
[*05/20/2025 06:50:05.0860] CAPWAP State: Discovery
[*05/20/2025 06:50:05.0892] Start: RPC thread 1950690288 created.
[*05/20/2025 06:50:05.0892] Discovery Response from 192.168.18.100
[*05/20/2025 06:50:14.4266]
[*05/20/2025 06:50:14.4266] CAPWAP State: DTLS Setup
[*05/20/2025 06:50:14.7791]
[*05/20/2025 06:50:14.7791] CAPWAP State: Join
[*05/20/2025 06:50:14.8770] shared_setenv PART_BOOTCNT 0 &> /dev/null
[*05/20/2025 06:50:15.5732] Sending Join request to 192.168.18.100 through port 5272
[*05/20/2025 06:50:15.5771] Join Response from 192.168.18.100
[*05/20/2025 06:50:15.5771] AC accepted join request with result code: 0
[*05/20/2025 06:50:15.5772] Received wlcType 1, timer 120
[*05/20/2025 06:50:15.6640]
[*05/20/2025 06:50:15.6640] CAPWAP State: Image Data
[*05/20/2025 06:50:15.6644] AP image version 8.10.196.0 backup 0.0.0.0, Controller 8.10.196.0
[*05/20/2025 06:50:15.6645] Version is the same, do not need update.
[*05/20/2025 06:50:15.7023] Script called with args:[NO_UPGRADE]
[*05/20/2025 06:50:15.7617] do NO_UPGRADE, part2 is active part
[*05/20/2025 06:50:15.7723]
[*05/20/2025 06:50:15.7723] CAPWAP State: Configure
[*05/20/2025 06:50:16.8636] Radio [0] Admininstrative state DISABLED change to ENABLED
[*05/20/2025 06:50:16.8648] Radio [1] Admininstrative state DISABLED change to ENABLED
[*05/20/2025 06:50:16.8652] Radio [2] Admininstrative state DISABLED change to ENABLED
[*05/20/2025 06:50:19.2801] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: Configure(8).
[*05/20/2025 06:50:19.2836] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: Configure(8).
[*05/20/2025 06:50:19.2838] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: Configure(8).
[*05/20/2025 06:50:20.4330] Null cert id for TLV_AP_CACERTS_CONFIG_PAYLOAD
[*05/20/2025 06:50:21.5657]
[*05/20/2025 06:50:21.5657] CAPWAP State: Run
[*05/20/2025 06:50:21.6299] AP has joined controller Cisco-b4de.311e.c220
[*05/20/2025 06:50:21.7164] Flexconnect Switching to Connected Mode!
[*05/20/2025 06:50:21.7664] Current session mode: ssh, Configured: Telnet-No, SSH-Yes, Console-Yes
[*05/20/2025 06:50:21.7664]
[*05/20/2025 06:50:22.0329] chatter: wl0: Beacon rate info: Previous: 252183808 Current: 253625088
[*05/20/2025 06:50:22.0329] chatter: wl0: Beacon PID : Previous: 8 Current: 30
[*05/20/2025 06:50:22.2570] chatter: wl1: Beacon rate info: Previous: 252183808 Current: 252708096
[*05/20/2025 06:50:22.2571] chatter: wl1: Beacon PID : Previous: 8 Current: 16
[*05/20/2025 06:50:22.3335] Current session mode: telnet, Configured: Telnet-No, SSH-Yes, Console-Yes
[*05/20/2025 06:50:22.3335]
[*05/20/2025 06:50:22.4196] Current session mode: console, Configured: Telnet-No, SSH-Yes, Console-Yes
[*05/20/2025 06:50:22.4196]
[*05/20/2025 06:50:22.4711] CLSM[00:00:00:00:00:00]: U3 Client RSSI Stats feature is deprecated; can no longer be enabled
[*05/20/2025 06:50:22.5117] chpasswd: password for user changed
[*05/20/2025 06:50:22.5301] apphost feature is not supported
[*05/20/2025 06:50:22.6500] Setting efficientUpgradeState 1
[*05/20/2025 06:50:22.7581] Got WSA Server config TLVs
[*05/20/2025 06:50:23.1279]
[*05/20/2025 06:50:23.1279] Same LSC mode, no action needed
[*05/20/2025 06:50:47.0858] set cleanair [slot0][band0] enabled
[*05/20/2025 06:50:47.0875] set cleanair [slot0][band1] enabled
[*05/20/2025 06:50:47.0891] set cleanair [slot1][band1] enabled

AP380E.4DBF.5D48>

Half way I started to get ping reply and the WIFI was available to join.
WEB GUI unavailable

Why does it need router connection to reply ping?

Message from WEB browser:
This site can’t be reached
192.168.18.100 took too long to respond.
Try:

Checking the connection
Checking the proxy and the firewall
Running Windows Network Diagnostics
ERR_TIMED_OUT

Changed connection:
PC to POE, POE to AP2800

AP380E.4DBF.5D48>[05/20/2025 06:53:36.3900] wired0 emac 2: link down
[05/20/2025 06:53:36.4500] wired0: link down
[*05/20/2025 06:53:37.7842] ethernet_port wired0, ip 192.168.18.36, netmask 255.255.255.0, gw 192.168.18.1, mtu 1500, bcast 192.168.18.255, dns1 192.168.18.1, vid 0, static_ip_failover false, dhcp_vlan_failover false
[*05/20/2025 06:53:37.7863] Controller ip address changed to [192.168.18.100].<30>systemd[1]: Starting ntp watcher...
[05/20/2025 06:53:44.5600] wired0 emac 2: link up
[05/20/2025 06:53:44.6100] wired0: link up

Changed connection:
Router to POE, POE to AP2800

AP380E.4DBF.5D48>[05/20/2025 06:59:07.8400] wired0 emac 2: link down
[05/20/2025 06:59:07.9000] wired0: link down
[05/20/2025 06:59:12.2900] wired0 emac 2: link up
[05/20/2025 06:59:12.3400] wired0: link up
[*05/20/2025 06:59:21.6256] Controller ip address changed to [192.168.18.100].<30>systemd[1]: Starting ntp watcher...
[*05/20/2025 06:59:22.2036] ethernet_port wired0, ip 192.168.18.36, netmask 255.255.255.0, gw 192.168.18.1, mtu 1500, bcast 192.168.18.255, dns1 192.168.18.1, vid 0, static_ip_failover false, dhcp_vlan_failover false
[*05/20/2025 06:59:22.2061] Controller ip address changed to [192.168.18.100].<30>systemd[1]: Started ntp watcher.

WEB GUI available only when I logged out from AP2800

Did the test one more time, without logging in into Cisco Controller or as AP user.

PC Network configuration
Physical port: Static
192.168.18.100
255.255.255.0

WIFI: DHCP
192.168.18.6
255.255.255.0
192.168.18.1

Connection:
PC to POE, POE to AP2800
PC wifi to router

...
Starting LWAPP: ok
Starting CAPWAP: ok
Starting LOCP: ok
Starting Security Services: ok
Starting OpenDNS Services: ok
Starting Policy Manager: ok
Starting Authentication Engine: ok
Starting Mobility Management: ok
Starting Capwap Ping Component: ok
Starting AVC Services: ok
Starting AVC Flex Services: ok
Starting Virtual AP Services: ok
Starting AireWave Director: open rrm: not able to ipv4 by pass rule ok
Starting Network Time Services: ok
Starting Cisco Discovery Protocol: ok
Starting Broadcast Services: ok
Starting Logging Services: ok
Starting DHCP Server: ok
Starting IDS Signature Manager: ok
Starting RFID Tag Tracking: ok
Starting RF Profiles: ok
Starting Mesh Services: ok
Starting TSM: ok
Starting CIDS Services: ok
Starting DTLS server: enabled in CAPWAP
Starting CleanAir: ok
Starting WIPS: ok
Starting SSHPM LSC PROV LIST: ok
Starting RRC Services: ok
Starting Alarm Services: ok
Starting FMC HS: ok
Starting FLEXEXPRESS ConfigSync Task: ok
Starting Hotspot Services: ok
Starting HTTP Image Download Task: ok
Starting Tunnel Services New: ok
Starting mDNS Services: ok
Starting Management Services:
Web Server: CLI: Secure Web: Starting IPSec Profiles component: ok
ok

(Cisco Controller)

Enter User Name (or 'Recover-Config' this one-time only to reset configuration to factory defaults)

User:

Changed connection:
Router to POE, POE to AP2800
Until this point I was unable to get ping reply from 198.168.18.100 and could not find the WIFI network.

User: [05/20/2025 06:49:11.9400] wired0 emac 2: link down
[05/20/2025 06:49:12.0000] wired0: link down
[05/20/2025 06:49:16.1000] wired0 emac 2: link up
[05/20/2025 06:49:16.1500] wired0: link up

Then few seconds later, I got ping reply, I saw the WIFI network and WEB GUI

Changed connection:
PC to POE, POE to AP2800
PF WIFI off

WEB GUI still available

My conclusion: After the configuration is completed using CLI commands, the AP needs to be rebooted being connected to a router. Wait until the Wi-Fi becomes available.
Then, connect the Ethernet cable from the AP to your PC, ensuring both are on the same VLAN as the AP2800’s management port, in order to access the web GUI.

Note: The web GUI is only accessible through an Ethernet connection on the same VLAN.