
restart web ui on 9800

merilcerpos
Level 1

Hello everyone,

Is there a way to restart the web server of the 9800 in case the web UI is "hanging"? When starting radioactive trace via the GUI, the GUI hung for several minutes/hour; it recovered by itself, but is there a way to restart the web service in such a case without a network outage?

In the release notes I found the following. Is this applicable to the case described above? Thank you.

"If you encounter ERR_SSL_VERSION_OR_CIPHER_MISMATCH error from the GUI after a reboot or system crash, we recommend that you regenerate the trustpoint certificate.

The procedure to generate a new self signed trustpoint is as follows:

configure terminal
no crypto pki trustpoint <trustpoint_name>
no ip http server
no ip http secure-server
ip http server
ip http secure-server
ip http authentication <local/aaa>
! use local or aaa as applicable.

 "

10 Replies

Arshad Safrulla
VIP Alumni

Add the commands below; it should fix this GUI slow/hang problem.

service tcp-keepalives in
service tcp-keepalives out
!
line vty 0 50
!

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#:~:text=from%20the%20GUI%3A-,Web%20user%20interface%20(WebUI),-WebUI%20uses%20VTY

 

 

Hi,

I tried all the steps suggested in this thread and also upgraded from 17.3.4 to 17.3.6 in install mode.

But the web UI is just loading/trying to connect after I enter the WLC local login.

Any other suggestions?

WLC01(config)#no crypto pki trustpoint TP-self-signed-3949106471
% Removing an enrolled trustpoint will destroy all certificates
received from the related Certificate Authority.

Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.

WLC01(config)#
WLC01(config)#no ip http server
WLC01(config)#no ip http secure-server
WLC01(config)#ip http server
WLC01(config)#ip http secure-server

 

WLC01#sh ver
Cisco IOS XE Software, Version 17.03.06
Cisco IOS Software [Amsterdam], C9800 Software (C9800_IOSXE-K9), Version 17.3.6, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2022 by Cisco Systems, Inc.
Compiled Fri 16-Sep-22 02:09 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2022 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: 16.12(3r)

WLC01 uptime is 1 hour, 52 minutes
Uptime for this control processor is 1 hour, 54 minutes
System returned to ROM by Image Install at 13:09:02 Singapo Wed Mar 8 2023
System image file is "bootflash:packages.conf"
Last reload reason: Image Install

 

EDIT - Not sure if this is the culprit. Can someone advise if the web UI not loading is due to "crypto throughput level is 0 kbps", or is it unrelated?

License Type: Smart License is permanent
License Level: adventerprise
Next reload license Level: adventerprise
AIR License Level: AIR DNA Advantage
Next reload AIR license Level: AIR DNA Advantage

The current crypto throughput level is 0 kbps

That is fine. If you search for that on the forum, you will see that all the posts have that same message. Have you tried to reboot the controller again? I have had to perform the steps a few times before but also had to generate a new trustpoint and point to that trustpoint.

-Scott
*** Please rate helpful posts ***

Hi,

It rebooted when I upgraded the code.

What are the specific steps you did a few times before getting the web UI working again?

EDIT - I just rebooted again. Still the same. After local login to the WLC, the web UI is just loading.

First, I would check if http works; if http works, then you know that the certificate is corrupt.

You can use show crypto pki trustpoints to see all the trustpoints. show wireless management trustpoint will show you what the management is using or configured for. ip http secure-trustpoint will set the trustpoint for https. You can always use one of the default SUDI trustpoints.

-Scott
*** Please rate helpful posts ***

Hi,

I tried all possible HTTP config/troubleshooting. Nothing works.

Note the web UI works fine using a LAN PC but not when managing the WLC 9800 over the WAN.

Also note the site is using a VSAT link, so latency tends to be a bit high. But the same site has a WLC 2504 and its web UI works fine.

We're unable to cut over 2504 > 9800 because of this web UI access issue.

WLC01(config)#do show wireless management trustpoint
Trustpoint Name : CISCO_IDEVID_SUDI
Certificate Info : Available
Certificate Type : MIC
Certificate Hash : 75bf23acd9d7b7f894ca68e30aa30627a7017486
Private key Info : Available
FIPS suitability : Not Applicable

WLC01(config)#do sh run | i http
ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint CISCO_IDEVID_SUDI
destination transport-method http
WLC01(config)#no ip http server
WLC01(config)#parameter-map type webauth global
WLC01(config-params-parameter-map)#webauth-http-enable
WLC01(config-params-parameter-map)#secure-webauth-disable

WLC01(config)#no ip http secure-server
WLC01(config)#ip http secure-server

WLC01(config)#no ip http secure-trustpoint CISCO_IDEVID_SUDI
(config)#ip http secure-trustpoint TP-self-signed-3949106471

If it works over the LAN at the site, there is nothing wrong with the https service. Why it's hanging, who knows, but removing the trustpoint and stopping and starting the service will not help.

-Scott
*** Please rate helpful posts ***

Scott Fella
Hall of Fame

I don’t think replacing the trustpoint is applicable to the issue you have. You can always just use the other commands to disable https and re-enable https. If the browser still hangs, open the GUI in a private window or a different browser and give that a try too.

-Scott
*** Please rate helpful posts ***

Scott Fella
Hall of Fame

Keep in mind that you can also import your own trusted certificate for this if you want.

-Scott
*** Please rate helpful posts ***

Rob Getrost
Level 1

In case anyone has received the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error without it being from a reboot or system crash, my solution was as follows:

There seemed to have been some limitation in Chrome and Edge cipher support for some TLS versions.

The secure-ciphersuite protocols specified in the WLC along with the HTTP tls-version TLSv1.3 were not supported in either Chrome or Edge as of 8-21-24.

You can remove the suite altogether to let it use any available:

(config)#no ip http secure-ciphersuite

Or limit with TLSv1.2 ciphers with

(config)#ip http secure-ciphersuite dhe-aes-cbc-sha2 dhe-aes-gcm-sha2 ecdhe-ecdsa-aes-gcm-sha2 ecdhe-rsa-aes-cbc-sha2 ecdhe-rsa-aes-gcm-sha2 rsa-aes-cbc-sha2 rsa-aes-gcm-sha2

and specify the use of TLSv1.2 with

(config)#ip http tls-version TLSv1.2

This allowed me to at least use the advanced option in Chrome and Edge to get in.
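
A small check for the settings discussed in this thread, added here as an example (it is not from any poster or from Cisco): it reads `ip http` lines from a running-config excerpt and flags cleartext HTTP management, disabled HTTPS, and TLSv1.3 selected while every listed suite comes from the TLSv1.2 list above. The finding names, the reading of an `rsa-` prefix as static RSA key exchange, and the second sample config are assumptions made for this example.

```python
# Added example: audit "ip http ..." lines from a running-config excerpt.
# Suite names are copied from the TLSv1.2 list in the post above.
TLS12_SUITES = {
    "dhe-aes-cbc-sha2", "dhe-aes-gcm-sha2", "ecdhe-ecdsa-aes-gcm-sha2",
    "ecdhe-rsa-aes-cbc-sha2", "ecdhe-rsa-aes-gcm-sha2",
    "rsa-aes-cbc-sha2", "rsa-aes-gcm-sha2",
}

# "show run | i http" output as posted earlier in the thread.
THREAD_CONFIG = """\
ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint CISCO_IDEVID_SUDI
destination transport-method http
"""

# Constructed sample: TLSv1.3 selected, but only TLSv1.2 suites listed.
MISMATCH_CONFIG = """\
ip http secure-server
ip http tls-version TLSv1.3
ip http secure-ciphersuite ecdhe-rsa-aes-gcm-sha2 rsa-aes-cbc-sha2
"""

def parse_http_lines(config_text):
    """Collect 'ip http <keyword> [args...]' lines into {keyword: [args]}."""
    settings = {}
    for raw in config_text.splitlines():
        words = raw.split()
        if words[:2] == ["ip", "http"] and len(words) >= 3:
            settings[words[2]] = words[3:]
    return settings

def audit_http_config(config_text):
    """Return finding codes (hypothetical names) for the web server settings."""
    cfg = parse_http_lines(config_text)
    findings = []
    if "server" in cfg:                      # management UI reachable over plain HTTP
        findings.append("cleartext-http-enabled")
    if "secure-server" not in cfg:
        findings.append("https-disabled")
    suites = cfg.get("secure-ciphersuite", [])
    version = (cfg.get("tls-version") or [""])[0]
    # TLS 1.3 uses its own suites, so a list of only TLSv1.2 names cannot match it.
    if version == "TLSv1.3" and suites and all(s in TLS12_SUITES for s in suites):
        findings.append("tls13-with-only-tls12-suites")
    # Assumption: an "rsa-" prefix means static RSA key exchange (no forward secrecy).
    if any(s.startswith("rsa-") for s in suites):
        findings.append("static-rsa-key-exchange")
    if any("-cbc-" in s for s in suites):
        findings.append("cbc-mode-suite")
    return findings
```
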

 
