2950 web interface fails with debug error "http: out of lines"

Answered Question
Jul 10th, 2009

Hello Cisco Netpro!

I've got a weird one that I can't nail down. These 2950s had previously been available over the web interface (client was managing them with CNA) and then I decided to bring the configuration up a little closer to best-practices.

But now the web interface won't load, it just dumps the browser at a blank page (but no error).

I ran some debugs on the CLI and it shows only this error:

Jul 10 10:05:44.098 UTC: HTTP: out of lines

This error appears whether or not a valid URL is requested.

I can point a browser to "images/logo.gif" and it shows the error on the CLI, but instead of the Cisco logo it shows the text path "http://<host>/images/logo.gif"

I am debugging these:

HTTP:
  HTTP transactions debugging is on
  HTTP URL debugging is on
  HTTP Authentication debugging is on

But the error is coming from HTTP transactions debugging only.

The major changes I made were enabling AAA authentication, creating an RSA key for ssh. Minor changes included adding a domain-name and name-server, and setting an ACL to restrict access to http and inbound ssh.

Any ideas? I can't find documentation on this debug error in the bug toolkit, or anywhere on the web.

Paul

Lucien Avramov Fri, 07/10/2009 - 09:52

Can you attach the output of debug http tok ?

Also can you attach the output of the java console in CNA ? (shift + F2 and then get the java output generated in CNA, after reproducing the issue)

Correct Answer
yjdabear Fri, 07/10/2009 - 09:58

Your 2950s are configured:

line con 0
 exec-timeout 5 0
 privilege level 15
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
 transport output telnet ssh
line vty 5 15
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
 transport output telnet ssh

There's this caveat in the CNA release notes:

These limitations apply only to the Catalyst 3750, 3560, 3550, 2970, 2955, 2950, and 2940 switches:

• Network Assistant fails when a device is running the cryptographic software image and the vty lines have been configured by using the transport input ssh and line vty 0 15 global configuration commands to use only SSH. The workaround is to allow SSH and Telnet access through the vty lines by using the transport input ssh telnet and line vty 0 15 global configuration commands. (CSCdz01037)

paul@iosecure.com Fri, 07/10/2009 - 10:16

Great thanks! With this configuration I was able to get the web interface back up:

line vty 0 15
 transport input ssh telnet

The bug id you referenced says this:

"If vty line 15 is not configured for "transport input all/telnet", http access to the switch will not work. Therefore if only ssh and http is suppose to be allowed to manage the switch, do not configure vty line 15 with any transport input command."

This suggests that it should be sufficient to do this:

line vty 0 14
 transport input ssh
line vty 15
 transport input all
 # or "no transport input"

But I found that this did not work. Did I misinterpret the instructions in the bug?

yjdabear Fri, 07/10/2009 - 10:30

If the quote is from the Bug Tool, I won't take it too literally. The bug descriptions often even get CatOS vis-a-vis IOS mixed up. But by "do not configure vty line 15 with any transport input command", maybe Cisco means the opposite: "transport input none".

paul@iosecure.com Fri, 07/10/2009 - 10:43

"transport input none" was definitely not it.

But I determined that in an environment where multiple computers may be accessing the switch via CNA at the same time, each http session takes up a line on the vty.

So with the following configuration I had problems as my client was accessing the system via CNA at the same time.

line vty 0 14
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
 transport output telnet ssh
line vty 15
 access-class 10 in
 exec-timeout 5 0
 transport output telnet ssh

With this configuration it seems to work, and gives enough space for more than one device to connect and view the device at the same time.

line vty 0 12
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
 transport output telnet ssh
line vty 13 15
 access-class 10 in
 exec-timeout 5 0
 transport output telnet ssh
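The thread's finding is that each HTTP session borrows a vty line, so a vty block that is SSH-only starves the HTTP server. As an added example (not from the thread, Cisco, or CNA), the Python checker below parses the "line vty" blocks of a running-config excerpt, counts the lines the HTTP server can use, and flags blocks that accept telnet without an access-class. It assumes the IOS default transport input is "all" where the command is absent, which is consistent with the working config above; the sample config is constructed.

```python
import re

# Constructed sample (not copied from the thread): vty 0-12 SSH-only, vty 13-15 at default transport.
SAMPLE_CONFIG = """\
line vty 0 12
 access-class 10 in
 transport input ssh
line vty 13 15
 access-class 10 in
 transport output telnet ssh
"""

def parse_vty_lines(config):
    """Return one dict per 'line vty A [B]' block: first, last, transport_input, access_class.
    A block with no 'transport input' is treated as the default 'all' (assumption, consistent
    with the thread's working config, where vty 13-15 carry no transport input command)."""
    ranges, cur = [], None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+)(?: (\d+))?\s*$", raw)
        if m:
            cur = {"first": int(m.group(1)), "last": int(m.group(2) or m.group(1)),
                   "transport_input": "all", "access_class": None}
            ranges.append(cur)
        elif raw.startswith(" ") and cur is not None:
            cmd = raw.split()
            if cmd[:2] == ["transport", "input"]:
                cur["transport_input"] = " ".join(cmd[2:])
            elif cmd[0] == "access-class" and cmd[-1] == "in":
                cur["access_class"] = cmd[1]
        else:
            cur = None  # any unindented line ends the vty block
    return ranges

def http_capable_lines(ranges):
    """Count vty lines the HTTP server can borrow; per the thread, ssh-only lines block it."""
    return sum(r["last"] - r["first"] + 1
               for r in ranges if r["transport_input"] not in ("ssh", "none"))

def audit(config):
    """(usable line count, findings): the 'out of lines' symptom and the telnet exposure."""
    ranges = parse_vty_lines(config)
    n, findings = http_capable_lines(ranges), []
    if n == 0:
        findings.append("no HTTP-capable vty lines: expect 'HTTP: out of lines'")
    elif n == 1:
        findings.append("one HTTP-capable vty line: concurrent CNA sessions will collide")
    for r in ranges:
        if r["transport_input"] not in ("ssh", "none") and not r["access_class"]:
            findings.append(f"vty {r['first']}-{r['last']} accepts telnet with no access-class")
    return n, findings
```

Running audit() on a real "show running-config" capture gives the number of vty lines left for HTTP and whether the lines that remain telnet-capable are at least fenced by an access-class.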
