Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1163
Views
0
Helpful
5
Replies

2950 web interface fails with debug error "http: out of lines"

Go to solution
paul
Level 1
Level 1

‎07-10-2009 09:21 AM

Hello Cisco Netpro!

I've got a weird one that I can't nail down. These 2950s had previously been available over the web interface (client was managing them with CNA) and then I decided to bring the configuration up a little closer to best-practices.

But now the web interface won't load, it just dumps the browser at a blank page (but no error).

I ran some debugs on the CLI and it shows only this error:

Jul 10 10:05:44.098 UTC: HTTP: out of lines

This error appears whether or not a valid URL is requested.

I can point a browser to "images/logo.gif" and it shows the error on the CLI, but instead of the Cisco logo it shows the text path "http://<host>/images/logo.gif"

I am debugging these:

HTTP:

HTTP transactions debugging is on

HTTP URL debugging is on

HTTP Authentication debugging is on

But the error is coming from HTTP transactions debugging only.

The major changes I made were enabling AAA authentication, creating an RSA key for ssh. Minor changes included adding a domain-name and name-server, and setting an ACL to restrict access to http and inbound ssh.

Any ideas? I can't find documentation on this debug error in the bug toolkit, or anywhere on the web.

Paul

Labels:
Preview file
3 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
yjdabear
VIP Alumni
VIP Alumni

‎07-10-2009 09:58 AM

Your 2950s are configured:

line con 0

exec-timeout 5 0

privilege level 15

line vty 0 4

access-class 10 in

exec-timeout 5 0

transport input ssh

transport output telnet ssh

line vty 5 15

access-class 10 in

exec-timeout 5 0

transport input ssh

transport output telnet ssh

There's this caveat in the CNA release notes:

These limitations apply only to the Catalyst 3750, 3560, 3550, 2970, 2955, 2950, and 2940 switches:

•Network Assistant fails when a device is running the cryptographic software image and the vty lines have been configured by using the transport input ssh and line vty 0 15 global configuration commands to use only SSH. The workaround is to allow SSH and Telnet access through the vty lines by using the transport input ssh telnet and line vty 0 15 global configuration commands. (CSCdz01037)

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Lucien Avramov
Level 10
Level 10

‎07-10-2009 09:52 AM

Can you attach the output of debug http tok ?

Also can you attach the output of the java console in CNA ? (shift + F2 and then get the java output generated in CNA, after reproducing the issue)

0 Helpful

Go to solution
yjdabear
VIP Alumni
VIP Alumni

‎07-10-2009 09:58 AM

Your 2950s are configured:

line con 0

exec-timeout 5 0

privilege level 15

line vty 0 4

access-class 10 in

exec-timeout 5 0

transport input ssh

transport output telnet ssh

line vty 5 15

access-class 10 in

exec-timeout 5 0

transport input ssh

transport output telnet ssh

There's this caveat in the CNA release notes:

These limitations apply only to the Catalyst 3750, 3560, 3550, 2970, 2955, 2950, and 2940 switches:

•Network Assistant fails when a device is running the cryptographic software image and the vty lines have been configured by using the transport input ssh and line vty 0 15 global configuration commands to use only SSH. The workaround is to allow SSH and Telnet access through the vty lines by using the transport input ssh telnet and line vty 0 15 global configuration commands. (CSCdz01037)

0 Helpful

Go to solution
paul
Level 1
Level 1
In response to yjdabear

‎07-10-2009 10:16 AM

Great thanks! With this configuration I was able to get the web interface back up:

line vty 0 15

transport input ssh telnet

The bug id you referenced says this:

"If vty line 15 is not configured for "transport input all/telnet, http access to the switch will not work. Therefore if only ssh and http is suppose to be allowed to manage the switch, do not configure vty line 15 with any transport input command."

This suggest that it should be sufficient to do this:

line vty 0 14

transport input ssh

line vty 15

transport input all

# or "no transport input"

But I found that this did not work. Did I misinterpret the instructions in the bug?

0 Helpful

Go to solution
yjdabear
VIP Alumni
VIP Alumni
In response to paul

‎07-10-2009 10:30 AM

If the quote is from the Bug Tool, I won't take it too literally. The bug descriptions often even get CatOS vis-a-vis IOS mixed up. But by "do not configure vty line 15 with any transport input command", maybe Cisco means the opposite: "transport input none".

0 Helpful

Go to solution
paul
Level 1
Level 1
In response to yjdabear

‎07-10-2009 10:43 AM

"transport input none" was definitely not it.

But I determined that in an environment where multiple computers may be accessing the switch via CNA at the same time, each http session takes up a line on the vty.

So with the following configuration I had problems as my client was accessing the system via CNA at the same time.

line vty 0 14

access-class 10 in

exec-timeout 5 0

transport input ssh

transport output telnet ssh

line vty 15

access-class 10 in

exec-timeout 5 0

transport output telnet ssh

With this configuration it seems to work, and gives enough space for more than one device to connect and view the device at the same time.

line vty 0 12

access-class 10 in

exec-timeout 5 0

transport input ssh

transport output telnet ssh

line vty 13 15

access-class 10 in

exec-timeout 5 0

transport output telnet ssh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents