07-10-2009 09:21 AM
Hello Cisco Netpro!
I've got a weird one that I can't nail down. These 2950s had previously been available over the web interface (client was managing them with CNA) and then I decided to bring the configuration up a little closer to best-practices.
But now the web interface won't load, it just dumps the browser at a blank page (but no error).
I ran some debugs on the CLI and it shows only this error:
Jul 10 10:05:44.098 UTC: HTTP: out of lines
This error appears whether or not a valid URL is requested.
I can point a browser to "images/logo.gif" and it shows the error on the CLI, but instead of the Cisco logo it shows the text path "http://<host>/images/logo.gif"
I am debugging these:
HTTP:
HTTP transactions debugging is on
HTTP URL debugging is on
HTTP Authentication debugging is on
But the error is coming from HTTP transactions debugging only.
The major changes I made were enabling AAA authentication, creating an RSA key for ssh. Minor changes included adding a domain-name and name-server, and setting an ACL to restrict access to http and inbound ssh.
Any ideas? I can't find documentation on this debug error in the bug toolkit, or anywhere on the web.
Paul
07-10-2009 09:58 AM
Your 2950s are configured:
line con 0
exec-timeout 5 0
privilege level 15
line vty 0 4
access-class 10 in
exec-timeout 5 0
transport input ssh
transport output telnet ssh
line vty 5 15
access-class 10 in
exec-timeout 5 0
transport input ssh
transport output telnet ssh
There's this caveat in the CNA release notes:
These limitations apply only to the Catalyst 3750, 3560, 3550, 2970, 2955, 2950, and 2940 switches:
• Network Assistant fails when a device is running the cryptographic software image and the vty lines have been configured by using the transport input ssh and line vty 0 15 global configuration commands to use only SSH. The workaround is to allow SSH and Telnet access through the vty lines by using the transport input ssh telnet and line vty 0 15 global configuration commands. (CSCdz01037)
07-10-2009 09:52 AM
Can you attach the output of debug http tok ?
Also can you attach the output of the java console in CNA ? (shift + F2 and then get the java output generated in CNA, after reproducing the issue)
07-10-2009 10:16 AM
Great thanks! With this configuration I was able to get the web interface back up:
line vty 0 15
transport input ssh telnet
The bug id you referenced says this:
"If vty line 15 is not configured for "transport input all/telnet", http access to the switch will not work. Therefore if only ssh and http is suppose to be allowed to manage the switch, do not configure vty line 15 with any transport input command."
This suggests that it should be sufficient to do this:
line vty 0 14
transport input ssh
line vty 15
transport input all
# or "no transport input"
But I found that this did not work. Did I misinterpret the instructions in the bug?
07-10-2009 10:30 AM
If the quote is from the Bug Tool, I won't take it too literally. The bug descriptions often even get CatOS vis-a-vis IOS mixed up. But by "do not configure vty line 15 with any transport input command", maybe Cisco means the opposite: "transport input none".
07-10-2009 10:43 AM
"transport input none" was definitely not it.
But I determined that in an environment where multiple computers may be accessing the switch via CNA at the same time, each http session takes up a line on the vty.
So with the following configuration I had problems as my client was accessing the system via CNA at the same time.
line vty 0 14
access-class 10 in
exec-timeout 5 0
transport input ssh
transport output telnet ssh
line vty 15
access-class 10 in
exec-timeout 5 0
transport output telnet ssh
With this configuration it seems to work, and gives enough space for more than one device to connect and view the device at the same time.
line vty 0 12
access-class 10 in
exec-timeout 5 0
transport input ssh
transport output telnet ssh
line vty 13 15
access-class 10 in
exec-timeout 5 0
transport output telnet ssh
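As an added example (not from the thread, Cisco, or CNA), here is a small Python check that parses the vty section of a running-config and applies the rule this thread arrived at empirically: a vty line with "transport input ssh" alone or "transport input none" cannot serve HTTP sessions, while "all", "telnet" or no transport input command at all leaves it usable, and at least two such lines are needed for concurrent CNA users. It also flags vty lines with no inbound access-class, as every config in the thread restricts them. The config text is constructed to mirror the final working configuration above.

```python
import re

# Constructed sample, modelled on the thread's final working config
# (vty 0-12 SSH-only, vty 13-15 with no transport input so HTTP can use them).
SAMPLE_CONFIG = """\
line vty 0 12
 access-class 10 in
 transport input ssh
 transport output telnet ssh
line vty 13 15
 access-class 10 in
 transport output telnet ssh
"""

def parse_vty_lines(config):
    """Map each vty number to its explicit 'transport input' (None if absent) and access-class flag."""
    vtys, current = {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
        if m:  # expand 'line vty X Y' into individual line numbers; later blocks override
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            current = list(range(first, last + 1))
            for n in current:
                vtys.setdefault(n, {"transport_input": None, "access_class": False})
        elif line.startswith("line "):  # con/aux block, not a vty
            current = []
        elif line.startswith("transport input "):
            for n in current:
                vtys[n]["transport_input"] = line[len("transport input "):]
        elif line.startswith("access-class ") and line.endswith(" in"):
            for n in current:
                vtys[n]["access_class"] = True
    return vtys

def http_capable(transport_input):
    """Thread's finding: 'ssh' alone and 'none' block HTTP; 'all', 'telnet' or no command allow it."""
    if transport_input is None:
        return True
    return bool({"all", "telnet"} & set(transport_input.split()))

def check_http_vty(config):
    """Return (HTTP-capable vty numbers, list of findings) for a running-config excerpt."""
    vtys = parse_vty_lines(config)
    capable = sorted(n for n, v in vtys.items() if http_capable(v["transport_input"]))
    unprotected = sorted(n for n, v in vtys.items() if not v["access_class"])
    findings = []
    if not capable:
        findings.append("no vty line allows HTTP (all SSH-only or none): web UI/CNA will fail")
    elif len(capable) < 2:
        findings.append("only one HTTP-capable vty line: concurrent CNA sessions will fail")
    if unprotected:
        findings.append("vty lines without an inbound access-class: %s" % unprotected)
    return capable, findings
```

Run it against the output of "show running-config | section line" to confirm the web interface has lines to use before and after tightening vty transport settings.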