Problems configuring IOS Web User Interface

Unanswered Question
Dec 21st, 2009

I have a Cisco ASR 1002 on which I am trying to configure the IOS WebUI following the directions here:


http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/webui.html


Problem is, I can only seem to get the so-called legacy interface running, but not the graphical interface.


I am running:

Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 12.2(33)XNE, RELEASE SOFTWARE (fc1)


Here is some added info:

ASR#show transport-map name https-webui                                                  
Transport Map:
  Name: https-webui
  Type: Persistent Webui Transport

Webui:
  Server:        disabled
  Secure Server: enabled

ASR#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
Sudbury-ASR#show ip http server all         
HTTP server status: Disabled
HTTP server port: 80
HTTP server authentication method: aaa
HTTP server access class: 0
HTTP server base path:
HTTP server help root:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Maximum number of requests allowed on a connection: 1
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL

HTTP server application session modules:
Session module Name  Handle Status   Secure-status  Description
HOME_PAGE             2      Active   Active         IOS Homepage Server                    
QDM                   3      Active   Active         QoS Device Manager Server              
HTTP_IFS              1      Active   Active         HTTP based IOS File Server             
QDM_SA                4      Active   Active         QoS Device Manager Signed Applet Server
WEB_EXEC              5      Active   Active         HTTP based IOS EXEC Server            


HTTP server current connections:
local-ipaddress:port  remote-ipaddress:port in-bytes   out-bytes


HTTP server statistics:
Accepted connections total: 71


HTTP server history:
local-ipaddress:port  remote-ipaddress:port in-bytes   out-bytes  end-time


Any idea where I may have gone wrong with this config?


Thanks in advance.


John

Giuseppe Larosa Mon, 12/28/2009 - 01:33

Hello John,

Posting your current config would have been of help. Filter usernames/passwords and mask public IP addresses.


Have you followed the procedure that you have linked after first steps?


Have you configured the management ethernet interface as explained in the following note?


The web user interface will not work if the Management Ethernet interface has not been configured or is not working; specifically, the default route must be specified in the Management Ethernet VRF before the web user interface can be configured.
See the "Using the Management Ethernet Interface" chapter for information on configuring the Management Ethernet interface on your router. See the "Setting a Default Route in the Management Ethernet Interface VRF" section on page 8-4 chapter for information on configuring a default route in the Management Ethernet interface on your router.


Sorry if these are basic questions, but these are just to start the thread.


Hope to help

Giuseppe

bhunsaker_2 Thu, 07/29/2010 - 16:19

Same problem here.  Must be missing something simple.


The web page that is displayed looks anemic:


---

Cisco Systems

Accessing Cisco ASR1002 "routera"

Show diagnostic log - display the diagnostic log.
Monitor the router - HTML access to the command line interface at level 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15


Show tech-support - display information commonly needed by tech support.
Extended Ping - Send extended ping commands.
QoS Device Manager - Configure and monitor QoS through the web interface.

Help resources

  1. CCO at www.cisco.com - Cisco Connection Online, including the Technical Assistance Center (TAC).
  2. [email protected] - e-mail the TAC.
  3. 1-800-553-2447 or +1-408-526-7209 - phone the TAC.
  4. [email protected] - e-mail the HTML interface development group.


----


My software version:


Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 12.2(33)XND2, RELEASE SOFTWARE (fc1)

System image file is "bootflash:asr1000rp1-adventerprisek9.02.04.02.122-33.XND2.bin"


Here are my configuration commands:


!   Although we don't plan on using the management interface for now, the web
!   user interface will not work if the Management Ethernet interface has not
!   been configured or is not working; specifically, the default route must be
!   specified in the Management Ethernet VRF before the web user interface can
!   be configured.


ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.xxx.yyy.254
interface GigabitEthernet0
ip address 10.xxx.yyy.1 255.255.255.0
exit


!   Allow management access from our management stations only.


no ip access-list standard 20
ip access-list standard 20

permit host 10.xxx.zzz.1
permit host 10.xxx.zzz.2

exit


!   Enable https webui


no ip http server
ip http secure-server
ip http authentication local
ip http access-class 20


!   The above enables the legacy web user interface.  We'll also enable the
!   graphics-based web user interface.


transport-map type persistent webui https-webui
secure-server
exit


transport type persistent webui input https-webui


When I enter the "transport type persistent webui input https-webui" command, I get the following message:


Please enable (ip http) secure-server and set desired port information.


Here's an obscured version of the running config:


!
! Last configuration change at 16:02:23 MDT Thu Jul 29 2010
! NVRAM config last updated at 15:08:00 MDT Thu Jul 29 2010
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routera
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 1048576 informational
logging console errors
logging monitor errors
enable secret 5
enable password
!
no aaa new-model
!
transport-map type persistent webui https-webui
secure-server
!
clock timezone MST -8
clock summer-time MDT recurring
syscon address 10.www.xxx.44 burp
syscon shelf-id 0
ip subnet-zero
ip source-route
no ip domain lookup
ip domain name domain.com
!
!
!
!
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-28998717235
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-28998717235
revocation-check none
rsakeypair TP-self-signed-2899871775
!
!
crypto pki certificate chain TP-self-signed-2899871235
certificate self-signed 01
      quit
username bob privilege 15 password 0
!
redundancy
mode none
!
!!
!
!
interface GigabitEthernet0/0/0
description Connects to tier 1 switch in the left powerhouse phone room.
ip address 10.xxx.aaa.1 255.255.255.0 secondary
ip address 10.xxx.zzz.1 255.255.255.0
negotiation auto
vrrp 100 description Our one and only active interface on this router.
vrrp 100 ip 10.xxx.zzz.254
vrrp 100 ip 10.xxx.aaa.254 secondary
vrrp 100 priority 110
vrrp 100 authentication text t1auth
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.xxx.yyy.1 255.255.255.0
negotiation auto
no mop enabled
!
ip classless
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.xxx.yyy.254
!
no ip http server
ip http access-class 20
ip http authentication local
ip http secure-server
!
logging facility local5
logging 10.xxx.yyy.251
access-list 20 permit 10.xxx.zzz.1
access-list 20 permit 10.xxx.zzz.2
!
!
!
control-plane
!
banner login ^C
Be careful out there
^C
!
line con 0
stopbits 1
line aux 0
line vty 0 4
login local
transport input ssh
!
transport type persistent webui input https-webui
!
ntp server 10.xxx.zzz.119
end


Any ideas why I can't even get the legacy web interface shown in the Cisco docs?


Thanks!

John Rumball Tue, 06/28/2011 - 10:52

Still no solution to this, eh?  I decided to look into this problem again after some time away from it, but cannot get any further ahead.


Hoping someone with an answer may pick up on this this time around.

dreams_as_money Mon, 11/28/2011 - 00:23

Hi

Updating to the latest IOS will work, for example:

asr1000rp1-adventerprisek9.03.04.01.S.151-3.S1.bin


regards

mkhalil10 Mon, 10/12/2015 - 05:07

I have the same issue; I am using 155-1.s1

I just get the basic web interface

nathan.kiel.pgi Wed, 01/25/2012 - 14:29

I had a similar issue but with mine I was seeing the advanced web interface but some features within it were not working.  For an error message in the non-working portions of the interface, it stated 'IOS is inaccessible or down'.


I noticed that if I removed the access-class for ip http that it was fully functional.


Apparently at least the ASR1013 communicates with an internal service.


If you run 'show ip http server all' you get a netstat output like this:


Note: I replaced my IP with #.#.#.# in the output.


HTTP server history:
local-ipaddress:port  remote-ipaddress:port in-bytes   out-bytes  end-time
     #.#.#.#:443        10.120.0.1:18432 0          0          22:00:01 01/25
     #.#.#.#:443        10.120.0.1:60727 343        200        22:00:03 01/25
     #.#.#.#:443        10.120.0.1:11390 386        200        22:00:14 01/25
     #.#.#.#:443        10.120.0.1:5716  386        2117       22:00:20 01/25
     #.#.#.#:443        10.120.0.1:18065 367        137        22:00:20 01/25
     #.#.#.#:443        10.120.0.1:59682 397        137        22:00:21 01/25
     #.#.#.#:443        10.120.0.1:34330 432        5929       22:00:29 01/25
    192.168.1.2:443       192.168.1.1:38016 118        200        22:07:09 01/25
    192.168.1.2:443       192.168.1.1:38017 118        200        22:07:22 01/25
    192.168.1.2:443       192.168.1.1:38018 161        2117       22:07:22 01/25
    192.168.1.2:443       192.168.1.1:50212 192        3524       22:07:39 01/25
    192.168.1.2:443       192.168.1.1:50211 149        200        22:07:40 01/25
    192.168.1.2:443       192.168.1.1:50214 191        14460      22:08:46 01/25
    192.168.1.2:443       192.168.1.1:50213 148        200        22:08:46 01/25
    192.168.1.2:443       192.168.1.1:50216 193        2246       22:09:12 01/25
    192.168.1.2:443       192.168.1.1:50218 194        3598       22:09:12 01/25
    192.168.1.2:443       192.168.1.1:50215 150        200        22:09:12 01/25
    192.168.1.2:443       192.168.1.1:50217 151        200        22:09:12 01/25
    192.168.1.2:443       192.168.1.1:32877 118        200        22:13:25 01/25
    192.168.1.2:443       192.168.1.1:42057 118        200        22:20:26 01/25


Notice that there is internal communication with the web service on IP addresses 192.168.1.2 and 192.168.1.1.  I had to add 192.168.1.1 to my access-list and re-add the ip http access-class statement.  Once I did that, full functionality to the website was available.


Thus, you may have issues with an assigned access-list to your ip http config.  It may even prevent your advanced web interface from working.


Something to check.  Btw, I do not have these 192.168.1.x IP addresses in my configuration at all.


ASR1013#show ip route 192.168.1.1
% Network not in table
ASR1013#show ip route 192.168.1.2
% Network not in table
ASR1013#


Btw, I'm running:


Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(1)S, RELEASE SOFTWARE (fc1)


On an RP2
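
Added example, not part of any post in this thread: a Python check for the situation described in the post above, where the list applied with "ip http access-class" does not cover a peer that the HTTPS server actually talks to. It parses the "HTTP server history" table from 'show ip http server all' and reports remote addresses that a standard ACL would deny. The function names, the sample ACL and the trimmed history rows are assumptions constructed for illustration, and the ACL is assumed to contain permit entries only.

```python
import ipaddress
import re

# Constructed samples: history rows in the layout quoted above, and a standard ACL.
HISTORY = """\
local-ipaddress:port  remote-ipaddress:port in-bytes   out-bytes  end-time
     #.#.#.#:443        10.120.0.1:18432 0          0          22:00:01 01/25
    192.168.1.2:443       192.168.1.1:38016 118        200        22:07:09 01/25
    192.168.1.2:443       192.168.1.1:38017 118        200        22:07:22 01/25
"""
ACL = """\
access-list 20 permit 10.120.0.1
ip access-list standard 20
 permit host 10.120.0.2
 permit 10.50.0.0 0.0.0.255
"""
IP = r"\d+\.\d+\.\d+\.\d+"
ROW = re.compile(rf"^\s*\S+:\d+\s+({IP}):\d+\s+\d+\s+\d+\s")
PERMIT = re.compile(rf"\bpermit\s+(?:host\s+)?({IP})(?:\s+({IP}))?")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acl(text):
    """Return (base, wildcard) integer pairs; a bare address is a single host."""
    entries = []
    for line in text.splitlines():
        m = PERMIT.search(line)
        if re.search(r"\bpermit\s+any\b", line):
            entries.append((0, 0xFFFFFFFF))
        elif m:
            entries.append((to_int(m.group(1)), to_int(m.group(2) or "0.0.0.0")))
    return entries

def permitted(addr, entries):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    n = to_int(addr)
    return any(((n ^ base) & ~wild & 0xFFFFFFFF) == 0 for base, wild in entries)

def unpermitted_peers(history, acl):
    """Map each remote address the ACL would deny to its connection count."""
    entries = parse_acl(acl)
    missing = {}
    for line in history.splitlines():
        m = ROW.match(line)
        if m and not permitted(m.group(1), entries):
            missing[m.group(1)] = missing.get(m.group(1), 0) + 1
    return missing

print(unpermitted_peers(HISTORY, ACL))
```

The history only lists peers whose connections were accepted, so it needs to be captured while the access-class is not applied, as in the post above.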

kobarley1078 Thu, 04/07/2016 - 15:11

Hi,

I have the same problem on the ASR1002-X.

Did you solve that?

My running-config on the ASR is almost the same as yours.

If you have the solution to that, could you help me?

Thank you.

Danniel


