SA 520 - Can not connect to Web Interface, via Cisco Config Assist or Telnet

Unanswered Question
Apr 23rd, 2010

I recently deployed my first SA520 for a client. I installed a firmware update released back at the end of Feb or beginning of Mar - I can't log into the SA520 right now to check the current version.

And that's the issue. After a few days, I can not connect to the SA via the web interface, Cisco Config Assistant or Telnet, until I reboot the SA. Inbound and out bound traffic continues to work with out any issues.

Does the current firmware update or a pending firmware update address this issue?

I have 1 SA 520 that I am hisitant to deploy and after reading the forums on the many issues of the SA product line, I am starting to question whether or not I should standardize all of my clients on this platform.

Thanks!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
hyeh Fri, 04/23/2010 - 10:47

Hi,

From the date info you provided it is very likely you are running 1.1.21 image.

There are lots of problems found in 1.1.21 have been fixed in recent release, 1.1.42

We are encouraging you to upgrade to the latest release.

We appologize for the inconvenience

Henry

14dallas Wed, 06/02/2010 - 15:33

I downloaded the latest firmware for the SA520 and updated it last week.  I remote connected to my workstation at the clients site and guess what? I can not access the WebAccess again, telnet or connect via Cisco Confg Assist ver 2.2.4 - everything just hangs.

Needles to say, I wll not recommend the SA's to anyone as reliability seems very questionable. I now have to wait 2 or 3 days before I am back in that area to re-boot the firewall so I can make changes to port fwding.

D

14dallas Thu, 06/03/2010 - 12:10

Very similar issue as being reported with the SA540. I have confirmed that I have the lastest firmware image available - 1.1.42.

Is there another frimware release being worked on by any chance?

Thanks!

Steven DiStefano Thu, 06/03/2010 - 14:24

Due to a problem discovered with the SA5xx GUI API, that CCA used, it was decided to remove CCA support of the SA Applicance until the next firmware release of SA.  So CCA will say the current FW is not supported.  Its confusing since it used to be allowed, I know.

best thing to do is remove it from the CCA community and launch its native browser interface from CCA until its resolved.

There is a discussion of this on this community, but I cant find it at the moment.

Sorry for the delay in responding.

Steve

14dallas Thu, 06/03/2010 - 14:41

Any Idea of when the next firmware release will be? I have about 10 clients that I have recommended the SA520 to and now I am hesitant. I have this oone that freezes after a few days and you can not access the Web Interface. Packets still go through, but I can not do anything with it until after I power cycle it. I have another sitting in box to replace an old cisco PIX 501, and again, I am hesitant.

I really don't need the CCA, I just need access to the Web UI so I can manage these units.

Thanks!

Dallas

hyeh Thu, 06/03/2010 - 14:56

Hi,

Are you using SSL VPN? Or, you just try to use the web interface to manage SA500?

Do you have any special configuration that might trigger this problem?

Thanks

Henry

14dallas Thu, 06/03/2010 - 15:10

I remote connect to an Admin workstation on the local clients network via SBS 2008 Remote Web Workplace and try to connect via https.

As a side note if I connect via http://192.168.x.x, it does redirect me to https://192.168.x.x. but then hangs.

Dallas

14dallas Thu, 06/03/2010 - 15:14

No special configuration,

Just a single Static Public IP Address, no SSL, no VPN, No DHCP. Nothing special at all. After a few days, just can not log into the Web UI at all until you power cycle the unit.  Even though I can not access the Web UI until after I power cycle, the Rotuer/Firewall functions continue to work and allow traffic through.

Dallas

hyeh Thu, 06/03/2010 - 15:47

Can you try to type https directly, and don't reply on the web interface to redirect it for you to see whether it helps or not.

Thanks

Henry

14dallas Thu, 06/03/2010 - 16:00

I have tried both way's.  I was merely just trying to point out that the redirect function does work from http to https, but still hangs when connecting to https. When connecting via http using IE7/8, you get the security certificate warning, click on continue and then hangs.

Connecting directly to https just hangs - status bar says waiting for https://192.168.x.x/scgi-bin/platform.cgi...

Dallas

hyeh Thu, 06/03/2010 - 16:36

Can you try with different browser like Firefox to see whether it makes differences?

14dallas Thu, 06/03/2010 - 17:41

I tried last week when I was site with my notebook running FF 3.3.6 - Confirm Security Exception, then hangs until firewal is restarted.

Dallas

14dallas Thu, 06/03/2010 - 18:02

Just downloaded and installed 3.6 to a local workstation on the clients network. Same result - in status bar "Waiting for 192.168.x.x" and no response.

Dallas

hyeh Fri, 06/04/2010 - 10:48

Hi Dallas

Can you PM me your config so that we can try it in the lab?

Thanks

Henry

14dallas Fri, 06/04/2010 - 18:28

I have a backup from before I did the firmware upgrade, which was supposed to address this issue.  I didn't make it there today, but I should be there at some point over the weekend and I can reboot the 520. Then I can log in and take another config backup. I would like to send you both. So as soon as I can get there.

Dallas

14dallas Thu, 06/17/2010 - 19:28

Had the client reboot the firewall this afternoon.

Still can not log into the Web UI.

How do I get you the file that I saved before I did the update?

Thanks!

Billysno1 Tue, 06/29/2010 - 02:42

I have purchased 3 of these and have run into numerous problems including being told to use the quickvpn i had to create and distribute host files for all remote clients to access local resources using dns names but i am also discovering this problem as well. This is now the 3 time in 4 days the firewall locks up and cant connect to it but traffic seems to be going through ok . i am going to speak to my supplier as these are not living up to what we were told they could do. it also seems to affect my outlook web access as well.

14dallas Tue, 06/29/2010 - 09:17

Hi Bill,

Are you running the latest firmware? the firmware out of the box has serious issues, but the latest one I have downloaded seems to be stable.

My issue may have been related to an incorrect setting for DNS under the WAN Settings. When I first setup the firewall up for testing, I had it pointing to an internal DNS Server, as the PUBLIC facing WAN Port was actually on the inside of the private network and I created a different IP Network address for the LAN Side of the SA 520.  When I reconfigured for deployment, I just didn't even think of changing that setting for some reason to point to a PUBLIC DNS Server IP Address.

Check that setting if you are running the latest firmware as that and the latest firmware have me planning on rolling out my next SA 520 as soon as I can.

Dallas

14dallas Tue, 06/29/2010 - 09:20

One last thought on the DNS Issues, please verify the DNS Server IP Address under WAN settings is valid and if you are using the SA 520 DHCP Server, that the DNS IP Address handed out is also valid - that's the only thing off the top of my head that would explain the DNS issues you described.

Billysno1 Fri, 08/20/2010 - 02:42

Hi Dallas

not checked in a while busy and holidays but in response i was running the latest firmware and even after that upgraded to 2 further release candidates and had 2 main problems

1. the issue with accessing the gui still happened

2. the firewall would for no reason drop our Internet connection.

so have just download the newest firmwre 1.1.65 to replace my 1.1.62 so will try this and hopefully will resolve.

the issue with DNS is a Quickvpn problem and i know use shrewsoft and i can config the client to use my internal DNS server when it connects to my network how i require it creating and distrubuting host files is not a scenario i want which cisco should remedy in the next QucikVPN releas but im not holding my breath for.

14dallas Fri, 08/20/2010 - 05:11

After updating to 1.1.42, I have had no further issues with my SA 520.

Will be deploying quick VPN in middle of Sept so I will keep my fingers crossed.

Hugues ROCHIN Fri, 07/16/2010 - 13:02

Just boughtmy first SA520 to replace the RV082 Linksys of my customers.

After 6 hours working,  I already had 2 times the same issue, even if I upgrade to the new firmware as soon as I unpacked the box.

Internet is working inside the network, but without reason, as I was navigate to the web interface from my home, looking for status, the WEB GUI is no more accessible, and VPN also... but I can see that my skype at work still work...

Have to go at office tomorrow because I need my office connection for this WE...

After my long experience with RV082 (bought at the start of the product), I should say one thing:

CISCO IS GOOD PRODUCT IF YOU BUY OLD PRODUCTS, BUT BUYING PRODUCT WITH LESS THAN 2 OR 3 YEARS IS ALWAYS BUGGY...

At this price, this is not normal that users assume the cisco policy, that is to use the end-user at beta tester.

Better to bug an old PIX501, or definitively forget after this high named CISCO brand, and go to basic products as NETGEAR for SMall BusinesS....

Hugues ROCHIN Sun, 07/18/2010 - 03:22

After a while, I go to the office, and I saw that the ADSL was down and cannot connect even if I use lower MTU, and the modem was correctly sync...

The SA520 see the modem is up but the WAN was down...

Here is the solution I use:

I forget about using my modem as Bridge, and make my modem a normal router.

My modem is:

10.0.0.138

Static route:

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Tableau Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;} /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Tableau Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;}

Destination : 192.168.10.0

Subnet : 255.255.255.0

Gateway : 10.0.0.1

Redirect the 443, 500, GRE to the 192.168.10.1


My SA is :

LAN: 192.168.10.1

WAN: 10.0.0.1

I would like to open a route on SA (that normally work with my old RV082, but the SA does not accept it for the destination and subnet:

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Tableau Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;}

Destination : 0.0.0.0 (Do not accept)

Subnet : 0.0.0.0 (Do not accept)

Gateway : 10.0.0.138

Everything seems to work, but as I am not an expert in static route, my question is: Is this second route unecessary ?

For the little story, my SA still hang and stop to be accessible from WAN often.

I saw the problem after trying from WAN:

- Using SSL

- Parametring the Log email

- Some others param made from WAN

But the good thing is that the SA still work and the IPSEC with shrew still work, I "just" need to go the SA by local using my VPN access, and ask for reboot....

A bad, but working solution for the moment, waiting for new Firmware. (The SA is install for me, hopefully there is not a lot of workers, but of course, big problem if you want users SSL, as they cannot access to the interface, if I can not reboot)

rob.allison Sun, 09/05/2010 - 19:51

I hope your phone conversation was fruitful and you will share what happened with us. I have an SA520 with the same problem only after power cycling it I still can not gain access. Please let us know if you were able to resolve this issue and if so how.

nmanglik Mon, 09/06/2010 - 13:51

Hi Rob,

We are yet to receive any contact information from the above but if you are facing a similar issue we would like to understand your scenario better. Is there a way we can talk on phone.

You can email me your contact information as well as briefly describe the symptom what you are seeing and I will setup a meeting to talk to you in this regards.

Thanks,

Nitin Manglik

[email protected]

rob.allison Tue, 09/21/2010 - 11:17

Updating the box to 1.62 fixed the issue for now. I will let you know if I have any other issues. Thanks for all the help.

Actions

This Discussion