Enabling HTTPS while SSH is enabled

Unanswered Question
Apr 27th, 2012

Hello


I have enabled SSH on my 3750 switches and notice that HTTPS is not working. I am not sure they are related, but it seems to be oddly coincidental.

Therefore I find it difficult to monitor using CNA 5.7.6.


Configs are given below:

gvadc-sf01#sh run | i ip http
ip http server
ip http access-class 11
ip http secure-server

From my machine, I should normally have access to HTTPS running on the switch, but that isn't the case.


Do I need to generate a new crypto key separately for https?


Thanks for helping out on this..

TGF_Cisco Fri, 04/27/2012 - 05:49

Snapshot from the switch showing that the secure server is enabled:


A1#show ip http server sec st
A1#show ip http server sec status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL

Richard Burts Sun, 04/29/2012 - 18:34
The original post contains this line

ip http access-class 11

which says that access to HTTP is controlled by access list 11. So what is in access list 11? And particularly, is the address of your machine included in a permit in access list 11?


HTH


Rick
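
The check asked about in the reply above, as an added example that is not part of the original thread: it evaluates a source address against a numbered standard ACL the way `ip http access-class 11` would, with first match winning and an implicit deny at the end. The thread never shows access list 11, so the ACL text, the addresses and the function names here are constructed for illustration.

```python
import ipaddress

# Constructed sample: the thread never shows what access list 11 contains.
SAMPLE_ACL_11 = """\
access-list 11 remark management stations
access-list 11 permit 192.0.2.0 0.0.0.255
access-list 11 deny   198.51.100.50
access-list 11 permit 198.51.100.0 0.0.0.63
access-list 11 permit host 203.0.113.10
"""

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_standard_acl(text, number):
    """Return [(action, address, wildcard)] for one numbered standard ACL."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)]:
            continue
        action, rest = tok[2], tok[3:]
        if action not in ("permit", "deny"):
            continue  # remark lines and anything else are not match entries
        if rest[0] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            addr, wild = rest[1], "0.0.0.0"
        else:
            # A bare address with no wildcard mask matches that single host.
            addr = rest[0]
            wild = rest[1] if len(rest) > 1 and rest[1] != "log" else "0.0.0.0"
        entries.append((action, _to_int(addr), _to_int(wild)))
    return entries

def check_source(entries, source_ip):
    """Return (action, entry_number); first match wins, no match is implicit deny."""
    src = _to_int(source_ip)
    for index, (action, addr, wild) in enumerate(entries, start=1):
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if (src & care) == (addr & care):
            return action, index
    return "deny", None

if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL_11, 11)
    for ip in ("192.0.2.25", "198.51.100.50", "198.51.100.20", "10.9.9.9"):
        print(ip, check_source(acl, ip))
```

A management station that falls through to the implicit deny, or that hits an earlier deny entry before its permit, is refused by the HTTP and HTTPS servers even though it can still ping the switch.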

Marvin Rhoads Mon, 04/30/2012 - 07:51

You should specify an authentication method for http(s). e.g., "ip http server authentication local"

TGF_Cisco Mon, 05/07/2012 - 06:40

Hi


It worked on the server farm devices, but I am unable to discover the core and the distribution devices.


In the topology the core devices are seen, but when I add them to the community, it fails.


Attached is the snapshot.


and the devices are reachable from the server


ping 172.19.26.252

Pinging 172.19.26.252 with 32 bytes of data:
Reply from 172.19.26.252: bytes=32 time=1ms TTL=255
Reply from 172.19.26.252: bytes=32 time=2ms TTL=255
Reply from 172.19.26.252: bytes=32 time=2ms TTL=255

Ping statistics for 172.19.26.252:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms
Control-C
^C



I guess it is trying to connect on this IP address, and it pings fine, but the moment I try to discover, it fails. It could successfully discover the other devices but not the core and the distribution devices.

Marvin Rhoads Mon, 05/07/2012 - 07:24

Cisco says "unable to connect" to cover any communications or authentication issue. Have you checked the actual packets with, say Wireshark, to see what's going on? I would suggest looking for and verifying that the SNMP community string matches.
