Connection to the device could not be established. Either the device is not reachable or the HTTP/HTTPS service is not enabled on the device.

jason
Level 1

This Cisco 800 series has been "handed" to me to get configured...

I am having issues using CCP to connect to the device, I am getting "Connection to the device could not be established. Either the device is not reachable or the HTTP/HTTPS service is not enabled on the device."

I know I saved some wrong configuration but having a tough time figuring out where.  Can someone point out to a cisco newb where I am going wrong?

I have checked off the following troubleshooting and can't find where I made my mistake.

Connection to the device could not be established. Either the device is not reachable or the HTTP service is not enabled on the device.

This error message is displayed in one of the following conditions:

The internet connection is down.

The IP address of the device is wrong or the device is not reachable.

The CLI "ip route <x.x.x.x> <x.x.x.x> <x.x.x.x>" is missing in the configuration.

The wrong HTTP port is provided to Cisco CP to connect to the device.

The CLI "ip http server" is missing in the configuration for non-secure connection.

The CLI "ip http secure-server" is missing in the configuration for secure connection.

To configure the device as an HTTP or HTTPS server, enter the following commands:

Router> config terminal
Router(config)# ip http server
Router(config)# ip http secure-server

Any help with the proper commands would be greatly appreciated!

881W#show config

Using 5319 out of 262136 bytes

!

! No configuration change since last restart

! NVRAM config last updated at 14:54:38 PCTime Sat Dec 17 2011

!

version 15.1

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname 881W

!

boot-start-marker

boot system flash c880data-universalk9-mz.151-3.T2.bin

boot-end-marker

!

!

logging buffered 51200 warnings

enable secret 5 $1$0IZb$gTe9qzmC2khcz4q7t1H1r0

!

no aaa new-model

memory-size iomem 10

clock timezone PCTime -5 0

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-542214224

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-542214224

revocation-check none

!

!

crypto pki certificate chain TP-self-signed-542214224

certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

ip source-route

!

!

!

ip dhcp excluded-address 10.10.10.1

!

ip dhcp pool ccp-pool

   import all

   network 10.10.10.0 255.255.255.248

   default-router 10.10.10.1

   lease 0 2

!

!

ip cef

no ip domain lookup

ip domain name Masternet

no ipv6 cef

!

!

license udi pid CISCO881W-GN-A-K9 sn FTX152401DC

!

!

username ***** privilege 15 secret 5 $1$FJ5H$buqflzYdL8pf9wOuZE8wm/

!

!

!

!

!

class-map type inspect match-any ccp-cls-insp-traffic

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class class-default

  drop

!

zone security out-zone

zone security in-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

!

!

!

!

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description $ES_WAN$

no ip address

duplex auto

speed auto

pppoe-client dial-pool-number 1

!

interface wlan-ap0

description Service module interface to manage the embedded AP

ip unnumbered Vlan1

arp timeout 0

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

!

interface Vlan1

description Bellsouth WAN$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

ip address 10.10.10.1 255.255.255.248

ip nat outside

ip virtual-reassembly in

zone-member security out-zone

ip tcp adjust-mss 1412

!

interface Dialer0

description $FW_OUTSIDE$

ip address negotiated

ip mtu 1452

zone-member security out-zone

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname *******

ppp chap password 0 ********

ppp pap sent-username ******** password 0 ********

no cdp enable

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip flow-top-talkers

top 10

sort-by bytes

cache-timeout 3000000

!

ip route 0.0.0.0 0.0.0.0 FastEthernet4

!

logging esm config

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 91 permit any

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 permit ip any any

access-list 110 permit icmp any any echo

access-list 110 permit icmp any any echo-reply

access-list 110 permit icmp any any source-quench

access-list 110 permit icmp any any packet-too-big

access-list 110 permit icmp any any time-exceeded

dialer-list 1 protocol ip permit

no cdp run

!

!

!

!

banner login ^CYou are using a network that logs all users activities.  If you are not authorized disconnect now.^C

!

line con 0

login local

no modem enable

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

ntp update-calendar

ntp server 24.56.178.140 source Wlan-GigabitEthernet0

ntp server 64.90.182.55 prefer source Wlan-GigabitEthernet0

end

2 Accepted Solutions

Hi,

take a look at my previous post, this is a ZBF config problem.

Regards.

Alain

Don't forget to rate helpful posts.


Hi,

zone security in-zone

int vlan 1

no ip nat outside

ip nat inside

no zone-member security out-zone

zone-member security in-zone

Regards.

Alain

Don't forget to rate helpful posts.


17 Replies

Richard Burts
Hall of Fame

Jason

Can you tell us what is the source address when you attempt to use CCP? I am guessing that this is the problem. Look at these parts of the config

ip http access-class 23

access-list 23 permit 10.10.10.0 0.0.0.7

This says that the router will only accept connections from source addresses 10.10.10.1 through 10.10.10.6.

HTH

Rick


Do you think it is the preferred adapter messing things up?

C:\ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PC

   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Marvell Yukon 88E8056 PCI-E Gigabit Ether
net Controller #2
   Physical Address. . . . . . . . . : 00-23-54-51-41-F7
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.10.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 10.10.10.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Masternet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Marvell Yukon 88E8056 PCI-E Gigabit Ether
net Controller
   Physical Address. . . . . . . . . : 00-23-54-51-41-F8
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.113(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, December 17, 2011 3:54:53 PM
   Lease Expires . . . . . . . . . . : Sunday, December 18, 2011 3:54:53 PM
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 205.152.144.23
                                       205.152.132.23
                                       192.168.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{319730B2-D3E1-4D78-BC1E-A9F7827A84E8}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:1851:27dc:3f57:fe8e(Pref
erred)
   Link-local IPv6 Address . . . . . : fe80::1851:27dc:3f57:fe8e%13(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{B794DE4E-C0A2-4CC6-A5D3-A5657D38F1B4}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Jason

The PC seems to have 2 IP addresses and I do not see anything in what you posted that tells us which address is being used (and both addresses have the notation that they are preferred). So I am going to assume that it is likely that the device is using the 192.168.1.113 address and that this is causing the problem. I can suggest a couple of things that you could do that would prove this.

- you could add a line to access list 23 that permits 192.168.1.113 (permit the specific host, or permit a range of hosts that include this, or permit the entire 192.168.1.0 network). If you add the line and then access works you have proved what was the problem and have also achieved a workaround for the problem.

- you could add a line to access list 23 with deny any and specifying the log parameter like this

access-list 23 deny any log

This will generate a log message which should tell you what address is attempting access. This could tell you exactly what the problem is but you would then have to decide whether it is better to do something on the host to get it to use the 10.10.10.2 address or to do something on the router to get it to accept the address.

HTH

Rick

As an after-thought can you tell us whether that host has 2 Ethernet cards? Perhaps the solution is as simple as moving the Ethernet connection to the other card.

HTH

Rick

Rick,

I did disable the 192.168.1.113 DHCP address and that still proved to not work.  I should have been more clear back when I posted the IPCONFIG.  On your advice I have switched the network cords around, and disabled the 192.x.x.x network for safe keeping.  No luck...

Here is the new access-lists info:

881W(config)#end

881W#

Dec 18 23:13:04.751: %SYS-5-CONFIG_I: Configured from console by ****** on consolewrite

Building configuration...

[OK]

881W#show access-lists

Standard IP access list 23

    10 permit any

Standard IP access list 91

    10 permit any

Extended IP access list 100

    10 permit ip host 255.255.255.255 any

    20 permit ip 127.0.0.0 0.255.255.255 any

Extended IP access list 101

    10 permit ip any any

Extended IP access list 110

    10 permit icmp any any echo

    20 permit icmp any any echo-reply

    30 permit icmp any any source-quench

    40 permit icmp any any packet-too-big

    50 permit icmp any any time-exceeded

881W#

As you can see I did the ole permit any and still not working.  Also below is my current IPCONFIG.

Windows IP Configuration

Ethernet adapter Masternet:

   Connection-specific DNS Suffix  . :

   IPv4 Address. . . . . . . . . . . : 192.168.1.122

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . : 192.168.1.254

Ethernet adapter Cisco:

   Connection-specific DNS Suffix  . :

   IPv4 Address. . . . . . . . . . . : 10.10.10.2

   Subnet Mask . . . . . . . . . . . : 255.255.255.248

   Default Gateway . . . . . . . . . : 10.10.10.1

Tunnel adapter isatap.{319730B2-D3E1-4D78-BC1E-A9F7827A84E8}:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :

   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:30:2954:3f57:fe85

   Link-local IPv6 Address . . . . . : fe80::30:2954:3f57:fe85%13

   Default Gateway . . . . . . . . . : ::

Tunnel adapter isatap.{B794DE4E-C0A2-4CC6-A5D3-A5657D38F1B4}:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . :

As far the log reporting, here is what I set:

881W#show access-lists

Standard IP access list 23

    10 deny   any log

Standard IP access list 91

    10 permit any

Extended IP access list 100

    10 permit ip host 255.255.255.255 any

    20 permit ip 127.0.0.0 0.255.255.255 any

Extended IP access list 101

    10 permit ip any any

Extended IP access list 110

    10 permit icmp any any echo

    20 permit icmp any any echo-reply

    30 permit icmp any any source-quench

    40 permit icmp any any packet-too-big

    50 permit icmp any any time-exceeded

881W#show log

I took the NIC adapter up and down to make sure I saw active logging, this is the result:

Dec 18 23:32:59.179: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down

Dec 18 23:33:06.447: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up

Dec 18 23:33:07.447: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up

I didn't see any activity from the CCP.  Any more advice?

Jason

Hi Jason,

Could you post your show version output? Make sure you've temporarily disabled your PC FW/AV.

Sent from Cisco Technical Support iPhone App

John,

I removed MS Security Essentials, and checked the Windows Firewall and all firewalls(zones) are set to off.  The CCP was working until I made some changes a couple days back.  The system (PC) I am using has not changed in really any way.  I was assuming I made a bonehead change and committed it before checking.  Looking over the config it seemed fine except for the local PC having two NICS.  I was using one NIC for my local LAN, and the other to connect to the CCP on the Cisco 881.

881W#show version
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Wed 10-Aug-11 11:29 by prod_rel_team

ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)

881W uptime is 3 minutes
System returned to ROM by power-on
System restarted at 23:30:09 PCTime Sun Dec 18 2011
System image file is "flash:c880data-universalk9-mz.151-3.T2.bin"
Last reload type: Normal Reload


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memory.
Processor board ID FTX152401DC

5 FastEthernet interfaces
1 Gigabit Ethernet interface
1 terminal line
1 Virtual Private Network (VPN) Module
1 cisco Embedded AP (s)
256K bytes of non-volatile configuration memory.
126000K bytes of ATA CompactFlash (Read/Write)


License Info:

License UDI:
-------------------------------------------------
Device#   PID   SN
-------------------------------------------------
*0     CISCO881W-GN-A-K9     FTX152401DC    

License Information for 'c880-data'
    License Level: advsecurity   Type: Permanent
    Next reboot license Level: advsecurity


Configuration register is 0x2102

hi jason,

can you do the below and try again?

no ip source-route

John,

No luck, still not working and giving the same error.

Latest config:

Using 5344 out of 262136 bytes
!
! Last configuration change at 10:33:56 PCTime Mon Dec 19 2011 by jmorano
! NVRAM config last updated at 10:33:58 PCTime Mon Dec 19 2011 by jmorano
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 881W
!
boot-start-marker
boot system flash c880data-universalk9-mz.151-3.T2.bin
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$0IZb$gTe9qzmC2khcz4q7t1H1r0
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-542214224
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-542214224
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-542214224
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
ip source-route
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name Masternet
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn FTX152401DC
!
!
username jmorano privilege 15 secret 5 $1$FJ5H$buqflzYdL8pf9wOuZE8wm/
!
!
!
!
!
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description Bellsouth WAN$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname *********
ppp chap password 0 ********
ppp pap sent-username ******
no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 3000000
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
logging esm config
access-list 23 permit any
access-list 91 permit any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any source-quench
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any time-exceeded
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
banner login ^CYou are using a network that logs all users activities.  If you are not authorized disconnect now.^C
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp update-calendar
ntp server 24.56.178.140 source Wlan-GigabitEthernet0
ntp server 64.90.182.55 prefer source Wlan-GigabitEthernet0
end

Jason

I am a bit confused about how it is configured. First you tell us this:

881W#show access-lists

Standard IP access list 23

    10 permit any

but then you also show us this

881W#show access-lists

Standard IP access list 23

    10 deny   any log

so I am really confused about the content of access list 23. Perhaps the best solution is to ask you to post a fresh copy of the output of show run.

HTH

Rick


881W#show run
Building configuration...

Current configuration : 6594 bytes
!
! No configuration change since last restart
! NVRAM config last updated at 23:30:52 PCTime Sun Dec 18 2011
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 881W
!
boot-start-marker
boot system flash c880data-universalk9-mz.151-3.T2.bin
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$0IZb$gTe9qzmC2khcz4q7t1H1r0
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-542214224
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-542214224
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-542214224
certificate self-signed 01
   quit
ip source-route
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name Masternet
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn FTX152401DC
!
!
username ******* privilege 15 secret 5 $1$FJ5H$buqflzYdL8pf9wOuZE8wm/
!
!
!
!
!
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description Bellsouth WAN$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ***********
ppp chap password 0 **********
ppp pap sent-username ********** password 0 **********
no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 3000000
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
logging esm config
access-list 23 permit any
access-list 91 permit any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any source-quench
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any time-exceeded
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
banner login ^CYou are using a network that logs all users activities.  If you are not authorized disconnect now.^C
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp update-calendar
ntp server 24.56.178.140 source Wlan-GigabitEthernet0
ntp server 64.90.182.55 prefer source Wlan-GigabitEthernet0
end

Jason

Thanks for posting the output of show run. That clearly shows that the access class is no longer a potential problem. If CCP is still not working then we need to look for something else.

Can you post the output of tracert from your PC to the router?

If you attempt to use CCP do you get any kind of response?

HTH

Rick


Hi,

policy-map type inspect ccp-permit

class class-default

  drop

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

interface Vlan1

description Bellsouth WAN$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

ip address 10.10.10.1 255.255.255.248

ip nat outside

ip virtual-reassembly in

zone-member security out-zone

you are denying all communication from VLAN1 interface to the router and that's why CCP is not working.

Just move interface VLAN 1 into zone-security in-zone and it will work

I also noticed you put your inside interface as a NAT outside interface but it should be a NAT inside interface and furthermore I do not see any other NAT configuration. You should configure Dialer interface as NAT outside and then create an ACL for natting in-zone to out-zone Dialer interface and a NAT statement for this like this:

access-list 199 permit ip 10.10.10.0 0.0.0.7 any

ip nat inside source list 199 interface Dialer0

You should also change your default static like this

no ip route 0.0.0.0 0.0.0.0 FastEthernet4

ip route 0.0.0.0 0.0.0.0 Dialer0

Also add following global config command for testing your ZBF: ip inspect log drop-pkt

Regards.

Alain

Don't forget to rate helpful posts.
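The two checks worked through in this thread (the source address against `ip http access-class 23`, then the zone-pair from the interface's zone to `self`), written as an added Python example that is not code from any poster or from Cisco. The function names and the trimmed `SAMPLE_CONFIG` are constructed for illustration; the ZBF check only flags a policy-map in which no class inspects or passes traffic.

```python
import ipaddress

# Constructed sample: only the lines of the posted configuration that matter here.
SAMPLE_CONFIG = """\
policy-map type inspect ccp-permit
 class class-default
  drop
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
interface Vlan1
 ip address 10.10.10.1 255.255.255.248
 zone-member security out-zone
interface Dialer0
 ip address negotiated
 zone-member security out-zone
ip http access-class 23
access-list 23 permit 10.10.10.0 0.0.0.7
"""


def parse(config):
    """Collect ZBF policies, zone membership, zone-pairs to self and standard ACLs."""
    st = {"policies": {}, "zone_of": {}, "self_pairs": {}, "http_acl": None, "acls": {}}
    kind = name = cls = None  # current section; inside a policy-map, the current class
    for line in config.splitlines():
        w = line.split()
        if not w or w[0].startswith("!"):
            continue
        if w[:3] == ["policy-map", "type", "inspect"] and len(w) > 3:
            kind, name, cls = "policy", w[3], None
            st["policies"][name] = {}
        elif w[0] == "interface" and len(w) > 1:
            kind, name = "iface", w[1]
        elif w[0] == "zone-pair" and "source" in w[:-1] and "destination" in w[:-1]:
            src = w[w.index("source") + 1]
            dst = w[w.index("destination") + 1]
            kind, name = "pair", (src if dst == "self" else None)
        elif kind == "policy" and w[0] == "class":
            cls = w[-1]
            st["policies"][name][cls] = None
        elif kind == "policy" and cls and w[0] in ("inspect", "pass", "drop"):
            st["policies"][name][cls] = w[0]
        elif kind == "iface" and w[:2] == ["zone-member", "security"] and len(w) > 2:
            st["zone_of"][name] = w[2]
        elif kind == "pair" and name and w[:3] == ["service-policy", "type", "inspect"]:
            st["self_pairs"][name] = w[-1]
        elif w[:3] == ["ip", "http", "access-class"] and len(w) > 3:
            st["http_acl"] = w[-1]
        elif w[0] == "access-list" and len(w) > 3 and w[2] in ("permit", "deny"):
            if w[1].isdigit() and int(w[1]) < 100:  # standard numbered ACLs 1-99 only
                st["acls"].setdefault(w[1], []).append((w[2], w[3:]))
    return st


def acl_permits(entries, src):
    """First-match evaluation of a standard ACL with wildcard masks; implicit deny."""
    addr = int(ipaddress.IPv4Address(src))
    for action, spec in entries:
        spec = [t for t in spec if t != "log"]
        if spec[0] == "any":
            net, wild = 0, 0xFFFFFFFF
        elif spec[0] == "host":
            net, wild = int(ipaddress.IPv4Address(spec[1])), 0
        else:
            net = int(ipaddress.IPv4Address(spec[0]))
            wild = int(ipaddress.IPv4Address(spec[1])) if len(spec) > 1 else 0
        # Bits set in the wildcard are "don't care"; all other bits must be equal.
        if ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False


def mgmt_blockers(config, interface, src):
    """Reasons why HTTP/HTTPS from src, arriving on interface, cannot reach the router."""
    st = parse(config)
    reasons = []
    acl = st["http_acl"]
    if acl in st["acls"] and not acl_permits(st["acls"][acl], src):
        reasons.append(f"ip http access-class {acl} denies source {src}")
    zone = st["zone_of"].get(interface)
    policy = st["self_pairs"].get(zone)
    if policy is not None:
        actions = st["policies"].get(policy, {}).values()
        if not any(a in ("inspect", "pass") for a in actions):
            reasons.append(f"zone-pair {zone} -> self uses policy-map {policy}, "
                           "in which no class inspects or passes traffic")
    return reasons


if __name__ == "__main__":
    print(mgmt_blockers(SAMPLE_CONFIG, "Vlan1", "10.10.10.2"))
    # Same config with Vlan1 moved to in-zone, which has no zone-pair to self.
    moved = SAMPLE_CONFIG.replace(" zone-member security out-zone\ninterface Dialer0",
                                  " zone-member security in-zone\ninterface Dialer0")
    print(mgmt_blockers(moved, "Vlan1", "10.10.10.2"))
```
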

Alain,

you are denying all communication from VLAN1 interface to the router and that's why CCP is not working.

Just move interface VLAN 1 into zone-security in-zone and it will work

I also noticed you put your inside interface as a NAT outside interface but it should be a NAT inside interface and furthermore I do not see any other NAT configuration.

Your explanation is now making more sense.  I figured I locked myself out by misconfiguring the NAT.  Can you assist in the proper way I can move the Vlan per your comments above?

I greatly appreciate the proper verbiage for the:

access-list 199 permit ip 10.10.10.0 0.0.0.7 any

ip nat inside source list 199 interface Dialer0

You should also change your default static like this

no ip route 0.0.0.0 0.0.0.0 FastEthernet4

ip route 0.0.0.0 0.0.0.0 Dialer0

Also add following global config command for testing your ZBF: ip inspect log drop-pkt

Can you assist me in the Vlan move?  Thanks!

Jason

Hi,

zone security in-zone

int vlan 1

no ip nat outside

ip nat inside

no zone-member security out-zone

zone-member security in-zone

Regards.

Alain

Don't forget to rate helpful posts.