New Member

Can't access 819 Router via CCP anymore

I have been setting up an 819HGW and seem to have locked myself out of the CCP interface. I can still access the unit via CCP Express and CLI but need to be able to access it via the full CCP. I was finishing up the unit and configuring WAAS Express, and I'm not sure what change has affected this.

If I now try to access via CCP I get the below error. I have checked http and https via CLI.

"Security Applet failed on device 172.16.81.1 with error The HTTP and HTTPS protocols are not enabled on the router that you are attempting to discover. To discover the router, first use the Cisco IOS CLI to enable HTTP or HTTPS. Then discover the router."

17 REPLIES

Re: Can't access 819 Router via CCP anymore

Hi,

Since you can access via CLI, could you post 'show run'?

Make sure you've got:

ip http server
ip http secure-server



New Member

Re: Can't access 819 Router via CCP anymore

       removed config

Re: Can't access 819 Router via CCP anymore

Hi,

From which subnet are you accessing CCP? What's your ipconfig?

Also, what username did you use?

New Member

Re: Can't access 819 Router via CCP anymore

Hi,

I was using 172.16.81.x (local) and via VPN before, but now neither works for CCP, but both work for CLI.

Username is ciscoadmin.

Re: Can't access 819 Router via CCP anymore

Hi,

Could you try:

no class-map type inspect match-all sdm-access
class-map type inspect match-any sdm-access
 match class-map sdm-cls-access
 match access-group 104
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTP
ip access-list extended SDM_HTTP
 permit tcp any any eq 80

New Member

Re: Can't access 819 Router via CCP anymore

Hi,

Entered all; the line "no class-map type inspect match-all sdm-access" replies back with "% Class-map sdm-access is being used".

Discovery in CCP still fails.

Re: Can't access 819 Router via CCP anymore

Hi,

Try the below first, then do the previous CLI given, and then put the service-policy back under the zone pair.

zone-pair security ccp-zp-out-self source out-zone destination self
 no service-policy type inspect ccp-permit

New Member

Re: Can't access 819 Router via CCP anymore

Hi

I am still getting the previous reply back "% Class-map sdm-access is being used"

Purple

Can't access 819 Router via CCP anymore

Hi,

interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$CVO$$FW_INSIDE$
 ip address 172.16.81.1 255.255.255.0
 ip access-group 100 in

access-list 100 deny   tcp any host 172.16.81.1 eq www
access-list 100 deny   tcp any host 172.16.81.1 eq 443

This is what is blocking the communication from the local LAN.

Regards

Alain

Don't forget to rate helpful posts.

New Member

Re: Can't access 819 Router via CCP anymore

I have allow lists above for specific subnets

Purple

Can't access 819 Router via CCP anymore

Hi,

Is it still not working from your LAN? If so, enter this command on the router: ip inspect log drop-pkt, then enable console logging with the logging on and logging console 6 commands, then try again with CCP and give us the log output you get, if any.

Regards

Alain

New Member

Can't access 819 Router via CCP anymore

Hi,

Nothing seems to be showing in the logs when using CCP. This was all working, and the last thing I modified was the WAAS Express.

Purple

Can't access 819 Router via CCP anymore

Hi,

Can you show us the output from following:

-sh ip interface Vlan1

-sh access-list

Regards

Alain

New Member

Re: Can't access 819 Router via CCP anymore

  
Vlan1 is up, line protocol is up
  Internet address is 172.16.81.1/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 100
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching (with notification) turbo vector
  IP Null turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain inside
  BGP Policy Mapping is disabled
  Input features: Common Flow Table, Stateful Inspection, Virtual Fragment Reass
embly, Access List, Virtual Fragment Reassembly After IPSec Decryption, MCI Chec
k, TCP Adjust MSS
  Output features: NAT Inside, Common Flow Table, Stateful Inspection, CCE Post
NAT Classification, Firewall (firewall component), TCP Adjust MSS, NAT ALG proxy
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled

Standard IP access list 1
    10 permit 10.10.10.0, wildcard bits 0.0.0.7
Standard IP access list 2
    10 permit 172.16.1.231
    20 permit ## ExtIP ##
    30 permit 172.16.200.0, wildcard bits 0.0.0.255 (13 matches)
    40 permit 172.16.1.0, wildcard bits 0.0.0.255
    50 permit 172.16.81.0, wildcard bits 0.0.0.255
Extended IP access list 100
    10 permit tcp 172.16.200.0 0.0.0.255 host 172.16.81.1 eq telnet
    20 permit tcp 172.16.1.0 0.0.0.255 host 172.16.81.1 eq telnet
    30 permit tcp 172.16.81.0 0.0.0.255 host 172.16.81.1 eq telnet
    40 permit tcp 172.16.200.0 0.0.0.255 host 172.16.81.1 eq 22
    50 permit tcp 172.16.1.0 0.0.0.255 host 172.16.81.1 eq 22
    60 permit tcp 172.16.81.0 0.0.0.255 host 172.16.81.1 eq 22
    70 permit tcp host ## ExtIP ## host 172.16.81.1 eq 22
    80 permit tcp 172.16.200.0 0.0.0.255 host 172.16.81.1 eq www
    90 permit tcp 172.16.1.0 0.0.0.255 host 172.16.81.1 eq www
    100 permit tcp 172.16.81.0 0.0.0.255 host 172.16.81.1 eq www
    110 permit tcp 172.16.200.0 0.0.0.255 host 172.16.81.1 eq 443
    120 permit tcp 172.16.1.0 0.0.0.255 host 172.16.81.1 eq 443
    130 permit tcp 172.16.81.0 0.0.0.255 host 172.16.81.1 eq 443
    140 permit tcp host ## ExtIP ## host 172.16.81.1 eq 443
    150 permit tcp 172.16.200.0 0.0.0.255 host 172.16.81.1 eq cmd
    160 permit tcp 172.16.1.0 0.0.0.255 host 172.16.81.1 eq cmd
    170 permit tcp 172.16.81.0 0.0.0.255 host 172.16.81.1 eq cmd
    180 permit tcp host ## ExtIP ## host 172.16.81.1 eq cmd
    190 deny tcp any host 172.16.81.1 eq telnet
    200 deny tcp any host 172.16.81.1 eq 22
    210 deny tcp any host 172.16.81.1 eq www
    220 deny tcp any host 172.16.81.1 eq 443
    230 deny tcp any host 172.16.81.1 eq cmd
    240 deny udp any host 172.16.81.1 eq snmp
    250 permit udp host 172.16.1.13 eq ntp host 172.16.81.1 eq ntp
    260 deny ip host 255.255.255.255 any
    270 deny ip 127.0.0.0 0.255.255.255 any
    280 permit ip any any (44661 matches)
Extended IP access list 101
    10 permit udp any eq bootps any eq bootpc
    20 deny ip 10.10.10.0 0.0.0.255 any
    30 permit icmp any any echo-reply
    40 permit icmp any any time-exceeded
    50 permit icmp any any unreachable
    60 deny ip 10.0.0.0 0.255.255.255 any
    70 deny ip 172.16.0.0 0.15.255.255 any
    80 deny ip 192.168.0.0 0.0.255.255 any
    90 deny ip 127.0.0.0 0.255.255.255 any
    100 deny ip host 255.255.255.255 any
    110 deny ip any any
Extended IP access list 102
    10 permit ip 172.16.200.0 0.0.0.255 any (8 matches)
    20 permit ip 172.16.1.0 0.0.0.255 any (4 matches)
    30 permit ip 172.16.81.0 0.0.0.255 any
    40 permit ip host ## ExtIP ## any
Extended IP access list 103
    10 permit ip host 255.255.255.255 any
    20 permit ip 127.0.0.0 0.255.255.255 any
Extended IP access list 104
    10 permit ip host ## ExtIP ## any
Extended IP access list 105
    10 permit ip host ## ExtIP ## any
Extended IP access list 106
    10 permit ip 172.16.0.0 0.0.255.255 any
Extended IP access list 198
    10 permit ip any any (23950 matches)
Extended IP access list SDM_AH
    10 permit ahp any any
Extended IP access list SDM_ESP
    10 permit esp any any
Extended IP access list SDM_HTTPS
    10 permit tcp any any eq 443
Extended IP access list SDM_IP
    10 permit ip any any (66657 matches)
Extended IP access list SDM_SHELL
    10 permit tcp any any eq cmd
Extended IP access list SDM_SSH
    10 permit tcp any any eq 22
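
Cisco IOS evaluates an extended ACL from the top and stops at the first entry that matches, so whether the permit entries 80-130 or the deny entries 210-220 of access list 100 decide an HTTP/HTTPS packet depends on its source address. The following is an added example, not part of any post in this thread: a small Python evaluator run over entries copied from the output above. The function names, the port-name table and the addresses used to query it are assumptions, and the parser only handles the destination `eq` form that those entries use.

```python
import ipaddress
import re

# Entries copied from "Extended IP access list 100" in the thread. The redacted
# "## ExtIP ##" entries and the non-HTTP(S) entries are left out for brevity.
ACL_100 = """\
80 permit tcp 172.16.200.0 0.0.0.255 host 172.16.81.1 eq www
90 permit tcp 172.16.1.0 0.0.0.255 host 172.16.81.1 eq www
100 permit tcp 172.16.81.0 0.0.0.255 host 172.16.81.1 eq www
110 permit tcp 172.16.200.0 0.0.0.255 host 172.16.81.1 eq 443
120 permit tcp 172.16.1.0 0.0.0.255 host 172.16.81.1 eq 443
130 permit tcp 172.16.81.0 0.0.0.255 host 172.16.81.1 eq 443
210 deny tcp any host 172.16.81.1 eq www
220 deny tcp any host 172.16.81.1 eq 443
280 permit ip any any (44661 matches)
"""
PORTS = {"www": 80}  # IOS prints some well-known ports by name

def _addr(tok):
    # Consume one address spec (any | host A | A WILDCARD); return a matcher.
    first = tok.pop(0)
    if first == "any":
        return lambda ip: True
    if first == "host":
        host = ipaddress.ip_address(tok.pop(0))
        return lambda ip: ip == host
    base, wild = (int(ipaddress.ip_address(a)) for a in (first, tok.pop(0)))
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return lambda ip: (int(ip) & care) == (base & care)

def parse(text):
    # Assumption: only the "eq PORT" destination form is handled.
    rules = []
    for line in text.splitlines():
        tok = re.sub(r"\(\d+ match(es)?\)", "", line).split()
        if not tok:
            continue
        seq, action, proto = int(tok.pop(0)), tok.pop(0), tok.pop(0)
        src, dst = _addr(tok), _addr(tok)
        port = (PORTS.get(tok[1]) or int(tok[1])) if tok[:1] == ["eq"] else None
        rules.append((seq, action, proto, src, dst, port))
    return rules

def first_match(rules, proto, src, dst, dport):
    # Return (sequence number, action) of the first entry the packet matches.
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and rsrc(src) and rdst(dst) and rport in (None, dport):
            return seq, action
    return None, "deny"  # implicit deny when nothing matches
```

Calling `first_match(parse(ACL_100), "tcp", "172.16.81.50", "172.16.81.1", 80)` reports which sequence number decides a LAN client's HTTP request to the router; the entry it names is the one whose match counter should move in `sh access-list 100`.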

Purple

Can't access 819 Router via CCP anymore

Hi,

Can you provide the requested outputs?

Regards

Alain

New Member

Re: Can't access 819 Router via CCP anymore

Sorry, had to edit above, pasting error.

Purple

Can't access 819 Router via CCP anymore

Hi,

OK, can you clear your access-list counters, then do sh access-list 100 to make sure the counters are cleared, then try to connect from inside with CCP and do a sh access-list 100 again to see the increasing counters?

Regards

Alain
