Cannot access web management through HTTPS despite being configured

juniperjuniper-junosjuniper-srx

I'm configuring a Juniper SRX240 router, and I wanted to set up the HTTPS protocol for web management, as opposed to plain HTTP which is working fine.

I configure HTTPS as documented here, but whenever I attempt to access web management over HTTPS, I'm immediately shown one of many error pages depending on the browser I'm using. The errors vary but suggest that the page cannot be found or the server cannot be reached. If I try with HTTP it works just fine.

I did try changing the HTTPS web management port from 443 to use 8080 instead, and instead of seeing an error page immediately it would just try to load until it timed out. I've also tried restarting the web-management service, and the router itself.

I've had a look at the httpd log and it indicates that HTTP requests are being listened for on port 80, but there's no mention of HTTPS anywhere in the log.

Here are the relevant configuration settings:

system services

services {
    web-management {
        http {
            interface ge-0/0/1.0;
        }
        https {
            system-generated-certificate;
            interface ge-0/0/1.0;
        }
        session {
            idle-timeout 10;
        }
    }
}

interfaces

ge-0/0/1 {
        description "Management Interface";
        unit 0 {
            description "Management Interface";
            family inet {
                address 192.168.1.1/24;
            }
        }
    }

security zones

functional-zone management {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            http;
                            https;
                        }
                    }
                }
            }
            host-inbound-traffic {
                system-services {
                    http;
                    https;
                }
            }
        }

Best Answer

According to Juniper the functional-zone is supposed to be used with the dedicated management interfaces (fxp0). Since this device doesn't have dedicated management interfaces (unless it's set-up as chassis cluster - which in that case interface ge-0/0/0 is assigned to fxp0), you can't use the functional zone.

Also, you have everything configured for interface ge-0/0/1 but you show the configuration of interface ge-0/0/15, so maybe there's a mistake there.

So, if you want to use a non dedicated management interface, you have to use a "normal" security zone. If you want to use the dedicated interface, then you can use the functional zone.

Related Solutions

Juniper SRX240H loses connectivity to upstream router

Here's some version info that should help. I think that the other thing that immediately strikes me is autonegotiation being disabled, which shouldn't be necessary. Is this something that your provider is asking for, or based on learned behaviors? I recommend reading what's out there, since autonegotiation has been recommended for over 10 years. Anything you're connecting to should work fine with it as well (the last time I had issues was on a 3500XL - we're talking ooooold). Check out:

http://etherealmind.com/ethernet-autonegotiation-works-why-how-standard-should-be-set/

First off, Junos 11.4R7.5 is the supported release recommended for SRX240, as of 8 April 2013, per JTAC (since you mentioned versions).

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21476 (need login)

Also, JTAC recommends EEOL releases on SRX or J Series for IPsec features (may or may not apply, but FYI). (For me, the only releases available for SRX240H on juniper.net are 10.4, 11.4, and 12.1 - that may help set your expectations on what to run.)

http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2013-01-822&actionBtn=Search (need login)

You are also running a version that was released before the malformed TCP vulnerability came out. I shudder to think that a live exploit exists, but you definitely need to be on versions that were published around January or February 2013, or later. The versions you need for 11.2 are 11.2R5.5 or 11.2R7.5 (or higher)

http://osvdb.org/89751

I mentioned versions because the SRX is a 'rapidly evolving' platform as well, and anecdotal evidence and hearsay suggests that you'll want to upgrade more frequently.

Juniper – Troubleshooting Unstable Uplink on SRX240 with VPN

With help from our service provider we've been able to localise the problem. The idea I had in my last comment proved correct: the difference between fast ethernet and gigabit ethernet was the source of the problem.

The reason for dropping connections, undeliverable packets and segmented packets was a mismatch in link mode between the fiber switch and the SRX - they hardcoded their port to 100m full duplex, but the SRX had automatic negotiation, which resolved to 100m half duplex.

The problem was further complicated by Juniper's odd configuration of speed and link mode. Just setting these configuration options wasn't enough:

speed 100m;
link-mode full-duplex;

This configuration was accepted, but when running show interfaces ge-0/0/0, it still showed:

Link-level type: Ethernet, MTU: 1514, Link-mode: Half-duplex, Speed: 100mbps,

Apparently, you have to explicitly disable auto-negotiation:

speed 100m;
link-mode full-duplex;
gigether-options {
    no-auto-negotiation;
}

In the end, I found that this guy had the exact same problem (and the solution!)

Thanks for all your help.

Best Answer

Related Solutions

Juniper SRX240H loses connectivity to upstream router

Juniper – Troubleshooting Unstable Uplink on SRX240 with VPN

Related Topic