SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX210 Jweb - forbidden 403 error

    Posted 07-06-2011 00:20

    Hi All,

     

    Site to site VPN, tunnel built via ethernet cable. Site1 (head office) - SSG-140, Site2 - SRX210 (11.1R1.10).

     

    The problem is that I cannot get JWeb when I'm on Site1 and use http://<Site2 SRX trust interface>; I always get a 403 Forbidden error. However, from Site1, telnet to <Site2 SRX trust interface> port 80 is OK, and telnet to the CLI of the Site2 SRX trust interface is OK.

    From trust zone of Site2 to trust interface Jweb is ok, from Site1 to untrust interface of Site2 is ok as well.

     

    On all zones, system-services all and protocols all are enabled.

     

    Any suggestions?

     

    Thanks in advance,

     

    Dmitry.

     

     



  • 2.  RE: SRX210 Jweb - forbidden 403 error

    Posted 07-06-2011 02:05

    Hi

     

    What's in your [system services web-management]?



  • 3.  RE: SRX210 Jweb - forbidden 403 error

    Posted 07-06-2011 04:38

    Hi,

     

    here it is:

     

    > show configuration system services web-management
    http {
        interface [ vlan.0 ge-0/0/0.0 ];
    }
    https {
        system-generated-certificate;
        interface [ vlan.0 ge-0/0/0.0 ];
    }

     



  • 4.  RE: SRX210 Jweb - forbidden 403 error

    Posted 07-06-2011 04:56

    Not sure why this happens, can you try to temporarily delete the interfaces from http/https?

    This should allow access via any interface. Are you using policy or route based VPN, by the way?



  • 5.  RE: SRX210 Jweb - forbidden 403 error

    Posted 07-06-2011 05:20

    Yes! It is working!

     

    Should I keep it as is, or should I add the interfaces back to system services web-management?

    I'm using route-based VPN.

    BTW, maybe you know how to make "set cli terminal vt100" permanent?

    Otherwise I have to type this command each time I log in to the CLI...



  • 6.  RE: SRX210 Jweb - forbidden 403 error
    Best Answer

    Posted 07-06-2011 06:10

    In the following setup:

      external ------[SRX]------ internal

    You will see Forbidden-403 error if logging in to internal interface from
    external network, if you have web management enabled on internal interface only.

     

    So in your case you should add the tunnel interface (st0.unit) to the list of management interfaces (ge-0/0/0, vlan.0). Then web management should work with the interface list (it's better to use a list if you do not want web management on the internet-facing interface).

    Regarding terminal type, I don't know how to set this command permanently, but for many terminal programs (PuTTY, SecureCRT) it is not needed; all keys work fine right away. I've seen this command needed only for the native Windows telnet client.
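
The behaviour described in the best answer above, as an added example that is not part of the original thread and not Juniper's code: a small Python model that parses the `web-management` stanza from reply 3 and predicts the J-Web result by ingress logical interface. The unit number in `st0.0` and the rule "no interface list means any interface is accepted" are assumptions taken from the thread's description.

```python
import re

# Constructed sample: the web-management stanza as posted in reply 3.
SAMPLE_CONFIG = """\
http {
    interface [ vlan.0 ge-0/0/0.0 ];
}
https {
    system-generated-certificate;
    interface [ vlan.0 ge-0/0/0.0 ];
}
"""

def parse_web_management(text):
    """Map each enabled service (http/https) to its set of allowed interfaces.
    An empty set means no interface list, i.e. no per-interface restriction."""
    services = {}
    for m in re.finditer(r"\b(https?)\b\s*(?:;|\{(.*?)\})", text, re.S):
        allowed = set()
        body = m.group(2) or ""
        for stmt in re.finditer(r"interface\s+(?:\[([^\]]*)\]|(\S+?))\s*;", body):
            allowed.update((stmt.group(1) or stmt.group(2) or "").split())
        services[m.group(1)] = allowed
    return services

def jweb_verdict(services, service, ingress_ifl):
    """Assumed model of the behaviour described in the best answer: the
    decision depends on the logical interface the request arrives on,
    not on which interface owns the destination address."""
    if service not in services:
        return "not enabled"
    allowed = services[service]
    if not allowed or ingress_ifl in allowed:
        return "served"
    return "403 Forbidden"

if __name__ == "__main__":
    cfg = parse_web_management(SAMPLE_CONFIG)
    # Site1 reaches vlan.0's address, but the packets enter through the tunnel.
    for ifl in ("vlan.0", "ge-0/0/0.0", "st0.0"):  # st0.0: assumed unit number
        print(ifl, "->", jweb_verdict(cfg, "http", ifl))
```

Keeping the interface list and adding only the tunnel unit leaves J-Web closed on every interface that is not named, which is the reason the answer prefers the list over removing it.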



  • 7.  RE: SRX210 Jweb - forbidden 403 error

    Posted 07-06-2011 06:32

    Many thanks.

     

    I did not know that st0 should be added because I tried to get access to IP of vlan.0 interface...



  • 8.  RE: SRX210 Jweb - forbidden 403 error

    Posted 09-21-2012 17:19

    I know it's too late to post now, but still posting for someone who is having the same issue.

    1. Please try deleting the interfaces from http and https and then check if this helps.

       These changes are made to physically separate the J-web interface and VPN terminating interfaces.

    2. Also check if the desired interfaces are included under the respective zones and system services http and https are enabled.

    3. If the above methods did not help, then try to kill the http process and restart web-management.

    In my case these steps helped... It might vary based on the problem scenario...

     

    Regards,

     

    Udhaya

     

     

     



  • 9.  RE: SRX210 Jweb - forbidden 403 error

    Posted 12-07-2012 11:14

    I have enabled http and https on all interfaces, and chose the self-signed-certificate as the https certificate, yet I still cannot load the web interface under https (it times out), only http. What might be the problem here-- where should I start looking?

    I can verify the time/date is accurate on the unit.