topic Access to Gaia Portal (WebUI) after R80.20 upgrade in Firewall and Security Management

Access to Gaia Portal (WebUI) after R80.20 upgrade

Oliver_Marzok — Wed, 06 Mar 2019 09:06:54 GMT

Hello,

after upgrading the gateway cluster, consisting of two SG5400HPP, from R80.10 with Jumbo Hotfix Take 154 to R80.20 (with jumbo hotfix take 33) we couldn't reach the GAiA Portal (Admin WebGUI) anymore. We got a certificate error like before, because of a private certificate (from the ICA), but the certificate error now said that it's for a different system. Afterwards, we renewed the certificate by the ICA (gateway cluster object properties --> IPSec VPN) and even added additional informationen like other IPs an the DNS name, but this didn't solved the problem. We could only reach the GAiA Portal via the external IP, but because it's not facing towards the internal side, the standby member isn't reachable. The cluster members still weren't reachbable from the mgmt interface by the admin server (same network as mgmt interface --> mgmt network). Only access via SSH was possible.
We had to fallback via snapshot to R80.10 and afterwards the GAiA Portal was reachable immediately from the mgmt network again.

Are there any differences in the configuration (needed) in R80.20 comparing to R80.10 to solve this issue?

Best regards

Re: Access to Gaia Portal (WebUI) after R80.20 upgrade

Jerry — Wed, 06 Mar 2019 09:20:08 GMT

tellpm process:httpd2
tellpm process:httpd2 t

works now?

Re: Access to Gaia Portal (WebUI) after R80.20 upgrade

Oliver_Marzok — Wed, 06 Mar 2019 09:24:03 GMT

Hello Jerry,

yes, the processes were running. The portal was accessible from the external site like described.
It's seems there're differences in the configuration and dependencies of the certificate in R80.20.

Re: Access to Gaia Portal (WebUI) after R80.20 upgrade

Jerry — Wed, 06 Mar 2019 10:03:42 GMT

httpd2 is equally the same on R80.20 afaik. guys, can you please confirm that?

when you set the WebUI what ports have you specified for it?

Re: Access to Gaia Portal (WebUI) after R80.20 upgrade

Oliver_Marzok — Wed, 06 Mar 2019 10:18:01 GMT

The service is the same, yes.

We didn't changed the Port. It's still the default one 443, only added a path (.../admin).

On R80.10 it's working, and worked immediatly after the fallback to R80.10, but on R80.20 (even after certifcate renewal) it's not working.

Re: Access to Gaia Portal (WebUI) after R80.20 upgrade

Jerry — Wed, 06 Mar 2019 11:07:00 GMT

ok.now I gotcha. change the port from 443 to 4434 and restart the daemon:

tellpm process:httpd2
tellpm process:httpd2 t

make sure that there are no more sockets on tcp/443 running on the same GW.

I had this before and by customizing port it has solved itself plus, bear in mind that tcp/443 is shared on GAIA and for WebUI should be rather NOT USED (my own experience sorry).

is the MAB running there too? if yes - you've got all the answers, if not - please change port to any custom one but 443 and restart httpd2. Cert is another story, easy to re-deploy

Re: Access to Gaia Portal (WebUI) after R80.20 upgrade

Oliver_Marzok — Wed, 06 Mar 2019 13:40:29 GMT

Thank you very much, Jerry. That's sounds realy good.

MAB isn't running, but I think that on R80.20 based on new features, there're more shared services with tcp/443. That would explain why on R80.10 everything is fine and on R80.20 we have issues.

I will first try this at other customers in a few weeks and come back to this one when R80.20 works fine on the others.

Re: Access to Gaia Portal (WebUI) after R80.20 upgrade

Jerry — Wed, 06 Mar 2019 15:24:17 GMT

great stuff. let us know please.

best