How to check why login to the web system fails?

Web System Login Failure

1. Checking Whether the PC Pings the Switch Successfully

A PC running a Windows operating system is taken as an example. The management IP address of the switch is 192.168.0.1. On the PC, press Win+R, enter cmd in the dialog box that is displayed, and press Enter. The command-line interface (CLI) is displayed. Enter ping 192.168.0.1 in the CLI and press Enter. If output similar to the following is displayed, the PC pings the switch successfully. If the PC fails to ping the switch, check the network connection status and ensure that no IP address conflict occurs. If the tested PC has two network adapters that use the same external IP address, disable one network adapter and use the other for the test.

C:\Users\xxx> ping 192.168.0.1
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Switches that use factory settings and support first configuration through the web system provide a default IP address for web system login.
E series switches: Hold down the MODE button for 6 seconds or longer. After the switch enters the initial configuration mode, the system sets the IP address of the switch to 192.168.1.253/24 by default.
S1720: The default IP address of VLANIF 1 is 192.168.1.253/24.
Other S series fixed switches (excluding the S1720): Hold down the MODE button for 6 seconds or longer. After the switch enters the initial configuration mode, the system sets the IP address of the switch to 192.168.1.253/24 by default.
NOTE:
For E series switches, all models support first configuration using the web system.
For S series fixed switches (excluding the S1700), only the S1720, S5700LI, S5700S-LI, S5710-X-LI, S5720SI, S5720S-SI, S5720HI, S5720EI, and S6720EI series switches support first configuration using the web system. Among the S5720EI series switches, the S5720-50X-EI-AC, S5720-50X-EI-DC, S5720-50X-EI-46S-DC, and S5720-50X-EI-46S-AC do not support first configuration using the web system.
The IP address 192.168.1.253/24 is used for first login through the web system. To ensure successful login using this IP address, the switch must use factory settings. It is recommended that you do not log in to the switch through the console interface. Performing any operation through the console interface makes the first login to the switch through the web system fail. After successful login, you can change the management IP address of the switch in the web system.

2. Checking Whether the Web Package Matches the System Software Package

In versions earlier than V200R005, the switch requires a separate web package to display the web page. Log in to the switch using the CLI and run the dir command to check whether the correct web package has been uploaded.

<HUAWEI> dir
Directory of flash:/
   1  -rw-     31,488,244  Jul 10 2015 00:06:42   s5700hi-v200r003c00spc300.cc
  28  -rw-        685,821  Jan 04 2016 11:12:18   s5700hi-v200r003c00.001.web.7z

Run the following command to check whether the web package has been loaded. XXXX.web.7z indicates the web package name.

<HUAWEI> display current-configuration | include http
http server load XXXX.web.7z

Obtain the mapping between the web package and system software version in the Release Notes or Patch Release Notes, and check whether the web package matches the system software package. If not, log in to http://support.huawei.com/enterprise/, download the corresponding web package, and load it on the switch. The loading method is as follows:

[HUAWEI] http server load xxxx.web.7z

NOTE:
In versions earlier than V200R001, the web package is in the .web.zip format.


3. Checking Whether the HTTP Server Is Enabled

Check whether the HTTP server is enabled.

<HUAWEI> display http server
HTTP Server Status: enabled
HTTP Server Port:80(80)
HTTP Timeout Interval:60
Current Online Users:2
Maximum Users Allowed:5
HTTP Secure-server Status: enabled
HTTP Secure-server Port:443(443)
HTTP SSL Policy:Default
HTTP IPv6 Server Status:disabled
HTTP IPv6 Server Port:80(80)
HTTP IPv6 Secure-server Status:disabled
HTTP IPv6 Secure-server Port:443(443)
HTTP server source address: 0.0.0.0

If HTTP Server Status displays disabled, the HTTP server is disabled. Run the following command to enable this function.

[HUAWEI] http secure-server enable
[HUAWEI] http server enable

 

4. Checking Whether the Number of Login Web Users Reaches the Maximum Value

Run the display http server command in any view to check values of Current Online Users and Maximum Users Allowed.
For example, check the number of online users.

<HUAWEI> display http server
   HTTP Server Status         : disabled
   HTTP Server Port           : 80(80)
   HTTP Timeout Interval      : 20  
   Current Online Users       : 5  //Number of online users
   Maximum Users Allowed      : 5  // Maximum number of allowed online users
   HTTP Secure-server Status  : disabled
   HTTP Secure-server Port    : 443(443)
   HTTP SSL Policy            : ssl_server

If the number of online users reaches the maximum number of allowed online users (as shown in the preceding command output), you can log in to the switch only after another user goes offline.

5. Checking Whether the Web User Is Locked

Take the user with the user name admin as an example. Run the display local-user username admin command in the AAA view to check the user status.
If the State field displays block, the user is locked. The value of the Block-time-left field indicates the remaining locking time. The user can attempt to log in to the switch again after the remaining locking time expires.

<HUAWEI> display local-user username admin
  The contents of local user(s):
  Password                        : **************** 
  State                          : block
  Service-type-mask               : FTH
  Privilege level                 : 15
  Ftp-directory                   : - 
  HTTP- directory                 : -
  Access-limit                    : - 
  Accessed-num                    : 3
  Idle-timeout                    : - 
  Block-time-left    : 4 Min(s)
  Original-password    : No                                                    
  Password-set-time    : 2015-12-14 15:02:26-10:00                                
  Password-expired     : No                                                       
  Password-expire-time : 2015-12-14 15:02:26-10:00                                
  Account-expire-time  : -
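
Checks 3 to 5 can be run in one pass over saved command output. The following Python is an added example, not part of the original procedure or of any Huawei tool; the function names are hypothetical and the sample text is trimmed from the outputs shown above.

```python
# Added example: triage of "display http server" and "display local-user"
# output for checks 3-5. Function names are hypothetical.

def parse_fields(output):
    """Turn 'Name : value' lines of VRP display output into a dict."""
    fields = {}
    for line in output.splitlines():
        line = line.split("//", 1)[0]      # drop the page's inline annotations
        if ":" not in line:
            continue                       # prompt lines and separators
        name, value = line.split(":", 1)   # split once: values may contain ':'
        fields[name.strip().lower()] = value.strip()
    return fields

def login_blockers(http_out, user_out=""):
    """Return the reasons, from checks 3-5, why web login would fail."""
    http, user = parse_fields(http_out), parse_fields(user_out)
    reasons = []
    if http.get("http server status") == "disabled":
        reasons.append("HTTP server disabled")
    if http.get("http secure-server status") == "disabled":
        reasons.append("HTTPS server disabled")
    online = int(http.get("current online users", 0))
    limit = int(http.get("maximum users allowed", 0))
    if limit and online >= limit:
        reasons.append(f"user limit reached ({online}/{limit})")
    if user.get("state") == "block":
        reasons.append("account locked, " + user.get("block-time-left", "?") + " left")
    return reasons

# Samples trimmed from the page: aligned layout (check 4), compact layout (check 3).
HTTP_FULL = """<HUAWEI> display http server
   HTTP Server Status         : disabled
   HTTP Timeout Interval      : 20
   Current Online Users       : 5  //Number of online users
   Maximum Users Allowed      : 5
   HTTP Secure-server Status  : disabled"""

HTTP_OK = """HTTP Server Status: enabled
HTTP Server Port:80(80)
Current Online Users:2
Maximum Users Allowed:5
HTTP Secure-server Status: enabled"""

USER_LOCKED = """  State                          : block
  Block-time-left    : 4 Min(s)"""

if __name__ == "__main__":
    for reason in login_blockers(HTTP_FULL, USER_LOCKED):
        print("BLOCKER:", reason)
```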

 

6. Checking Whether Access Rights Control Is Configured for the Web Client

  1. Check whether an ACL is configured on the HTTP server.

Run the display current-configuration filter http acl command in any view to check whether there is the configuration of http acl acl-number in the system. If there is the configuration of http acl acl-number in the system, record the ACL number.
Run the display acl acl-number command in any view to check whether the IP address of the web client is denied in the ACL.

If the IP address of the web client is denied in the ACL, run the undo rule rule-id command in the ACL view to delete the deny rule and use the corresponding command to modify the ACL to allow the IP address of the web client.

  2. Check whether traffic-filter is configured to deny access from the web client to the switch.

Run the display current-configuration filter traffic-filter inbound acl command in any view to check whether there is the configuration of traffic-filter inbound acl acl-number.
If there is the configuration of traffic-filter inbound acl acl-number, record the ACL number.
Run the display acl acl-number command in any view to check whether the IP address of the web client is denied in the ACL.
If the IP address of the web client is denied in the ACL, run the undo rule rule-id command in the ACL view to delete the deny rule and use the corresponding command to modify the ACL to allow the IP address of the web client.
As shown in the following command output, GE0/0/8 on the switch is directly connected to the PC and denies access from the PC.

[HUAWEI] display current-configuration filter traffic-filter inbound acl //Check the configuration of traffic-filter inbound acl acl-number.
#GigabitEthernet0/0/8
traffic-filter inbound acl 3000
#
[HUAWEI] display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 permit ip source 10.1.1.2 0 //Assume that the IP address of the PC is 10.1.1.2. The ACL rule matches all packets with the source IP address 10.1.1.2.
[HUAWEI] undo acl 3000 //Run the undo rule rule-id command to delete the ACL rule and use the corresponding command to modify the ACL to allow the IP address of the web client. Alternatively, run the undo acl 3000 command to directly delete the ACL.

 

  3. Check whether traffic-policy is configured to deny access from the web client to the switch.

Run the display traffic-policy applied-record command in any view to check information about the applied traffic policy.

[HUAWEI] display traffic-policy applied-record
-------------------------------------------------
  Policy Name:   http
  Policy Index:  0
     Classifier:http     Behavior:http  //The traffic classifier http and traffic behavior http are associated with the traffic policy http.
-------------------------------------------------
*interface GigabitEthernet0/0/8
    traffic-policy http inbound  //The traffic policy http is applied to the inbound direction of GE0/0/8.
      slot 0   :  success
-------------------------------------------------
  Policy total applied times: 1.

Run the display traffic behavior user-defined behavior-name command in any view to check whether the traffic behavior associated with the traffic policy contains a deny action.

[HUAWEI] display traffic behavior user-defined http
  User Defined Behavior Information:
    Behavior: http
      Deny     //The traffic behavior http contains a deny action.

Run the display traffic classifier user-defined classifier-name command in any view to check the number of the ACL associated with the traffic classifier in the traffic policy.

[HUAWEI] display traffic classifier user-defined http
  User Defined Classifier Information:
   Classifier: http
    Precedence: 5
    Operator: OR
    Rule(s) : if-match acl 3000  //The ACL associated with the traffic classifier http is ACL 3000.

Run the display acl acl-number command in any view to check the ACL content.

[HUAWEI] display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 permit ip source 10.1.1.2 0 //Assume that the IP address of the PC is 10.1.1.2. The ACL rule matches all packets with the source IP address 10.1.1.2.

If the traffic policy denies access from the web client to the switch, run the undo rule rule-id command in the ACL view to delete the deny rule and use the corresponding command to modify the ACL to allow the IP address of the web client. Alternatively, unbind the traffic policy.
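
Reading an ACL for check 6 means finding the first rule whose source address and wildcard cover the web client's address. The following Python is an added example, not Huawei's code: the function names are hypothetical, rules are assumed to be evaluated in ascending rule-ID order, ACL 3000 is the page's sample and ACL 3001 is constructed.

```python
import ipaddress
import re

RULE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+ip(?:\s+source\s+(\S+)\s+(\S+))?")

def to_int(token):
    """'0' is the shorthand the page uses for wildcard 0.0.0.0 (exact host)."""
    return 0 if token == "0" else int(ipaddress.IPv4Address(token))

def parse_acl(display_acl_output):
    """Return (rule_id, action, source, wildcard) tuples in rule-ID order."""
    rules = []
    for line in display_acl_output.splitlines():
        m = RULE.search(line.split("//", 1)[0])   # ignore inline annotations
        if m:
            rid, action, src, wild = m.groups()
            if src is None:                       # no source clause: any address
                src, wild = "0.0.0.0", "255.255.255.255"
            rules.append((int(rid), action, to_int(src), to_int(wild)))
    return sorted(rules)   # assumption: match order follows ascending rule ID

def first_match(acl_output, client_ip):
    """First rule whose source/wildcard covers client_ip, else None."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for rid, action, src, wild in parse_acl(acl_output):
        if ((ip ^ src) & ~wild & 0xFFFFFFFF) == 0:   # wildcard bits are ignored
            return rid, action
    return None

def filter_denies(acl_output, client_ip):
    """http acl / traffic-filter check: is the client hit by a deny rule?"""
    hit = first_match(acl_output, client_ip)
    return hit is not None and hit[1] == "deny"

def policy_denies(acl_output, behavior, client_ip):
    """Traffic-policy case on the page: permit rule selects, Deny behavior drops."""
    hit = first_match(acl_output, client_ip)
    return hit is not None and hit[1] == "permit" and behavior.lower() == "deny"

ACL_3000 = """Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 permit ip source 10.1.1.2 0"""            # sample from the page

ACL_3001 = """Advanced ACL 3001, 2 rules
Acl's step is 5
 rule 5 permit ip source 10.1.1.2 0
 rule 10 deny ip source 10.1.1.0 0.0.0.255"""     # constructed sample

if __name__ == "__main__":
    print(policy_denies(ACL_3000, "Deny", "10.1.1.2"))   # page's traffic-policy case
    print(first_match(ACL_3001, "10.1.1.9"))             # subnet deny rule
```

Other combinations of ACL action and traffic behavior are not evaluated by policy_denies; it covers only the combination shown in the command output above.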

7. Checking Whether the Browser Configuration Is Correct

  1. Change the browser. Use a supported operating system and browser to access the web system page.

If a browser or browser patch in an earlier version is used, the web page may not be properly displayed. Upgrade the browser and browser patch. In addition, the browser must support JavaScript.
If you log in to an S switch running V100R006C05, V200R001, V200R002, or V200R003 through the web system, the browser must be Internet Explorer 6.0 or Firefox 3.0.
Table 1 describes browser version requirements for login to S switches running V200R005 to V200R009 through the EasyOperation and Classic web systems. After entering the web user name admin and password Helloworld@6789, click GO or press Enter to access the web system home page. By default, the switch uses the EasyOperation web system.

Table 1 Mapping between the product version and browser version

| Product Version | Browser Version for EasyOperation Web System | Browser Version for Classic Web System |
| --- | --- | --- |
| V200R005 | Internet Explorer 8.0, Firefox 12.0, or Google Chrome 23.0 and later | Internet Explorer 8.0 or Firefox 12.0 and later |
| V200R006 | Internet Explorer 8.0 to 11.0, Firefox 12.0 to 28.0, or Google Chrome 23.0 to 32.0 | Internet Explorer 8.0 to 11.0 or Firefox 12.0 to 28.0 |
| V200R007 | Internet Explorer 8.0 to 11.0, Firefox 12.0 to 32.0, or Google Chrome 23.0 to 37.0 | Internet Explorer 8.0 to 11.0 or Firefox 12.0 to 32.0 |
| V200R008 | Internet Explorer 10.0, Internet Explorer 11.0, Firefox 31.0 to 35.0, or Google Chrome 30.0 to 39.0 | Internet Explorer 10.0, Internet Explorer 11.0, or Firefox 31.0 to 35.0 |
| V200R009 | Internet Explorer 10.0, Internet Explorer 11.0, or Firefox 31.0 to 35.0 | Internet Explorer 10.0, Internet Explorer 11.0, or Firefox 35.0 to 43.0 |

  2. If the browser proxy is incorrectly configured, the page cannot be displayed. If the browser proxy is configured, disable it temporarily. Choose Tools > Internet Options > Connections > LAN settings > Proxy server in Internet Explorer, as shown in Figure 1.

Figure 1 Browser settings

  3. The web page may not be displayed because of the browser cache.

If you use the same PC to access web systems in different versions, the web page may be displayed incorrectly. For example, the field label or language is incorrect. Generally, the problem is caused by the browser cache. You can clear the browser cache.
If the switch’s software version changes, for example, the software version is upgraded or downgraded, you are advised to clear the browser cache before using the web system. Otherwise, the web page may not be properly displayed.

8. Checking Whether the Login Account Configuration Is Correct

If the authentication fails, the user name or password may be incorrect. You can reconfigure the login account based on the following example.
In this example, the user name is admin and the password is xxxx. If the account configuration is incorrect, run the aaa command to enter the AAA view, reconfigure the account based on the following commands, and log in to the web system.

[HUAWEI] aaa
[HUAWEI-aaa] local-user admin password cipher xxxx
[HUAWEI-aaa] local-user admin privilege level 15
[HUAWEI-aaa] local-user admin service-type telnet http

 

9. Collecting Information and Seeking Technical Support

If the fault persists, collect related information and seek technical support.

  1. Collecting Fault Information

Collect operation results of the preceding steps and record the results in a file.
Collect all diagnostic information and export the information to a file.
Run the display diagnostic-information file-name command in the user view to collect diagnostic information and save the information to a file.

<HUAWEI> display diagnostic-information dia-info.txt
Now saving the diagnostic information to the device
100%
Info: The diagnostic information was saved to the device successfully.

When the diagnostic file is generated, you can export the file from the device using FTP, SFTP, or SCP.
NOTICE:
You can run the dir command in the user view to check whether the file is generated.
You can also run the display diagnostic-information command and save terminal logs in a diagnostic file on a disk.
If this command displays a long output, press Ctrl+C to abort this command.
This command displays diagnostic information, which helps locate faults but may affect system performance. For example, CPU usage may become high. Therefore, do not use this command when the system is running properly.
Do not run the display diagnostic-information command simultaneously on multiple terminals connected to the device, because CPU usage of the device may increase noticeably and the device performance may be degraded.

Collect the log and trap information on the device and export the information to files.
Run the save logfile all command in the user view to save the logs in the user log buffer area and diagnostic log buffer area to the user log file and diagnostic log file, respectively.

<HUAWEI> save logfile all
Info: Save logfile successfully.
Info: Save diagnostic logfile successfully.

When the diagnostic file is generated, you can export the file from the device using FTP, SFTP, or SCP.
NOTE:
You can also run the display logbuffer and display trapbuffer commands to view the log and trap information on the device, and save the information in diagnostic files on a disk.

  2. Seek technical support.

Contact csd@telecomate.com to seek technical support.
NOTE:
Technical support personnel will provide instructions for you to submit all the collected information and files, so that they can locate faults.