1

Have a Netscreen that appears to be functioning correctly (it's in production and has been for several years), but yet is not allowing me into the Web interface on port 80 or 443 (also tried 8080). Tried telnetting to 22 and 23 as well. Any attempt to connect times out. I've nmap'ed the IP on the internal interface and all ports show as being filtered, but as far as I recall, it was listening on 80. Also tried the external interface as it was set up for remote management, but can't connect that way either.

It was working last time I tried getting into it (last fall, I think).

I've cycled the power on it twice (pulled the adapter, waited 30 seconds, plugged it back in), but no dice.

Cian
gravyface

6 Answers

1

Console into the firewall as kageeslin suggested, then do a 'get interface ' and look for something like this:

Interface ethernet0/0(VSI):
  description ethernet0/0
  link up, phy-link up/full-duplex
  vsys Root, zone Untrust, vr trust-vr, vsd 0
  *ip 192.168.1.1/24   mac abcd.abcd.abcd
  manage ip 192.168.1.2, mac abcd.abcd.abcd
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled

Make sure you are trying to connect to one of your manageable interfaces and also make sure that it has a route back to you (get route). Can the firewall ping your PC?

[edited for additional testing steps]

Once you have console access:

Check the admin ports that the web server is listening on:

get conf | inc admin

Try setting a filter for your connection and debug.

clear dbuf
set ffilter src-ip <your ip address>
debug flow basic
[try the connection again]
sh db str
Peter
  • routes should be fine: it's in production (doing NAT/firewalling/IPSec tunnel, etc.) and I'm remoted into the server on the same network as the management interface where I've accessed it before (had it bookmarked). – gravyface Jul 16 '09 at 00:37
  • Are the "manage" lines on that interface still enabled? – Peter Jul 16 '09 at 11:16
  • Could it be that you allowed management access not for your whole network, but only for a specific IP? (You should see that in get conf | inc admin) – Marie Fischer Jul 16 '09 at 13:52
0

If you have something forwarded through the firewall on port 80, the firewall will change its default interface to 8000. Try the IP with port 8000 in your web browser and it should work.

0

Hilariously enough, I found my co-worker's question while googling the same question. The answer to this wound up being

set admin manager-ip 192.168.1.0 255.255.255.0

set admin port 8887

Admin port might not have been needed, but at least then I could be sure. Previous IT provider had in fact set the admin manager-ip to be the internet IP on the client at the time which was entirely out of date. God bless those guys in the red clown cars.

nosf
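
The manager-ip mismatch described in the answer above can be checked offline from pasted console output. This is an added example, not code from the original answers: the function names and sample text are constructed for illustration, and it assumes that an empty manager-ip list permits any source and that the admin port defaults to 80.

```python
import ipaddress
import re

# Constructed `get conf | inc admin` output with a stale manager-ip (203.0.113.10 is a documentation address)
SAMPLE_ADMIN = """\
set admin manager-ip 203.0.113.10 255.255.255.255
set admin port 8887
"""
# Manage lines in the format of the `get interface` output quoted in the first answer
SAMPLE_IFACE = """\
  manage ip 192.168.1.2, mac abcd.abcd.abcd
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
"""

def parse_admin(text):
    """Return (permitted manager networks, admin port) from admin config lines."""
    nets, port = [], 80  # assumption: port 80 when no `set admin port` line is present
    for line in text.splitlines():
        m = re.match(r"\s*set admin manager-ip (\S+)(?: (\S+))?\s*$", line)
        if m:
            mask = m.group(2) or "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{mask}", strict=False))
        m = re.match(r"\s*set admin port (\d+)\s*$", line)
        if m:
            port = int(m.group(1))
    return nets, port

def manage_services(text):
    """Map service name (lower-cased) to True/False from 'X enabled, Y disabled' lines."""
    return {name.lower(): state == "enabled"
            for name, state in re.findall(r"([\w-]+) (enabled|disabled)", text)}

def diagnose(client_ip, admin_text, iface_text):
    """Return (admin port, list of reasons a WebUI connection from client_ip would fail)."""
    nets, port = parse_admin(admin_text)
    svc = manage_services(iface_text)
    problems = []
    if not svc.get("web"):
        problems.append("web management disabled on interface")
    ip = ipaddress.ip_address(client_ip)
    # Assumption: with no manager-ip entries, any source address may manage the device
    if nets and not any(ip in n for n in nets):
        allowed = ", ".join(str(n) for n in nets)
        problems.append(f"{client_ip} not covered by manager-ip ({allowed})")
    return port, problems

if __name__ == "__main__":
    print(diagnose("192.168.1.50", SAMPLE_ADMIN, SAMPLE_IFACE))
```
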
0

Have you tried to access via console cable?

geeklin
0

Have you tried from a local subnet as well, just in case routing is fubar'd?

Matt Simmons
0

There's an odd behaviour with the web interface particularly. If you enter your username and password and press enter, the fields will be cleared and it looks like your password was not accepted. If you click the actual submit button you'll be able to log in. I ended up resetting the whole device before realizing this myself.

Tungsten