USG6630 SSL VPN web proxy cannot open the eSight page

Published: 2016-11-17  Views: 205  Downloads: 0
Problem description

Network topology:

On the Internet side, the USG6630 is configured with an SSL VPN web proxy whose web link points to the eSight management page;

The USG6630 and the switch run the OSPF routing protocol

Symptom:

Clicking the link (link content http://10.0.23.252:8080) opens the page shown before the redirect; after clicking Continue, the page reports that it cannot be opened

The page that cannot be opened:

Troubleshooting process

1. Test connectivity from the firewall to eSight: ping succeeds

2. Debug the web proxy on the firewall

[usg]diagnose

[usg-diagnose]debugging web-proxy client all

[usg-diagnose]debugging web-proxy server all

[usg-diagnose]terminal debugging

[usg-diagnose]terminal monitor

<click the web proxy resource "esight", reproduce the problem>

[usg-diagnose]undo terminal debugging

[usg-diagnose]undo terminal monitor

[usg-diagnose]undo debugging all

3. Analysis of the debug output: the TCP connection to 10.0.23.252:8080 is established successfully, but the SSL connection to 10.0.23.252:31943 fails


*0.5360330 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=732] WPM_ClientConnectToServer() -> Connect to 0a0017fc.8080 ...                       //10.0.23.252:8080

*0.5360330 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=747] WPM_ClientConnectToServer() -> Waiting connect ...

*0.5360330 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=466] WPM_ServerDataUpperCB() -> WPM_HTTPREQUEST_PROCESS_RESULT_DONE

*0.5360330 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=229] WPM_ClientConnNetEvtSendCB() -> Begin send network data.

*0.5360330 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=732] WPM_ClientConnectToServer() -> Connect to 0a0017fc.8080 ...

*0.5360330 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=1010] WPM_ClientConnCloseWriteEvent() -> Close WPM_ClientConn write event.

*0.5360340 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=794] WPM_ClientConnectToServer() -> Connect to 0a0017fc.8080 Succ

*0.5360340 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=813] WPM_ClientConnectToServer() -> Switch ClientConn(0xd80073a0) State to WPM_CLIENTCONN_STATE_CONNECTED.


*0.5360530 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=732] WPM_ClientConnectToServer() -> Connect to 0a0017fc.31943 ...                  //10.0.23.252:31943

*0.5360530 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=747] WPM_ClientConnectToServer() -> Waiting connect ...

*0.5360530 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=466] WPM_ServerDataUpperCB() -> WPM_HTTPREQUEST_PROCESS_RESULT_DONE

*0.5360530 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=732] WPM_ClientConnectToServer() -> Connect to 0a0017fc.31943 ...

*0.5360530 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=1010] WPM_ClientConnCloseWriteEvent() -> Close WPM_ClientConn write event.

*0.5360530 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=794] WPM_ClientConnectToServer() -> Connect to 0a0017fc.31943 Succ

*0.5360540 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=807] WPM_ClientConnectToServer() -> Switch ClientConn(0xd8020a00) State to WPM_CLIENTCONN_STATE_SLLCONNECTING.

*0.5360540 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=341] WPM_ClientConnSSLConnect() -> SSL Connect ...

*0.5360540 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=138] WPM_ClientConnNetEvtRecvCB() -> Receive Data ...

*0.5360540 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=341] WPM_ClientConnSSLConnect() -> SSL Connect ...

*0.5360540 MPN-USG6630-03 WPM/7/error: [s=0,t=144,l=365] WPM_ClientConnSSLConnect() -> SSL Connect Fail.The Errorcode is:[1]-

*0.5360540 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=388] WPM_ClientConnSSLConnect() -> Switch SSLVersion to SVN_SSL_CLI_METHOD_SSLV3.

*0.5360540 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=138] WPM_ClientConnNetEvtRecvCB() -> Receive Data ...

*0.5360540 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=138] WPM_ClientConnNetEvtRecvCB() -> Receive Data ...

*0.5360540 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=138] WPM_ClientConnNetEvtRecvCB() -> Receive Data ...                  //wait 120 seconds
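The analysis in step 3 can be automated. The following script is an added example written for this case, not part of the original case or Huawei's tooling: it parses WPM debug lines of the format shown above, decodes the hex-encoded server address (0a0017fc is 10.0.23.252), attributes each SSL event to the most recent "Connect to" target, and reports per endpoint whether TCP succeeded and whether the SSL handshake failed and which version the proxy fell back to. The sample log embedded in the script is constructed from the lines above (shortened); the field names and the diagnosis wording are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the USG6630 WPM debug output in this case
# (same message formats, fewer lines).
SAMPLE_LOG = """\
*0.5360330 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=732] WPM_ClientConnectToServer() -> Connect to 0a0017fc.8080 ...
*0.5360340 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=794] WPM_ClientConnectToServer() -> Connect to 0a0017fc.8080 Succ
*0.5360340 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=813] WPM_ClientConnectToServer() -> Switch ClientConn(0xd80073a0) State to WPM_CLIENTCONN_STATE_CONNECTED.
*0.5360530 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=732] WPM_ClientConnectToServer() -> Connect to 0a0017fc.31943 ...
*0.5360530 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=794] WPM_ClientConnectToServer() -> Connect to 0a0017fc.31943 Succ
*0.5360540 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=807] WPM_ClientConnectToServer() -> Switch ClientConn(0xd8020a00) State to WPM_CLIENTCONN_STATE_SLLCONNECTING.
*0.5360540 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=341] WPM_ClientConnSSLConnect() -> SSL Connect ...
*0.5360540 MPN-USG6630-03 WPM/7/error: [s=0,t=144,l=365] WPM_ClientConnSSLConnect() -> SSL Connect Fail.The Errorcode is:[1]-
*0.5360540 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=388] WPM_ClientConnSSLConnect() -> Switch SSLVersion to SVN_SSL_CLI_METHOD_SSLV3.
*0.5360540 MPN-USG6630-03 WPM/7/event: [s=0,t=144,l=138] WPM_ClientConnNetEvtRecvCB() -> Receive Data ...
"""

# "Connect to <8 hex digits>.<port> ..." starts an attempt, "... Succ" confirms TCP.
CONNECT_RE = re.compile(r"Connect to ([0-9a-f]{8})\.(\d+) (\.\.\.|Succ)")
SSL_FAIL_RE = re.compile(r"SSL Connect Fail\.The Errorcode is:\[(\d+)\]")
SSL_SWITCH_RE = re.compile(r"Switch SSLVersion to (\S+)\.")


def hex_to_ip(hex_addr: str) -> str:
    """Decode the WPM hex address (e.g. 0a0017fc) into dotted-quad form."""
    return ".".join(str(int(hex_addr[i:i + 2], 16)) for i in range(0, 8, 2))


@dataclass
class Endpoint:
    host: str
    port: int
    tcp_connected: bool = False
    ssl_attempted: bool = False
    ssl_failures: int = 0
    ssl_versions_tried: list = field(default_factory=list)


def parse_wpm_log(text: str) -> dict:
    """Return {(host, port): Endpoint} built from WPM debug lines.

    SSL events carry no address, so they are attributed to the endpoint of
    the most recent "Connect to" line, which is how the debug stream reads.
    """
    endpoints = {}
    current = None
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            key = (hex_to_ip(m.group(1)), int(m.group(2)))
            ep = endpoints.setdefault(key, Endpoint(*key))
            if m.group(3) == "Succ":
                ep.tcp_connected = True
            current = ep
            continue
        if current is None:
            continue
        if "SSL Connect ..." in line:
            current.ssl_attempted = True
        if SSL_FAIL_RE.search(line):
            current.ssl_failures += 1
        m = SSL_SWITCH_RE.search(line)
        if m:
            current.ssl_versions_tried.append(m.group(1))
    return endpoints


def diagnose(endpoints: dict) -> list:
    """One finding per endpoint: routing/ACL problem, TLS mismatch, or ok."""
    findings = []
    for (host, port), ep in endpoints.items():
        if not ep.tcp_connected:
            findings.append(f"{host}:{port}: TCP connect never succeeded (check routing/ACL)")
        elif ep.ssl_failures:
            tried = ", ".join(ep.ssl_versions_tried) or "no fallback"
            findings.append(f"{host}:{port}: TCP ok but SSL handshake failed "
                            f"{ep.ssl_failures}x, proxy fell back to {tried}: "
                            f"likely TLS version mismatch")
        else:
            findings.append(f"{host}:{port}: ok")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_wpm_log(SAMPLE_LOG)):
        print(finding)
```

On the sample log the script reports 10.0.23.252:8080 as ok and 10.0.23.252:31943 as a TCP-ok/SSL-failed endpoint with a fallback to SVN_SSL_CLI_METHOD_SSLV3, which is the signature of a server that only accepts a newer TLS version than the proxy client offers; that matches the root cause below (eSight accepts TLS 1.2 only).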

4. The web proxy has two modes: web-rewrite and web-link

With web-rewrite, eSight must support TLS 1.0 or SSL 3.0

With web-link, two web-link resources must be configured

(http://10.0.23.252:8080, https://10.0.23.252:31943)

5. Because eSight does not support TLS 1.0 or SSL 3.0 for security reasons and supports only TLS 1.2 by default, web-link mode is used


Root cause

1. The firewall web proxy has two modes. In web-rewrite mode the redirect fails because eSight does not support the older, less secure TLS 1.0 and SSL 3.0 versions

2. Because of how web-link mode is implemented, two web-link resources must be configured; previously only one was configured, http://10.0.23.252:8080

Solution

Configure two web-link resources (http://10.0.23.252:8080, https://10.0.23.252:31943); enable "Display" for the former and leave "Display" disabled for the latter


END