Not able to access J-Web management on SRX-Branch after upgrading to recent JUNOS 10.2 and later releases.

[KB19411]


Summary:
Not able to access J-Web management on SRX-Branch after upgrading to recent JUNOS 10.2 and later releases.

This can be resolved by configuring the command "set system services web-management management-url <path>".
Symptoms:
After upgrading to 10.2R3 and 10.3R1 or later releases, J-Web access may not work on an interface that is also terminating an IPSec VPN tunnel.
Solution:
Interfaces terminating an IPSec tunnel will redirect all HTTP and HTTPS requests to the Dynamic VPN domain.
Example:
https://<srx-domain-or-ip>/dynamic-vpn
This was done to allow for Dynamic VPN support without implicitly allowing all J-Web access.
That is, access to http://x.x.x.x/ will be redirected to http://x.x.x.x/dynamic-vpn
(Where x.x.x.x is the IP address of interface configured for dynamic-vpn.)

The reason for this behavior is that it is recommended to physically separate access for J-Web and Dynamic VPN, so that Dynamic VPN users cannot reach J-Web, whether accidentally or intentionally.

In order to allow J-Web management on an interface which is terminating an IPSec VPN, you must configure management-url for J-Web access:
set system services web-management management-url <path>

For example, with the following configuration:
[edit system services]
lab@SRX210-poe.hk# show
web-management {
    management-url admin;    <=== Configuration added here.
    http;
    https {
        system-generated-certificate;
    }
}

J-Web management would then require the administrator to browse to:

http://x.x.x.x/admin
or
https://x.x.x.x/admin
(Where x.x.x.x is the interface IP address.)
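
The condition described above can be checked offline against a saved configuration. The following is an added example, not Juniper's code: it scans `show configuration | display set` output for interfaces where J-Web is enabled, an IPSec tunnel terminates, and no management-url is set. It assumes an IKE gateway's external-interface marks an IPSec-terminating interface and that web-management with no interface statement listens on all interfaces; the sample configuration and the function name audit_jweb are constructed.

```python
import re

# Constructed sample in `show configuration | display set` form (not from the article).
SAMPLE_CONFIG = """\
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set security ike gateway dynvpn-gw external-interface ge-0/0/0.0
set security ike gateway site-b external-interface ge-0/0/1.0
"""

WEB = "set system services web-management "
IKE = re.compile(r"set security ike gateway \S+ external-interface (\S+)")

def audit_jweb(config_text):
    """Return (management_url, interfaces where J-Web needs a management-url)."""
    mgmt_url = None
    web_ifaces = {}     # protocol -> interfaces it is bound to (empty = all)
    ike_ifaces = set()  # assumption: IKE external-interface = terminates IPSec
    for line in map(str.strip, config_text.splitlines()):
        if line.startswith(WEB):
            rest = line[len(WEB):].split()
            if rest[:1] == ["management-url"] and len(rest) > 1:
                mgmt_url = rest[1]
            elif rest and rest[0] in ("http", "https"):
                bound = web_ifaces.setdefault(rest[0], set())
                if rest[1:2] == ["interface"]:
                    bound.update(rest[2:])
        match = IKE.match(line)
        if match:
            ike_ifaces.add(match.group(1))
    if mgmt_url or not web_ifaces:
        return mgmt_url, []          # fix already applied, or J-Web disabled
    if any(not bound for bound in web_ifaces.values()):
        return None, sorted(ike_ifaces)   # assumption: unbound = all interfaces
    return None, sorted(ike_ifaces & set().union(*web_ifaces.values()))

if __name__ == "__main__":
    url, affected = audit_jweb(SAMPLE_CONFIG)
    for iface in affected:
        print(f"{iface}: J-Web requests redirect to /dynamic-vpn; set management-url")
```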