Splunk login page blank from outside after upgrade to 6.2

john_h_thomas
Explorer

Hello Everyone,
I have a Splunk installation that is externally facing for remote access. After upgrading to 6.2 to fix some issues, I now get a blank login screen when I browse to the site externally. Viewing the source code of the page shows a bunch of JavaScript, so I know stuff is being returned from the server; however, the page appears blank. Internally the Splunk login page loads 100% normally and I can access it without any issues. I noticed in the release notes there is mention of 2 new ports being used by 6.2. I was wondering if this had something to do with the situation, as I have not done any NAT rules for these ports from the outside. The upgrade notes did not mention this requirement anywhere that I saw. Just wondering if this is an issue anyone else has seen moving up to 6.2?
Thanks in advance for any help you folks can provide!

matthieu_araman
Communicator

I've got the same problem (black page with no message) with 6.2 behind a Checkpoint vpnssl in web portal mode (Firefox browser used).
No problem accessing directly or in tunnel mode via vpnssl.
I don't know if it worked with previous Splunk versions.
I'm not using https on Splunk on this instance, so this is not the problem (url=http://ip:8000/).
I can see some Splunk code rewritten by the vpnssl in the source code, so the vpnssl is reaching Splunk.

Could anybody access a Splunk instance through a Checkpoint vpnssl?

0 Karma

bwakely
Explorer

...Yes. Yes, we did. Sorry, it had been a busy few days and it slipped my mind.

We're using F5 LTM, 11.5.1, hotfix 5
(Hotfix-BIGIP-11.5.1.5.0.147-HF5.iso)

We had set our virtual server to use an SSL certificate with SSLv3 explicitly enabled,
and F5 no longer offers that as an option.

Virtual server reconfigured to use SSL cert with SSLv3 disabled:

Local Traffic >> Virtual Servers : Virtual Server List >> vs_splunk.latrobe.edu.au_443

  • Switched the SSL certificate from the existing one to one with SSLv3 disabled.

Disabled SSLv3 in the SSL Certificate / client profile:

Profile >> SSL >> Client

In the SSL certificate profile in question,

select: "Configuration: Advanced"

In the 'ciphers' section, alter:

!EXPORT:!DH:!MD5:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:@SPEED

to

DEFAULT

Possibly relevant reading:

https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip

https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15702.html

See if that helps.

0 Karma
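To confirm that the virtual server really refuses SSLv3 after the profile change described in the post above, a probe like the following can be used. It is an added example, not part of the thread; the function names and the host name in the usage note are assumptions.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"  # protocol version bytes for SSL 3.0
# Suites offered: RSA with RC4-128-SHA, 3DES-EDE-CBC-SHA, AES128-SHA, AES256-SHA
SUITES = bytes.fromhex("0005000a002f0035")

def build_sslv3_client_hello(random=None):
    """Return one record carrying an SSL 3.0 ClientHello (no extensions)."""
    random = random or os.urandom(32)
    body = (SSL3 + random + b"\x00"                    # version, random, empty session id
            + struct.pack("!H", len(SUITES)) + SUITES  # cipher suite list
            + b"\x01\x00")                             # null compression only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Classify the first record the server sent back."""
    if len(data) < 5:
        return "closed-or-empty"  # connection dropped without sending a record
    ctype = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:
        # Alert record: level, description (40 = handshake_failure, 70 = protocol_version)
        return "rejected-alert-%d" % payload[1]
    if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        # ServerHello: type(1) + length(3) + server_version(2)
        return "sslv3-accepted" if payload[4:6] == SSL3 else "other-version"
    return "unexpected"

def probe(host, port=443, timeout=5.0):
    """Send the SSLv3 ClientHello to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            return classify_response(s.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "closed-or-empty"

if __name__ == "__main__" and len(sys.argv) > 1:
    print(probe(sys.argv[1]))
```

Run it against your own virtual server, for example `probe("splunk.example.com")` (placeholder name). `sslv3-accepted` means the listener still negotiates SSLv3; `rejected-alert-N` or `closed-or-empty` means it was refused.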

john_h_thomas
Explorer

Hey bwakely,
So I tried this the other day and unfortunately it's still not working. Are there any other steps you took to correct the issue? I find it interesting that the F5 is a common variable here and I'm wondering if you changed anything on the virtual server for Splunk or anything along those lines while troubleshooting? Thanks for the assistance!

0 Karma

john_h_thomas
Explorer

Excellent. This is behind an F5 as well. I'll try your solution and let you know how it goes. Thank you very much!

0 Karma

bwakely
Explorer

Hi John,

We had the same thing happen here - upgraded to 6.2 from 6.0.3,
restarted the search heads after upgrade,
and the page wouldn't render anything other than a background colour in a browser.
This effect happened when viewing the page through our F5 load-balancers (https/port 443),
it did not happen when viewing the back-end directly (http/port 8000)

yannK's answer to "Upgraded to 6 and the login page for splunk-web is broken"[2] helped - I:

  • deleted the contents of $SPLUNK_HOME/var/run/splunk/appserver/
  • restarted browser a few times
  • restarted the search head

and it eventually rendered properly every time.

--Benji

0 Karma
