https://community.cisco.com/t5/network-security/cannot-access-fxos-cli-via-ssh-anymore/m-p/4562852#M1087886 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326046">@Marvin Rhoads</a>&nbsp;Thank you for the suggestion. I tried to ssh from FTD expert mode to the chassis management address, but I'm still getting conenction refused. I will wait for console access.</P><P>Is the access list in fxos different from the one I see in Chassis manager web gui? The one I have there looks like this:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.JPG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/145127i1B624F88A5E0F554/image-size/large?v=v2&amp;px=999" role="button" title="Capture.JPG" alt="Capture.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 03 Mar 2022 09:49:46 GMT Chess Norris 2022-03-03T09:49:46Z https://community.cisco.com/t5/network-security/cannot-access-fxos-cli-via-ssh-anymore/m-p/4561920#M1087858 <P>Hi,</P><P>This morning I was trying to SSH into FXOS on two Firepower 4100 devices. I have been able to SSH into those devices before, but it was probably quite a while ago since i did it the last time.</P><P>I now get&nbsp;a "The remote system refused the connection" message, when I am trying to use SSH. I still can access the web interface, and I've verified the SSH is enabled and that there are no access rules that would prevent SSH access.&nbsp;</P><P>Is there any other way I can access the CLI? If I SSH directly to the FTD device, it takes me directly to the LINA CLI but I don't have the option to type "connect fxos".</P><P>A console connection might be my only option here, but the device is located in another country and it will probably take a while to get someone on site.</P><P>&nbsp;</P><P>Thanks&nbsp;</P><P>/Chess</P> Wed, 02 Mar 2022 09:01:46 GMT https://community.cisco.com/t5/network-security/cannot-access-fxos-cli-via-ssh-anymore/m-p/4561920#M1087858 Chess Norris 2022-03-02T09:01:46Z https://community.cisco.com/t5/network-security/cannot-access-fxos-cli-via-ssh-anymore/m-p/4562231#M1087867 <P>I can only think that the ssh access list in fxos might have been enabled.</P> <P>Short of console access, can you try sshing to the chassis management address from an expert mode (Linux shell) session on the FTD instance?</P> Wed, 02 Mar 2022 16:20:36 GMT https://community.cisco.com/t5/network-security/cannot-access-fxos-cli-via-ssh-anymore/m-p/4562231#M1087867 Marvin Rhoads 2022-03-02T16:20:36Z https://community.cisco.com/t5/network-security/cannot-access-fxos-cli-via-ssh-anymore/m-p/4562852#M1087886 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326046">@Marvin Rhoads</a>&nbsp;Thank you for the suggestion. I tried to ssh from FTD expert mode to the chassis management address, but I'm still getting conenction refused. I will wait for console access.</P><P>Is the access list in fxos different from the one I see in Chassis manager web gui? The one I have there looks like this:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.JPG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/145127i1B624F88A5E0F554/image-size/large?v=v2&amp;px=999" role="button" title="Capture.JPG" alt="Capture.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 03 Mar 2022 09:49:46 GMT https://community.cisco.com/t5/network-security/cannot-access-fxos-cli-via-ssh-anymore/m-p/4562852#M1087886 Chess Norris 2022-03-03T09:49:46Z https://community.cisco.com/t5/network-security/cannot-access-fxos-cli-via-ssh-anymore/m-p/4562853#M1087887 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/256705">@Chess Norris</a> the settings you shared are the same as what one would configure from the cli. So that looks good.</P> <P>If your FTD management address is in the same subnet as the chassis management interface, then a middleware box would not be the problem.</P> <P>So it's a bit of a mystery still - please let us know what you find out.</P> Thu, 03 Mar 2022 10:00:46 GMT https://community.cisco.com/t5/network-security/cannot-access-fxos-cli-via-ssh-anymore/m-p/4562853#M1087887 Marvin Rhoads 2022-03-03T10:00:46Z https://community.cisco.com/t5/network-security/cannot-access-fxos-cli-via-ssh-anymore/m-p/4781652#M1098126 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/256705">@Chess Norris</a>Does the error message include:<BR />Unable to negotiate with &lt;IP Address&gt; port 22: no matching key exchange method found.&nbsp; Their offer: &lt;cipher&gt;<BR /><BR /></P><P>If so, you may need to explicitly include the "KexAlgorithms" stated in the &lt;cipher&gt;.<BR />Example: ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 &lt;IP Address&gt;</P><P>Then later update your ssh-server config via CLI and/or FCM to include additional algorithms.</P> Thu, 23 Feb 2023 20:40:35 GMT https://community.cisco.com/t5/network-security/cannot-access-fxos-cli-via-ssh-anymore/m-p/4781652#M1098126 councilm 2023-02-23T20:40:35Z