cisco 3650 48 port poe

spd2612
Level 1

I am new to Cisco switches, but I needed something to handle my multiple subnets and PoE devices.

When I picked up this switch it had a 3.x OS on it. I developed my issues when I upgraded it to version 16.6: I can no longer log in to HTTP, and who knows what else I have going on in my config, because even though I have created more users they can't log in.

Do I need to downgrade the software, or is there a way to set this to a default config again?

If so, what commands would I use, and would I need the console? Below is what I am showing in the running config. Please tell me what I need to do.

User Access Verification

Username: cisco
Password:

POE-Switch>enable
Password:
POE-Switch#show runn
Building configuration...

Current configuration : 7099 bytes
!
! Last configuration change at 18:46:18 UTC Fri Jan 19 2024
!
version 16.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service compress-config
no platform punt-keepalive disable-kernel-core
!
hostname POE-Switch
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging console emergencies
enable secret 5 X.X.X
!
aaa new-model
aaa local authentication default authorization default
!
!
!
!
!
!
!
!
aaa session-id common
clock timezone UTC -5 0
clock summer-time UTC recurring
switch 1 provision ws-c3650-48ps
!
!
!
!
!
!
!
!
no login on-success log
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1716188296
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1716188296
revocation-check none
rsakeypair TP-self-signed-1716188296
!
!
crypto pki certificate chain TP-self-signed-1716188296
certificate self-signed 01
quit
!
!
!
diagnostic bootup level minimal
!
spanning-tree mode pvst
spanning-tree extend system-id
!
username cisco privilege 15 password 0 testing
username admin privilege 15 password 0 testing
username john privilege 15 password 0 15
!
redundancy
mode sso
!
!
transceiver type all
monitoring
hw-switch switch 1 logging onboard message
!
!
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
description DHCP Snooping, EWLC control, EWCL data
class-map match-any system-cpp-police-sys-data
description Learning cache ovfl, Crypto Control, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-multicast
description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-system-critical
description System Critical and Gold
!
policy-map system-cpp-policy
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet1/0/29
!
interface GigabitEthernet1/0/30
!
interface GigabitEthernet1/0/31
!
interface GigabitEthernet1/0/32
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip address 192.168.2.200 255.255.255.0
!
ip default-gateway 192.168.2.2
ip forward-protocol nd
ip http server
ip http authentication aaa exec-authorization listname
ip http secure-server
ip http secure-trustpoint TP-self-signed-1716188296
ip http timeout-policy idle 600 life 2000 requests 2000
ip http session-idle-timeout 1200
!
!
!
!
!
!
!
--More--


10 Replies

balaji.bandi
Hall of Fame

Is the issue with the Web GUI?

Is SSH working?

If you are looking to use local users for AAA, the example below should work for you, since you already have local users.

aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default

Make sure the VLAN 1 interface is up; that only happens when one of the access ports is connected.


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Well, that helped, but I can only log into the web interface one time with any user. If I log out and try to log in again, it says my credentials are wrong.

The only way I can get back in again is to run the following in config:

no ip http server
ip http server


Can you post show run again after the updated config here?

Once you have logged in and logged out (before you run no ip http server), can you post the output of the following from the console:

show ip http client connection

show ip http client history

Try the config below for more sessions:

ip http max-connections x (by default it should allow 5 connections)

Also worth setting up:

ip http timeout-policy idle seconds life seconds requests value

BB


Thanks very much for your help. Just so you understand, NO one can log in after I log out; I have to disable and re-enable HTTP to get one more login.

Below is after I logged out, without restarting HTTP.


User Access Verification

Username: cisco
Password:

POE-Switch#enable
POE-Switch#show runn
Building configuration...

Current configuration : 7287 bytes
!
! Last configuration change at 16:29:36 UTC Sat Jan 20 2024 by cisco
!
version 16.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service compress-config
no platform punt-keepalive disable-kernel-core
!
hostname POE-Switch
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging console emergencies
enable secret 5 X.X.X
!
aaa new-model
aaa local authentication default authorization default
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
!
!
!
!
!
aaa session-id common
clock timezone UTC -5 0
clock summer-time UTC recurring
switch 1 provision ws-c3650-48ps
!
!
!
!
!
!
!
!
no login on-success log
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1716188296
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1716188296
revocation-check none
rsakeypair TP-self-signed-1716188296
!
!
crypto pki certificate chain TP-self-signed-1716188296
certificate self-signed 01
quit
!
!
!
diagnostic bootup level minimal
!
spanning-tree mode pvst
spanning-tree extend system-id
!
username cisco privilege 15 password 0 password
username admin privilege 15 password 0 password
username john privilege 15 password 0 password
!
redundancy
mode sso
!
!
transceiver type all
monitoring
hw-switch switch 1 logging onboard message
!
!
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
description DHCP Snooping, EWLC control, EWCL data
class-map match-any system-cpp-police-sys-data
description Learning cache ovfl, Crypto Control, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-multicast
description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-system-critical
description System Critical and Gold
!
policy-map system-cpp-policy
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet1/0/29
!
interface GigabitEthernet1/0/30
!
interface GigabitEthernet1/0/31
!
interface GigabitEthernet1/0/32
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip address 192.168.2.200 255.255.255.0
!
ip default-gateway 192.168.2.2
ip forward-protocol nd
ip http server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
ip http secure-server
ip http secure-trustpoint TP-self-signed-1716188296
ip http timeout-policy idle 600 life 2000 requests 2000
ip http session-idle-timeout 1200
!
!
!
!
!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password password
length 0
line vty 5 15
password password
!
!
wsma agent exec
profile httplistener
profile httpslistener
!
wsma agent config
profile httplistener
profile httpslistener
!
wsma agent filesys
profile httplistener
profile httpslistener
!
wsma agent notify
profile httplistener
profile httpslistener
!
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
!
end

POE-Switch#
POE-Switch#

POE-Switch#show ip http client connection
HTTP client current connections:
Persistent connection = enabled (default)
Connection establishment timeout = 10s (default)
Connection idle timeout = 30s (default)
Maximum number of connection establishment retries = 1 (default)
Connection pipeline length = 5 (default)
Maximum http client connections per host : 2
HTTP secure client capability: Present
HTTP secure client ciphersuite: 3des-ede-cbc-sha aes-128-cbc-sha
aes-256-cbc-sha dhe-aes-128-cbc-sha ecdhe-rsa-3des-ede-cbc-sha
rsa-aes-cbc-sha2 rsa-aes-gcm-sha2 dhe-aes-cbc-sha2 dhe-aes-gcm-sha2
ecdhe-rsa-aes-cbc-sha2 ecdhe-rsa-aes-gcm-sha2
HTTP secure client TLS version: TLSv1.2 TLSv1.1 TLSv1.0
HTTP secure client trustpoint:

local-ipaddress:port remote-ipaddress:port in-bytes out-bytes


Total client connections : 0

I could not replicate this issue on any of the Cat 9300 switches. I believe this is a bug; maybe try a different version and test it.

Or use an EEM script that runs every few hours or every day to fix the issue:

no ip http server
ip http server

BB

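The EEM workaround BB describes, written out as an added example (this is not config from the original post): an applet that bounces the HTTP server on a cron schedule so the web login works again without a console session. The applet name, the six-hour interval and the syslog text are assumptions; adjust the cron entry to the interval you want.

```cisco
! Added example, not from the thread: periodic HTTP server restart via EEM.
! Assumed name and schedule; "0 */6 * * *" = at minute 0 of every 6th hour.
event manager applet RESTART-HTTP-SERVER
 event timer cron cron-entry "0 */6 * * *"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 ! Same two commands the thread uses by hand to restore web login.
 action 3.0 cli command "no ip http server"
 action 4.0 cli command "ip http server"
 action 5.0 cli command "end"
 ! Leave a trace in the log so the restarts are visible and auditable.
 action 6.0 syslog msg "EEM workaround: ip http server restarted"
```

Check that it ran with `show event manager history events`; this is a workaround for the behaviour BB calls a bug, not a fix, so remove the applet once an upgraded image no longer shows the problem.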

Thanks again for all your help. If I upgrade this switch to 16.9.10a, will I be able to use it? I have heard that after 16.6 Smart Licensing is mandatory, but this switch runs in my lab and I don't have a Smart License. What do you recommend?

Thank you

I understand the Smart License is mandatory; if you have only the Essential License it does not matter, as that is perpetual.

If this is a lab, I would just upgrade and check whether the issue is fixed. You can also use network-advantage.

What license do you have?

You can use the command below (but the switch requires a reboot for that license to take effect):

#license boot level network-advantage

Another option you can test: remove AAA and just use the local password, which is good enough to work (test before upgrading).

no aaa new-model

ip http authentication local


BB


OK, I upgraded to 16.10 and this is what I have. What do I need to do?

Technology Package License Information:

------------------------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------------------
ipbasek9 Smart License ipbasek9
None Subscription Smart License None


Smart Licensing Status: UNREGISTERED/EVAL MODE

Do you use local or AAA?

If you use local, you need to add local to authc and authz exec.

MHM