Nessus Scanner: Tenable.io-managed Nessus Scanner v10.11.1
Cisco Switch Model: WS-C3650-48TQ
Cisco IOS XE Version: 16.12.12
Issue Description
We are attempting to perform a credentialed SSH scan against Cisco switches using a Nessus scanner.
The SSH connection initiated by Nessus fails during SSH negotiation (pre-authentication).
The following messages are logged on the Cisco switch during the scan attempt:
%SSH-3-PACK_PADD_ERR: Padding error: needed 0 bytes, block size 25 bytes, mod= 8
%SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from <scanner IP>
As a result, Nessus is unable to complete authenticated SSH checks.
Validation Performed
SSH access from the same Nessus scanner VM using OpenSSH works successfully
The same account and credentials authenticate without issue
SSH negotiation succeeds using:
ecdh-sha2-nistp256
aes256-ctr
hmac-sha2-256
This confirms:
Question / Request
This appears to be a client-side SSH negotiation issue specific to the Nessus embedded SSH client.
Is this a known limitation or defect when scanning Cisco IOS XE 16.12.x devices?
Are there any recommended scanner settings, updates, or scan templates to improve SSH compatibility?
From the Cisco perspective, are these SSH errors expected when a client fails negotiation, or is there additional tuning recommended?
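As an added, defender-side check (not code from the original post, from Tenable or from Cisco): a small Python script that reads Cisco syslog output, counts the two %SSH- messages quoted above, and flags any source IP of a terminated negotiation that is not the known scanner, so scanner-induced noise can be told apart from unexpected SSH clients. The timestamps, hostname and IP addresses in the sample lines are constructed.

```python
import re
from dataclasses import dataclass, field

# Patterns for the two IOS XE syslog messages seen on the switch during the scan.
PADD_ERR = re.compile(r"%SSH-3-PACK_PADD_ERR: Padding error: needed (\d+) bytes, block size (\d+) bytes, mod= ?(\d+)")
UNEXPECTED_MSG = re.compile(r"%SSH-4-SSH2_UNEXPECTED_MSG: .*connection from (\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class SshNegotiationReport:
    padding_errors: int = 0                                     # PACK_PADD_ERR count
    terminations_by_source: dict = field(default_factory=dict)  # IP -> UNEXPECTED_MSG count
    unknown_sources: set = field(default_factory=set)           # IPs not in the scanner allow-list


def analyse_ssh_log(lines, known_scanners):
    """Count pre-auth SSH negotiation failures and flag sources that are not known scanners."""
    report = SshNegotiationReport()
    for line in lines:
        if PADD_ERR.search(line):
            report.padding_errors += 1
            continue
        match = UNEXPECTED_MSG.search(line)
        if match:
            src = match.group(1)
            report.terminations_by_source[src] = report.terminations_by_source.get(src, 0) + 1
            if src not in known_scanners:
                report.unknown_sources.add(src)
    return report


# Constructed sample syslog output (timestamps, hostname and IPs are made up);
# the two %SSH- message bodies are the ones quoted in the post.
SAMPLE_LOG = [
    "Mar 10 09:12:01 sw-access-01 1201: %SSH-3-PACK_PADD_ERR: Padding error: needed 0 bytes, block size 25 bytes, mod= 8",
    "Mar 10 09:12:01 sw-access-01 1202: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 10.0.0.50",
    "Mar 10 09:12:04 sw-access-01 1203: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.7)",
    "Mar 10 09:12:31 sw-access-01 1204: %SSH-3-PACK_PADD_ERR: Padding error: needed 0 bytes, block size 25 bytes, mod= 8",
    "Mar 10 09:12:31 sw-access-01 1205: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 10.0.0.50",
    "Mar 10 09:13:10 sw-access-01 1206: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 203.0.113.9",
]

if __name__ == "__main__":
    rep = analyse_ssh_log(SAMPLE_LOG, known_scanners={"10.0.0.50"})
    print(f"padding errors: {rep.padding_errors}")
    for src, n in sorted(rep.terminations_by_source.items()):
        tag = "UNKNOWN source" if src in rep.unknown_sources else "known scanner"
        print(f"{src}: {n} terminated negotiation(s) [{tag}]")
```

Feed it the output of `show logging` (or the syslog collector's export) and compare the flagged sources against the scanner's address before treating the messages as a scanner compatibility problem.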