
SSH

kdsingh007
Level 1

Is there a command to access the remote switch using SSH, sourcing it from a configured secondary IP address?



Hi @kdsingh007 

You can use SSH on Cisco devices and define the source you want. Use the command "ip ssh source-interface <source interface>".

Hello,

The rules for a secondary IP are the same as for the primary IP. If you set up the command that Flavio mentioned, you will be able to access the switch over the secondary IP. Also check the vty ACL.

BR


The rules are not the same for primary and secondary addresses. For example if an interface has primary and secondary addresses and is running a dynamic routing protocol then it will use the primary address for establishing neighbor relationships and sending routing updates.

And I am pretty sure that using ip ssh source-interface <source interface> will result in using the primary address, not the secondary one.

There might be some differences in options for SSH depending on the platform initiating the SSH. Can you tell us what device will initiate the SSH?

HTH

Rick

Although Rick is 100% correct that there are some differences between uses of primary and secondary interface addresses (such as he correctly describes with routing protocols; another that I have bumped into is issues trying to acquire DHCP host IPs for a secondary interface address network), my inclination would be, as the other posters have noted, that it shouldn't matter for a protocol source IP (assuming the secondary is reachable via routing).

Regardless, if you have devices already configured with secondary interface addresses, perhaps a fast and good way to find your answers is to just try it. If you need to confirm what IP is actually being used, without getting into packet captures, including embedded device packet captures, you might set up a temporary logging ACL, on any transit interface, logging both the primary and selected secondary IPs, and see which ACE is getting matched.
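
The temporary logging ACL suggested in the reply above could look like the following. This is an added example, not part of any poster's reply; the ACL name, interface and all addresses (documentation ranges) are constructed placeholders, and it assumes no inbound ACL is already applied to the chosen interface.

```cisco
! Added example: ACL name, interface and addresses are constructed placeholders.
! Apply on a transit device, inbound on the interface that faces the
! switch originating the SSH session.
! Assumption: this interface has no inbound ACL already; ip access-group
! would replace an existing one.
configure terminal
 ip access-list extended SSH-SRC-CHECK
  remark primary address of the originating interface
  permit tcp host 192.0.2.1 host 203.0.113.10 eq 22 log
  remark secondary address of the originating interface
  permit tcp host 198.51.100.1 host 203.0.113.10 eq 22 log
  remark pass all other traffic unchanged
  permit ip any any
 interface GigabitEthernet1/0/1
  ip access-group SSH-SRC-CHECK in
 end
!
! Start the SSH session from the originating switch, then check which
! ACE shows matches and which source address appears in the log.
show ip access-lists SSH-SRC-CHECK
show logging | include SSH-SRC-CHECK
!
! Remove the temporary ACL when finished.
configure terminal
 interface GigabitEthernet1/0/1
  no ip access-group SSH-SRC-CHECK in
 no ip access-list extended SSH-SRC-CHECK
 end
```

The ACE whose match counter increments identifies the source address the SSH client actually used.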

I was initiating the SSH connection from a Cisco Switch WS-3850-24S.

Thanks for clarifying the device originating the ssh. Try the ssh command specifying the destination and instead of hitting enter use the question mark to identify options and provide us with that output.

HTH

Rick


38501#ssh 172.22.xx.xx ?
WORD Command string
<cr>

38501#ssh ?
-c Select encryption algorithm
-l Log in using this user name
-m Select HMAC algorithm
-o Specify options
-p Connect to this port
-v Specify SSH Protocol Version
-vrf Specify vrf name
WORD IP address or hostname of a remote system

Thank you for the output that I requested. Unfortunately I do not see any options that would result in using the secondary address as the source for SSH. If you need the SSH to use a particular IP as the source then the option that I can see would be to make the current secondary address to be primary and the current primary address to be secondary. And I suspect that making that change might have some impact.

HTH

Rick

Hopefully Cisco may add that command in future IOS builds, considering that ping packets can already be sourced from a secondary IP address in existing IOS versions.

Thanks

I am glad that our suggestions have been helpful and sorry that we could not find a solution that made it work. It would be nice if Cisco did add this capability. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

"And I am pretty sure that using ip ssh source-interface <source interface> will result in using the primary address not the secondary one."

I suspect Rick has nailed it.  I just jumped into CML to see what "source" options are available.

With SSH, only the global ip ssh source-interface appears to be available. I strongly suspect Rick is correct in pointing out that if an interface source is used, the primary IP likely will be the only IP used.

I was hoping, current IOSs might support either source-interface or source-address (like ping does), but that doesn't appear to be the case for SSH (or tftp, FTP, Telnet).