SSH on Router stopped working

daniel86
Level 1

Hey, can someone please help me just a minute?

 

By now my router refuses SSH, but I don't remember that I changed anything.

 

sh run:

 

line con 0
password 7 
logging synchronous
login authentication local_access
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
password 7 
logging synchronous
login authentication local_access
transport input telnet ssh
transport output ssh
line vty 5 15
access-class 99 in vrf-also
privilege level 15
logging synchronous
transport input ssh
transport output ssh

 

Is it because of that one?

 

access-list 99 deny   any

Thanks for your help

11 Replies

Samer R. Saleem
Level 4

yes that could be it or access list 23 

 

if you locked yourself out of the device and you didn't save the configs (write the configs to memory), try to reload it

daniel86
Level 1

I don't know what to do now. Can someone tell me how to activate it again?

 

CCP via HTTP is working

Thanks

Hi Daniel,

you can simply remove the ACL 99 if you still have access to the device, but if the device is on a remote site and you can't access it anymore, this wouldn't affect anything on the user data flow and you can ask someone to power it off and on again so it will remove the unsaved configs....

I already removed the deny entry in access-list 99. I can not restart the device in business time. I can do it later.

 

Thanks

yes, no worries, the user will not be affected by this, as long as you already removed the ACL then even no need to reload...

Ok so what will be the next step to reactivate it again?

Hello

Without knowing what you did in the first place it's hard to know what is negating it.

 

Please post the config of the router


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

agreed, hard to say without more info. One thing that I still run into occasionally is not having in and out keepalives enabled so you run out of vtys because they're all half open. If you have console access you can check that and see.

Building configuration...



Current configuration : 12759 bytes
!
! Last configuration change at 10:11:32 UTC Fri Oct 26 2018
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXX
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging buffered
enable password 7
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
!
crypto pki trustpoint TP-self-signed-1280434013
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1280434013
revocation-check none
rsakeypair TP-self-signed-1280434013
!
!
crypto pki certificate chain TP-self-signed-1280434013
certificate self-signed 01
XXXXXX
quit
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
ip vrf INET
rd 1:100
!
ip dhcp excluded-address 10.10.1.1 10.10.1.10
ip dhcp excluded-address 10.0.6.1 10.0.6.10
ip dhcp excluded-address vrf INET 10.0.4.1 10.0.4.9
ip dhcp excluded-address vrf INET 10.0.4.201 10.0.4.254
ip dhcp excluded-address vrf INET 10.0.5.1 10.0.5.9
ip dhcp excluded-address vrf INET 10.0.5.201 10.0.5.254
ip dhcp excluded-address vrf INET 10.0.0.1 10.0.1.0
!
ip dhcp pool XXX
vrf INET
network 10.0.0.0 255.255.252.0
default-router 10.0.0.1
domain-name XXX
dns-server 10.0.4.1 8.8.8.8
class dhcp_class_unsecure
!
ip dhcp pool XXX
vrf INET
network 10.0.4.0 255.255.255.0
default-router 10.0.4.1
domain-name XXX
dns-server 10.0.4.1 8.8.8.8
class dhcp_class_unsecure
!
ip dhcp pool XX
network 10.0.6.0 255.255.255.0
default-router 10.0.6.1
!
ip dhcp pool XX
vrf INET
network 10.0.5.0 255.255.255.0
default-router 10.0.5.1
domain-name XXX
dns-server 10.0.4.1 8.8.8.8
class dhcp_class_unsecure
!
!
ip dhcp class dhcp_class_unsecure
remark limit IP Address
!
!
ip host XXX 10.0.4.1
ip host XXX 10.0.7.2
ip host XXX 10.0.4.2

ip name-server 8.8.8.8
ip multicast-routing
ip cef
login on-failure log
login on-success log
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C892FSP-K9 sn FCZ2041E3D6
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
object-group service INTERNAL_UTM_SERVICE
!
object-group network local_cws_net
!
object-group network local_lan_subnets
any
!
object-group network vpn_remote_subnets
any
!
!
no spanning-tree vlan 20
vtp domain XXXXX
vtp mode transparent
vtp version 2
username XXX privilege 15 secret 5
!
!
!
!
!
vlan 20
name INTERNET
!
vlan 22
!
vlan 100
name XX
!
vlan 101
name XXX
!
vlan 102
name XXXX
!
vlan 103
name XXXXX
!
vlan 104
name XXXXXX
!
vlan 1004
bridge 0
stp type ieee
!
track 2 ip sla 2 reachability
delay down 60
!
track 3 ip sla 3 reachability
delay down 60
!
track 4 interface Vlan20 line-protocol
delay down 3 up 3
!
track 5 list boolean and
object 2
object 3
delay down 3 up 3
!
track 6 list boolean or
object 4 not
object 5 not
delay down 3 up 3
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map match-all cmap1
match protocol cisco-phone-audio
match protocol cisco-phone-audio potentially
!
policy-map policy1
class cmap1
bandwidth percent 25
policy-map policy2
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
!
crypto keyring PUBLIC vrf INET
pre-shared-key address XXXXXXXXXXXX key XXXXXXXXXXX
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60 5
!
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
mode transport
!
!
crypto ipsec profile vpnprof
set transform-set trans2
!
!
!
!
!
!
!
interface Tunnel0
bandwidth 100000
ip address 10.3.0.1 255.255.255.0
ip mtu 1400
ip nhrp authentication XXXXX
ip nhrp map 10.3.0.254 XXXXXXXXX
ip nhrp map multicast XXXXXXXXX
ip nhrp network-id 100
ip nhrp holdtime 60
ip nhrp nhs 10.3.0.254
ip nhrp registration no-unique
ip nhrp registration timeout 30
ip tcp adjust-mss 1360
delay 1000
tunnel source Vlan21
tunnel destination XXXXXXXXX
tunnel key 100001
tunnel vrf INET
!
interface GigabitEthernet0
switchport mode trunk
no ip address
!
interface GigabitEthernet1
no ip address
shutdown
!
interface GigabitEthernet2
switchport access vlan 21
no ip address
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet3
switchport access vlan 20
no ip address
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet4
switchport access vlan 100
no ip address
!
interface GigabitEthernet5
switchport access vlan 22
no ip address
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet6
no ip address
shutdown
!
interface GigabitEthernet7
switchport mode trunk
no ip address
shutdown
!
interface GigabitEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet9
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
ip vrf forwarding INET
no ip address
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
no ip route-cache
shutdown
!
interface Vlan2
no ip address
!
interface Vlan20
description XXXXXXXXX
ip vrf forwarding INET
ip address XXXXXXXXXXX 255.255.255.252
ip nat outside
ip virtual-reassembly in
service-policy input policy2
!
interface Vlan21
description XXXXXXXXXXX
ip vrf forwarding INET
ip address XXXXXXXX 255.240.0.0
ip nat outside
ip virtual-reassembly in
shutdown
service-policy input policy2
!
interface Vlan22
description XXXXXXXXXX
ip vrf forwarding INET
ip address XXXXXXXXXX 255.255.255.248
ip nat outside
ip virtual-reassembly in
service-policy input policy2
!
interface Vlan100
description XXXXXXXX
ip vrf forwarding INET
ip address 10.0.0.1 255.255.252.0
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly in
no ip route-cache
!
interface Vlan101
description XXXXXXXX
ip vrf forwarding INET
ip address 10.0.4.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly in
no ip route-cache
!
interface Vlan102
description XXXXXX
ip vrf forwarding INET
ip address 10.0.5.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly in
no ip route-cache
!
interface Vlan103
description XXXXXXXXX
ip address 10.0.6.1 255.255.255.0
no ip redirects
no ip proxy-arp
no ip route-cache
!
interface Vlan104
description XXXXXXX
ip address 10.0.7.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
no ip route-cache
!
!
router eigrp 1
network 0.0.0.0
passive-interface default
no passive-interface Tunnel0
eigrp stub connected summary
!
ip forward-protocol nd
ip http server
ip http upload enable path flash:
ip http upload overwrite
no ip http secure-server
ip http path flash:
!
!
ip tftp source-interface GigabitEthernet0
ip dns view default
dns forwarder vrf INET 8.8.8.8
dns forwarding source-interface Vlan100
ip dns server
ip nat inside source list 1 interface Vlan22 vrf INET overload
ip route vrf INET 0.0.0.0 0.0.0.0 172.16.0.1 10 track 6
ip route vrf INET 0.0.0.0 0.0.0.0 XXXXXXXXXX 25
ip ospf name-lookup
ip ssh version 2
ip scp server enable
!
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
!
ip sla 1
icmp-echo 10.3.0.254 source-interface Vlan2
frequency 30
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-interface Vlan20
vrf INET
frequency 10
ip sla schedule 2 life forever start-time now
ip sla 3
icmp-echo XXXXXXXXX source-interface Vlan20
vrf INET
frequency 10
ip sla schedule 3 life forever start-time now
logging source-interface Vlan104
logging host XXXXXXXXX
!
route-map NAT permit 10
match ip address 1
!
snmp-server group groupRW v3 priv read IPL
snmp-server group XXXXXXXXXL v3 auth
snmp-server view IPL iso included
snmp-server trap-source Vlan104
snmp-server enable traps snmp coldstart warmstart
snmp-server enable traps envmon fan shutdown supply temperature
snmp-server host 172.31.0.4 IPL
access-list 1 permit 10.0.0.0 0.0.3.255
access-list 1 permit 10.0.4.0 0.0.0.255
access-list 1 permit 10.0.5.0 0.0.0.255
access-list 99 permit 10.1.0.0 0.0.0.255
access-list 99 permit XXXXXXXXX 0.0.0.15
access-list 99 permit XXXXXXXXX 0.0.0.255
access-list 99 deny any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
password 7 01100F175804
logging synchronous
no modem enable
line aux 0
line vty 0 4
privilege level 15
password 7 XXXXXXXXX
logging synchronous
transport input ssh
transport output ssh
line vty 5 15
access-class 99 in vrf-also
privilege level 15
logging synchronous
transport input ssh
transport output ssh
!
scheduler allocate 20000 1000
ntp server XXXXXXXXXXX
ntp server 10.1.0.254
event manager applet TRACK_INET_DOWN
event track 6 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "int tun 0"
action 4.0 cli command "shutdown"
action 5.0 cli command "tunnel source vlan 21"
action 6.0 cli command "no shut"
action 6.1 cli command "exit"
action 6.2 cli command "do clear ip nat translation forced"
action 6.3 cli command "no ip nat inside source list 1 interface vlan 20 vrf INET overload"
action 6.4 cli command "ip nat inside source list 1 interface vlan 21 vrf INET overload"
action 7.0 cli command "end"
action 8.0 syslog msg "Primary INET DOWN - Activate Backup Connection"
event manager applet TRACK_INET_UP
event track 6 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "int tun 0"
action 4.0 cli command "shutdown"
action 5.0 cli command "tunnel source vlan 20"
action 6.0 cli command "no shut"
action 6.1 cli command "exit"
action 6.2 cli command "do clear ip nat translation forced"
action 6.3 cli command "no ip nat inside source list 1 interface vlan 21 vrf INET overload"
action 6.4 cli command "ip nat inside source list 1 interface vlan 20 vrf INET overload"
action 7.0 cli command "end"
action 8.0 syslog msg "Primary INET UP - Deactivate Backup Connection"
event manager applet storePreferences
event none sync yes
action 1 file open LOG flash:ccpexp/preferences.JSON w+
action 2 file puts LOG "{"analytics":false,"ccpTheme":true,"writeMemory":false,"japIPSEnable":false,"recmndSecrtySettings":false,"analyticsOpened":false,"overrideThemePreference":false,"adminEnabledCommandsForMonitorStr":""}"
action 3 file close LOG
!
end

Thanks

Hello

So just to confirm you did have ssh access before correct?

How are you trying to access the router? FYI, you need to be accessing it from the subnets specified in access-list 99.

 

Also, are you trying to access the router via one of its vrf interfaces?

 

Can you try the following, then test telnet and ssh and let us know if you can gain access via telnet and/or ssh:

 

Conf t
line vty 0 15
no access-class 99
transport input telnet ssh
end

Kind Regards
Paul

rasmus.elmholt
Level 7
If you have an access-class on your VTY lines with a deny any statement, then remote access isn't possible.
Normally when you connect you use up the first vty lines from 0 upwards.
So when the first 5 users login they will be validated against ACL 23 and then the rest will be validated against ACL99.
When a user logs out the VTY line will be freed up for someone else to use (show line).

Do you have configured a user and how does your AAA lines look? (show run | inc aaa)
Maybe more than 15 users have logged in and abandoned their session? (show users)
Or the SSH key hasn't been generated? ( show crypto key mypubkey all )

These are some of the problems I often see when SSH isn't working.
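To make two points in this thread concrete (Paul's note that the source address must be inside the subnets ACL 99 permits, and Rasmus's point that the first five sessions are checked against ACL 23 and later ones against ACL 99), here is an added Python example. It is not code from any poster here. It parses a constructed config modelled on the one above (addresses invented, ACL 99 written deny-only as the original poster first suspected), evaluates standard numbered ACLs with IOS wildcard-mask semantics, simulates which vty a new session lands on, and audits the vty blocks for the lockout and cleartext conditions discussed. The "lowest free vty" rule and the treatment of an undefined ACL as empty are assumptions flagged in the comments; confirm both on a lab device.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's config; addresses are invented.
# ACL 99 is written the way the original poster first suspected it: deny-only.
SAMPLE_CONFIG = """\
access-list 23 permit 10.0.4.0 0.0.0.255
access-list 99 deny   any
!
line vty 0 4
 access-class 23 in
 transport input telnet ssh
line vty 5 15
 access-class 99 in vrf-also
 transport input ssh
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_acls(config):
    """Standard numbered ACLs -> {number: [(action, base_int, wildcard_int), ...]}."""
    acls = {}
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue  # extended ACLs and unrelated lines are out of scope here
        num, action, a, b = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        if a == "any":
            base, wild = 0, 0xFFFFFFFF
        elif a == "host":
            base, wild = int(ipaddress.ip_address(b)), 0
        else:
            base = int(ipaddress.ip_address(a))
            wild = int(ipaddress.ip_address(b)) if b else 0  # bare address = host match
        acls.setdefault(num, []).append((action, base, wild))
    return acls


def acl_permits(entries, src_ip):
    """First match wins; a set wildcard bit means 'don't care'; implicit deny at the end."""
    ip = int(ipaddress.ip_address(src_ip))
    for action, base, wild in entries:
        if (ip & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF):
            return action == "permit"
    return False


def parse_vty(config):
    """Each 'line vty A B' block -> dict with its access-class number and transport input list."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^line vty (\d+) (\d+)$", line)
        if m:
            current = {"first": int(m.group(1)), "last": int(m.group(2)),
                       "access_class": None, "transport": []}
            blocks.append(current)
            continue
        if line.startswith("line ") or line == "!":
            current = None  # left the vty block (con/aux line or section separator)
            continue
        if current is None:
            continue
        m = re.match(r"^access-class (\d+) in", line)
        if m:
            current["access_class"] = int(m.group(1))
        m = re.match(r"^transport input (.+)$", line)
        if m:
            current["transport"] = m.group(1).split()
    return blocks


def can_connect(config, src_ip, in_use=()):
    """Simulate admission (assumption: a new session takes the lowest free vty, as the
    thread describes). The access-class of that vty's block decides whether src_ip gets in.
    An undefined ACL is treated as empty here (implicit deny); verify on a lab box."""
    acls, busy = parse_acls(config), set(in_use)
    for block in parse_vty(config):
        for n in range(block["first"], block["last"] + 1):
            if n in busy:
                continue
            acl = block["access_class"]
            if acl is None:
                return {"vty": n, "acl": None, "permitted": True}
            return {"vty": n, "acl": acl, "permitted": acl_permits(acls.get(acl, []), src_ip)}
    return {"vty": None, "acl": None, "permitted": False}  # every vty is occupied


def audit_vty(config):
    """Flag the lockout and cleartext conditions discussed in the thread."""
    acls, findings = parse_acls(config), []
    for b in parse_vty(config):
        rng = f"vty {b['first']} {b['last']}"
        acl = b["access_class"]
        if acl is None:
            findings.append(f"{rng}: no access-class, any reachable source may attempt login")
        elif not any(a == "permit" for a, _, _ in acls.get(acl, [])):
            findings.append(f"{rng}: access-class {acl} has no permit entry, all remote sessions refused")
        if "telnet" in b["transport"]:
            findings.append(f"{rng}: transport input allows telnet (cleartext credentials)")
    return findings


if __name__ == "__main__":
    for finding in audit_vty(SAMPLE_CONFIG):
        print(finding)
    print(can_connect(SAMPLE_CONFIG, "10.0.4.50"))                   # lands on vty 0, ACL 23
    print(can_connect(SAMPLE_CONFIG, "10.0.4.50", in_use=range(5)))  # vty 0-4 busy: vty 5, ACL 99
```

Feed it the output of `show run | section access-list|line vty` from a device and the audit shows at a glance which vty range is protected by a deny-only list, while the second `can_connect` call reproduces the symptom Rasmus describes: the same admin address is accepted while vty 0-4 are free and refused once it spills over into the ACL 99 range.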