cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10846
Views
0
Helpful
42
Replies

Can't Access 3650 Web Panel (but works on CLI)

BashedRoot
Level 2
Level 2

Strange issue here. I have 2 x 3650 switches both running Version 3.76. Web interface shows fine, but cannot log into switch #1.

I've had no issues accessing the panels via web on both switches, saved my passwords locally in Roboform too. Suddenly, my login is not working for switch #1, but works fine on switch #2. I'm baffled.

How do I correct this?

I checked the user/pw in show run

enable secret 5 ********
enable password ********
42 Replies 42

Small correction, I use SSH2 protocol not telnet.

I also added a new username with 15 privilege in the web GUI. It got me in via SSH2 directly into enable mode. One step forward, however, still want the prior user authentication first for extra security.

Here's where I'm stuck now.

Cisco3650#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco3650(config)#line vty 0 4
Cisco3650(config-line)#login local
^% Invalid input detected at '^' marker.

What are your options at 'login' ?

login ?

Try and remove the aaa model
no aaa new-model

Not working for me.

 

Cisco3650#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco3650(config)#line vty 0 4
Cisco3650(config-line)#login local
                             ^
% Invalid input detected at '^' marker.

Cisco3650(config-line)#
Cisco3650#
Cisco3650#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

Cisco3650(config)#no aaa new-model
Changing configuration back to no aaa new-model is not supported. 

What do you get after 'login' ?

 

Cisco3650(config-line)#login ?

 

Also, at:

 

Cisco3650(config)#no aaa new-model

 

just hit <enter>, this should delete the aaa model. The message is just a warning...

Yes I hit enter, tried to log in again but still goes directly to enable mode, skipping the myusername auth step prior (like I had before).

What do you get after 'login' ?

 

Cisco3650(config-line)#login ?

 

Can you post the output of that ? There should be a 'local' option...

This is the only thing I see from the moment I log in (goes directly into enabled mode) and running that command, nothing else.


Cisco3650#
Cisco3650#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco3650(config)#no aaa new-model
Cisco3650(config)#
Cisco3650(config)#end
Cisco3650#wr
Building configuration...
Compressed configuration from 24401 bytes to 9027 bytes[OK]
Cisco3650#

Here's a comparison of the 2 switches.

Switch #1 (main one trying to fix)

 

version 16.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
no service password-recovery 
no platform punt-keepalive disable-kernel-core
!
hostname Cisco3650
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
no aaa new-model
clock timezone EST -5 0
facility-alarm critical exceed-action shutdown
switch 1 provision ws-c3650-24ts

Switch #2 (works correctly by logging into myusername first and manually having to enter "en" mode)

version 16.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service compress-config
no service password-recovery 
no platform punt-keepalive disable-kernel-core
!
hostname Switch2
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
no logging console
enable secret 5 xxxxxxxxxxxxxxxx
enable password TLNsxxxxxxxxxxxxxxxx
!
no aaa new-model
clock timezone EST -5 0
facility-alarm critical exceed-action shutdown
switch 2 provision ws-c3650-24ts

 

 

 

What does the VTY line configuration look like on both switches ?

line vt 0 4

?

Switch #1

control-plane
 service-policy input system-cpp-policy
!
!
!
line con 0
 exec-timeout 480 0
 login local
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class Manage-SSH in
 exec-timeout 480 0
 login local
 length 0
 transport input ssh
line vty 5 15
 access-class Manage-SSH in
 exec-timeout 480 0
 login local
 length 0
 transport input ssh
!

Switch #2

control-plane
 service-policy input system-cpp-policy
!
!
!
line con 0
 exec-timeout 480 0
 login local
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class Manage-SSH in
 exec-timeout 480 0
 login local
 length 0
 transport input ssh
line vty 5 15
 access-class Manage-SSH in
 exec-timeout 480 0
 login local
 length 0
 transport input ssh
!

So in addition to the enable mode password issue on switch #1
I'm still having this odd issue with switch #2 where it works fine (logs into myusername first, then into enable mode). However, it doesn't work with new enable password I set when I log in via VPN IP address which is already whitelisted in ACL and worked fine before I reset enable password. It's crazy, I log in just fine directly via SSH2 but via the VPN IP it no longer works. It works on myusername/pw but enable pw won't work. Same one works directly into switch.
ACL config is 100% identical on switches #1 and #2 as well.

I would appreciate some help here.

Everest 16.6.2 has this issue as well.

Review Cisco Networking for a $25 gift card