SSH 9200 issue

milton-santos
Level 1

I have a Cisco Catalyst 9200 and I'm trying to access the equipment via SSH, but it's not possible; it gives an error stating that access was denied. Access via HTTP is possible without any problem.

Accepted Solutions

milton-santos
Level 1

Hello, dear my friends.

I managed to solve the access problem.

I did the configuration as @MHM Cisco World explained regarding authentication, but after this it still didn't work, so I configured one port-channel interface and interface VLAN 250 for management of my device, and passed that VLAN over the trunk between the directly connected devices.

Because before this I was trying to connect to my switch via the default VLAN 1.


So my configuration on the switch is now:

version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
platform punt-keepalive disable-kernel-core
!
hostname SWCORESPDC01
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
!
!
!
switch 1 provision c9200l-48p-4g
!
!
!
!
!
ip domain name suel.2017
!
ip dhcp pool webuidhcp
login on-success log
vtp version 1
!         
!         
!         
!         
!         
!         
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
 hash sha256
!         
crypto pki trustpoint TP-self-signed-284757285
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-284757285
 revocation-check none
 rsakeypair TP-self-signed-284757285
 hash sha256
!         
!         
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  quit
crypto pki certificate chain TP-self-signed-284757285
 certificate self-signed 01
  quit
!
license boot level network-essentials addon dna-essentials
memory free low-watermark processor 8237
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
enable secret 9 $9$Om0uz4cfTCO11.$ogHFR3Zplntw0jBp1UvEmjzWZclfpF0KbeWp3jK06wM
!
username milton privilege 15 secret 9 $9$rjFUTaA5n1w5dk$jfwsNTNVx/EZrbmj73FofZF1tkjw6FAP9qXyrMlA1u6
!
redundancy
 mode sso
crypto engine compliance shield disable
!
!
!
!
!
transceiver type all
 monitoring
!
lldp run
!
!
!
!
!
!
!
!
!
interface Port-channel1
 switchport trunk allowed vlan 1,250
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
!
interface GigabitEthernet1/0/48
 switchport trunk allowed vlan 1,250
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
 ip dhcp client client-id ascii cisco-20db.eada.8dc7-Vl1
 ip address dhcp
!
interface Vlan250
 ip address 10.10.250.252 255.255.255.0
!
ip http server
ip http secure-server
ip http client source-interface Vlan1
ip forward-protocol nd
ip ssh bulk-mode 131072
!
!
!
!
!
!
control-plane
 service-policy input system-cpp-policy
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line vty 0 4
 privilege level 15
 transport input ssh
line vty 5 15
 privilege level 15
 transport input ssh
!
!
!
!
!
!
!
end

 

14 Replies

Did you configure the following:

Hostname

Router(config)#hostname <host name>

Domain name

ip domain-name <Domain Name>

Generate the SSH key

Router(config)#crypto key generate rsa modulus <size>

Enable SSH transport

SWITCH(config)#ip ssh version 2

Make sure under the VTY lines you allow the SSH transport

line vty 0 4

transport input ssh

 

If so, please provide us the configuration to further assist along with any error messages you are getting and how you are trying to access the device.

 

-David

Hi, David. I did this but it doesn't work.

Building configuration...

Current configuration : 13053 bytes
!
! Last configuration change at 04:04:52 UTC Wed Jul 9 2025 by joao.sino
!
version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
platform punt-keepalive disable-kernel-core
!
hostname SWCORESPDCSUEL02
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging console emergencies
aaa new-model
!

line vty 0 4
privilege level 15
length 0
transport input ssh
line vty 5 15
privilege level 15
transport input ssh

Hello @milton-santos 

If you have followed Mr Ruess's advice and it is still not OK after that, please check your logs...

Thanks for sharing your log output.

Also, did you configure a local username with associated privileges? If yes, you need the command login local under line vty 0 4.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

 

Is it the same device you are using for GUI access and for SSH? What SSH client are you using? (If you are not far away from the switch, I suggest connecting to the console to see the logs; that gives you a clear direction on what is wrong.) You can also view the logs in the GUI when you are trying to access via SSH.

#show ip ssh (try from the console, or try from the GUI command execution) and post the output.

I always use the quick fix below for switches that have SSH issues; change the username and password as per your requirements.

 

enable secret 5 $1$jtK0$yyHFcVM7xyelts1csVwrV/
!
username cisco privilege 15 secret 5 $1$0qFD$ZEMDi.7z1QTtF4EuPdlSY.
aaa new-model
!
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
no ip domain-lookup
ip domain-name bb.com
ip cef
no ipv6 cef
!

ip ssh version 2
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous level 0 limit 20
stopbits 1
line aux 0
line vty 0 4
privilege level 15
password cisco
transport input ssh
transport output all
!
######### Generate SSH keys :
crypto key generate rsa

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Friend 

Never NEVER add 

Aaa new-model 

Before you add 

1- username password privilege 15

2- enable password 

And after you add aaa new-model 

You need 

Aaa authentication login defualt local 

Aaa authorization defualt local 

Here your vty uses aaa because you added aaa new-model

Be careful and don't WR config before you are sure you can access vty (telnet and ssh) and console

MHM

Dear my friends, 

I made that; the output commands don't work. Just below is a configuration without a switch.

milton-santos
Level 1

Dear my friends. @MHM Cisco World @balaji.bandi M02@rt37 @David Ruess 

I already made these configs and even so it is still not possible to access via ssh. Below are the configs made on the switch, and I removed some things so that the output would not be too big.

# sh run
Building configuration...
Current configuration : 13139 bytes
!
! Last configuration change at 00:20:17 UTC Thu Jul 10 2025 by milton.itowl
!
version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
platform punt-keepalive disable-kernel-core
!
hostname SWCORESPDC02
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging console emergencies
aaa new-model
aaa local authentication default authorization default
!
!
aaa authentication login defualt local
!
!
aaa session-id common
!
!
!
boot system switch all flash:packages.conf
switch 1 provision c9200l-48p-4g
!
!
!
!
!
ip domain name mydomain.local
!
ip dhcp pool webuidhcp
!
!
!
!
login on-success log
vtp version 1
!
!
!
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
hash sha256
!
crypto pki trustpoint TP-self-signed-3259926389
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3259926389
revocation-check none
rsakeypair TP-self-signed-3259926389
hash sha256
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
quit
crypto pki certificate chain TP-self-signed-3259926389
certificate self-signed 03
quit
!
license boot level network-essentials addon dna-essentials
memory free low-watermark processor 8237
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
enable secret 9 $9$su1ecJc3i5eBGE$sC.IpqPOYaW5XXevGUIW9cWVCeA60oZXPh2QzOCRTSw
enable password cisco@1234
!
username cisco privilege 15 password 0 cisco
!
redundancy
mode sso
crypto engine compliance shield disable
!
!
!
!
!
transceiver type all
monitoring
!
lldp run
!
class-map match-any system-cpp-police-ewlc-control
description EWLC Control
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
description EWLC data, Inter FED Traffic
class-map match-any system-cpp-police-sys-data
description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
description High Rate Applications
class-map match-any system-cpp-police-multicast
description MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual OOB
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-ios-routing
description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
!
interface GigabitEthernet1/0/48
switchport mode trunk

!
interface Vlan1
ip dhcp client client-id ascii TSP28470068
ip address dhcp
!
interface Vlan250
ip address 10.10.250.250 255.255.255.0
!
ip default-gateway 192.168.6.1
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface Vlan1
ip forward-protocol nd
ip ssh maxstartups 2
ip ssh bulk-mode 131072
ip ssh time-out 60
!
!
!
!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
exec-timeout 0 0
stopbits 1
line vty 0 4
privilege level 15
password cisco
length 0
transport input ssh
line vty 5 15
privilege level 15
password cisco
transport input ssh
!
!
!
!
!
!
!
end

Did you add the following command:

Router(config)#crypto key generate rsa modulus <size>

If so can you run a debug of ssh and show us any log/errors when you try to log into the device please?

 

-David

Hello @milton-santos 

aaa authentication login defualt local

-> typo error ?

Check that please.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
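
As an added example (not code from any poster in this thread or from Cisco), the sketch below lints a running-config for the AAA login points raised in the replies: a login method list whose name is not `default` and is applied to no line, vty line passwords that AAA login does not consult, and credentials stored with `password` instead of `secret`. The sample config is constructed from lines posted above, and `parse_blocks` and `audit` are hypothetical names.

```python
import re

# Constructed excerpt, modelled on the non-working running-config posted above.
# Assumes the one-space indentation that "show running-config" gives sub-commands.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login defualt local
enable password cisco@1234
username cisco privilege 15 password 0 cisco
line vty 0 4
 privilege level 15
 password cisco
 transport input ssh
line vty 5 15
 privilege level 15
 password cisco
 transport input ssh
"""


def parse_blocks(text):
    """Group a config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0] == " " and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(text):
    """Return (code, message) findings for AAA login and credential storage."""
    blocks = parse_blocks(text)
    top = [cmd for cmd, _ in blocks]
    vtys = [(cmd, subs) for cmd, subs in blocks if cmd.startswith("line vty")]
    findings = []

    # aaa authentication login {default | list-name} method1 [method2 ...]
    lists = {}
    for cmd in top:
        m = re.match(r"aaa authentication login (\S+) (.+)", cmd)
        if m:
            lists[m.group(1)] = m.group(2).split()
    # Named lists only take effect where a line says "login authentication NAME".
    applied = set()
    for _, subs in blocks:
        for sub in subs:
            m = re.match(r"login authentication (\S+)", sub)
            if m:
                applied.add(m.group(1))

    if "aaa new-model" in top:
        if "default" not in lists:
            findings.append(("AAA-NO-DEFAULT-LIST",
                             "no 'aaa authentication login default ...' is configured"))
        for name in sorted(set(lists) - {"default"} - applied):
            findings.append(("AAA-UNAPPLIED-LIST",
                             f"method list '{name}' is defined but applied to no line"))
        uses_line_method = any("line" in methods for methods in lists.values())
        for cmd, subs in vtys:
            if not uses_line_method and any(s.startswith("password ") for s in subs):
                findings.append(("VTY-PASSWORD-UNUSED",
                                 f"{cmd}: line password set, but no method list uses 'line'"))

    # "password" stores cleartext (type 0) or reversible type 7; "secret" is hashed.
    for cmd in top:
        if cmd.startswith("enable password ") or re.match(r"username \S+ .*\bpassword\b", cmd):
            label = " ".join(cmd.split()[:2])  # never echo the credential itself
            findings.append(("WEAK-CREDENTIAL-STORAGE",
                             f"{label}: uses 'password' instead of 'secret'"))

    for cmd, subs in vtys:
        if "transport input ssh" not in subs:
            findings.append(("VTY-NOT-SSH-ONLY", f"{cmd}: transport input is not ssh-only"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONFIG):
        print(f"{code:24} {message}")
```

These findings are configuration hygiene checks; they do not test whether the management address is reachable from the client.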

Let me ask you some basic questions here:

1. What is the IP address you are connecting to the device from?

2. This switch is acting as Layer 2; what is the IP address you get for VLAN 1 from DHCP?

3. Can you post show ip ssh (it was asked before)?

4. Do you need VTP on this switch? If not, disable it with vtp mode transparent (this will become a server; if any switch participates in VTP, there will be other issues).

If you need further assistance, post the output below:

1. show ip interface brief

2. show ip ssh (asked above)

3. show ip route

4. From what client IP are you connecting?

5. What terminal client are you using to connect via SSH?

 

Here is my test lab Cat 9K config:

version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform punt-keepalive disable-kernel-core
!
hostname BBTEST
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
aaa new-model
!
!
aaa session-id common
!
!
ip domain name bb.com
!
!
login on-success log
!
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
crypto pki trustpoint TP-self-signed-2874884994
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2874884994
 revocation-check none
 rsakeypair TP-self-signed-2874884994
!
!
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
        quit
crypto pki certificate chain TP-self-signed-2874884994
 certificate self-signed 01
        quit
!
memory free low-watermark processor 75927
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
enable secret 9 $14$jtK0$VLVqIHFV5.Ri2U$XvRZ3GquU09XimISYZtdq9qc6VSdhtgZUydk6imQDa6
!
username cisco privilege 15 secret 9 $14$0qFD$L6Yof9W.fyjfPE$nxc/Gpn11l/fuPOHABP8h2s//UArNmP4XFMthH4HYjc
!
redundancy
 mode sso
crypto engine compliance shield disable
!
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
  description EWLC control, EWLC data, Inter FED
class-map match-any system-cpp-police-sys-data
  description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
  description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
  description L2 LVX control packets
class-map match-any system-cpp-police-forus
  description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
  description MCAST END STATION
class-map match-any system-cpp-police-multicast
  description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
  description L2 control
class-map match-any system-cpp-police-dot1x-auth
  description DOT1X Auth
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
  description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
  description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
  description DHCP snooping
class-map match-any system-cpp-police-system-critical
  description System Critical and Gold Pkt
!
policy-map system-cpp-policy
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip dhcp client client-id ascii xxxxxxxxxxxxxxxx
 ip address dhcp
 negotiation auto
!
!
interface Vlan1
 no ip address
 shutdown
!
ip forward-protocol nd
ip tcp mss 1280
ip tcp window-size 212000
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0
ip tftp source-interface GigabitEthernet0/0
ip ssh bulk-mode 131072
!
!
control-plane
 service-policy input system-cpp-policy
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous level 0 limit 20
 stopbits 1
line vty 0 4
 privilege level 15
 password cisco
 transport input ssh
line vty 5 15
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
end

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

milton-santos
Level 1

@David Ruess and M02@rt37 
After applying the debug ip ssh commands, it doesn't show me anything, but after applying "debug ip icmp" it shows me logs about ICMP.

Could it be a problem with this equipment model?

I tried to access another piece of equipment through the Cisco and it showed these logs:

*Jul 10 05:22:12.004: SSH CLIENT0: protocol version id is - SSH-2.0-OpenSSH_8.0
*Jul 10 05:22:12.004: SSH CLIENT0: sent protocol version id SSH-2.0-Cisco-1.25
*Jul 10 05:22:12.005: SSH CLIENT0: protocol version exchange successful
*Jul 10 05:22:12.005: SSH2 CLIENT 0: kexinit sent: kex algo = curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
*Jul 10 05:22:12.005: SSH2 CLIENT 0: kexinit sent: encryption algo = chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
*Jul 10 05:22:12.005: SSH2 CLIENT 0: kexinit sent: mac algo = hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
*Jul 10 05:22:12.005: SSH2 CLIENT 0: send:packet of length 736 (length also includes padlen of 11)
*Jul 10 05:22:12.006: SSH2 CLIENT 0: SSH2_MSG_KEXINIT sent
*Jul 10 05:22:12.007: SSH2 CLIENT 0: ssh_receive: 1080 bytes received
*Jul 10 05:22:12.007: SSH2 CLIENT 0: input: total packet length of 1080 bytes
*Jul 10 05:22:12.008: SSH2 CLIENT 0: partial packet length(block_size)8 bytes,
needed 1072 bytes, maclen 0
*Jul 10 05:22:12.008: SSH2 CLIENT 0: input: padlength 8 bytes
*Jul 10 05:22:12.008: SSH2 CLIENT 0: SSH2_MSG_KEXINIT received
*Jul 10 05:22:12.008: SSH2 CLIENT 0: kex: server->client enc:chacha20-poly1305@openssh.com mac:None
*Jul 10 05:22:12.008: SSH2 CLIENT 0: kex: client->server enc:chacha20-poly1305@openssh.com mac:None
*Jul 10 05:22:12.008: SSH2 CLIENT 0: Using hostkey algo = ecdsa-sha2-nistp256
*Jul 10 05:22:12.008: SSH2 CLIENT 0: Using kex_algo = curve25519-sha256
*Jul 10 05:22:12.044: SSH2 CLIENT 0: sending SSH2_MSG_KEX_ECDH_INIT
*Jul 10 05:22:12.044: SSH2 CLIENT 0: send:packet of length 48 (length also includes padlen of 6)
*Jul 10 05:22:12.044: SSH2 CLIENT 0: expecting SSH2_MSG_KEX_ECDH_INIT
*Jul 10 05:22:12.049: SSH2 CLIENT 0: ssh_receive: 280 bytes received
*Jul 10 05:22:12.049: SSH2 CLIENT 0: input: total packet length of 264 bytes
*Jul 10 05:22:12.049: SSH2 CLIENT 0: partial packet length(block_size)8 bytes,
needed 256 bytes, maclen 0
*Jul 10 05:22:12.049: SSH2 CLIENT 0: input: padlength 11 bytes
*Jul 10 05:22:12.085: SSH2 CLIENT 0: kex_c25519_client: Computated digest len 32
*Jul 10 05:22:12.085: SSH2 CLIENT 0: kex_c25519_client: keytype from keyblob 2
*Jul 10 05:22:12.085: SSH2 CLIENT 0: ssh2_blob_to_key: Got blob_public key ecdsa-sha2-nistp256, blob_key_type 2, publickey_algo_type 2
*Jul 10 05:22:12.085: SSH2 CLIENT 0: ssh2_blob_to_key: curveName nistp256 with len
*Jul 10 05:22:12.085: ssh2_calculate_modulus_length: modulus len 32
*Jul 10 05:22:12.094: SSH: Signature verification successful
*Jul 10 05:22:12.094: SSH2: kex_derive_keys complete
*Jul 10 05:22:12.094: SSH2 CLIENT 0: send:packet of length 16 (length also includes padlen of 10)
*Jul 10 05:22:12.094: SSH2 CLIENT 0: newkeys: mode 1
*Jul 10 05:22:12.094: SSH2 CLIENT 0: SSH2_MSG_NEWKEYS sent
*Jul 10 05:22:12.095: SSH2 CLIENT 0: waiting for SSH2_MSG_NEWKEYS
*Jul 10 05:22:12.095: SSH2 CLIENT 0: input: total packet length of 16 bytes
*Jul 10 05:22:12.095: SSH2 CLIENT 0: partial packet length(block_size)8 bytes,
needed 8 bytes, maclen 0
*Jul 10 05:22:12.095: SSH2 CLIENT 0: input: padlength 10 bytes
*Jul 10 05:22:12.095: SSH2 CLIENT 0: newkeys: mode 0
*Jul 10 05:22:12.095: SSH2 CLIENT 0: SSH2_MSG_NEWKEYS received
*Jul 10 05:22:12.095: SSH CLIENT0: key exchange successful and encryption on
*Jul 10 05:22:12.095: SSH2 CLIENT 0: send:packet of length 28 (length also includes padlen of 6)
*Jul 10 05:22:12.096: SSH2 CLIENT 0: ssh_receive: 44 bytes received
*Jul 10 05:22:12.097: SSH2 CLIENT 0: input: total packet length of 28 bytes
*Jul 10 05:22:12.097: SSH2 CLIENT 0: partial packet length(block_size)8 bytes,
needed 24 bytes, maclen 0
*Jul 10 05:22:12.097: SSH2 CLIENT 0: input: padlength 6 bytes
*Jul 10 05:22:12.097: SSH2 CLIENT 0: send:packet of length 52 (length also includes padlen of 4)
*Jul 10 05:22:12.107: SSH2 CLIENT 0: ssh_receive: 84 bytes received
*Jul 10 05:22:12.107: SSH2 CLIENT 0: input: total packet length of 68 bytes
*Jul 10 05:22:12.107: SSH2 CLIENT 0: partial packet length(block_size)8 bytes,
needed 64 bytes, maclen 0
*Jul 10 05:22:12.107: SSH2 CLIENT 0: input: padlength 10 bytes
*Jul 10 05:22:12.107: SSH2 CLIENT 0: using method password authentication

*Jul 10 05:22:27.093: SSH2 CLIENT 0: send:packet of length 76 (length also includes padlen of 6)

And the password is correct, because it is my firewall and I'm using my password.

Debug ip ssh 

Debug ip tcp transcript 

Debug authen event

Share these debug please 

And the last code you use

MHM

Happy ending 

Have a nice day 

MHM