Cisco Support Community
Community Member

Switch VTY locked down after 16 failed login attempts


Since yesterday I can't access one of the switches on the corporate network I manage.


  • WS-C2960-24PC-L with IOS 15.0(2)SE4.
  • Console enabled, SSH enabled, Telnet disabled, HTTP disabled, HTTPS enabled.
  • SSH and HTTPS use AAA with RADIUS (Network Policy Server Role @ Windows Server 2008 R2).

The device is switching packets correctly and it even replies to ping requests. After scanning the IP I see only port 443 open, but the last technician who upgraded the switch IOS didn't upload the TAR image containing the web UI files, instead he uploaded just the BIN, so HTTPS is a no-no. SNMP is also working fine (only RO community configured).

While I was trying to figure out what had happened, I found 16 failed login attempts on Windows Event Viewer:

My first guess was that after 16 failed attempts the switch entered some kind of lock down mode for its own protection. I didn't configure the switch to behave like that so I'm guessing it's a by-default behavior (btw, no changes after power-cycling). The thing is, I can't find any default commands regarding the lock down, so I can't know if it will come back by itself or console is mandatory. The switch is 900 miles away from me, so console is always last resort.

About the login attempts, the switch isn't accessible through the public network, so they came from the corporate network. One way to come around with the switch IP address is guessing the name ("sw-xxxxxx.yyyyyyy.zz") and resolving it against the corporate name server *OR* capturing a CDP packet. Curious George tried to log in with CISCO, Cisco, cisco, Admin and ADMIN, and, since I haven't configured a syslog server plus a technician power-cycled because of the lock down, I can't know for sure who tried to access the device (yes, I'm now setting up a syslog server, ACLs and that sort of stuff).

Is this lock down actually how Cisco IOS behaves by default? Is it possible to disable it?

Could it be some sort of firmware failure?

Best regards,

