05-13-2021 11:40 PM
Hi all,
We have a Multisite setup with 2 locations and have CloudSec enabled; every 15 minutes the keys will change.
We also have recurring snapshots for the Fabric on both sites, but even if we have made no changes at all ourselves, we still see changes in the config. These changes are the CloudSec keys that have been changed.
What will happen if you need to roll back a snapshot for 1 site? Will this break the CloudSec trust or something, because the keys might differ between the 2 sites?
Has anyone experienced this, or does anyone know?
05-14-2021 05:08 PM
Rolling back a snapshot or restoring an older config on any site (APIC) will not affect CloudSec connectivity or operation. Only the Pre-Shared Keys (PSKs) appear in the snapshot, not the more critical Security Association Key (SAK). The SAK is what's used for encryption/decryption and is unaffected by the config import/rollback. When a SAK expires, it uses the next available PSK index to generate a new set of SAKs. As long as a PSK is included in the exported config/snapshot (taken while it was enabled) there will be no issues.
Robert
05-16-2021 11:49 PM
Hi Robert,
Thank you for your explanation.
Have a nice day!