Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10734
Views
44
Helpful
13
Replies

Peer in Cold State. Incremental Sync Failure: SSL Keyfile does not exist

Marvin Rhoads
Hall of Fame
Hall of Fame

‎02-09-2010 04:46 PM

I am gettng the subject message when trying to sync my ACE modules. I am running A2(1.0a) right now (about to upgrade to 1.6a).

Both primary and backup ACE report the identical output from a "show crypto files" down to the individual file sizes.

Any tips?

1 person had this problem
Labels:
0 Helpful
13 Replies 13

Marvin Rhoads
Hall of Fame
Hall of Fame

‎02-09-2010 09:35 PM

I found the answer in the Cisco Application Control Engine Module SSL Configuration Guide. Basically once you get out of sync (because the keys wern't loaded on both modules in my case) you need to take the units out of aut sync and then but them back in to force a bulk synchronization.

sslcfggd.fmb

In a redundant configuration, the ACE does not synchronize the SSL certificates and key pairs that are present in the active context to the standby context of an FT group. If the ACE performs a configuration synchronization and does not find the necessary certs and keys on the standby, config sync fails and the standby enters the STANDBY_COLD state. To copy the certs and keys to the standby context, you must export the certs and keys from the active context to an FTP or TFTP server using the crypto export command, and then import the certs and keys to the standby context using the crypto import command. For more information about importing and exporting certs and keys, see the “Importing or Exporting Certificate and Key Pair Files” section.

To return the standby context to the STANDBY_HOT state after a config sync failure, ensure that you have imported the necessary SSL certs and keys to the standby context, and then perform a bulk sync of the active context configuration by entering the following commands in configuration mode in the active context of the FT group:

1.no ft auto-sync running-config

2.ft auto-sync running-config

Hope this helps somone else avoid this bump.

huangedmc
Level 3
Level 3
In response to Marvin Rhoads

‎02-10-2010 10:16 PM

I see that you plan on upgrading to A2(1.6a).

We'd been running that code for a while, and it had been rock solid until the primary ACE module failed over to secondary after a memory corruption bug hit us: CSCta06378

The bug is fixed in A2(2.3), so I'd go w/ that version instead.

Thanks for the tip about the config sync issue.

Instead of disabling auto-sync and then re-enabling it, we've been doing shut & no shut on the ft interface, which seems to work too.

I'll give your method a try next time we have the same issue.

0 Helpful

Sean Merrow
Level 4
Level 4
In response to huangedmc

‎02-11-2010 09:58 AM

Hello,

If you need to force a config-sync, you are better off bouncing the ft auto-sync run.  This is because the config-sync is the only thing affected when you do this.  If you bounce the FT interface, you could cause both of your ACE modules to become active (unless you have FT Query VLAN configured).  If the standby ACE becomes active even for a second, it will GARP for the IPs it owns and could corrupt ARP tables in adjacent devices.

Hope this helps,

Sean

j.kostecki
Level 1
Level 1
In response to Marvin Rhoads

‎10-01-2010 07:35 AM

Great solution! Thank you for posting!

aakagarw
Level 1
Level 1
In response to Marvin Rhoads

‎05-10-2012 10:40 PM

Thanks guys,

I am new born baby for ACE, but I know that a bit and learning too. I had similar issue, I found both ACEs had same cert/ssl keys for the context.

All I did went to Active ACE context and :

1.no ft auto-sync running-config

2.ft auto-sync running-config

Problem Solved. thanks for the post Marvin.

-Aakash

alessandro.dona
Level 3
Level 3
In response to aakagarw

‎05-29-2013 09:11 AM

Hi,

i'm trying to import the certs and keys to secondary ACE but i'm not able because on secondary all conf are disabled.

What is the procedure in order i can import also when on secondary?

Should i launch "no ft auto.sync", import and then "auto-sync" or what else?

Regards

Alessandro.

0 Helpful

aakagarw
Level 1
Level 1
In response to alessandro.dona

‎05-29-2013 09:13 AM

You are not required to goin config mode to import cert - that can be done from User exec mode

0 Helpful

alessandro.dona
Level 3
Level 3
In response to aakagarw

‎05-29-2013 09:16 AM

I know but when i try to write crypto i got error...i think i should de-refernce ssl proxy key and cert....importo on secondaru anc then refercen again....

0 Helpful

aakagarw
Level 1
Level 1
In response to alessandro.dona

‎05-29-2013 09:17 AM

Would you mind pasting the error you get?

0 Helpful

Jorge Bejarano
Level 4
Level 4
In response to alessandro.dona

‎05-30-2013 04:43 PM

Alessandro,

Here you have a link about uploading certificates:

https://supportforums.cisco.com/message/3695563#3695563

Jorge

0 Helpful

Michal Mihaly
Level 1
Level 1
In response to Marvin Rhoads

‎04-14-2016 06:08 PM

Marvin great help! Thank you

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Michal Mihaly

‎04-14-2016 08:01 PM

Michal,

Glad to know my posting is still helping 6 years later. :)

Thanks for letting me know

0 Helpful

Edward Brennan
Level 1
Level 1
In response to Marvin Rhoads

‎12-01-2017 03:40 PM

Still helping! 

 

Thank you Marvin.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents