CSCwf28118 - vEdge: Certificate issue on Viptela devices
05-09-2023 03:13 PM
This is a Cisco global outage, and Cisco won't open customer TAC cases on it. We already have 83 remote sites affected. Where will Cisco post incident updates and instructions for the final fix? Extending timers is just a band-aid.
Labels: Cisco Bugs
05-09-2023 09:41 PM
We currently have this problem as well. Cisco TAC did not provide any solution, and they are still checking for one. Please see the guide/mitigation steps from Cisco TAC below.
Identify vEdge Certificate Expired on May 9th 2023 - Cisco
05-09-2023 10:22 PM
Is rewinding the clock of all devices effective as a countermeasure?
05-10-2023 02:50 AM
Hi,
I just tried this on a test 100b device on a test overlay but unfortunately it didn't work.
Before change:
mydevice# sh control local
personality vedge
root-ca-chain-status Installed
certificate-status Installed
certificate-validity Not Valid - certificate has expired
After change:
mydevice# clock set date 2023-05-01 time 08:35:00.000
mydevice# sh control local
personality vedge
root-ca-chain-status Installed
certificate-status Installed
certificate-validity Valid
Which looked good but then when I cleared the control connections it didn't come back. I haven't checked the vbond logs yet but I guess it's because the cert it's presenting to vbond is still expired.
I also tried setting the date back on one of the vbonds but the vedge still didn't recover. Device bringup logs show:
Event Name : vbond-reject-vedge-connection
reason=ERR_BID_NOT_VERIFIED
Dave
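The two "show control local" outputs and the bringup log lines above illustrate the trap Dave hit: certificate-validity is evaluated against the device's own clock, so a rolled-back clock reports "Valid" locally while the vBond still rejects the expired certificate. The script below is an added example, not Cisco's or anyone in this thread's code; it parses constructed samples of that output, flags expired certificates, flags "Valid" results that only hold under a rolled-back clock, and pulls the rejection reasons out of bringup log text.

```python
import re
from datetime import datetime, timezone

# Constructed samples modelled on the "show control local" and bringup log
# text quoted in the thread; not captured from a real device.
SHOW_CONTROL_LOCAL = {
    "site1-vedge": "personality vedge\nroot-ca-chain-status Installed\n"
                   "certificate-status Installed\n"
                   "certificate-validity Not Valid - certificate has expired",
    "site2-vedge": "personality vedge\nroot-ca-chain-status Installed\n"
                   "certificate-status Installed\ncertificate-validity Valid",
}
NOW = datetime(2023, 5, 10, 8, 35, tzinfo=timezone.utc)          # reference time
DEVICE_CLOCKS = {                                                # what each device believes
    "site1-vedge": NOW,
    "site2-vedge": datetime(2023, 5, 1, 8, 35, tzinfo=timezone.utc),  # rolled back
}
BRINGUP_LOG = ("Event Name : vbond-reject-vedge-connection\n"
               "reason=ERR_BID_NOT_VERIFIED\n")

def parse_control_local(text):
    """Turn 'key value...' lines into a dict; values may contain spaces."""
    fields = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
    return fields

def cert_expired(fields):
    return fields.get("certificate-validity", "").startswith("Not Valid")

def clock_rolled_back(device_clock, reference_clock, tolerance_s=300):
    """A local 'Valid' under a clock behind the reference is not trustworthy:
    the peer (vBond/vSmart) validates the certificate against its own clock."""
    return (reference_clock - device_clock).total_seconds() > tolerance_s

def audit(outputs, device_clocks, now):
    """Classify each device as expired, ok, or 'valid' only because of its clock."""
    findings = {}
    for name, text in outputs.items():
        fields = parse_control_local(text)
        if cert_expired(fields):
            findings[name] = "expired"
        elif clock_rolled_back(device_clocks[name], now):
            findings[name] = "valid-only-under-rolled-back-clock"
        else:
            findings[name] = "ok"
    return findings

def vbond_rejections(log):
    """Return the reason= value following each vbond-reject-vedge-connection event."""
    lines = log.splitlines()
    reasons = []
    for i, line in enumerate(lines):
        if "vbond-reject-vedge-connection" in line:
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            m = re.search(r"reason=(\S+)", nxt)
            reasons.append(m.group(1) if m else "unknown")
    return reasons
```

Run audit(SHOW_CONTROL_LOCAL, DEVICE_CLOCKS, NOW) against outputs gathered from your own devices to see which "Valid" results are only an artefact of a changed clock.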
05-10-2023 06:33 AM
According to TAC, this would work but you'd have to change the clocks on all your routers and all controllers. For those of us with hosted controller instances, it's not an option as the time is synced with the VM host.
05-10-2023 07:09 AM
Thanks for the confirmation, makes sense, we're hosted too.
05-09-2023 10:59 PM
Dear Cisco team,
Kindly fix this issue on a priority basis. Our work is affected due to this issue.
19 vEdge locations are impacted.
05-10-2023 03:39 AM
@anandpaleja1 most of the people here are Cisco customers just like yourself.
To raise this with Cisco directly, you should talk to your Cisco account team or TAC.
05-10-2023 03:43 AM
Affected here as well. A number of locations still have tunnels up but control connections and OMP peers are down. We do "track-omp" for VRRP so these sites lost their default gateway. Logging in via SSH and removing "track-omp" from the VRRP configuration fixed the connectivity for now. But of course it's only a matter of time before the IPSec sessions are renegotiated and the sites go offline.
Fingers crossed that Cisco will have a fix before then.
05-10-2023 04:43 AM - edited 05-10-2023 04:44 AM
Interestingly we've got some control connections that have been up less than 24 hours (i.e. since the certificate expired). I'd have expected those to have failed. Wondering if Cisco disabled cert validation or something temporarily. I also couldn't get an answer from TAC on whether the control connections have some kind of timer or periodic rekey as we have some up for over 57 hours.
05-10-2023 05:21 AM
We are experiencing this as well. We have two data centers connected using 1000s that I'm very concerned about. While we are not at this point yet, we may need to notify the FDIC of the potential operational interruption.
05-11-2023 02:47 AM
Software updates are now available. In our case, it's 20.6.3.2.
06-05-2023 08:17 AM
Please view this document: https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/220448-identify-vedge-certificate-expired-on-ma.html#toc-hId--813846323
It is being updated with all the latest information.
