
Cisco ESA issues aggregator

Hi, since about 11:50 pm January 13 we have been getting this error:

The Warning message is:

 

Unable to connect to the Cisco Aggregator Server.

Details: (60, 'SSL certificate problem: unable to get local issuer certificate').

I don't see any messages on the status page. If I browse directly to that URL from a browser, it says no certificate sent.

Anyone else run into this issue?

 

20 Replies

Komaneko
Level 1

Hi, we have the same problem since 06 h 00 AM (GMT+1) January 14.

telnet aggregator.cisco.com 443 from our ESA seems to work.

From a browser we have this message:

{"status": 403, "message": "No valid SSL certificate was sent"} 

 

munaf shaikh
Level 1

Facing same issue.

Not sure if this issue is related to SSL certificate. We do have a wildcard certificate in the appliance certificates list.

Also we can telnet to cisco.aggregator.com over 443 from the ESA CLI 

FloK
Level 1

Good morning. I'm getting the same error on our devices, I assume it has something to do with Field Notice: FN - 72502 - Secure Web, Secure Management, and Secure Email Virtual Appliances Might Not Receive Updates After January 13, 2023 - Configuration Change Recommended - Cisco

However, our partner where we order the licenses sent us updated VLN certificate files two weeks ago. I installed them using loadlicense and confirmed the new licenses/certs were installed correctly using showlicense. So far everything seems to be OK, however I'm getting this error. I'll contact technical support, let's see what Cisco says.

Don't think this issue is related to VLN, because we have a VLN whose issue date or begin_date is after December 15, 2021, i.e. Mar 2022.

And as per the Field Notice article, appliances having VLN certificates created prior to December 15, 2021 are affected.

Seems something to do with the aggregator.cisco.com service, coz many people have reported the same issue on the same day.

Not sure the issue is related to this notice, our VLN issue date is April 2022. On the other hand, the version of our ESA, AsyncOS 13.5.3, is indeed concerned.

robertmanak
Level 1

We have the same issue, started around 6 AM (GMT+1) 14th of Jan. Our AsyncOS is 14.0.3-015.

Ricardo Fuentes
Level 1

Same, we are getting this error as well. The issue started 1/13/2023 - 11:04 PM Pacific Time (Seattle)

I do not think this is related to that VLN license that was required to be updated, as I can see in the updater_logs that updates are still happening and there is no log entry stating "Dynamic manifest fetch failure: Failed to authenticate with manifest server" as shown in Field Notice: FN - 72502 - Secure Web, Secure Management, and Secure Email Virtual Appliances Might Not Receive Updates After January 13, 2023 - Configuration Change Recommended - Cisco

I still see all updates are still occurring

 

m.trautes
Level 1

Hello,

response from the TAC:

I've added the missing CA certificate from backend on your ESA, and I am currently monitoring the situation.
I am not seeing any new errors/ alerts. Let's put the case under monitoring till Monday before proceeding with closure.

M. S. A. 14.01.2023 15:48 • if the issue is just like this error
Unable to connect to the Cisco Aggregator Server.
Details: (60, 'SSL certificate problem: unable to get local issuer certificate').
then it needs to be done from the backend by us

So you need to open a TAC Case...

@m.trautes which was the missing CA certificate that was added to the ESA, and where was it added?

Can't this be added using the GUI, or does it have to be added only through the backend by Cisco TAC?

Hello, I don't know which CA was missing. TAC says it must be fixed from the backend by the TAC team.

I have opened a remote tunnel and the engineer has fixed it. So you need to open a case.

There is a CA bundle that the devices can download/update...
TAC ought to add the cert to it.

The actual bundle is from 3.12. (Version 2.2) - but it is missing there. So the TAC team must do it.

Ricardo Fuentes
Level 1

Notes from TAC on my side:

Kindly note that I have applied the Workaround from the backend.

For RCA, the issue was related to the FN – 72113, and aggregator server CA needed to be added manually: https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72113.html

That solution is permanent, and no actions still needed,