01-13-2023 10:25 PM
Hi, since about 11:50 pm January 13 we have been getting this error.
The Warning message is:
Unable to connect to the Cisco Aggregator Server.
Details: (60, 'SSL certificate problem: unable to get local issuer certificate').
I don't see any messages on the status page. If I browse directly to that URL from a browser, it says no certificate sent.
Anyone else run into this issue?
01-14-2023 12:25 AM
Hi, we have the same problem since 06 h 00 AM (GMT+1) January 14.
telnet aggregator.cisco.com 443 from our ESA seems to work.
From a browser we have this message:
{"status": 403, "message": "No valid SSL certificate was sent"}
01-14-2023 12:28 AM
Facing same issue.
Not sure if this issue is related to SSL certificate. We do have a wildcard certificate in the appliance certificates list.
Also we can telnet to cisco.aggregator.com over 443 from the ESA CLI
01-14-2023 12:38 AM
Good morning. I'm getting the same error on our devices, I assume it has something to do with Field Notice: FN - 72502 - Secure Web, Secure Management, and Secure Email Virtual Appliances Might Not Receive Updates After January 13, 2023 - Configuration Change Recommended - Cisco
However, our partner where we order the licenses sent us updated VLN certificate files two weeks ago. I installed them using loadlicense and confirmed the new licenses/certs were installed correctly using showlicense. So far everything seems to be OK; however, I'm getting this error. I'll contact technical support, let's see what Cisco says.
01-14-2023 12:52 AM
I don't think this issue is related to VLN, because we have a VLN whose issue date or begin_date is after December 15, 2021, i.e. Mar 2022.
And as per the Field Notice article, appliances having VLN certificates created prior to December 15, 2021 are affected.
Seems to be something to do with the aggregator.cisco.com service, because many people have reported the same issue on the same day.
01-14-2023 12:59 AM
Not sure the issue is related to this notice; our VLN issue date is April 2022. On the other hand, the version of our ESA, AsyncOS 13.5.3, is indeed concerned.
01-14-2023 02:37 AM
We have the same issue, started around 6 AM (GMT+1) 14th of Jan. Our AsyncOS is 14.0.3-015.
01-14-2023 04:08 AM
Same, we are getting this error as well. The issue started 1/13/2023 - 11:04 PM Pacific Time (Seattle)
01-14-2023 06:12 AM
I do not think this is related to that VLN license that was required to be updated, as I can see in the updater_logs that updates are still happening and there is no log entry stating "Dynamic manifest fetch failure: Failed to authenticate with manifest server" as shown in Field Notice: FN - 72502 - Secure Web, Secure Management, and Secure Email Virtual Appliances Might Not Receive Updates After January 13, 2023 - Configuration Change Recommended - Cisco
I still see all updates are still occurring
01-14-2023 06:46 AM - edited 01-14-2023 07:04 AM
Hello,
response from the TAC:
I've added the missing CA certificate from backend on your ESA, and I am currently monitoring the situation.
I am not seeing any new errors/ alerts. Let's put the case under monitoring till Monday before proceeding with closure.
M. S. A. 14.01.2023 15:48 • if the issue is just like this error
Unable to connect to the Cisco Aggregator Server.
Details: (60, 'SSL certificate problem: unable to get local issuer certificate').
then it needs to be done from the backend by us
So you need to open a TAC Case...
01-14-2023 06:55 AM
@m.trautes which was the missing CA certificate that was added to the ESA, and where was it added?
Can't this be added using the GUI, or does it have to be added only through the backend by Cisco TAC?
01-14-2023 07:13 AM
Hello, I don't know which CA was missing. TAC says it must be fixed from the backend by the TAC team.
I opened a remote tunnel and the engineer fixed it. So you need to open a case.
01-14-2023 07:14 AM
01-14-2023 07:21 AM - edited 01-14-2023 07:21 AM
The actual bundle is from 3.12. (Version 2.2) - but it is missing there. So the TAC Team must do it.
01-14-2023 08:34 AM - edited 01-14-2023 08:39 AM
Notes from TAC on my side:
Kindly note that I have applied the Workaround from the backend.
For RCA, the issue was related to the FN – 72113, and aggregator server CA needed to be added manually: https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72113.html
That solution is permanent, and no actions are still needed.