cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2162
Views
0
Helpful
5
Replies

Expired/Invalid certificate for SDR service communication

Hi, we are getting the following error messages: The certificate used by the appliance to communicate with the SDR service was invalid or expired. Make sure that the appliance is able to fetch a valid certificate from the updater server. Anyone knows how to solve it? We are running latest GD AsyncOS 13.x.

5 Replies 5

ppreenja
Cisco Employee
Cisco Employee

Hello Jernej,

Firstly, make sure that your feature keys for SDR are not expired.
Then make sure that the Update setting is set to Cisco IronPort Update Servers.
[Security Services -->Service Updates --> Edit Update Settings]
Please find attached the screenshot.
Once the above settings are in place, perform the command "updatenow force" in the CLI and monitor the ESA appliance.

I hope the above steps help!

Cheers,
Pratham

Hi Pratham,

 

which licence is needed to SDR? I can't find any referal in licensing guide or CCW for SDR licensing?

 

Settings were already set as you described. All other services were updated successfuly.

 

Telnet to v2.sds.cisco.com:443 also works.

 

The reports stoped coming yesterday morning. I'm still not 100% if that is related to changing parameter "Do you want to verify server certificate?" from Y to N on sdrconfig CLI command I've did yesterday. Still testing - putting it back to Y.

 

I've also run

# sdrupdate force

Requesting forced update of SDR client package

 

# sdrstatus

Component Version Last Updated
SDR Client 1.0 Never updated

 

Regards

Hello Jernej,

You are correct, there is not particular key for SDR, however, I was just referring to check on the feature keys of the appliance as a good practice and certificate used on the appliance are not expired (sometimes when demo certificates are installed we see this error). So, apologies for the fuss there.

Also, I just checked further and could see that if the update server settings on the ESA appliance are correct then the error usually occurs due to network interruption.

Just to confirm if there was an issue with the SDR services itself, I was able to check in the backend and could see that SDR services were running with any issues and 100% uptime since mid of march 2020.

Cheers,
Pratham

Hello Jernej Vodopivec

Original statement: Hi, we are getting the following error messages: The certificate used by the appliance to communicate with the SDR service was invalid or expired

If you haven’t resolved the problem yet, try the below checks.


SDR uses client certificates. If they fail such as this, then there are a few reasons.

* Customer side decryption/inspection with security device such as proxy/ips/fw.
* Certificate is wrong on the ESA.

* Execute cli command to replace the certificate cli> ecupdate force
* Monitor the updater logs to confirm actions >> tail updater_logs


* Utilizing an alternate certificate on the ESA for url filtering

* Cli> websecurityconfig

URL Filtering is enabled.
No URL list used.
System provided certificate used. >>>>>>>>>>> right certificate
Web Interaction Tracking is enabled.



-------------- If you see the below…
to clear the custom certificate, enter command websecurityconfig, go till the end without changing anything. it will ask for a commit that clears custom cert

URL Filtering is enabled.
No URL list used.
Certificate 'mycompanyname.root' used. >>>> NOT the right certificate.
Web Interaction Tracking is enabled.


Thx,
Chris A




Hi, I was unable to reproduce problem. SDR works flawlessly and we are not getting any error messages. Really strange.

 

I've cheched the SSL inspection in the first place: it was turned off from the beginning.

 

I'll check the URL filtering certificates if the problem would reappear.

 

Thank you both.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: