FMC cert expiration notification and catalyst jobs stuck "in progress"

Eric R. Jones
Level 4

Hello, we recently had our cert for our VPN expire without notification via alert message. I've done some research in the FMC but can't find anything that monitors certificate expiration dates. A Google search points toward REST APIs of course, but that's going to take me some time to learn. Not a skill to be ignored, but lots of stuff on the plate.

Also, on a side note any of you who have Catalyst Center have you ever experienced a job being run that got stuck in "in progress" but never completes?

4 Replies

tvotna
Spotlight

Good question. It looks like you need a syslog server which can react to specific syslog messages and notify you via email or something. The messages are:

%ASA-1-717054: The type certificate in the trustpoint tp name is due to expire in number days. Expiration date and time Subject Name subject name Issuer Name issuer name Serial Number serial number

%ASA-1-717055: The type certificate in the trustpoint tp name has expired. Expiration date and time Subject Name subject name Issuer Name issuer name Serial Number serial number

They are produced by default:

crypto ca alerts expiration begin 60 repeat 7

To the best of my knowledge, FMC currently can only receive VPN syslogs from a pre-defined list ("Enable Logging to Secure Firewall Management Center" option under Devices > Platform Settings > Syslog), which results in:

logging list FMC_VPN_EVENT_LIST level errors class vpn
logging fmc MANAGER_VPN_EVENT_LIST

Messages 717054, 717055 belong to class "ca" and hence are not sent to FMC, if I'm not mistaken. Also, it looks like we don't have a Telegraph Health Module for managed devices which can react to certain syslogs (e.g. those with a high severity level) generated from Lina and notify the corresponding health module on the FMC so that it can generate a health alert.

Sadly enough, we don't have full visibility to what happens on managed devices when FMC alone is used for management.
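The reply above says the practical route is a syslog receiver that reacts to 717054/717055. As an added illustration that is not part of the original thread and not Cisco's code, the following Python script parses those two messages out of a syslog stream, classifies each event (warning, critical, expired), and produces notification lines. The sample syslog lines are constructed to follow the message layouts quoted in the reply; the trustpoint names, subjects, issuers, serials, and the exact punctuation around "Expiration date", "Subject Name", etc. are assumptions, so the regular expression treats the colons as optional.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample syslog lines shaped after the %ASA-1-717054 / %ASA-1-717055
# formats quoted in the reply. All names, dates and serials are made up; the
# 302013 line is an unrelated message included to show that it is ignored.
SAMPLE_SYSLOG = """\
<161>Jan 10 2024 08:00:01 fw1 %ASA-1-717054: The ID certificate in the trustpoint RA_VPN_TP is due to expire in 30 days. Expiration date: 08:00:00 UTC Feb 9 2024 Subject Name: CN=vpn.example.test Issuer Name: CN=Example Issuing CA Serial Number: 4F2A9C
<161>Jan 10 2024 08:00:02 fw1 %ASA-1-717054: The CA certificate in the trustpoint RA_VPN_TP is due to expire in 5 days. Expiration date: 08:00:00 UTC Jan 15 2024 Subject Name: CN=Example Issuing CA Issuer Name: CN=Example Root CA Serial Number: 01
<166>Jan 10 2024 08:00:03 fw1 %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.0.2.5/51000 (192.0.2.5/51000)
<161>Jan 10 2024 08:00:04 fw1 %ASA-1-717055: The ID certificate in the trustpoint OLD_TP has expired. Expiration date: 23:59:59 UTC Dec 31 2023 Subject Name: CN=old.example.test Issuer Name: CN=Example Issuing CA Serial Number: 0B
"""

# Matches both message IDs. The field labels follow the quoted format; the
# colons after the labels are optional because the exact punctuation emitted
# by the device is an assumption here.
CERT_MSG = re.compile(
    r"%ASA-\d-(?P<msgid>71705[45]): The (?P<kind>\S+) certificate in the trustpoint "
    r"(?P<tp>\S+) (?:is due to expire in (?P<days>\d+) days\.|has expired\.) "
    r"Expiration date:? (?P<expiry>.+?) Subject Name:? (?P<subject>.+?) "
    r"Issuer Name:? (?P<issuer>.+?) Serial Number:? (?P<serial>\S+)\s*$"
)


@dataclass
class CertEvent:
    msgid: str          # "717054" (expiring) or "717055" (expired)
    kind: str           # e.g. "ID" or "CA"
    trustpoint: str
    days_left: Optional[int]  # None for 717055
    expiry: str
    subject: str
    issuer: str
    serial: str


def parse_cert_events(syslog_text: str) -> List[CertEvent]:
    """Extract certificate-expiry events; every other message is ignored."""
    events = []
    for line in syslog_text.splitlines():
        m = CERT_MSG.search(line)
        if not m:
            continue
        days = m.group("days")
        events.append(CertEvent(
            msgid=m.group("msgid"),
            kind=m.group("kind"),
            trustpoint=m.group("tp"),
            days_left=int(days) if days is not None else None,
            expiry=m.group("expiry").strip(),
            subject=m.group("subject").strip(),
            issuer=m.group("issuer").strip(),
            serial=m.group("serial"),
        ))
    return events


def severity(event: CertEvent, critical_days: int = 7) -> str:
    """Map an event to a notification severity.

    717055 is always 'expired'; 717054 is 'critical' once the remaining days
    drop to critical_days or below, otherwise 'warning'.
    """
    if event.msgid == "717055" or event.days_left is None:
        return "expired"
    if event.days_left <= critical_days:
        return "critical"
    return "warning"


def alert_lines(events: List[CertEvent], critical_days: int = 7) -> List[str]:
    """Build one human-readable line per event, suitable for an email body."""
    lines = []
    for e in events:
        sev = severity(e, critical_days).upper()
        when = "expired" if e.days_left is None else f"expires in {e.days_left} days"
        lines.append(
            f"[{sev}] {e.kind} cert in trustpoint {e.trustpoint} {when} "
            f"({e.expiry}); subject={e.subject}; serial={e.serial}"
        )
    return lines


if __name__ == "__main__":
    for line in alert_lines(parse_cert_events(SAMPLE_SYSLOG)):
        print(line)
```

A real deployment would feed the receiver's log file or a UDP/TCP listener into `parse_cert_events` instead of the constructed string, and would deduplicate on `(trustpoint, serial)` so that the 7-day repeat configured by `crypto ca alerts expiration` does not produce a fresh email each time.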


I found that FMC is able to warn you about expiring certificates on RA VPN dashboard (Overview > Dashboards > Remote Access VPN).

This is in version 7.3; we are on 7.2.X.

Correct.
