FTD 2130 HA Pair - FMC - sftunnel CA expired - Fix options

Simon Kosecki (Level 1)

I have an HA pair of FPR-2130s managed via an FMC running the ancient version 6.2.3.18, and the CA cert for sftunnel trust has expired.

This is a production environment with very short maintenance windows and I am trying to find a solution to this issue. 

The Cisco-provided guide for this situation recommends upgrading to a release with a hotfix (in this case 7.0.6).

While I can upgrade the FMC easily, I am not sure what my options are for the FTDs. Can they be manually updated to 7.0.6 without using the FMC, while still maintaining the HA setup and configuration?

I would have considered re-imaging the devices but unfortunately my maintenance windows are very short and the re-imaging is my very last resort. 

Would it also be possible to simply use openssl (while still on 6.2.3.18) to regenerate the CA on the FMC, re-issue all the sftunnel certs, and copy these to the FTD devices manually?

I would appreciate any pointers. Thanks in advance. 

Accepted Solution

Marvin Rhoads (Hall of Fame)

The FMC CA certificate can be regenerated and distributed manually to the managed devices so that sftunnel can re-establish. It's a bit painful, but I have worked with TAC to do it in an earlier case. They have some scripts to rebuild the CA that use openssl and some packaging with python scripts to do the necessary work. You also have to manually copy certificates etc. TAC can guide you on this (although they may balk at supporting that old a version).

This process will not require any downtime if done carefully and correctly. (You will need to do a policy sync at some point which causes a brief inspection interruption.)

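The answer above describes the shape of the fix (rebuild the CA with openssl, re-issue the per-device certificates, verify, then distribute them) without showing the commands. The script below is an added example written for this page; it is not TAC's tooling, not Cisco code, and not from either poster. The real sftunnel certificate locations on the FMC and FTD are not shown in this thread, so every path, subject name and lifetime here is an assumed placeholder, and the work happens in a scratch directory. What it does show is the generic openssl workflow itself, plus the two checks a practitioner wants before and after the swap: does each device cert chain to the regenerated CA, and how long until it expires (the check that would have flagged this outage in advance).

```shell
#!/bin/sh
# Added example (not Cisco's scripts, not code from this thread): rebuild a CA
# and re-issue per-device certificates with openssl, then verify chain and expiry.
# All file names, subject names and lifetimes are illustrative assumptions;
# the real sftunnel certificate locations and tooling are not shown on this page.
set -eu

# Scratch directory standing in for wherever the regenerated material is staged.
WORK="${WORK:-$(mktemp -d)}"

# make_ca DAYS: create a fresh root CA key and self-signed certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$1" \
        -subj "/CN=Example sftunnel CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# issue_cert NAME DAYS: generate a key + CSR for one device and sign it with the CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days "$2" -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# chains_to_ca CERT: exit 0 if CERT validates against the regenerated CA.
chains_to_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# valid_for_days CERT DAYS: exit 0 if CERT is still valid DAYS days from now,
# 1 if it will have expired by then. This is the pre-emptive check that would
# have flagged the expiring sftunnel CA before the tunnel dropped.
valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# report CERT: print the notAfter date, e.g. for a pre-change audit of every cert.
report() {
    printf '%s: %s\n' "$1" "$(openssl x509 -noout -enddate -in "$1")"
}

# demo: new 10-year CA, long-lived certs for FMC and primary FTD, and one cert
# that expires tomorrow to show what the failure mode looks like in the output.
demo() {
    make_ca 3650
    issue_cert fmc 3650
    issue_cert ftd-primary 3650
    issue_cert ftd-secondary 1
    for c in fmc ftd-primary ftd-secondary; do
        report "$WORK/$c.crt"
        if chains_to_ca "$WORK/$c.crt" && valid_for_days "$WORK/$c.crt" 30; then
            echo "  OK: chains to CA and valid for at least 30 days"
        else
            echo "  ACTION: re-issue; expires within 30 days or does not chain"
        fi
    done
}

# Run as: sh rebuild_ca.sh demo
case "${1:-}" in demo) demo ;; esac
```

The `-checkend` test is the part worth keeping after the incident: run it against every certificate in the trust chain on a schedule, with a window longer than your slowest maintenance cycle, so the next expiry is a ticket rather than an outage. On a real FMC/FTD pair the regenerated files still have to land in the locations sftunnel reads, and the accepted answer is right that this should be done with TAC rather than by guessing those paths.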


Simon Kosecki (Level 1)

Thanks Marvin. Appreciate this. I will raise a TAC ticket in this case. Wish me luck. 
