
FTD rejecting SSL Cert from FMC

Cyianara69
Level 1

Hi All,

Wondering if anyone has seen this problem. Trying to register a 6.4 FTD with a 6.4 FMC. Logs on the FTD are showing errors with the FMC SSL certificate and the sftunnel is never established between the two devices. All devices are straight out of the box.

Error: sftunneld:sf_ssl [Error] -Error with certificate at depth: 1

Any hints or clues to point in the right direction?

Thanks,

11 Replies

Marvin Rhoads
Hall of Fame

I've never encountered that problem personally. The process should work even with the default self-signed certificates on both ends. The sftunnel process uses https (TLS) over tcp/8305 to secure the communications of the management and eventing channels.

I have seen one or two cases reported where this error was caused by the time/date being out of sync between the FMC and device you are trying to add. Can you check the time and ntp status on both?

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215540-configure-verify-and-troubleshoot-firep.html#anc25

I checked the time on both the FMC and FTD and they were off. I'm backtracking now to make sure the FPC chassis time is correct; however, after syncing the time, I now get a CRL expired error on the FTD. Not sure how to get around that.

If it's a brand new FTD logical device on a 4100 or 9300 series chassis, it may be easier to just delete and recreate it rather than try to regenerate the self-signed certificate being used by sftunnel.

marinogr
Level 1

Check FMC for expired certificate

FMC#openssl x509 -in /etc/sf/ca_root/cacert.pem -noout -text

Bug: CSCwd08098

Indeed @marinogr. Since this 3-year old thread was originally posted I have come across the error a couple of times myself. Cisco TAC confirmed the root cause and provided detailed instructions to resolve it. The fix should be coordinated with TAC as it requires some very low level changes which, if done incorrectly, can result in a completely non-functional system.


marinogr
Level 1

I have upgraded the FMC to the suggested version 7.4.2-172, but it did not fix the bug.

As Marvin said, and per the bug, the solution is to open a TAC case or upgrade to a non-suggested version, but for a production environment that is not an option.

If you wish to try it yourself, for example in a lab environment, here is how:

Make a backup of the FMC, or better, take a VM snapshot.

------
FMC
------
Cisco Secure Firewall Management Center for VMware v7.4.2 (build 172)
>

expert
FMC:~$ sudo su
FMC:/Volume/home/admin# /usr/bin/openssl x509 -noout -startdate -enddate -in /etc/sf/ca_root/cacert.pem
notAfter=Sep 29 15:49:23 2024 GMT "Check if it is expired"
FMC:/Volume/home/admin# generate_certs.pl
setting log file to /var/log/sf/sfca_generation.log
You are about to generate new certificates for FMC and devices.
After successful cert generation, device specific certs will be pushed automatically
If the connection between FMC and a device is down, user needs to copy the certificates onto the device manually
For more details on disconnected devices, use sftunnel_status.pl
Do you want to continue? [yes/no]:yes
Failed to push to FTD-01 = /var/sf/peers/FTD-UUID/cacert.pem
Failed to push to FTD-01 = /var/sf/peers/FTD-UUID/sftunnel-key.pem
Failed to push to FTD-01 = /var/sf/peers/FTD-UUID/sftunnel-cert.pem
FMC:/Volume/home/admin# cd /etc/sf/ca_root/
FMC:/etc/sf/ca_root# ls -l
total 68
...
-r-------- 1 root root 1281 Oct 8 06:04 cacert.pem
....
FMC:/etc/sf/ca_root# grep -i uuid /etc/sf/ims.conf
APPLIANCE_UUID="FMC-UUID"
FMC:/etc/sf/ca_root# cat cacert.pem
-----BEGIN CERTIFICATE-----
Copy to FTD /var/sf/peers/FMC-UUID/cacert.pem
-----END CERTIFICATE-----
FMC:/etc/sf/ca_root# cd /var/sf/peers/FTD-UUID/certs_pushed/
FMC:/var/sf/peers/FTD-UUID/certs_pushed# ls -l
total 12
-rw-r--r-- 1 root root 2 Oct 8 06:04 serial_number
-rw------- 1 root root 1403 Oct 8 06:04 sftunnel-cert.pem
-rw------- 1 root root 1704 Oct 8 06:04 sftunnel-key.pem
FMC:/var/sf/peers/FTD-UUID/certs_pushed# cat sftunnel-cert.pem
-----BEGIN CERTIFICATE-----
Copy to FTD /var/sf/peers/FMC-UUID/sftunnel-cert.pem
-----END CERTIFICATE-----
FMC:/var/sf/peers/FTD-UUID/certs_pushed# cat sftunnel-key.pem
-----BEGIN PRIVATE KEY-----
Copy to FTD /var/sf/peers/FMC-UUID/sftunnel-key.pem
-----END PRIVATE KEY-----

----
FTD
----

Cisco Firepower Threat Defense v7.2.XXX
> show version
------------[ FTD-01 ]------------
UUID : FTD-01-UUID
----------------------------------------------------

> expert
FTD-01:~$ sudo su

FTD-01:~# cd /var/sf/peers/FMC-UUID
FTD-01:/var/sf/peers/FMC-UUID# ls -l


FTD-01:/var/sf/peers/FMC-UUID# mv cacert.pem cacert.pem_bkp
FTD-01:/var/sf/peers/FMC-UUID# mv sftunnel-key.pem sftunnel-key.pem_bkp
FTD-01:/var/sf/peers/FMC-UUID# mv sftunnel-cert.pem sftunnel-cert.pem_bkp

FTD-01:/var/sf/peers/FMC-UUID# vi cacert.pem
-----BEGIN CERTIFICATE-----
Copy from FMC /etc/sf/ca_root/cacert.pem
-----END CERTIFICATE-----
FTD-01:/var/sf/peers/FMC-UUID# vi sftunnel-cert.pem
-----BEGIN CERTIFICATE-----
Copy from FMC /var/sf/peers/FTD-UUID/certs_pushed/sftunnel-cert.pem
-----END CERTIFICATE-----
FTD-01:/var/sf/peers/FMC-UUID# vi sftunnel-key.pem
-----BEGIN PRIVATE KEY-----
Copy from FMC /var/sf/peers/FTD-UUID/certs_pushed/sftunnel-key.pem
-----END PRIVATE KEY-----

FTD-01:/var/sf/peers/FMC-UUID# ls -l
total 56
***
-rw-r--r-- 1 root root 1294 Aug 29 2022 cacert.pem
-rw-r--r-- 1 root root 1395 Aug 29 2022 sftunnel-cert.pem
-rw-r--r-- 1 root root 1704 Aug 29 2022 sftunnel-key.pem
-rw-r--r-- 1 root root 1294 Aug 29 2022 cacert.pem_bkp
-rw-r--r-- 1 root root 1395 Aug 29 2022 sftunnel-cert.pem_bkp
-rw-r--r-- 1 root root 1704 Aug 29 2022 sftunnel-key.pem_bkp
***
FTD-01:/var/sf/peers/FMC-UUID# pmtool restartbyid sftunnel
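
Marvin's clock-skew point earlier in the thread and the copy procedure above come down to the same two questions: do the files in /var/sf/peers/<FMC-UUID>/ on the FTD validate at the clock the FTD actually has, and does sftunnel-key.pem belong to sftunnel-cert.pem? The script below is an added example, not code from the thread or from Cisco, that answers both with nothing but the openssl CLI already available in expert mode. The function names, the lab CA it generates, and the exit-code conventions are this example's own; the file names and layout are the thread's. The useful trick is `openssl verify -attime`, which evaluates the chain at any epoch second you pass in, so you can see what the other peer's clock would make of the same certificates without touching either system's time; `openssl verify` reports the first failing certificate starting from the CA, which is how a clock set behind the FMC's surfaces as a depth 1 error like the one in the original post.

```shell
#!/bin/sh
# Added example (not from the thread or Cisco): pre-flight checks for the
# three files sftunnel reads on the FTD, run before "pmtool restartbyid sftunnel".
# Assumes only the openssl CLI. Paths follow the thread's layout:
#   /var/sf/peers/<FMC-UUID>/{cacert.pem,sftunnel-cert.pem,sftunnel-key.pem}

# Print notBefore/notAfter of a PEM cert (same check marinogr runs on the FMC).
sftunnel_dates() {
  openssl x509 -noout -startdate -enddate -in "$1"
}

# Verify leaf ($2) against CA ($1) as of epoch second $3 (default: this host's
# clock). Prints "OK" or OpenSSL's first "error N at D depth lookup" line and
# returns 0 only on OK. Pass the other peer's `date +%s` as $3 to reproduce the
# skewed-clock case from the thread.
sftunnel_verify() {
  _at=${3:-$(date +%s)}
  _out=$(openssl verify -attime "$_at" -CAfile "$1" "$2" 2>&1 || :)
  if printf '%s\n' "$_out" | grep -q ': OK$'; then
    echo OK
    return 0
  fi
  printf '%s\n' "$_out" | sed -n '/depth lookup/{p;q;}'
  return 1
}

# Depth of the first failing certificate (0 = leaf, 1 = CA), or "none".
sftunnel_error_depth() {
  _line=$(sftunnel_verify "$@" || :)
  case $_line in
    OK) echo none ;;
    *)  printf '%s\n' "$_line" | sed 's/.* at \([0-9]*\) depth lookup.*/\1/' ;;
  esac
}

# True when private key ($2) matches the public key inside cert ($1):
# compare SHA-256 of the DER SubjectPublicKeyInfo derived from each side.
sftunnel_key_matches() {
  _c=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  _k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$_c" ] && [ "$_c" = "$_k" ]
}

# Constructed lab material (a throwaway CA, a leaf signed by it, and one
# unrelated key), NOT an FMC's real certificates, so the checks above can be
# exercised offline. Prints the directory it created.
sftunnel_lab_dir() {
  _d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=lab-fmc-ca" \
    -keyout "$_d/ca-key.pem" -out "$_d/cacert.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=lab-ftd" \
    -keyout "$_d/sftunnel-key.pem" -out "$_d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 300 -in "$_d/leaf.csr" -CA "$_d/cacert.pem" \
    -CAkey "$_d/ca-key.pem" -CAcreateserial -out "$_d/sftunnel-cert.pem" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$_d/wrong-key.pem" >/dev/null 2>&1
  echo "$_d"
}

# Walk through the three situations from the thread on the lab material.
sftunnel_demo() {
  _d=$(sftunnel_lab_dir)
  _now=$(date +%s)
  echo "CA validity:"; sftunnel_dates "$_d/cacert.pem"
  echo "at this clock:        $(sftunnel_verify "$_d/cacert.pem" "$_d/sftunnel-cert.pem" || :)"
  echo "clock one day behind: $(sftunnel_verify "$_d/cacert.pem" "$_d/sftunnel-cert.pem" $((_now - 86400)) || :)"
  echo "400 days ahead:       $(sftunnel_verify "$_d/cacert.pem" "$_d/sftunnel-cert.pem" $((_now + 400 * 86400)) || :)"
  sftunnel_key_matches "$_d/sftunnel-cert.pem" "$_d/sftunnel-key.pem" && echo "sftunnel-key.pem matches sftunnel-cert.pem"
  sftunnel_key_matches "$_d/sftunnel-cert.pem" "$_d/wrong-key.pem" || echo "wrong-key.pem does not match sftunnel-cert.pem"
  rm -rf "$_d"
}

if [ "${1:-}" = demo ]; then sftunnel_demo; fi
```

On a real FTD, run `sftunnel_verify /var/sf/peers/<FMC-UUID>/cacert.pem /var/sf/peers/<FMC-UUID>/sftunnel-cert.pem` once with no third argument and once with the FMC's `date +%s`; if only one of the two says OK, the problem is the clock, not the certificates. `sftunnel_key_matches` catches a cert and key pasted from different certs_pushed directories. One thing worth noticing in the listings above: the FMC stores sftunnel-key.pem as 0600, but the files pasted with vi on the FTD came out 0644, so a `chmod 600 sftunnel-key.pem` before the restart keeps the private key at the permissions the FMC gave it.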

Is there a resolution for this problem? After upgrading to 7.4.2-172 there is this error: sftunneld:sf_ssl [ERROR] -Error with certificate at depth: 0. Re-registering does not help.

@kerstin-534 did you check the FMC for expired certificate?

This field notice was recently published with more details: https://www.cisco.com/c/en/us/support/docs/field-notices/742/fn74214.html

kerstin-534
Level 1

No expired certificate on the FMC; it expires in 2031. After upgrading the FTD to the 7.4 recommended version, registration gets broken and cannot be established again. In FMC tasks: Registration ftd1: Established secure connection

but after about 10 minutes it fails.

@kerstin-534 since the most common causes have been eliminated, it would be best to proceed with Cisco TAC to resolve the issue. They can analyze troubleshooting files and identify the root cause.
