Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
687
Views
0
Helpful
4
Replies

SD-Wan certificate issue.

Go to solution
R Manjunatha
Level 3
Level 3

‎10-31-2023 09:55 AM

Hi

I need to understand what will happen if the sd-wan certificate is expired. The communication between the edge device and the controllers will be interrupted.

regards,

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Torbjørn
Spotlight
Spotlight

‎11-01-2023 05:34 AM

If you know you are going to face this issue in production I would escalate this to ensure you have "all hands on deck" to replace the certificate ASAP. You can raise the IPsec rekey timer to 14 days and the graceful restart timer to 7 days to extend the time before you face dataplane issues. You should create a TAC case for this.

If the root CA expires your DTLS tunnels/control connections will drop.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Torbjørn
Spotlight
Spotlight

‎10-31-2023 11:55 AM

Which certificate is it that you are asking about? The root CA or the certificates used by specific controllers?

If it is the root certificate all control connections will drop and forwarding will continue as usual until the OMP graceful restart timer runs out or the ipsec rekeying timer runs out. You will experience the same issue as the one caused by the expired certificate in May: https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/220448-identify-vedge-certificate-expired-on-ma.html

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev
0 Helpful

Go to solution
R Manjunatha
Level 3
Level 3
In response to Torbjørn

‎11-01-2023 04:46 AM

Yes, I'm asking about root CA. 

0 Helpful

Go to solution
Torbjørn
Spotlight
Spotlight

‎11-01-2023 05:34 AM

If you know you are going to face this issue in production I would escalate this to ensure you have "all hands on deck" to replace the certificate ASAP. You can raise the IPsec rekey timer to 14 days and the graceful restart timer to 7 days to extend the time before you face dataplane issues. You should create a TAC case for this.

If the root CA expires your DTLS tunnels/control connections will drop.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev
0 Helpful

Go to solution
R Manjunatha
Level 3
Level 3
In response to Torbjørn

‎11-02-2023 10:07 AM

Thanks, for the clarification.

0 Helpful
Customers Also Viewed These Support Documents