10-31-2023 09:55 AM
Hi
I need to understand what will happen if the SD-WAN certificate expires. The communication between the edge device and the controllers will be interrupted.
regards,
10-31-2023 11:55 AM
Which certificate is it that you are asking about? The root CA or the certificates used by specific controllers?
If it is the root certificate, all control connections will drop and forwarding will continue as usual until the OMP graceful restart timer runs out or the IPsec rekeying timer runs out. You will experience the same issue as the one caused by the expired certificate in May: https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/220448-identify-vedge-certificate-expired-on-ma.html
11-01-2023 04:46 AM
Yes, I'm asking about the root CA.
11-01-2023 05:34 AM
If you know you are going to face this issue in production, I would escalate this to ensure you have "all hands on deck" to replace the certificate ASAP. You can raise the IPsec rekey timer to 14 days and the graceful restart timer to 7 days to extend the time before you face dataplane issues. You should create a TAC case for this.
If the root CA expires your DTLS tunnels/control connections will drop.
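The two answers above describe a simple timeline: control connections drop when the root CA expires, and forwarding survives only until the shorter of the OMP graceful restart timer and the IPsec rekey timer runs out. The script below is an added example that models that timeline for planning purposes; it is not code from the thread or from Cisco. The default timer values and the configurable maximums it uses are assumptions (labelled as such in the code), and the expiry and "now" dates are constructed sample input.

```python
from datetime import datetime, timedelta, timezone

# Timer values in seconds. The defaults and the upper limits below are
# ASSUMPTIONS made for this example; check them against your own platform.
DEFAULT_OMP_GRACEFUL_RESTART = 12 * 3600   # assumed default: 12 hours
DEFAULT_IPSEC_REKEY = 24 * 3600            # assumed default: 24 hours
MAX_OMP_GRACEFUL_RESTART = 7 * 86400       # 7 days, the value recommended above
MAX_IPSEC_REKEY = 14 * 86400               # 14 days, the value recommended above

# Constructed sample dates for the worked example (not real values).
EXAMPLE_CA_EXPIRY = datetime(2024, 3, 1, 0, 0, tzinfo=timezone.utc)
EXAMPLE_NOW = datetime(2024, 2, 20, 0, 0, tzinfo=timezone.utc)


def _check_range(name, value, upper):
    # Reject timer values outside the assumed configurable range.
    if not 0 < value <= upper:
        raise ValueError(f"{name} must be between 1 and {upper} seconds, got {value}")


def survival_seconds(omp_graceful_restart, ipsec_rekey):
    """Seconds that forwarding survives after the control plane is lost.

    Forwarding continues only while BOTH timers are unexpired, so the
    shorter of the two bounds the window. Raising only the longer timer
    buys nothing.
    """
    _check_range("omp_graceful_restart", omp_graceful_restart, MAX_OMP_GRACEFUL_RESTART)
    _check_range("ipsec_rekey", ipsec_rekey, MAX_IPSEC_REKEY)
    return min(omp_graceful_restart, ipsec_rekey)


def dataplane_deadline(ca_expiry, omp_graceful_restart, ipsec_rekey):
    """When forwarding is expected to stop: CA expiry plus the survival window."""
    return ca_expiry + timedelta(seconds=survival_seconds(omp_graceful_restart, ipsec_rekey))


def hours_gained_from_defaults(new_omp, new_ipsec):
    """Extra dataplane hours gained by raising the timers from the assumed defaults."""
    before = survival_seconds(DEFAULT_OMP_GRACEFUL_RESTART, DEFAULT_IPSEC_REKEY)
    after = survival_seconds(new_omp, new_ipsec)
    return (after - before) / 3600


def plan(ca_expiry, now, omp_graceful_restart, ipsec_rekey):
    """Summarise the timeline relative to `now` as ISO timestamps and day counts."""
    deadline = dataplane_deadline(ca_expiry, omp_graceful_restart, ipsec_rekey)
    return {
        "control_plane_drops_at": ca_expiry.isoformat(),
        "dataplane_drops_at": deadline.isoformat(),
        "days_until_control_loss": (ca_expiry - now).total_seconds() / 86400,
        "days_until_dataplane_loss": (deadline - now).total_seconds() / 86400,
    }


if __name__ == "__main__":
    print("defaults:", plan(EXAMPLE_CA_EXPIRY, EXAMPLE_NOW,
                            DEFAULT_OMP_GRACEFUL_RESTART, DEFAULT_IPSEC_REKEY))
    print("raised:  ", plan(EXAMPLE_CA_EXPIRY, EXAMPLE_NOW,
                            MAX_OMP_GRACEFUL_RESTART, MAX_IPSEC_REKEY))
    print("hours gained raising only IPsec rekey:",
          hours_gained_from_defaults(DEFAULT_OMP_GRACEFUL_RESTART, MAX_IPSEC_REKEY))
    print("hours gained raising both:",
          hours_gained_from_defaults(MAX_OMP_GRACEFUL_RESTART, MAX_IPSEC_REKEY))
```

Under the assumed defaults, raising only the IPsec rekey timer gains nothing because the graceful restart timer is the shorter one; raising both to the values given in the answer turns a 12-hour dataplane window into a 7-day one. The model says nothing about how long the certificate replacement itself takes, which is why the answer also recommends escalating and opening a TAC case.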
11-02-2023 10:07 AM
Thanks for the clarification.