
SD-WAN certificate issue.

R Manjunatha

Hi

I need to understand what will happen if the SD-WAN certificate is expired. The communication between the edge device and the controllers will be interrupted.

regards,

Torbjørn

Which certificate is it that you are asking about? The root CA or the certificates used by specific controllers?

If it is the root certificate, all control connections will drop and forwarding will continue as usual until the OMP graceful restart timer runs out or the IPsec rekeying timer runs out. You will experience the same issue as the one caused by the expired certificate in May: https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/220448-identify-vedge-certificate-expired-on-ma.html

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Yes, I'm asking about root CA. 

Torbjørn

If you know you are going to face this issue in production I would escalate this to ensure you have "all hands on deck" to replace the certificate ASAP. You can raise the IPsec rekey timer to 14 days and the graceful restart timer to 7 days to extend the time before you face dataplane issues. You should create a TAC case for this.

If the root CA expires your DTLS tunnels/control connections will drop.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev
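
The timer changes suggested in the reply above, written out as configuration. This is an added example, not part of the original post; it assumes Viptela OS (vEdge) CLI syntax, and the values are simply 14 days and 7 days converted to seconds.

```cisco
! Added example (assumed platform: vEdge / Viptela OS CLI).
! Both timers take seconds.
!   14 days = 14 * 86400 = 1209600
!    7 days =  7 * 86400 =  604800
config
 security
  ipsec
   ! default is 86400 (24 hours)
   rekey 1209600
  !
 !
 omp
  timers
   ! default is 43200 (12 hours)
   graceful-restart-timer 604800
  !
 !
 commit
```

Cisco's documentation calls for the IPsec rekey timer to be at least twice the OMP graceful restart timer, which the 14-day and 7-day pairing satisfies. The change has to reach the devices while control connections are still up if it is pushed from the controller.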

Thanks for the clarification.