THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.1 | 20-Jun-23 | Updated the Products Affected and Workaround/Solution Sections |
1.0 | 07-Jul-21 | Initial Release |
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS | vManage Software | 18.3 | 18.3.0, 18.3.1, 18.3.3, 18.3.4, 18.3.5, 18.3.6, 18.3.7, 18.3.8 | |
NON-IOS | vManage Software | 18.4 | 18.4.0, 18.4.1, 18.4.3, 18.4.4, 18.4.5, 18.4.6 | |
NON-IOS | vManage Software | 19.0 | 19.0.0 | |
NON-IOS | vManage Software | 19.1 | 19.1.0 | |
NON-IOS | vManage Software | 19.2 | 19.2.0, 19.2.1, 19.2.2, 19.2.3, 19.2.4 | |
NON-IOS | vManage Software | 19.3 | 19.3.0 | |
NON-IOS | vManage Software | 20.1 | 20.1.1, 20.1.1.1, 20.1.12, 20.1.2, 20.1.3 | |
NON-IOS | vManage Software | 20.3 | 20.3.1, 20.3.2, 20.3.3 | |
NON-IOS | vManage Software | 20.4 | 20.4.1, 20.4.1.1, 20.4.1.1.5, 20.4.1.2 | |
Defect ID | Headline |
---|---|
CSCvu59887 | SUDI certs will expire soon, need to ignore expiration date |
CSCvx37912 | SUDI certs will expire soon, need to ignore expiration date - Polaris side commit |
The Cisco Secure Unique Device Identifier (SUDI) certificate will expire on a limited number of Cisco products. The SUDI certificate is installed on a device during manufacturing and is immutable. Devices with an expired SUDI certificate fail the initial SD-WAN router authentication process and cannot join an SD-WAN overlay network.
Refer to Cisco field notice FN72105 for background details on SUDI certificate expiration and a full list of affected Cisco products.
Devices with an expired SUDI certificate fail the SD-WAN router authentication process because SD-WAN controllers consider the certificate to be invalid. The vBond controller will reject the control connection during initial device onboarding and will report a "BIDNTVRFD" error. The control connection failure can be seen by entering the show sdwan control connection-history CLI command on the device console, as in this example:

```
router>show sdwan control connection-history
                                                                                                     LOCAL    REMOTE     REPEAT
PEER    PEER      PEER             SITE  DOMAIN  PEER             PRIVATE  PEER             PUBLIC                                   ERROR    ERROR      COUNT
TYPE    PROTOCOL  SYSTEM IP        ID    ID      PRIVATE IP       PORT     PUBLIC IP        PORT    LOCAL COLOR  STATE           ERROR    ERROR      COUNT   DOWNTIME
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond   dtls      0.0.0.0          0     0       10.0.12.26       12346    10.0.12.26       12346   lte          challenge_resp  RXTRDWN  BIDNTVRFD  285     2020-11-17T01:46:50+0000
```
Error messages will also appear in the vBond syslog file when a device control connection is rejected due to an expired SUDI certificate. In order to view the messages, open the log file "/var/log/vsyslog". Sample error messages are shown here:

```
local7.info: Nov 17 02:57:08 vedge VBOND[19359]: %Viptela-vm16-vbond_0-6-INFO-1400002: 2020-11-17 02:57:08 Notification: vbond-reject-vedge-connection severity-level:major host-name:"vm16" system-ip:172.16.255.26 uuid:"ISR4351/K9" organization-name:"Cisco" sp-organization-name:"Cisco" reason:"ERR_BID_NOT_VERIFIED"
local7.info: Nov 17 02:57:08 vedge VBOND[19359]: %Viptela-vm16-vbond_0-6-INFO-1400002: 2020-11-17 02:57:08 Notification: control-connection-auth-fail severity-level:major host-name:"vm16" system-ip:172.16.255.26 personality:vbond peer-type:vedge peer-system-ip::: local-system-ip:172.16.255.26 local-color:default reason:"ERR_BID_NOT_VERIFIED"
```
If debug-level logging is enabled, these additional messages will appear in the vBond syslog file to indicate the specific reason for the failure:

```
local7.debug: Nov 17 03:14:28 vedge VBOND[19359]: bss_verify_certificate[294]: %BSS_DBG_MAIN-1: Verification error: certificate has expired
local7.debug: Nov 17 03:14:28 vedge VBOND[19359]: vdaemon_verify_peer_bidcert[571]: %VDAEMON_DBG_MISC-1: Peer's Certificate validation Failed
```
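The following script is an added example, not Cisco code and not part of this field notice. It shows how an operator can triage a copy of the vBond /var/log/vsyslog file for the messages quoted above: it parses the `Notification:` lines into key/value fields, separates `vbond-reject-vedge-connection` events whose reason is `ERR_BID_NOT_VERIFIED` from rejections with other reasons, and records whether the debug-level "certificate has expired" line was present to confirm that expiry (rather than some other certificate problem) caused the rejection. The sample log is constructed from the lines in this notice plus one made-up rejection with a non-existent reason code (`ERR_CONSTRUCTED_OTHER`) that serves as a negative control; the field names are taken as they appear in the quoted messages.

```python
import re

# Constructed sample /var/log/vsyslog excerpt: the four vBond lines quoted in
# this field notice plus one constructed rejection whose reason code
# (ERR_CONSTRUCTED_OTHER) is made up for this example, not a real vBond code.
SAMPLE_VSYSLOG = """\
local7.info: Nov 17 02:57:08 vedge VBOND[19359]: %Viptela-vm16-vbond_0-6-INFO-1400002: 2020-11-17 02:57:08 Notification: vbond-reject-vedge-connection severity-level:major host-name:"vm16" system-ip:172.16.255.26 uuid:"ISR4351/K9" organization-name:"Cisco" sp-organization-name:"Cisco" reason:"ERR_BID_NOT_VERIFIED"
local7.info: Nov 17 02:57:08 vedge VBOND[19359]: %Viptela-vm16-vbond_0-6-INFO-1400002: 2020-11-17 02:57:08 Notification: control-connection-auth-fail severity-level:major host-name:"vm16" system-ip:172.16.255.26 personality:vbond peer-type:vedge peer-system-ip::: local-system-ip:172.16.255.26 local-color:default reason:"ERR_BID_NOT_VERIFIED"
local7.debug: Nov 17 03:14:28 vedge VBOND[19359]: bss_verify_certificate[294]: %BSS_DBG_MAIN-1: Verification error: certificate has expired
local7.debug: Nov 17 03:14:28 vedge VBOND[19359]: vdaemon_verify_peer_bidcert[571]: %VDAEMON_DBG_MISC-1: Peer's Certificate validation Failed
local7.info: Nov 17 03:20:01 vedge VBOND[19359]: %Viptela-vm16-vbond_0-6-INFO-1400002: 2020-11-17 03:20:01 Notification: vbond-reject-vedge-connection severity-level:major host-name:"vm16" system-ip:172.16.255.27 uuid:"CONSTRUCTED-UUID" organization-name:"Cisco" sp-organization-name:"Cisco" reason:"ERR_CONSTRUCTED_OTHER"
"""

# "<ISO timestamp> Notification: <event-name> key:value key:"value" ..."
NOTIFICATION_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Notification:\s+"
    r"(?P<event>[\w-]+)\s+(?P<fields>.*)$"
)
# A field is key:"quoted value" or key:bare-token (bare tokens include IPs,
# 'major', and the empty-looking '::' in peer-system-ip:::).
FIELD_RE = re.compile(r'(?P<key>[\w-]+):(?P<value>"[^"]*"|\S*)')


def parse_notification(line):
    """Return {'timestamp', 'event', <field>...} for a Notification line, else None."""
    m = NOTIFICATION_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"timestamp": m.group("ts"), "event": m.group("event"), **fields}


def triage_vbond_log(text):
    """Summarise vBond rejections attributable to an unverifiable device certificate."""
    report = {
        "bid_not_verified": [],       # rejections with reason ERR_BID_NOT_VERIFIED
        "other_rejections": [],       # rejections for any other reason
        "expiry_confirmed_by_debug": False,  # debug line names expiry as the cause
    }
    for line in text.splitlines():
        if "bss_verify_certificate" in line and "certificate has expired" in line:
            report["expiry_confirmed_by_debug"] = True
            continue
        n = parse_notification(line)
        if n is None or n["event"] != "vbond-reject-vedge-connection":
            continue
        record = {
            "timestamp": n["timestamp"],
            "uuid": n.get("uuid"),
            "system_ip": n.get("system-ip"),
            "reason": n.get("reason"),
        }
        bucket = "bid_not_verified" if record["reason"] == "ERR_BID_NOT_VERIFIED" else "other_rejections"
        report[bucket].append(record)
    return report


if __name__ == "__main__":
    result = triage_vbond_log(SAMPLE_VSYSLOG)
    for rec in result["bid_not_verified"]:
        print(f"{rec['timestamp']} {rec['uuid']} {rec['system_ip']} rejected: {rec['reason']}")
    print("expiry confirmed by debug log:", result["expiry_confirmed_by_debug"])
```

Without debug logging enabled, `ERR_BID_NOT_VERIFIED` alone does not prove the certificate has expired; the script therefore reports the debug confirmation as a separate flag so the operator can check the SUDI expiration date (see FN72105) before concluding that an upgrade is the fix.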
There is no workaround for an expired SUDI device certificate with Cisco SD-WAN. However, Cisco has modified recent SD-WAN software versions to allow connections from Cisco devices with a genuine SUDI certificate irrespective of expiration date if the certificate is otherwise valid. This solution is available with Cisco SD-WAN software Release 20.3.4 and later, Release 20.4.2 and later, and Release 20.5.1 and later.
Note: It is desirable, but not required, to also upgrade the edge devices to the corresponding Cisco vEdge or Cisco IOS® XE SD-WAN software version.
Cisco recommends that customers upgrade their SD-WAN software to a release that contains the SUDI solution before the SUDI certificates on their devices begin to expire. Instructions for determining the SUDI expiration date are documented in Cisco field notice FN72105. This table lists some recommended Cisco SD-WAN software releases that contain the SUDI solution:
Current Release | Recommended Cisco SD-WAN Release |
---|---|
20.3.3 and earlier | 20.3.7.1 |
20.4.1 | 20.6.5.3 or 20.9.3.2 |
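The following script is an added example, not Cisco code and not part of this field notice. It encodes the fixed-in thresholds stated above (20.3.4 and later, 20.4.2 and later, 20.5.1 and later) and the recommended-release table so that a list of controller release strings can be audited for the SUDI solution. Release strings are compared as numeric tuples, which is why 20.4.1.1.5 correctly ranks below 20.4.2. One assumption of mine, not stated in the notice: the "20.4.1" table row is applied to every affected 20.4.1.x build, and trains newer than 20.5 are treated as carrying the fix. The inventory is constructed.

```python
import re

# Minimum release containing the SUDI solution, per train, as stated in this
# field notice. Trains 20.5 and later are assumed fixed from 20.5.1 onward;
# nothing below 20.3 has a fixed release in its own train.
SUDI_FIX_MINIMUM_BY_TRAIN = {(20, 3): (20, 3, 4), (20, 4): (20, 4, 2)}
FIRST_FIXED_TRAIN_RELEASE = (20, 5, 1)

# Constructed inventory of controller hostnames and their current releases.
CONSTRUCTED_INVENTORY = {
    "vmanage-a": "19.2.4",
    "vmanage-b": "20.4.1.1.5",
    "vmanage-c": "20.3.7.1",
    "vmanage-d": "20.9.3.2",
}


def parse_release(release):
    """Turn '20.4.1.1.5' into (20, 4, 1, 1, 5) so releases compare numerically."""
    s = release.strip()
    if not re.fullmatch(r"\d+(\.\d+)+", s):
        raise ValueError(f"not a dotted release string: {release!r}")
    return tuple(int(part) for part in s.split("."))


def has_sudi_fix(release):
    """True if the release accepts genuine SUDI certs regardless of expiry."""
    v = parse_release(release)
    minimum = SUDI_FIX_MINIMUM_BY_TRAIN.get(v[:2], FIRST_FIXED_TRAIN_RELEASE)
    return v >= minimum


def recommended_target(release):
    """Map an unfixed release to the recommended release from the table above.

    Assumption (mine): the '20.4.1' row covers every unfixed 20.4.x build.
    Returns None when the release already has the fix or the table has no row
    for it.
    """
    v = parse_release(release)
    if has_sudi_fix(release):
        return None
    if v <= (20, 3, 3):
        return "20.3.7.1"
    if v[:2] == (20, 4):
        return "20.6.5.3 or 20.9.3.2"
    return None


def audit_inventory(inventory):
    """Return {hostname: recommended target} for every host lacking the fix."""
    return {
        host: recommended_target(rel)
        for host, rel in inventory.items()
        if not has_sudi_fix(rel)
    }


if __name__ == "__main__":
    for host, target in audit_inventory(CONSTRUCTED_INVENTORY).items():
        print(f"{host}: upgrade to {target}")
```

Upgrading the controllers is what restores onboarding for devices with expired SUDI certificates; the note above about also upgrading edge devices to the corresponding vEdge or IOS XE SD-WAN release remains desirable but optional.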
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: