Field Notice: FN - 72359 - Cisco DNA Center: QuoVadis Root CA 2 Decommission Affects AI Analytics - Software Upgrade Recommended

Available Languages

Updated:March 8, 2022
Document ID:FN72359

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision Publish Date Comments
1.1
08-Mar-22
Updated the Products Affected Section and Added the Additional Information Section
1.0
24-Feb-22
Initial Release

Products Affected

Affected OS Type Affected Software Product Affected Release Affected Release Number Comments
NON-IOS
DNA Center Software
1
1.3, 1.3.1.0, 1.3.1.2, 1.3.1.3, 1.3.1.4, 1.3.1.5, 1.3.1.6, 1.3.1.7, 1.3.2.0, 1.3.2.1, 1.3.3.0, 1.3.3.1, 1.3.3.3, 1.3.3.4, 1.3.3.5, 1.3.3.6, 1.3.3.7, 1.3.3.8, 1.3.3.9
NON-IOS
DNA Center Software
2
2.1.1.0, 2.1.1.3, 2.1.2.0, 2.1.2.3, 2.1.2.4, 2.1.2.5, 2.1.2.6, 2.2.2.0, 2.2.2.1

Defect Information

Defect ID Headline
CSCwa82309 x509: certificate signed by unknown authority

Problem Description

The Secure Sockets Layer (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before March 31, 2021 cannot be renewed from this CA. The QuoVadis Root CA 2 certificates on the Cisco AI Network Analytics cloud expire in March 2022. After March 1, 2022, Cisco DNA Center will fail to establish a secure connection with the Cisco AI Network Analytics cloud. As a result, all Cisco DNA Center AI Analytics and AI Endpoint Analytics features will no longer function.

Background

The QuoVadis Root CA 2 Public Key Infrastructure (PKI) certificate used by Cisco DNA Center software is subject to an industry-wide issue that affects revocation abilities. Due to this issue, no new QuoVadis Root CA 2 certificates will be issued or renewed by Cisco after March 31, 2021. This affects certificate renewals on Cisco devices, Cisco cloud servers, and third-party services.

Certificates issued before the QuoVadis Root CA 2 was decommissioned will continue to be valid. However, the certificates will not renew when they expire.

The QuoVadis Root CA 2 certificates used by Cisco AI Network Analytics cloud expire in March 2022. Those certificates will be replaced with new ones on March 1, 2022 from a different root CA. After the certificates are replaced, affected Cisco DNA Center clusters will fail to establish a secure connection to Cisco AI Network Analytics cloud. This will cause Cisco DNA Center AI Analytics and AI Endpoint Analytics features to stop functioning.

The following features are impacted by this problem:

  • Cisco AI Network Analytics
    • AI Driven Issues
    • Network Heatmaps
    • Network Trends and Insights
    • Network Comparisons
    • Peer Comparisons
  • Cisco AI Endpoint Analytics
    • Smart Grouping
    • Download/Upgrade of AI Spoofing Detection models

Problem Symptom

The secure connection from Cisco DNA Center to the Cisco AI Analytics cloud will fail. The connection failure can be observed from the Cisco DNA Center user interface and in logs.

  • Cisco AI Analytics Settings page

    Choose Cisco DNA Center UI > System > Settings > Cisco AI Analytics.

    Cloud is currently unreachable

  • AI Analytics Trends and Insights

    Example: Heatmap

    Choose Cisco DNA Center UI > Assurance > Trends and Insights > Network Heatmap.

    Oops! There is an error fetching data.

  • AI Analytics agent logs

    The agent logs can be collected through these steps.

    1. Run this command on the Cisco DNA Center Appliance CLI. 
      $ magctl service logs -a ai-network-analytics kairos-agent
    2. Open the Cisco DNA Center RCA bundle. The logs will show errors similar to this example: 
      "x509: certificate signed by unknown authority".

Workaround/Solution

There is no manual workaround.

A software fix is available for this problem. The fix corrects the Cisco DNA Center software to include the new Identrust Commercial Root CA 1 certificate used by Cisco AI Network Analytics cloud after March 1, 2022. Cisco recommends customers upgrade their affected Cisco DNA Center appliances to one of the following versions with the fix:

  • Cisco DNA Center version 2.1.2.7 or later
  • Cisco DNA Center version 2.2.2.3 or later

Additional Information

Cisco has created a web page to provide customers and partners with additional information on this issue. Consult the QuoVadis Root CA 2 Decommission page for a full list of products affected, associated Field Notices, and frequently asked questions.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products