Field Notice: FN74176 - Expired Device Certificate Causes Cisco SD-WAN Secure Service Edge Connections to Fail - Software Upgrade Recommended

Available Languages

Updated:October 9, 2024
Document ID:FN74176

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

High
Impact Rating:
High
First Published:
2024-Oct-11
Last Published:
2024-Oct-09
Revision:
1.1
Cisco Bug IDs:

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected


Affected Software Product Affected Release Affected Release Number Comments
IOS XE SD-WAN Software 17 17.13.1a  

Defect Information


Defect IDHeadline
CSCwi43360Cert expiry on Sept 2024 for DNS Security registration to Umbrella cloud

Problem Description


The SSL digital certificate that is used by Cisco Catalyst SD-WAN Routers to register with the Cisco Secure Access service expires on September 30, 2024. Cisco SD-WAN Routers with the expired certificate will fail to register with the Cisco Secure Access service. The result of this failure is that any attempts to set up new Secure Service Edge (SSE) tunnels using Cisco SD-WAN policy groups will fail.


Background


The Cisco Secure Access solution (formerly Cisco Umbrella) uses digital certificates during the SSL handshake process to establish secure HTTPS connections. For SSE, this connection is with the Cisco Secure Access endpoint, which allows for the identification of the public IP address of the device. The current SSL certificate on affected Cisco SD-WAN Routers expires on September 30, 2024.

This problem affects the following Cisco products if they are running an affected Cisco IOS XE Software release and if they are in SD-WAN Controller mode:

  • Aggregation Services Routers (ASRs)
  • Catalyst 8000 Routers
  • Catalyst 8000v Edge
  • Catalyst IR Rugged Series Routers
  • Integrated Services Routers (ISRs)

 


Problem Symptom


Affected devices will fail to establish secure connections with the Cisco Secure Access service and any attempts to set up new SSE tunnels using Cisco SD-WAN policy groups will fail.

Note: Devices that are configured for SSE tunnels that are already in operation will not be impacted until reboot. The expired certificate is used only during device registration with the Cisco Secure Access service. Device registration occurs when the Cisco Secure Access service is initially configured or when the configured device is rebooted.


Workaround/Solution


Solution

Affected devices must have the affected certificate replaced with a new, unexpired certificate. The new certificate is valid until the year 2035. Customers who do not currently use SSE tunnels as part of Cisco Secure Access integration, but who expect to deploy it in the future, can replace the affected certificate by upgrading the Cisco SD-WAN Router software to a release that contains the new certificate. The new certificate is installed automatically during the upgrade. Devices that are running Cisco IOS XE Software Release 17.14.1 or later already contain the updated digital certificate.

For affected devices, the following X1 certificate must be downloaded and installed:

-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----

This certificate can also be downloaded from https://letsencrypt.org/certs/isrgrootx1.pem

 

Cisco Devices That Are Running Cisco IOS XE Software Release 17.13.1a in Controller Mode

  1. Log in to Cisco vManage.
  2. Choose Administration > Settings.
  3. Choose Cloud Credentials.
  4. Choose Umbrella DNS Certificate.
  5. Paste the new certificate in the edit window. Alternatively, upload the certificate from a file by choosing the Select a File option.
  6. Click Save. Cisco vManage will now push the new certificate file to each affected device.
  7. Log in to each affected device.
  8. Use the copy CLI command to copy the file that was pushed to the new Umbrella digital certificate file by Cisco vManage, as shown in the following example:
    router# copy bootflash:umbrella_root_ca_1.ca bootflash:trustidrootx3_ca_092024.ca

   


Revision History


VersionDescriptionSectionDate
1.1Updated the solution instructions to avoid bug number CSCwm73365.Workaround/Solution2024-OCT-09
1.0Initial Release2024-AUG-20

For More Information

For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:

Receive Email Notification About New Field Notices

To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products