THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|
IOS XE SD-WAN Software | 17 | 17.13.1a |
Defect ID | Headline |
CSCwi43360 | Cert expiry on Sept 2024 for DNS Security registration to Umbrella cloud |
The SSL digital certificate that is used by Cisco Catalyst SD-WAN Routers to register with the Cisco Secure Access service expires on September 30, 2024. Cisco SD-WAN Routers with the expired certificate will fail to register with the Cisco Secure Access service. The result of this failure is that any attempts to set up new Secure Service Edge (SSE) tunnels using Cisco SD-WAN policy groups will fail.
The Cisco Secure Access solution (formerly Cisco Umbrella) uses digital certificates during the SSL handshake process to establish secure HTTPS connections. For SSE, this connection is with the Cisco Secure Access endpoint, which allows for the identification of the public IP address of the device. The current SSL certificate on affected Cisco SD-WAN Routers expires on September 30, 2024.
This problem affects the following Cisco products if they are running an affected Cisco IOS XE Software release and if they are in SD-WAN Controller mode:
Affected devices will fail to establish secure connections with the Cisco Secure Access service and any attempts to set up new SSE tunnels using Cisco SD-WAN policy groups will fail.
Note: Devices that are configured for SSE tunnels that are already in operation will not be impacted until reboot. The expired certificate is used only during device registration with the Cisco Secure Access service. Device registration occurs when the Cisco Secure Access service is initially configured or when the configured device is rebooted.
Solution
Affected devices must have the affected certificate replaced with a new, unexpired certificate. The new certificate is valid until the year 2035. Customers who do not currently use SSE tunnels as part of Cisco Secure Access integration, but who expect to deploy it in the future, can replace the affected certificate by upgrading the Cisco SD-WAN Router software to a release that contains the new certificate. The new certificate is installed automatically during the upgrade. Devices that are running Cisco IOS XE Software Release 17.14.1 or later already contain the updated digital certificate.
For affected devices, the following X1 certificate must be downloaded and installed:
-----BEGIN CERTIFICATE----- MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ 0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo //fb4hVC1CLQJ13hef4Y53CI rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ 3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq 4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= -----END CERTIFICATE----- |
This certificate can also be downloaded from https://letsencrypt.org/certs/isrgrootx1.pem
router# copy bootflash:umbrella_root_ca_1.ca bootflash:trustidrootx3_ca_092024.ca
Version | Description | Section | Date |
1.1 | Updated the solution instructions to avoid bug number CSCwm73365. | Workaround/Solution | 2024-OCT-09 |
1.0 | Initial Release | — | 2024-AUG-20 |
For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:
To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.
Unleash the Power of TAC's Virtual Assistance