Field Notice: FN74187 - Zero Touch Provisioning Is No Longer Supported for Devices Running Cisco SD-WAN vEdge Software Releases Earlier Than Release 20.3.2 - Software Upgrade Recommended

Available Languages

Updated:September 16, 2024
Document ID:FN74187

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

High
Impact Rating:
High
First Published:
2024-Sep-16
Last Published:
2024-Sep-16
Revision:
1.0
Cisco Bug IDs:

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected


Affected Software Product Affected Release Affected Release Number Comments
SD-WAN Software Update 18 18.3.1, 18.3.3, 18.3.4, 18.3.3.1, 18.4.0, 18.4.302, 18.4.303, 18.3.5, 18.3.6, 18.3.7, 18.3.8, 18.4.1, 18.4.3, 18.4.4, 18.4.5, 18.4.6 All releases earlier than Release 20.3.2 are affected.
SD-WAN Software Update 19 19.1.0, 19.2.0, 19.2.097, 19.2.099, 19.2.1, 19.2.2, 19.2.3, 19.2.31, 19.2.4, 19.3.0 All releases earlier than Release 20.3.2 are affected.
SD-WAN Software Update 20 20.1.1, 20.1.1.1, 20.1.2, 20.1.3, 20.1.3.1, 20.1.12 All releases earlier than Release 20.3.2 are affected.

Defect Information


Defect IDHeadline
CSCwk46276ZTP process fails with CRTVERFL errors

Problem Description


Zero-touch provisioning (ZTP) is no longer supported for routers that are running Cisco SD-WAN vEdge software releases earlier than Release 20.3.2. Cisco vEdge routers that have the affected software preinstalled cannot authenticate a session with the ZTP service. These routers require manual intervention to receive initial provisioning to join an SD-WAN overlay.


Background


This issue, caused by the end of ZTP support, affects the following Cisco products if they are preinstalled with a Cisco SD-WAN vEdge software release earlier than Release 20.3.2:

  • ISR1100 Series Routers
  • ISR1100X Series Routers
  • vEdge 100 Series Routers
  • vEdge 100b Series Routers
  • vEdge 1000 Series Routers
  • vEdge 2000 Series Routers
  • vEdge 5000 Series Routers

During the initial stages of zero touch provisioning, vEdge and other ZTP-capable devices contact ztp.viptela.com and attempt to establish a secure connection to the Cisco ZTP service. The built-in trust store in Cisco SD-WAN vEdge software releases earlier than Release 20.3.2 does not include the more modern digital certificate trust chain, which is what the Cisco ZTP server presents. Affected devices cannot validate the digital certificate that the ZTP server presents, so they reject the connection. The connection is rejected before the device can receive its redirection instructions to the SD-WAN control components, and the ZTP provisioning process stops prematurely.

This issue only affects new devices preinstalled with the affected software that have either never been provisioned or have been software reset to their original factory configuration.


Problem Symptom


Affected devices fail to complete ZTP provisioning and never join the SD-WAN overlay. The output from the Cisco vEdge CLI command show control connections-history reports a CRTVERFL error, as in the following example:

vedge# show control connections-history
Legend for Errors
CRTVERFL - Fail to verify Peer Certificate.
                                                                       PEER                      PEER         
PEER     PEER     PEER             SITE        DOMAIN PEER             PRIVATE  PEER             PUBLIC                                   LOCAL      REMOTE     REPEAT              
TYPE     PROTOCOL SYSTEM IP        ID          ID     PRIVATE IP       PORT     PUBLIC IP        PORT    LOCAL COLOR      STATE           ERROR      ERROR      COUNT DOWNTIME      
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond    dtls     0.0.0.0          0           0      x.x.x.x          12346    x.x.x.x          12346   default          tear_down       CRTVERFL   NOERR      27    2024-08-22T17:23:47+0000
 
vedge#

Workaround/Solution


Solution

Manually upgrade the affected device to Cisco vEdge Release 20.3.2 or later. Fixed releases contain the root CA that is compatible with the current ZTP service. Affected Cisco vEdge devices can be upgraded by following the instructions in Upgrade SD-WAN vEdge Routers.

Devices that are staged for later deployment can be manually upgraded during the staging process. After the devices are installed, ZTP can be used as normal.

Workaround for Enterprise Certificates

Bypass ZTP and manually configure the minimum parameters required for the device to join the overlay and be fully provisioned. After the parameters have been configured, install the enterprise root CA bundle.

To bypass ZTP, do the following:

  1. Log in to the console on the affected vEdge device.
  2. Enter configuration mode using the config t CLI command.
  3. Enter system configuration sub-mode using the system CLI command.
  4. Configure the host name, organization name, and vbond/validator IP address using the associated configuration commands.  The host name configuration is optional.
  5. Commit the changes, as in the following example:
    vedge# conf t
Entering configuration mode terminal
vedge(config)# system
vedge(config-system)# host-name vEdge-new
vedge(config-system)# organization-name cisco
vedge(config-system)# vbond 10.100.0.11
vedge(config-system)# commit
Commit complete.
vEdge-new(config-system)# exit
  6. Install the enterprise root CA bundle by following the instructions in the Install Root Certificate on SDWAN vEdges tech note.

Workaround for Cisco PKI-Based Certificates

Customers who are using Cisco PKI-based certificates on their fabric should manually upgrade the root CA bundle on the vEdge device and continue to use ZTP. The default Cisco PKI root CA bundle contains the root CA that is compatible with the current ZTP service. Obtain the root CA bundle file from the current SD-WAN Manager or Validator and follow the instructions in the Install Root Certificate on SDWAN vEdges tech note.


Revision History


VersionDescriptionSectionDate
1.0Initial Release2024-SEP-16

For More Information

For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:

Receive Email Notification About New Field Notices

To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products