THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|
SD-WAN Software Update | 18 | 18.3.1, 18.3.3, 18.3.4, 18.3.3.1, 18.4.0, 18.4.302, 18.4.303, 18.3.5, 18.3.6, 18.3.7, 18.3.8, 18.4.1, 18.4.3, 18.4.4, 18.4.5, 18.4.6 | All releases earlier than Release 20.3.2 are affected. |
SD-WAN Software Update | 19 | 19.1.0, 19.2.0, 19.2.097, 19.2.099, 19.2.1, 19.2.2, 19.2.3, 19.2.31, 19.2.4, 19.3.0 | All releases earlier than Release 20.3.2 are affected. |
SD-WAN Software Update | 20 | 20.1.1, 20.1.1.1, 20.1.2, 20.1.3, 20.1.3.1, 20.1.12 | All releases earlier than Release 20.3.2 are affected. |
Defect ID | Headline |
---|---|
CSCwk46276 | ZTP process fails with CRTVERFL errors |
Zero-touch provisioning (ZTP) is no longer supported for routers that are running Cisco SD-WAN vEdge software releases earlier than Release 20.3.2. Cisco vEdge routers that have the affected software preinstalled cannot authenticate a session with the ZTP service. These routers require manual intervention to receive initial provisioning to join an SD-WAN overlay.
This issue, caused by the end of ZTP support, affects the following Cisco products if they are preinstalled with a Cisco SD-WAN vEdge software release earlier than Release 20.3.2:
During the initial stages of zero touch provisioning, vEdge routers and other ZTP-capable devices contact ztp.viptela.com and attempt to establish a secure control connection to the Cisco ZTP service. The Cisco ZTP server now presents a certificate that chains to a newer root CA, and the built-in trust store in Cisco SD-WAN vEdge software releases earlier than Release 20.3.2 does not contain that root. Because an affected device cannot build a trusted chain for the certificate the ZTP server presents, it rejects the connection. The rejection happens before the device receives its redirection instructions to the SD-WAN control components, so the ZTP provisioning process stops prematurely.
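The failure is an ordinary chain-building failure: the server's certificate is valid, but the device has no root against which to validate it. The following Go program is an added example, not Cisco code and not taken from the field notice. It generates a throwaway "legacy" root, a throwaway "current" root, and a server certificate for ztp.viptela.com signed by the current root, then verifies that certificate against a trust store holding only the legacy root (an affected release) and against one holding both (Release 20.3.2 or a device with the updated root CA bundle). The CA names, serial numbers and the hostname check are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ztpHost is the ZTP service name from the field notice. Every certificate below is
// generated at run time for this example; none of them is a Cisco certificate.
const ztpHost = "ztp.viptela.com"

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustParse turns the DER output of x509.CreateCertificate into a parsed certificate.
func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// makeRootCA builds a self-signed root CA, the kind of entry a device trust store holds.
func makeRootCA(cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// issueServerCert issues the server certificate the ZTP service would present, signed by ca.
func issueServerCert(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
}

// VerifyAgainstTrustStore does what the device does when the ZTP server presents its
// certificate: build a chain from that certificate to a root in the trust store.
// A non-nil error is the condition the vEdge CLI reports as CRTVERFL. The hostname
// match is an assumption of this example; the notice only says the chain cannot be validated.
func VerifyAgainstTrustStore(leaf *x509.Certificate, trustStore ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, root := range trustStore {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: ztpHost})
	return err
}

// IsUnknownAuthority reports whether err is the "no trusted root for this chain" failure.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Simulate builds the situation in the notice: the ZTP server's certificate chains to a
// current root; an affected release trusts only the legacy root, a fixed release trusts both.
// It returns the verification result for each trust store.
func Simulate() (preUpgrade, postUpgrade error) {
	oldRoot, _ := makeRootCA("Legacy ZTP Root CA (example)", 1)
	newRoot, newRootKey := makeRootCA("Current ZTP Root CA (example)", 2)
	leaf := issueServerCert(ztpHost, newRoot, newRootKey)
	return VerifyAgainstTrustStore(leaf, oldRoot), VerifyAgainstTrustStore(leaf, oldRoot, newRoot)
}

func main() {
	pre, post := Simulate()
	fmt.Println("pre-upgrade trust store: ", pre)
	fmt.Println("post-upgrade trust store:", post)
}
```

Nothing about the server certificate changes between the two runs; only the trust store does, which is why the fix is an upgrade or an updated root CA bundle on the device rather than anything on the ZTP side.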
This issue only affects new devices preinstalled with the affected software that have either never been provisioned or have been software reset to their original factory configuration.
Affected devices fail to complete ZTP provisioning and never join the SD-WAN overlay. The output from the Cisco vEdge CLI command show control connections-history reports a CRTVERFL error, as in the following example:

```
vedge# show control connections-history
Legend for Errors
CRTVERFL - Fail to verify Peer Certificate.

                                                        PEER                  PEER
PEER   PEER      PEER        SITE  DOMAIN  PEER         PRIVATE  PEER         PUBLIC                          LOCAL     REMOTE  REPEAT
TYPE   PROTOCOL  SYSTEM IP   ID    ID      PRIVATE IP   PORT     PUBLIC IP    PORT    LOCAL COLOR  STATE      ERROR     ERROR   COUNT   DOWNTIME
----------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond  dtls      0.0.0.0     0     0       x.x.x.x      12346    x.x.x.x      12346   default      tear_down  CRTVERFL  NOERR   27      2024-08-22T17:23:47+0000
vedge#
```
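When a batch of routers is being triaged, the same check can be run over captured CLI output rather than read by eye. The following Go program is an added example, not part of the field notice: it parses the data rows of show control connections-history and returns the rows on which the local side failed peer-certificate verification (LOCAL ERROR of CRTVERFL). The embedded sample output is constructed after the example above, with a second healthy row added to show the filter discarding it.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Row is one entry from "show control connections-history", in the column order the
// command prints them.
type Row struct {
	PeerType, Protocol, SystemIP, SiteID, DomainID string
	PrivateIP, PrivatePort, PublicIP, PublicPort   string
	LocalColor, State, LocalError, RemoteError     string
	RepeatCount, Downtime                          string
}

// ParseConnectionsHistory extracts the data rows that follow the dashed rule. Rows are
// whitespace-separated with 15 columns; the legend, header lines, blank lines and the
// trailing prompt do not have 15 fields and are skipped.
func ParseConnectionsHistory(output string) []Row {
	var rows []Row
	inTable := false
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "----") {
			inTable = true
			continue
		}
		if !inTable {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 15 {
			continue
		}
		rows = append(rows, Row{f[0], f[1], f[2], f[3], f[4], f[5], f[6], f[7],
			f[8], f[9], f[10], f[11], f[12], f[13], f[14]})
	}
	return rows
}

// CertVerifyFailures returns the rows on which the device itself could not verify the
// peer's certificate (LOCAL ERROR == CRTVERFL). REMOTE ERROR records the peer's view
// and is left alone here.
func CertVerifyFailures(rows []Row) []Row {
	var out []Row
	for _, r := range rows {
		if r.LocalError == "CRTVERFL" {
			out = append(out, r)
		}
	}
	return out
}

// sampleOutput is constructed for this example after the output in the notice; the
// second row is an invented healthy connection so the filter has something to drop.
const sampleOutput = `vedge# show control connections-history
Legend for Errors
CRTVERFL - Fail to verify Peer Certificate.

                                                        PEER                  PEER
PEER   PEER      PEER        SITE  DOMAIN  PEER         PRIVATE  PEER         PUBLIC                          LOCAL     REMOTE  REPEAT
TYPE   PROTOCOL  SYSTEM IP   ID    ID      PRIVATE IP   PORT     PUBLIC IP    PORT    LOCAL COLOR  STATE      ERROR     ERROR   COUNT   DOWNTIME
-------------------------------------------------------------------------------------------------------------------------------------------------------
vbond  dtls      0.0.0.0     0     0       x.x.x.x      12346    x.x.x.x      12346   default      tear_down  CRTVERFL  NOERR   27      2024-08-22T17:23:47+0000
vbond  dtls      0.0.0.0     0     0       x.x.x.x      12346    x.x.x.x      12346   default      connect    NOERR     NOERR   0       2024-08-22T17:20:01+0000
vedge#
`

func main() {
	for _, r := range CertVerifyFailures(ParseConnectionsHistory(sampleOutput)) {
		fmt.Printf("%s/%s via %s:%s on color %s: CRTVERFL repeated %s times, last at %s\n",
			r.PeerType, r.Protocol, r.PublicIP, r.PublicPort, r.LocalColor, r.RepeatCount, r.Downtime)
	}
}
```

A device whose only history rows are vbond/dtls attempts with CRTVERFL and a climbing REPEAT COUNT, and that has never been provisioned, matches the condition in this notice; a CRTVERFL toward an already-provisioned controller is a different problem (certificate or clock issues on the fabric itself) and should be investigated separately.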
Solution
Manually upgrade the affected device to Cisco vEdge Release 20.3.2 or later. Fixed releases contain the root CA that is compatible with the current ZTP service. Affected Cisco vEdge devices can be upgraded by following the instructions in Upgrade SD-WAN vEdge Routers.
Devices that are staged for later deployment can be manually upgraded during the staging process. After the devices are installed, ZTP can be used as normal.
Workaround for Enterprise Certificates
Bypass ZTP and manually configure the minimum parameters required for the device to join the overlay and be fully provisioned. After the parameters have been configured, install the enterprise root CA bundle.
To bypass ZTP, do the following:
```
vedge# conf t
Entering configuration mode terminal
vedge(config)# system
vedge(config-system)# host-name vEdge-new
vedge(config-system)# organization-name cisco
vedge(config-system)# vbond 10.100.0.11
vedge(config-system)# commit
Commit complete.
vEdge-new(config-system)# exit
```
Workaround for Cisco PKI-Based Certificates
Customers who are using Cisco PKI-based certificates on their fabric should manually upgrade the root CA bundle on the vEdge device and continue to use ZTP. The default Cisco PKI root CA bundle contains the root CA that is compatible with the current ZTP service. Obtain the root CA bundle file from the current SD-WAN Manager or Validator and follow the instructions in the Install Root Certificate on SDWAN vEdges tech note.
Version | Description | Section | Date |
---|---|---|---|
1.0 | Initial Release | — | 2024-SEP-16 |
For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:
To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.