
OPERATIONAL DEFECT DATABASE
When the user tries to run a peer Fail command for HA version 3 in Azure gov cloud, the following error appears in show logging:

    CSR HA: peerFail event for node
    Requesting token for fetching the routes from route table
    Requesting token from default authentication application
    Obtained token successfully
    Route GET request failed with code 401
    Route table get response: {"error":{"code":"InvalidAuthenticationTokenAudience","message":"The access token has been obtained for wrong audience or resource 'https://management.azure.com/'. It should exactly match with one of the allowed audiences 'https://management.core.usgovcloudapi.net/','https://management.core.usgovcloudapi.net','https://management.usgovcloudapi.net/','https://management.usgovcloudapi.net'."}}
    Route table not found.

The token was received, but for the wrong resource.
This issue was seen on the Azure platform for usgovcloud while trying to set up HA version 3.
Use Azure Active Directory instead of MSI.
Support for MSI on CSR in Azure GovCloud was also seen for HA solution version 2. The fix for HAv2 is still compatible with Azure GovCloud, thus the latest releases for both HAv2 and HAv3 will support MSI for Azure GovCloud.
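A diagnostic check for the audience mismatch shown in the log above, as an added example that is not Cisco's code: it reads the allowed audiences out of the 401 response body and compares them with the aud claim of a token. The function names and the unsigned sample token are constructed for illustration.

```python
import base64
import json
import re

# Error body copied from the "Route table get response" log line on this page.
ERROR_BODY = (
    '{"error":{"code":"InvalidAuthenticationTokenAudience","message":"The access '
    "token has been obtained for wrong audience or resource "
    "'https://management.azure.com/'. It should exactly match with one of the "
    "allowed audiences 'https://management.core.usgovcloudapi.net/',"
    "'https://management.core.usgovcloudapi.net',"
    "'https://management.usgovcloudapi.net/',"
    "'https://management.usgovcloudapi.net'.\"}}"
)


def parse_audience_error(body):
    """Return (audience the token carries, audiences the endpoint accepts)."""
    err = json.loads(body)["error"]
    if err["code"] != "InvalidAuthenticationTokenAudience":
        raise ValueError("not an audience error: " + err["code"])
    presented, _, accepted = err["message"].partition("allowed audiences")
    url = r"'(https://[^']+)'"
    return re.findall(url, presented)[0], re.findall(url, accepted)


def token_audience(jwt):
    """Read the aud claim from a JWT payload. No signature check: diagnosis only."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]


def sample_token(aud):
    """Constructed, unsigned token for the demo; not a real Azure token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"aud": aud}), "constructed"])


def audience_matches(jwt, accepted):
    # The error text requires an exact match, trailing slash included.
    return token_audience(jwt) in accepted


if __name__ == "__main__":
    presented, accepted = parse_audience_error(ERROR_BODY)
    for aud in (presented, accepted[0]):
        verdict = "accepted" if audience_matches(sample_token(aud), accepted) else "401"
        print(aud, "->", verdict)
```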