BugZero | Cisco BugID CSCvt11260 - cEdge/vEdge: New routers out of the box May have d...

Cisco - Defect ID: CSCvt11260

cEdge/vEdge: New routers out of the box May have different RootCert than vManage

Cisco - Defect ID: CSCvt11260

cEdge/vEdge: New routers out of the box May have different RootCert than vManage

Last updated on April 2nd, 2024

BugZero Risk Score
5.8 Medium

Overall: 5.8

Severity: 6.4

Lifecycle: 4.6

Popularity: 6.0

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Views: 6

Description

Symptom

-Onboarding a new cEdge to an existing overlay may fail. -The control connections fails due to the certificate being mismatched with the certificate that exists on vManage. -The output of "show control connections-history" or "show sdwan control connection-history" on the cEdge/vEdge devices, may show the following: PEER PEER LOCAL REMOTE REPEAT TYPE PROTOCOL STATE ERROR ERROR COUNT DOWNTIME ------------------------------------------------------------------------------------- vbond dtls tear_down CRTVERFL NOERR 55 2020-02-05T15:24:23-0600 vbond dtls tear_down CRTVERFL NOERR 54 2020-02-05T15:24:07-0600 -vBond rejects the edge claiming it doesn't have the correct Cert.

Conditions

So far a New cEdge out of the box running 16.10.3a and/or upgraded to 16.12.2r

Workaround

a) if this is an on-prem setup, then use the below workaround: On the vManage/vBond, 1. ssh into the CLI and drop into the shell. 2. Run the command "cat /usr/share/viptela/root-ca.crt" 3. Copy the output making sure to capture everything On cEdges, 1. Save the copied information on the cEdge in a file 2. Run the command "request platform software sdwan root-cert-chain install bootflash:certificate-file.crt" 3. Check if the control connections are established "show sdwan control connections". You may have to go through the request process again. On vEdges, 1. Save the copied information on the vEdge under /home/admin 2. Run the command "request root-cert-chain install /home/admin/certificate-file.crt" 3. Check if the control connections are established "show control connections". You may have to go through the request process again. If you would prefer to use scp, ftp, or some other method to get the file on the Edge, that is fine as long as the whole file in its entirety is installed. b) if this is a hosted solution: -The proper fix for this issue, is to use PNP portal and install the root-cert of the controllers into the controller profile section. Then the Edge device can call-home using ZTP to install the proper cert.

Further Problem Description

Change history

2024-04-02 Added: 16.10.3a, 16.12.2r

Relevant Products

Click on a version to see all relevant bugs

Affected versions:16.10.3a, 16.12.2r

Fixed versions: No known fixed versions

Relevant Products

Click on a version to see all relevant bugs

Affected versions:16.10.3a, 16.12.2r

Fixed versions: No known fixed versions

Top Cisco Defects

No bugs this month

Ready to prevent the next vendor outage?

Get a demo

Cisco - Defect ID: CSCvt11260

cEdge/vEdge: New routers out of the box May have different RootCert than vManage

Cisco - Defect ID: CSCvt11260

cEdge/vEdge: New routers out of the box May have different RootCert than vManage

Last updated on April 2nd, 2024

BugZero Risk Score5.8 Medium

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Top Cisco Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
5.8 Medium