...
If the config-db password is updated [say, due to a vulnerability] and the deployment is later scaled up for clustering, the cluster fails to form due to an Authentication Exception.
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/manage-cluster.html

The following logs will be seen. The cluster addition hangs in pending, and the second vManage has no UI response.

vManage02:
31-Aug-2020 00:47:16,953 UTC INFO [vManage02] [ApplicationActor] (vManage-akka.actor.default-dispatcher-3) || Exception in init thread : com.viptela.vmanage.server.datastore.DatabaseSetupException: Failed to create/initialize database : vmanagedb
Caused by: org.neo4j.driver.v1.exceptions.AuthenticationException: The client is unauthorized due to authentication failure.
at org.neo4j.driver.internal.util.ErrorUtil.newNeo4jError(ErrorUtil.java:57) [neo4j-java-driver-1.6.1.jar:1.6.1-1cf40b7341738f0cb01b8abb1897bb1294aae9f3]

vManage01:
31-Aug-2020 00:42:18,219 UTC ERROR [vManage01] [AbstractSettingsManager] (device-event-processing-2) || Failed to fetch the data collection on notification enabled setting: org.neo4j.driver.v1.exceptions.AuthenticationException: The client is unauthorized due to authentication failure.
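One way to confirm this signature across collected server logs, as an added example that is not Cisco's code: it groups "Caused by:" and stack lines under their log header and reports, per node, whether the neo4j authentication failure blocked database initialisation. The sample log is constructed from the two excerpts above (the third entry is invented as a negative case), and the status names and function names are hypothetical.

```python
import re

# Constructed sample modelled on the excerpts above; the vManage03 line is an invented negative case.
SAMPLE_LOG = """\
31-Aug-2020 00:42:18,219 UTC ERROR [vManage01] [AbstractSettingsManager] (device-event-processing-2) || Failed to fetch the data collection on notification enabled setting: org.neo4j.driver.v1.exceptions.AuthenticationException: The client is unauthorized due to authentication failure.
31-Aug-2020 00:47:16,953 UTC INFO [vManage02] [ApplicationActor] (vManage-akka.actor.default-dispatcher-3) || Exception in init thread : com.viptela.vmanage.server.datastore.DatabaseSetupException: Failed to create/initialize database : vmanagedb
Caused by: org.neo4j.driver.v1.exceptions.AuthenticationException: The client is unauthorized due to authentication failure.
\tat org.neo4j.driver.internal.util.ErrorUtil.newNeo4jError(ErrorUtil.java:57)
31-Aug-2020 00:48:02,101 UTC INFO [vManage03] [ApplicationActor] (vManage-akka.actor.default-dispatcher-5) || Application server started
"""

# Entry header: timestamp UTC LEVEL [node] [component] (thread) || message
ENTRY = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2},\d{3}) UTC (?P<level>\w+) "
    r"\[(?P<node>[^\]]+)\] \[(?P<component>[^\]]+)\] \([^)]*\) \|\| (?P<msg>.*)$"
)
AUTH_FAIL = "org.neo4j.driver.v1.exceptions.AuthenticationException"
DB_INIT_FAIL = "DatabaseSetupException"


def parse_entries(text):
    """Attach continuation lines (Caused by:, stack frames) to the preceding header."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({**m.groupdict(), "body": m.group("msg")})
        elif entries and line.strip():
            entries[-1]["body"] += "\n" + line
    return entries


def triage(text):
    """Return {node: status} for nodes showing the config-db authentication failure."""
    findings = {}
    for entry in parse_entries(text):
        if AUTH_FAIL not in entry["body"]:
            continue
        if DB_INIT_FAIL in entry["body"]:
            # Joining node: vmanagedb could not be created/initialised.
            findings[entry["node"]] = "db-init-blocked"
        else:
            # Node is up, but its queries to the config-db are rejected.
            findings.setdefault(entry["node"], "auth-failure")
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```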
This only happens if the config-db password is changed. An existing cluster won't exhibit any issues.

When creating a cluster, form the cluster with the default password. Once the cluster is formed:
1. Stop the application server on all nodes.
2. Change/update the config-db password.
3. Start the application server on the nodes one by one [wait until the application server comes up].

Any customer who has changed the config-db password as part of the vulnerability issue and tries to expand vManage for clustering will face this issue. At present, all versions until 20.3.2 will face this issue.

PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html