BugZero | Cisco BugID CSCwa10423 - Sftunnel connection failed after FMC upgrade .

Cisco - Defect ID: CSCwa10423

Sftunnel connection failed after FMC upgrade .

Cisco - Defect ID: CSCwa10423

Sftunnel connection failed after FMC upgrade .

Last updated on November 26th, 2025

BugZero Risk Score
7.4 High

Overall: 7.4

Severity: 8.2

Lifecycle: 4.0

Popularity: 5.1

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Views: 595

Description

Symptom

Sftunnel connection failed to the device after the FMC upgrade. FMC side verification of certificate is failing with "err 68:CA signature digest algorithm too weak".

Conditions

Workaround

On the FMC: 1. Revoke existing certificate for this device on FMC: a.Get the device UUID. b.Select cert_serial_number,service from ssl_peer \G; c.select service from ssl_peer where cert_serial_number=; is cert_serial_number which is matching with the device UUID in step 2 then Verify the device UUID 2. The run the ?sfca_revoke /etc/sf/ca_root ? with the number found from previous step. 1. Find the entry from ?/etc/sf/ca_root/index.txt? for the device UUID, all the records should start with ?R? (revoked). It has a hexadecimal value in 3rd column, matching the cert_serial_number found earlier. Specifically that entry should have value as ?R? in the 1st column. a. cat /etc/sf/ca_root/index.txt|grep 3. Clean up ssl_peer table for this device UUID a.delete from ssl_peer where cert_serial_number = ; 3. Issue new certificate on FMC for the device, run the below command from /var/sf/peers/ directory : a. perl -e 'use FlyLoader;use Data::Dumper; print SF::PeerManager::RegUtils::generateCert("/var/sf/peers//","sftunnel","localhost","");' 5. Find the entry from ?/etc/sf/ca_root/index.txt? for the device UUID, all the records with start with ?V? (valid). It has a hexadecimal value in 3rd column, matching the cert_serial_number, hexadecimal value. This is to verify that a certificate has been issued. 6. sftunnel-key.pem and sftunnel-cert.pem files are created in the /var/sf/peers/ directory on FMC. 7. Copy the issued certificate to the FTD and place it under /var/sf/peers// on the FTD. 7.1 Move away/rename the certificate and the key on FMC ? they are not for FMC sftunnel . They are for FTD only. On the FTD: 1. In the /var/sf/peers// directory, move the old files sftunnel-cert.pem and sftunnel-cert.pem or rename them. 2. Place the FMC issued new certificate file under this directory. 3. Restart sftunnel process on the FTD.

Further Problem Description

Change history

2024-12-09 Added: 7.0.0, 7.0.1, 7.0.1.1, 7.1.0, 7.2.0

Relevant Products

Click on a version to see all relevant bugs

Affected versions:7.0.0, 7.0.1, 7.0.1.1, 7.1.0, 7.2.0

Fixed versions: No known fixed versions

Relevant Products

Click on a version to see all relevant bugs

Affected versions:7.0.0, 7.0.1, 7.0.1.1, 7.1.0, 7.2.0

Fixed versions: No known fixed versions

Top Cisco Defects

9.7Defect ID: CSCvx82406
Memory leaks in IOS_PRIV_OPER_DB
9.7Defect ID: CSCvd48893
Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability
9.7Defect ID: CSCvv15096
9200L: SYS-3-CPUHOG: Task is running for (2843)msecs, more than (2000)msecs process = SAUtilReport.
9.7Defect ID: CSCwa47133
ISE Evaluation log4j CVE-2021-44228
9.7Defect ID: CSCwe01579
Cat9800 wncd reload while creating an RRM Client Coverage on large scale setup

Ready to prevent the next vendor outage?

Get a demo

Cisco - Defect ID: CSCwa10423

Sftunnel connection failed after FMC upgrade .

Cisco - Defect ID: CSCwa10423

Sftunnel connection failed after FMC upgrade .

Last updated on November 26th, 2025

BugZero Risk Score7.4 High

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Top Cisco Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
7.4 High