...
The sftunnel connection to the device fails after the FMC upgrade. Certificate verification on the FMC side fails with "err 68:CA signature digest algorithm too weak". Error 68 is OpenSSL's X509_V_ERR_CA_MD_TOO_WEAK: the upgraded FMC rejects a certificate in the sftunnel peer's chain because it is signed with a digest below the configured security level (typically MD5 or SHA-1). The workaround is to revoke the device's existing sftunnel certificate on the FMC, issue a new one, and install it on the FTD.

On the FMC:

1. Revoke the existing certificate for this device on the FMC:
   a. Get the device UUID.
   b. Select cert_serial_number,service from ssl_peer \G;
   c. Confirm that the serial belongs to this device: select service from ssl_peer where cert_serial_number = <serial>; where <serial> is the cert_serial_number whose row matches the device UUID from step 1a. Verify the device UUID in the result.
2. Run "sfca_revoke /etc/sf/ca_root <serial>" with the serial number found in step 1.
3. Verify the revocation in /etc/sf/ca_root/index.txt. The entry for this device UUID must now have "R" (revoked) in the first column, and its hexadecimal serial number must match the cert_serial_number found in step 1.
   a. cat /etc/sf/ca_root/index.txt | grep <device UUID>
4. Clean up the ssl_peer table for this device UUID:
   a. delete from ssl_peer where cert_serial_number = <serial>;
5. Issue a new certificate for the device on the FMC. Run the following command from the /var/sf/peers/ directory:
   a. perl -e 'use FlyLoader;use Data::Dumper; print SF::PeerManager::RegUtils::generateCert("/var/sf/peers/<device UUID>/","sftunnel","localhost","");'
6. Verify the issuance in /etc/sf/ca_root/index.txt. The new entry for the device UUID must have "V" (valid) in the first column, with the hexadecimal serial number of the newly issued certificate. This confirms that a certificate has been issued.
7. sftunnel-key.pem and sftunnel-cert.pem are created in the /var/sf/peers/<device UUID>/ directory on the FMC.
8. Copy the issued certificate and key to the FTD and place them under /var/sf/peers/<device UUID>/ on the FTD. Then move away or rename the certificate and key on the FMC: they are not for the FMC's sftunnel, they are for the FTD only.

On the FTD:

1. In the /var/sf/peers/<device UUID>/ directory, move away or rename the old sftunnel-cert.pem and sftunnel-key.pem files.
2. Place the new FMC-issued certificate and key in this directory.
3. Restart the sftunnel process on the FTD.
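The two index.txt checks in the procedure above (the entry must read "R" after revocation and "V" after issuance) can be scripted instead of eyeballed. The shell example below is added here; it is not part of the original note and not a Cisco tool. It assumes only that /etc/sf/ca_root/index.txt uses the standard OpenSSL CA database layout (tab-separated: status V/R/E, expiry, revocation date, hex serial, filename, subject DN) and that the device UUID appears in the subject DN. The sample database, serials and UUIDs are constructed for the demo. It also shows the openssl check a practitioner wants after step 5: that the reissued certificate is signed with a digest the upgraded FMC accepts, since that is what error 68 is about.

```sh
#!/bin/sh
# Added example, not from the original note or from Cisco's tooling.
# Parses an OpenSSL CA database in the layout /etc/sf/ca_root/index.txt
# uses: tab-separated status (V/R/E), expiry, revocation date (empty unless
# revoked), serial in hex, filename, subject DN.

# Constructed sample database with made-up serials and UUIDs.
INDEX_FILE=$(mktemp)
trap 'rm -f "$INDEX_FILE"' EXIT
printf 'V\t330101000000Z\t\t1A2B\tunknown\t/CN=11111111-2222-3333-4444-555555555555\n' >> "$INDEX_FILE"
printf 'R\t330101000000Z\t240601120000Z\t0F9E\tunknown\t/CN=66666666-7777-8888-9999-000000000000\n' >> "$INDEX_FILE"
printf 'V\t330101000000Z\t\t0FA0\tunknown\t/CN=66666666-7777-8888-9999-000000000000\n' >> "$INDEX_FILE"

# index_entries_for_uuid FILE UUID: prints "<status> <serial>" for every
# entry whose subject DN contains UUID (the grep from step 3, column-aware).
index_entries_for_uuid() {
    awk -F '\t' -v u="$2" 'index($6, u) { print $1, $4 }' "$1"
}

# index_status_of_serial FILE SERIAL: prints V, R or E for the entry with
# that hex serial, or "missing" if the database has no such entry.
index_status_of_serial() {
    awk -F '\t' -v s="$2" '
        $4 == s { print $1; found = 1 }
        END { if (!found) print "missing" }' "$1"
}

# expect_serial_status FILE SERIAL WANT: returns 0 when the serial has the
# expected status (R after sfca_revoke, V after generateCert), 1 otherwise.
expect_serial_status() {
    [ "$(index_status_of_serial "$1" "$2")" = "$3" ]
}

# cert_sig_alg CERT.pem: prints the certificate's signature algorithm, e.g.
# sha256WithRSAEncryption. If the reissued sftunnel-cert.pem comes back as
# sha1WithRSAEncryption or md5WithRSAEncryption, verify error 68 will recur.
# Requires openssl; not exercised by the constructed sample above.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Walk-through on the sample: the device's old serial is R, the new one V.
UUID=66666666-7777-8888-9999-000000000000
echo "index.txt entries for $UUID:"
index_entries_for_uuid "$INDEX_FILE" "$UUID"
expect_serial_status "$INDEX_FILE" 0F9E R && echo "old cert 0F9E is revoked"
expect_serial_status "$INDEX_FILE" 0FA0 V && echo "new cert 0FA0 is valid"
```

On a real FMC, point INDEX_FILE at /etc/sf/ca_root/index.txt and pass the cert_serial_number taken from ssl_peer; the serial in index.txt is hexadecimal, so compare it in the same form. Run cert_sig_alg against the new /var/sf/peers/<device UUID>/sftunnel-cert.pem before copying it to the FTD.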