
OPERATIONAL DEFECT DATABASE

The sftunnel connection to the device fails after the FMC upgrade. Certificate verification on the FMC side fails with "err 68:CA signature digest algorithm too weak".
On the FMC:

1. Revoke the existing certificate for this device on the FMC:
   a. Get the device UUID.
   b. Select cert_serial_number,service from ssl_peer \G;
   c. select service from ssl_peer where cert_serial_number=; (the cert_serial_number is the one matching the device UUID in step 2), then verify the device UUID.
2. Then run "sfca_revoke /etc/sf/ca_root" with the number found in the previous step.
   Find the entry for the device UUID in /etc/sf/ca_root/index.txt; all its records should start with "R" (revoked). The hexadecimal value in the 3rd column matches the cert_serial_number found earlier; specifically, that entry should have "R" in the 1st column.
   a. cat /etc/sf/ca_root/index.txt|grep
3. Clean up the ssl_peer table for this device UUID:
   a. delete from ssl_peer where cert_serial_number = ;
4. Issue a new certificate on the FMC for the device; run the command below from the /var/sf/peers/ directory:
   a. perl -e 'use FlyLoader;use Data::Dumper; print SF::PeerManager::RegUtils::generateCert("/var/sf/peers//","sftunnel","localhost","");'
5. Find the entry for the device UUID in /etc/sf/ca_root/index.txt; all its records should start with "V" (valid). The hexadecimal value in the 3rd column matches the cert_serial_number. This verifies that a certificate has been issued.
6. sftunnel-key.pem and sftunnel-cert.pem are created in the /var/sf/peers/ directory on the FMC.
7. Copy the issued certificate to the FTD and place it under /var/sf/peers// on the FTD.
   7.1 Move away or rename the certificate and the key on the FMC; they are not for the FMC's sftunnel, they are for the FTD only.

On the FTD:

1. In the /var/sf/peers// directory, move away or rename the old sftunnel-key.pem and sftunnel-cert.pem files.
2. Place the new FMC-issued certificate file in this directory.
3. Restart the sftunnel process on the FTD.
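As an added example (not part of the Cisco bug record), a small shell check for the index.txt verification in steps 2 and 5 of the workaround above. It assumes /etc/sf/ca_root/index.txt uses the OpenSSL CA index layout (tab-separated: status, expiry, revocation date, serial, filename, subject DN) and confirms that the old serial is marked R and the newly issued serial V; the sample index, serials and subject names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Cisco bug record: check the index.txt
# verification steps of the workaround in one place.
# Assumption: /etc/sf/ca_root/index.txt uses the OpenSSL CA index layout,
# tab-separated: status, expiry, revocation date (empty unless revoked),
# serial (hex), filename, subject DN.

TAB="$(printf '\t')"

# Print the status letter recorded for a serial (R = revoked, V = valid),
# or NONE if the serial does not appear in the index.
index_status() {
    # $1 = path to index.txt, $2 = hex serial (case-insensitive)
    awk -F "$TAB" -v want="$(printf '%s' "$2" | tr 'a-f' 'A-F')" '
        toupper($4) == want { print $1; found = 1 }
        END { if (!found) print "NONE" }
    ' "$1"
}

# Succeed only when the old serial is revoked and the new serial is valid,
# i.e. the revoke (step 2) and reissue (step 5) checks both pass.
verify_reissue() {
    # $1 = index.txt, $2 = old serial, $3 = newly issued serial
    [ "$(index_status "$1" "$2")" = "R" ] &&
    [ "$(index_status "$1" "$3")" = "V" ]
}

# Constructed sample index (placeholder serials and subject names, not real data).
SAMPLE_INDEX="$(mktemp)"
trap 'rm -f "$SAMPLE_INDEX"' EXIT
{
    printf 'R\t260101000000Z\t250101000000Z\t1A2B\tunknown\t/CN=device-uuid-placeholder\n'
    printf 'V\t270101000000Z\t\t1A2C\tunknown\t/CN=device-uuid-placeholder\n'
    printf 'V\t270101000000Z\t\t00FF\tunknown\t/CN=other-device-placeholder\n'
} > "$SAMPLE_INDEX"

if verify_reissue "$SAMPLE_INDEX" 1A2B 1A2C; then
    echo "old serial 1A2B revoked and new serial 1A2C valid: OK"
else
    echo "certificate reissue not confirmed; check index.txt" >&2
fi
```

Run it against the real file by replacing SAMPLE_INDEX with /etc/sf/ca_root/index.txt and the two placeholder serials with the cert_serial_number values from the ssl_peer queries.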