After upgrading the FPR9k FTD from 6.4.0.12 to 6.4.0.14, the FTD was not able to communicate with the new SSE. The following logs were seen in connector.log:

x509: certificate signed by unknown authority]" time="2022-03-17T21:23:56.178655504Z" level=info msg="[Firepower-module1][context_reg.go:179 context.NewRegMod:func1] UNREGISTRATION_ERR message received : CE2300: Unregistration failed - Connector internal error. Check network connectivity and retry. If problem persists, contact Cisco TAC."

I see that the connector.toml has the cert_store location pointing to "/etc/ssl/certs/ios.pem" instead of "/ngfw/etc/ssl/connectorCA.pem", which is needed to trust the new IdenTrust chain:

root@Firepower-module1:/etc/sf# cat /etc/sf/connector.toml
# Default connector configuration
[Globals]
server_port = 8989
data_dir = "/ngfw/var/lib/connector/"   # Path for SSE connector data.
cert_store = "/etc/ssl/certs/ios.pem"   # Path to additional CA certs (on top of default ssl_config pool). Empty string indicates no additional CAs need to be used.
interface = "localhost"                 # all | localhost

This is causing the SSE telemetry failure, and the FTD does not talk to SSE.
FTD managed by FMC, with Cloud integration via SSE.
Perform this on each affected FTD via the CLI.

Fix 1: Copy the ios.pem file to /etc/ssl/certs/

Fix 2:

1. Make a backup copy of connector.toml:

root@Firepower-module1:/etc/sf# cp connector.toml /ngfw/var/common/

2. Edit the connector.toml file and add the proper cert_store location (/ngfw/etc/ssl/connectorCA.pem):

root@Firepower-module1:/etc/sf# vim connector.toml
root@Firepower-module1:/etc/sf# cat connector.toml
# Default connector configuration
[Globals]
server_port = 8989
data_dir = "/ngfw/var/lib/connector/"         # Path for SSE connector data.
cert_store = "/ngfw/etc/ssl/connectorCA.pem"  # Path to additional CA certs (on top of default ssl_config pool). Empty string indicates no additional CAs need to be used.
interface = "localhost"                       # all | localhost

3. Restart the SSEConnector process on the FTD. Afterwards, the Cloud integration was disabled on FMC and re-enabled:

root@Firepower-module1:/etc/sf# pmtool status | grep -i SSEConnector
root@Firepower-module1:/etc/sf# pmtool restartbyid SSEConnector

4. Confirm from the logs that the FTD registered with the SSE cloud portal.
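The error in connector.log, "x509: certificate signed by unknown authority", is what a Go TLS client reports when the server's chain does not lead to any CA in the trust pool it was given, which is exactly what happens when cert_store points at a bundle that lacks the new chain. The example below is added here to illustrate that failure mode and is not Cisco's connector code: it constructs two throwaway CAs (standing in for the old and new chains; they are not the real IdenTrust or Cisco certificates), issues a server certificate under the new one, and verifies it against a PEM bundle that holds only the old CA and then against one that holds the new CA. The host name sse.example.invalid and the CA names are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// template returns a CA or server certificate template for name.
// All certificates in this file are constructed test material.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert signs tmpl with parent/parentKey, or self-signs it when parent is nil.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// pemBundle encodes certificates the way a cert_store file holds them.
func pemBundle(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// verifyAgainstStore does what a Go TLS client does with the CAs from a
// cert_store bundle: load them into a pool and verify the server chain.
func verifyAgainstStore(store []byte, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(store) {
		return errors.New("cert_store contains no parsable PEM certificates")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// isUnknownAuthority reports whether err is the
// "x509: certificate signed by unknown authority" failure.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// demo issues a server certificate under the constructed CA "new-chain" and
// verifies it against a store holding only the unrelated CA "old-chain"
// (the stale bundle case) and against a store holding "new-chain" (the fix).
func demo() (staleStoreErr, fixedStoreErr error) {
	oldCA, _, err := newCert(template("old-chain (constructed)", 1, true), nil, nil)
	if err != nil {
		return err, err
	}
	newCA, newKey, err := newCert(template("new-chain (constructed)", 2, true), nil, nil)
	if err != nil {
		return err, err
	}
	leaf, _, err := newCert(template("sse.example.invalid", 3, false), newCA, newKey)
	if err != nil {
		return err, err
	}
	staleStoreErr = verifyAgainstStore(pemBundle(oldCA), leaf, "sse.example.invalid")
	fixedStoreErr = verifyAgainstStore(pemBundle(newCA), leaf, "sse.example.invalid")
	return staleStoreErr, fixedStoreErr
}

func main() {
	stale, fixed := demo()
	fmt.Printf("stale bundle: %v (unknown authority: %t)\n", stale, isUnknownAuthority(stale))
	fmt.Printf("fixed bundle: %v\n", fixed)
}
```

The same verifyAgainstStore check can be pointed at a real bundle: read the file named by cert_store and the server certificate captured from the TLS handshake, and a non-nil UnknownAuthorityError confirms that the bundle, not network connectivity, is what the CE2300 "check network connectivity" message is hiding.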