
OPERATIONAL DEFECT DATABASE

Sensors may no longer be connected to the Firepower Management Center (FMC) due to an expired certificate on the FMC that is used for signing the sftunnel certificates.

Logs

* Error on Device:

```plaintext
Sep 20 04:10:47 DEVICE SF-IMS[50792]: [51982] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to FMC-IP:8305/tcp
Sep 20 04:10:47 DEVICE SF-IMS[50792]: [51982] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv4): FMC-IP
Sep 20 04:10:47 DEVICE SF-IMS[50792]: [51982] sftunneld:sf_ssl [INFO] Connected to FMC-IP from resolved_ip_list (port 8305) (IPv4)
Sep 20 04:10:47 DEVICE SF-IMS[50792]: [51982] sftunneld:sf_ssl [ERROR] -Error with certificate at depth: 1
Sep 20 04:10:47 DEVICE SF-IMS[50792]: [51982] sftunneld:sf_ssl [ERROR] issuer = /title=InternalCA/OU=Intrusion Management System/CN=UUID-FMC/O=Sourcefire, Inc.
Sep 20 04:10:47 DEVICE SF-IMS[50792]: [51982] sftunneld:sf_ssl [ERROR] subject = /title=InternalCA/OU=Intrusion Management System/CN=UUID-FMC/O=Sourcefire, Inc.
Sep 20 04:10:47 DEVICE SF-IMS[50792]: [51982] sftunneld:sf_ssl [ERROR] err 10:certificate has expired
Sep 20 04:10:47 DEVICE SF-IMS[50792]: [51982] sftunneld:sf_ssl [ERROR] SSL_renegotiate error: 1: error:00000001:lib(0):func(0):reason(1)
Sep 20 04:10:47 DEVICE SF-IMS[50792]: [51982] sftunneld:sf_ssl [ERROR] Connect:SSL handshake failed
Sep 20 04:10:47 DEVICE SF-IMS[50792]: [51982] sftunneld:sf_ssl [WARN] SSL Verification status: certificate has expired
```

* Error on FMC:

```plaintext
Sep 20 03:14:23 FMC SF-IMS[1504]: [4171] sftunneld:sf_ssl [INFO] VERIFY ssl_verify_callback_initial ok=1!
Sep 20 03:14:23 FMC SF-IMS[1504]: [4171] sftunneld:sf_ssl [ERROR] SSL_renegotiate error: 1: error:00000001:lib(0):func(0):reason(1)
Sep 20 03:14:23 FMC SF-IMS[1504]: [4171] sftunneld:sf_ssl [WARN] establishConnectionUtil: SSL handshake failed
Sep 20 03:14:23 FMC SF-IMS[1504]: [4171] sftunneld:sf_ssl [WARN] establishConnectionUtil: SSL Verification status: ok
Sep 20 03:14:23 FMC SF-IMS[1504]: [4171] sftunneld:sf_ssl [WARN] establishConnectionUtil: SSL handshake failed: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
Sep 20 03:14:23 FMC SF-IMS[1504]: [4171] sftunneld:sf_ssl [INFO] establishConnectionUtil: Failed to connect using SSL to: 'FTD-IP'
Sep 20 03:14:23 FMC SF-IMS[1504]: [4171] sftunneld:sf_ssl [ERROR] establishSSLConnection: Unable to connect with both threads:
Sep 20 03:14:23 FMC SF-IMS[1504]: [4171] sftunneld:sf_ssl [ERROR] establishSSLConnection: ret_accept status : Too many levels of symbolic links
Sep 20 03:14:23 FMC SF-IMS[1504]: [4171] sftunneld:sf_ssl [ERROR] establishSSLConnection: iret_connect status: Too many levels of symbolic links
Sep 20 03:14:23 FMC SF-IMS[1504]: [4171] sftunneld:sf_ssl [ERROR] establishSSLConnection: Failed connecting with SSL to using to: 'FTD-IP' rval[40]
```
cacert.pem is showing as expired on the FMC. The output of the command below shows that the certificate validity date has passed:

```bash
cd /etc/sf/ca_root/
root@firepower:/etc/sf/ca_root# openssl x509 -text -in cacert.pem
```

like this:

```plaintext
Validity
    Not Before: Jul 18 18:31:32 2012 GMT
    Not After : Jul 16 18:31:32 2022 GMT <<<
```
The suggested workaround/fix for this one is described on https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center-4600/222464-renewal-of-fmc-sftunnel-ca-certificate-f.html and depends on whether the certificate has already expired or not.
You can find more info on it on https://www.cisco.com/c/en/us/support/docs/field-notices/742/fn74214.html.

Check the cacert.pem file for the expiration date using the following command:

```bash
root@firepower:/etc/sf/ca_root# openssl x509 -text -in cacert.pem
```

The output shows the validity dates, with 'Not After' being the expiration date. When this defect applies, the 'Not After' date is earlier than the current date:

```plaintext
Validity
    Not Before: Jul 18 18:31:32 2012 GMT
    Not After : Jul 16 18:31:32 2022 GMT <<<
```
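As an added example (not part of this bug record or of Cisco's documentation), the script below automates the check above: it parses the 'Not After' field from openssl's output and reports how many days remain before the FMC's cacert.pem expires, so the condition can be caught by a monitoring job before sensors drop off. The certificate path and the sample 'Validity' block come from the record; the function names are my own.

```python
import re
import subprocess
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the 'Validity' block as printed by
# `openssl x509 -text -in /etc/sf/ca_root/cacert.pem` in the bug record above.
SAMPLE_TEXT_OUTPUT = """\
        Validity
            Not Before: Jul 18 18:31:32 2012 GMT
            Not After : Jul 16 18:31:32 2022 GMT
"""

# Matches both the '-text' form ("Not After : ...") and the '-enddate' form ("notAfter=...").
_NOT_AFTER_RE = re.compile(r"(?:Not After\s*:|notAfter=)\s*(.+?)\s*$", re.MULTILINE)


def parse_not_after(openssl_output: str) -> datetime:
    """Extract the 'Not After' timestamp from openssl output as an aware UTC datetime."""
    match = _NOT_AFTER_RE.search(openssl_output)
    if match is None:
        raise ValueError("no 'Not After' field found in openssl output")
    # openssl pads single-digit days with a space ("Jul  6 ..."); collapse the whitespace.
    raw = " ".join(match.group(1).split())
    return datetime.strptime(raw, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_until_expiry(not_after: datetime, now: datetime) -> int:
    """Whole days until 'Not After'; negative once the certificate has expired."""
    return (not_after - now).days


def check_cacert(path: str = "/etc/sf/ca_root/cacert.pem",
                 now: Optional[datetime] = None) -> dict:
    """Run openssl against the FMC's CA certificate and report its expiry status."""
    now = now or datetime.now(timezone.utc)
    output = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", path],
        capture_output=True, text=True, check=True,
    ).stdout
    not_after = parse_not_after(output)
    days = days_until_expiry(not_after, now)
    return {"not_after": not_after.isoformat(), "days_remaining": days, "expired": days < 0}


if __name__ == "__main__":
    print(check_cacert())
```

Run it on the FMC itself (it needs read access to /etc/sf/ca_root/cacert.pem); a negative `days_remaining` matches the expired-certificate condition described in this record.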