Symptom
The most obvious customer-visible symptom is that after a reboot all sensors show as disabled and deployments fail.
Further investigation shows that sftunnel is down to all devices and is failing with an SSL error.
Conditions
The FMC has been running for 10 years. This includes restoring a backup from an FMC that was first installed 10 years ago.
Workaround
Under development.
Further Problem Description
The issue here is that our FMC Certificate Authority (CA) certificate is generated with a 10-year lifetime on first boot. That self-signed certificate is then used to sign other certificates (such as the sftunnel certificates). When the CA certificate expires, all certificates signed by it also become invalid, which breaks the SSL communications.
To validate the certificate, run (as root):
openssl x509 -in /etc/sf/ca_root/cacert.pem -noout -text
Check the Validity
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: title = InternalCA + OU = Intrusion Management System + CN = f873cebe-8eb6-11ec-adea-1d080592ad28, O = "Cisco Systems, Inc"
Validity
Not Before: Jul 28 04:14:27 2012 GMT <--- Check Here
Not After : Jul 26 04:14:27 2022 GMT <--- Check Here
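As an added check (example code, not part of the Cisco bug description): the Python script below parses the text output of the openssl command above, reports the CA certificate's lifetime and the days remaining until "Not After", and flags a certificate that has already expired or is inside a warning window. The sample openssl output embedded in it is constructed from the dates shown above; the path /etc/sf/ca_root/cacert.pem and the warning window of 365 days are assumptions for illustration.

```python
"""Check the FMC internal CA certificate for expiry.

Added example. Run on the FMC as root:
    python3 check_fmc_ca.py            # reads /etc/sf/ca_root/cacert.pem
    python3 check_fmc_ca.py other.pem  # any PEM certificate
"""
import re
import subprocess
import sys
from datetime import datetime, timezone

# Path taken from the bug description; adjust if the CA lives elsewhere.
CA_CERT_PATH = "/etc/sf/ca_root/cacert.pem"

# Constructed sample of `openssl x509 -noout -text` output, using the
# Validity dates shown in the bug description (10-year self-signed CA).
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: title = InternalCA + OU = Intrusion Management System, O = "Cisco Systems, Inc"
        Validity
            Not Before: Jul 28 04:14:27 2012 GMT
            Not After : Jul 26 04:14:27 2022 GMT
"""

# Matches "Not Before: ..." and "Not After : ..." (note the space before the colon).
DATE_RE = re.compile(r"^\s*Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)
# openssl prints dates as e.g. "Jul 26 04:14:27 2022 GMT" (day may be space-padded).
DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_validity(x509_text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {m.group(1): m.group(2) for m in DATE_RE.finditer(x509_text)}
    if "Before" not in found or "After" not in found:
        raise ValueError("no Validity block found in openssl output")

    def to_dt(s):
        return datetime.strptime(s, DATE_FMT).replace(tzinfo=timezone.utc)

    return to_dt(found["Before"]), to_dt(found["After"])


def lifetime_days(x509_text):
    """Total validity period in days (3650 for the 10-year FMC CA)."""
    not_before, not_after = parse_validity(x509_text)
    return (not_after - not_before).days


def check_validity(x509_text, now=None, warn_days=365):
    """Classify the certificate relative to `now`.

    `now` may be an aware datetime, an ISO date string (treated as UTC),
    or None for the current time. Returns (status, days_left) where
    status is one of: not-yet-valid, expired, expiring, ok.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    not_before, not_after = parse_validity(x509_text)
    days_left = (not_after - now).days
    if now < not_before:
        status = "not-yet-valid"
    elif now >= not_after:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring"
    else:
        status = "ok"
    return status, days_left


def read_cert_text(path=CA_CERT_PATH):
    """Run openssl on the given PEM file and return its text dump."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-text"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


if __name__ == "__main__":
    cert_path = sys.argv[1] if len(sys.argv) > 1 else CA_CERT_PATH
    text = read_cert_text(cert_path)
    status, days = check_validity(text)
    print(f"{cert_path}: lifetime {lifetime_days(text)} days, "
          f"status {status}, {days} days until Not After")
    # Non-zero exit lets a cron job or monitoring hook alert before sftunnel breaks.
    sys.exit(0 if status == "ok" else 1)
```

Running this from cron with a warning window of a year or more gives time to plan the CA renewal before the sftunnel certificates it signed stop validating; the "expired" status corresponds to the broken state described in the Symptom section.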