The most obvious customer-visible symptom is that after a reboot all sensors show as disabled and deployments fail. Upon further investigation, sftunnel is down to all devices and is failing with an SSL error.
The FMC has been running for 10 years. This can include restoring a backup from an FMC that was first installed 10 years ago.
Under development.
The issue here is that the FMC Certificate Authority (CA) certificate is generated with a 10-year validity on first boot. That self-signed certificate is then used to sign other certificates (such as the sftunnel certificates). When the CA certificate expires, every certificate signed by it also becomes invalid, which breaks the SSL communications. To validate the certificate, run (as root):

    openssl x509 -in /etc/sf/ca_root/cacert.pem -noout -text

Check the Validity section of the output:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 0 (0x0)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: title = InternalCA + OU = Intrusion Management System + CN = f873cebe-8eb6-11ec-adea-1d080592ad28, O = "Cisco Systems, Inc"
            Validity
                Not Before: Jul 28 04:14:27 2012 GMT   <--- Check Here
                Not After : Jul 26 04:14:27 2022 GMT   <--- Check Here
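The following is an added example, not Cisco's own tooling: a small Python check that parses the Validity block of `openssl x509 -noout -text` output and reports whether the internal CA certificate has expired or is close to expiring, so the failure can be caught before the 10-year mark rather than after a reboot. The 90-day warning threshold is an assumption; the sample certificate text is constructed to match the Validity block shown above, and the file path is the one named on the page.

```python
"""Check the FMC internal CA certificate for expiry (added example, not Cisco code)."""
import os
import re
import subprocess
from datetime import datetime, timezone

CA_CERT_PATH = "/etc/sf/ca_root/cacert.pem"  # path named on the page
WARN_DAYS = 90                                # assumption: warn within 90 days of expiry

# Constructed sample output, matching the Validity block shown on the page.
SAMPLE_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jul 28 04:14:27 2012 GMT
            Not After : Jul 26 04:14:27 2022 GMT
"""

# openssl prints e.g. "Not After : Jul 26 04:14:27 2022 GMT" (single-digit days are space-padded).
_DATE_RE = re.compile(
    r"Not (Before|After)\s*:\s*(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT"
)


def parse_validity(text):
    """Return (not_before, not_after) as UTC datetimes from `openssl x509 -text` output."""
    found = {}
    for label, stamp in _DATE_RE.findall(text):
        stamp = " ".join(stamp.split())  # collapse openssl's day padding ("Jul  6" -> "Jul 6")
        found[label] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(
            tzinfo=timezone.utc
        )
    if "Before" not in found or "After" not in found:
        raise ValueError("no Validity block found in certificate text")
    return found["Before"], found["After"]


def ca_status(text, now=None):
    """Classify the CA certificate as 'not_yet_valid', 'expired', 'expiring' or 'ok'.

    Returns (status, days_left); days_left is negative once the certificate has expired.
    """
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_validity(text)
    days_left = (not_after - now).days
    if now < not_before:
        return "not_yet_valid", days_left
    if now >= not_after:
        return "expired", days_left
    if days_left <= WARN_DAYS:
        return "expiring", days_left
    return "ok", days_left


def check_ca_file(path=CA_CERT_PATH):
    """Run openssl against a real CA file (needs openssl and read access, i.e. root on the FMC)."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-text"],
        check=True, capture_output=True, text=True,
    ).stdout
    return ca_status(out)


if __name__ == "__main__":
    # Always demonstrate on the constructed sample; check the real file only if present.
    print("sample CA:", ca_status(SAMPLE_TEXT))
    if os.path.exists(CA_CERT_PATH):
        status, days = check_ca_file()
        print(f"{CA_CERT_PATH}: {status} ({days} days left)")
```

Because every sftunnel certificate chains to this CA, a nightly run of this check (or any equivalent monitoring of the Not After date) gives warning well before the sensors drop off; an "expired" result explains the SSL failure described in the symptom.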