THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.1 |
20-Jun-23 |
Updated the Products Affected and Workaround/Solution Sections |
1.0 |
07-Jul-21 |
Initial Release |
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS |
vManage Software |
18.3 |
18.3.0, 18.3.1, 18.3.3, 18.3.4, 18.3.5, 18.3.6, 18.3.7, 18.3.8 |
|
NON-IOS |
vManage Software |
18.4 |
18.4.0, 18.4.1, 18.4.3, 18.4.4, 18.4.5, 18.4.6 |
|
NON-IOS |
vManage Software |
19.0 |
19.0.0 |
|
NON-IOS |
vManage Software |
19.1 |
19.1.0 |
|
NON-IOS |
vManage Software |
19.2 |
19.2.0, 19.2.1, 19.2.2, 19.2.3, 19.2.4 |
|
NON-IOS |
vManage Software |
19.3 |
19.3.0 |
|
NON-IOS |
vManage Software |
20.1 |
20.1.1, 20.1.1.1, 20.1.12, 20.1.2, 20.1.3 |
|
NON-IOS |
vManage Software |
20.3 |
20.3.1, 20.3.2, 20.3.3 |
|
NON-IOS |
vManage Software |
20.4 |
20.4.1, 20.4.1.1, 20.4.1.1.5, 20.4.1.2 |
Defect ID | Headline |
---|---|
CSCvu59887 | SUDI certs will expire soon, need to ignore expiration date |
CSCvx37912 | SUDI certs will expire soon, need to ignore expiration date - Polaris side commit |
The Cisco Secure Unique Device Identifier (SUDI) certificate will expire on a limited number of Cisco products. The SUDI certificate is installed on a device during manufacturing and is immutable. Devices with an expired SUDI certificate fail the initial SD-WAN router authentication process and cannot join an SD-WAN overlay network.
Refer to Cisco field notice FN72105 for background details on SUDI certificate expiration and a full list of affected Cisco products.
Devices with an expired SUDI certificate fail the SD-WAN router authentication process because SD-WAN controllers consider the certificate to be invalid. The vBond controller will reject the control connection during initial device onboarding and will report a "BIDNTVRFD"
error. The control connection failure can be seen by entering the show sdwan control connection-history
CLI command on the device console as in this example:
router>show sdwan control connection-history PEER PEER PEER SITE DOMAIN PEER PRIVATE PEER PUBLIC LOCAL REMOTE REPEAT TYPE PROTOCOL SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR STATE ERROR ERROR COUNT DOWNTIME ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ vbond dtls 0.0.0.0 0 0 10.0.12.26 12346 10.0.12.26 12346 lte challenge_resp RXTRDWN BIDNTVRFD 285 2020-11-17T01:46:50+0000
Error messages will also appear in the vBond syslog file when a device control connection is rejected due to an expired SUDI certificate. In order to view the messages, open the log file "/var/log/vsyslog"
. Sample error messages are shown here:
local7.info: Nov 17 02:57:08 vedge VBOND[19359]: %Viptela-vm16-vbond_0-6-INFO-1400002: 2020-11-17 02:57:08 Notification: vbond-reject-vedge-connection severity-level:major host-name:"vm16" system-ip:172.16.255.26 uuid:"ISR4351/K9" organization-name:"Cisco" sp-organization-name:"Cisco" reason:"ERR_BID_NOT_VERIFIED"
local7.info: Nov 17 02:57:08 vedge VBOND[19359]: %Viptela-vm16-vbond_0-6-INFO-1400002: 2020-11-17 02:57:08 Notification: control-connection-auth-fail severity-level:major host-name:"vm16" system-ip:172.16.255.26 personality:vbond peer-type:vedge peer-system-ip::: local-system-ip:172.16.255.26 local-color:default reason:"ERR_BID_NOT_VERIFIED"
If debug level logging is enabled, these addtional messages will appear in the vBond syslog file to indicate the specific reason for the failure:
local7.debug: Nov 17 03:14:28 vedge VBOND[19359]: bss_verify_certificate[294]: %BSS_DBG_MAIN-1: Verification error: certificate has expired
local7.debug: Nov 17 03:14:28 vedge VBOND[19359]: vdaemon_verify_peer_bidcert[571]: %VDAEMON_DBG_MISC-1: Peer's Certificate validation Failed
There is no workaround for an expired SUDI device certificate with Cisco SD-WAN. However, Cisco has modified recent SD-WAN software versions to allow connections from Cisco devices with a genuine SUDI certificate irrespective of expiration date if the certificate is otherwise valid. This solution is available with Cisco SD-WAN software Release 20.3.4 and later, Release 20.4.2 and later, and Release 20.5.1 and later.
Note: It is desirable, but not required, to also upgrade the edge devices to the corresponding Cisco vEdge or Cisco IOS® XE SD-WAN software version.
Customers are recommended to upgrade their SD-WAN software to a release with the SUDI solution before SUDI certificates begin to expire on their devices. Instructions for how to determine the SUDI expiration date are documented in the Cisco field notice FN72105. This table lists some recommended Cisco SD-WAN software releases that contain the SUDI solution:
Current Release | Recommended Cisco SD-WAN Release |
---|---|
20.3.3 and earlier | 20.3.7.1 |
20.4.1 | 20.6.5.3 or 20.9.3.2 |
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.