THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Affected OS Type | Affected Software Product | Affected Release Number
NX-OS | System Software-ACI | 14.1(1i)
ACI: ACT2 Switches with a 2099 Cert Create the 2099 Cert as server.crt, Causing Cert Validation Issues
A Cisco Application Centric Infrastructure (ACI) switch that runs the release 14.1(1i) image can fail fabric discovery, or can show as active while also reporting that it does not have a valid certificate.
This issue occurs when a switch manufactured after June 2020, whose ACT2 chip contains two certificates, is downgraded to release 4.1(1i) or 14.1(1i).
Cisco switches manufactured after June 2020 use a more recent certificate structure which may face compatibility issues if the software is downgraded to release 14.1(1i).
A switch manufactured after June 2020 is not discovered in the fabric after a downgrade to the release 14.1(1i) switch image.
From the Cisco APIC, use this command to confirm the issue:
moquery -c pkiFabricNodeSSLCertificate | egrep
nodeId : 411
message : Failed to parse the subject line as a valid ACI fabric certificate AND invalid serial
validityNotAfter : 2099-05-26T19:19:27.000+00:00
- The message property reports a failure to parse the subject line.
- The validityNotAfter property shows the year 2099.
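The check above is manual: you read the moquery output and look for the two indicators by eye. The following script, added here as an example and not part of the Cisco field notice, automates that reading. It assumes the egrep filter in the command above selects the nodeId, message and validityNotAfter properties (the filter text is truncated on the page), that moquery prints one "property : value" line per property with a blank line between objects, and it uses a constructed sample in which nodes 101 and 412 are invented; only node 411 comes from the page.

```shell
#!/bin/sh
# Added example (not from the Cisco field notice): scan moquery output for
# pkiFabricNodeSSLCertificate objects and report the nodes that show either
# symptom described in the notice:
#   - a message containing "Failed to parse" (subject line not a valid ACI cert)
#   - a validityNotAfter in the year 2099 (the second ACT2 certificate)
# Assumed layout: "property : value" lines, one object per blank-separated block,
# as in the output shown on the page. Run it as, for example:
#   moquery -c pkiFabricNodeSSLCertificate | egrep 'nodeId|message|validityNotAfter' | ./check_act2_cert.sh
# (the egrep pattern here is an assumption; the page's own filter is truncated).

# Constructed sample output. Node 411 mirrors the page; nodes 101 and 412
# are invented: 101 is healthy, 412 has the 2099 date but no parse error.
SAMPLE='# pki.FabricNodeSSLCertificate
nodeId : 101
message :
validityNotAfter : 2029-03-11T10:00:00.000+00:00

# pki.FabricNodeSSLCertificate
nodeId : 411
message : Failed to parse the subject line as a valid ACI fabric certificate AND invalid serial
validityNotAfter : 2099-05-26T19:19:27.000+00:00

# pki.FabricNodeSSLCertificate
nodeId : 412
message :
validityNotAfter : 2099-05-26T19:19:27.000+00:00
'

# find_bad_certs: read moquery output on stdin; print "nodeId reason[,reason]"
# for every node that shows at least one symptom, sorted by node ID.
find_bad_certs() {
    awk '
        # remember the node the following property lines belong to
        /^nodeId *:/ { node = $3 }
        # symptom 1: the certificate subject could not be parsed
        /^message *:/ && /Failed to parse/ {
            reason[node] = (reason[node] ? reason[node] "," : "") "parse-failure"
        }
        # symptom 2: validityNotAfter falls in 2099 (the second ACT2 cert)
        /^validityNotAfter *:/ && $3 ~ /^2099-/ {
            reason[node] = (reason[node] ? reason[node] "," : "") "expires-2099"
        }
        END { for (n in reason) print n, reason[n] }
    ' | sort -n
}

# affected_nodes: the affected node IDs only, space separated, for scripting
# (for example to drive the upgrade/clean-reload step node by node).
affected_nodes() {
    find_bad_certs | awk '{ printf "%s%s", sep, $1; sep = " " }'
}

# Stand-alone run against the constructed sample; with real data, pipe the
# moquery output into find_bad_certs instead.
if [ -t 0 ]; then
    printf '%s' "$SAMPLE" | find_bad_certs
else
    find_bad_certs
fi
```

Node 412 is reported even though its message is empty: the 2099 expiry alone marks the certificate as the second ACT2 certificate, so a node can carry the wrong server.crt before it ever logs a parse failure. Treat either indicator as confirmation and proceed to the upgrade and clean reload below.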
Upgrade to release 4.1(1j)/14.1(1j) or later, and then perform a clean reload. These actions allow the correct certificate names to be derived from the certificates on the ACT2 chip.
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.