Cisco SDWAN bug: Identify vEdge Certificate Expired
You may hit a bug in which a vEdge with an expired certificate loses its control plane connections, which in turn brings down its data plane connections and results in loss of service. The affected platforms are the vEdge 1000, vEdge 2000 and vEdge 100M/B.
Fig 1.1 - Cisco Viptela SDWAN
In our case the affected controller and vEdge versions were:
vEdge : 20.4.2
Controllers : 20.6.4
Fixed versions:
vEdge : 20.6.4.1
Controllers: 20.6.4.1
You can check the affected and fixed versions in the Cisco document below:
Identify vEdge Certificate Expired on May 9th 2023 - Cisco
How will you know the cert is expired?
Run the following command on the vEdge and look at the certificate-validity line:
vEdge_NDNA1# show control local-properties
personality vedge
sp-organization-name NDNA-1122
organization-name NDNA-1122
root-ca-chain-status Installed
certificate-status Installed
certificate-validity Not Valid - certificate has expired
certificate-not-valid-before May 10 05:11:21 2013 GMT
certificate-not-valid-after Jan 04 03:25:07 2038 GMT
Note that the certificate-not-valid-after date of the device certificate itself is still in the future (2038). The certificate-validity line is what reports the expiry, so do not judge a device by its date lines alone.
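The check above is easy on one box but tedious across a fleet. The following shell script is an added example, not part of the original post: it classifies saved "show control local-properties" output by the certificate-validity line and reports every device whose certificate has expired. The two device outputs in the block are constructed for the example (the expired one copies the page's output); the ssh line in the comment is an assumption about how you collect them, not something the page shows.

```shell
#!/bin/sh
# Added example (not from the original post): classify saved
# "show control local-properties" output from several vEdges.
# Collect one file per device first, for example (assumed to work in your setup):
#   ssh admin@<vedge> 'show control local-properties' > out/<vedge>.txt

# Print EXPIRED, VALID or UNKNOWN for the output supplied on stdin.
# Only the certificate-validity line is consulted: the device certificate's
# own not-valid-after date can be years in the future while the status line
# already reports the expiry.
cert_state() {
    awk '
        $1 == "certificate-validity" {
            found = 1
            if ($0 ~ /expired/)      print "EXPIRED"
            else if ($2 == "Valid")  print "VALID"
            else                     print "UNKNOWN"
            exit
        }
        END { if (!found) print "UNKNOWN" }'
}

# Print the certificate-not-valid-after value from the output on stdin.
cert_not_valid_after() {
    awk '$1 == "certificate-not-valid-after" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Print "<file> <state> (not-valid-after: ...)" for each saved output file.
# Returns 1 if any device has an expired certificate, 0 otherwise.
fleet_report() {
    bad=0
    for f in "$@"; do
        state=$(cert_state < "$f")
        after=$(cert_not_valid_after < "$f")
        printf '%s %s (not-valid-after: %s)\n' "$f" "$state" "${after:-n/a}"
        [ "$state" = "EXPIRED" ] && bad=1
    done
    return "$bad"
}

# Constructed sample outputs standing in for collected files.
tmp=$(mktemp -d)
cat > "$tmp/vEdge_NDNA1.txt" <<'EOF'
personality                    vedge
sp-organization-name           NDNA-1122
organization-name              NDNA-1122
root-ca-chain-status           Installed
certificate-status             Installed
certificate-validity           Not Valid - certificate has expired
certificate-not-valid-before   May 10 05:11:21 2013 GMT
certificate-not-valid-after    Jan 04 03:25:07 2038 GMT
EOF
cat > "$tmp/vEdge_NDNA2.txt" <<'EOF'
personality                    vedge
root-ca-chain-status           Installed
certificate-status             Installed
certificate-validity           Valid
certificate-not-valid-before   May 10 05:11:21 2013 GMT
certificate-not-valid-after    Jan 04 03:25:07 2038 GMT
EOF

if fleet_report "$tmp"/*.txt; then
    echo "no expired certificates found"
else
    echo "at least one vEdge has an expired certificate: do not reboot or clear its control connections"
fi
rm -rf "$tmp"
```

Run it against the directory of collected outputs; the non-zero exit status makes it usable as a gate in a larger maintenance script.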
What is the impact?
A vEdge with the expired certificate loses its control connections, which then brings down its data plane:
- Loss of connections to vSmart
- Loss of connections to vManage
A vEdge whose control connections are still up keeps them only until one of the following events forces it to re-establish them, so avoid all of these until the fix is applied, and above all do not reboot the device:
- Port-hop
- Control policy changes, such as topology changes in the network
- Clear control connections
- Interface flaps
- Device reload
How to resolve this issue?
Upgrade the controllers to the fixed release from Cisco, then the vEdges. In our case the vManage/vSmart/vBond controllers were on 20.6.4 and the fix is 20.6.4.1, so the controllers are upgraded first (vManage, then vBond, then vSmart) and the vEdges afterwards to the same fixed code, 20.6.4.1. The images are:
- vEdge : viptela-20.6.4.1-mips64.tar.gz (Software Download - Cisco Systems)
- vManage : vmanage-20.6.4.1-x86_64.tar.gz (Software Download - Cisco Systems)
- vSmart/vBond : viptela-20.6.4.1-x86_64.tar.gz (Software Download - Cisco Systems)
Let's do the upgrade procedure now. Before the upgrade, take a database backup and an AURA report from the vManage CLI as shown below:
STEP 1: Database backup
NDNA_vManage# request nms configuration-db backup path /home/admin/backup-may23.tar.gz
STEP 2: Enter vshell and take the AURA report
NDNA_vManage# vshell
NDNA_vManage:~$
STEP 3: The AURA report flagged some Elasticsearch indices, so we removed them one by one from vManage.
STEP 4: Run from the vManage vshell to remove each flagged index. This permanently deletes the statistics held in that index, so delete only the indices the AURA report flags:
NDNA_vManage:~$ curl -X DELETE 'http://localhost:9200/bridgemacstatistics_2018_09_30t23_15_35'
STEP 5: Now upgrade the controllers to 20.6.4.1 and afterwards the vEdges to 20.6.4.1 from the vManage GUI in the usual way:
Part 1: Cisco Viptela SDWAN: Upgrade vEdge image from vManage - The Network DNA
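Step 4 above deletes one index by hand. The shell script below is an added example, not the page's own procedure: given the index list from Elasticsearch, it selects the statistics indices whose embedded date is older than a cutoff and prints the matching curl -X DELETE commands as a dry run, executing them only when asked. The index list in the block is constructed; the script assumes index names carry a date in the form the page shows (bridgemacstatistics_2018_09_30t23_15_35) and that vManage's Elasticsearch answers on localhost:9200 as in the page. Cross-check the plan against the AURA report before deleting anything.

```shell
#!/bin/sh
# Added example (not from the original post): plan the removal of old
# vManage Elasticsearch indices instead of typing one DELETE at a time.
ES_URL=${ES_URL:-http://localhost:9200}   # same endpoint the page uses

# Read index names (one per line) on stdin and print those whose name embeds
# a date (YYYY_MM_DD, followed by "t" as in the page's index name) earlier
# than the cutoff given as $1, e.g. 2023_01_01. Names without an embedded
# date are not time-sliced statistics indices and are never selected.
stale_indices() {
    awk -v cutoff="$1" '
        match($0, /_[0-9][0-9][0-9][0-9]_[0-9][0-9]_[0-9][0-9]t/) {
            d = substr($0, RSTART + 1, 10)    # YYYY_MM_DD
            if (d < cutoff) print $0          # zero-padded, so string order is date order
        }'
}

# Print one curl DELETE per stale index (dry run); with "--yes" as $2,
# run the deletes instead.
plan_deletes() {
    cutoff=$1; mode=${2:-dry-run}
    stale_indices "$cutoff" | while IFS= read -r idx; do
        if [ "$mode" = "--yes" ]; then
            echo "deleting $idx"
            curl -s -X DELETE "$ES_URL/$idx"
            echo
        else
            printf "curl -s -X DELETE '%s/%s'\n" "$ES_URL" "$idx"
        fi
    done
}

# Constructed index list standing in for:  curl -s "$ES_URL/_cat/indices?h=index"
SAMPLE_INDICES='bridgemacstatistics_2018_09_30t23_15_35
interfacestatistics_2019_02_11t10_02_40
devicestatistics_2023_04_28t00_00_00
fwall_2022_12_31t23_59_59
some_non_timesliced_index'

echo "dry run, cutoff 2023_01_01:"
printf '%s\n' "$SAMPLE_INDICES" | plan_deletes 2023_01_01
# Against a live vManage (from vshell):
#   curl -s "$ES_URL/_cat/indices?h=index" | plan_deletes 2023_01_01         # review the plan
#   curl -s "$ES_URL/_cat/indices?h=index" | plan_deletes 2023_01_01 --yes   # delete
```

The dry run is the default on purpose: the only way to lose data here is to pass --yes, and the printed commands are exactly what will be executed.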
For a vEdge whose control connections are DOWN:
- Roll the clock back to May 1st, 2023 on the vEdge.
- Wait 2-3 minutes for the board-id to initialize, then check "show control local-properties" to ensure the device now has a serial number (SN) listed in the output. (If this does not happen within 2-3 minutes, reload the vEdge and check "show control local-properties" again for the serial number.)
- Revert the clock to the current time.
- Verify that the control connections are up.
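The wait-and-check step in the list above is a bounded polling loop. The shell script below is an added example of it, not the page's own procedure: it parses the serial-number line of "show control local-properties" to decide whether the board-id has initialized, retries for a limited number of polls before telling you to reload, and finally counts the up control connections in "show control connections". The device outputs are constructed; the assumptions are that an uninitialized board-id shows an empty or N/A serial-number, that the peer-type and state columns of "show control connections" look as shown, and that the fetch command is something you supply (an ssh invocation, for example).

```shell
#!/bin/sh
# Added example (not from the original post): verify the board-id recovery
# and the control connections after the clock rollback.

# Print the serial number from "show control local-properties" on stdin, or
# nothing if the line is absent, empty or N/A (assumed here to mean the
# board-id has not initialized yet).
serial_number() {
    awk '$1 == "serial-number" && NF >= 2 && $2 != "N/A" { print $2; exit }'
}

# Poll a command that prints the local-properties output until a serial
# number appears. $1 = command, $2 = attempts, $3 = seconds between attempts.
# Returns 0 with the serial number on stdout, 1 if it never appeared.
wait_for_serial() {
    cmd=$1; attempts=${2:-6}; interval=${3:-30}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        sn=$($cmd | serial_number)
        if [ -n "$sn" ]; then
            echo "$sn"
            return 0
        fi
        i=$((i + 1))
        [ "$i" -lt "$attempts" ] && sleep "$interval"
    done
    return 1
}

# Count rows of "show control connections" (stdin) whose peer type is
# vsmart/vmanage/vbond and whose state column is "up".
up_control_connections() {
    awk '$1 ~ /^(vsmart|vmanage|vbond)$/ { for (i = 2; i <= NF; i++) if ($i == "up") { n++; break } }
         END { print n + 0 }'
}

# Constructed stand-in for fetching "show control local-properties": the
# first two polls show an uninitialized board-id, the third shows a serial.
# (A counter file is used because each poll runs in a subshell.)
POLLS=$(mktemp)
echo 0 > "$POLLS"
fake_local_properties() {
    n=$(cat "$POLLS"); n=$((n + 1)); echo "$n" > "$POLLS"
    if [ "$n" -lt 3 ]; then
        printf 'personality      vedge\nserial-number    N/A\n'
    else
        printf 'personality      vedge\nserial-number    12345678\n'
    fi
}

# Six polls 30 s apart is the 2-3 minute window from the procedure; the
# interval is 0 here so the example runs instantly.
if sn=$(wait_for_serial fake_local_properties 6 0); then
    echo "board-id initialized, serial number $sn: revert the clock now"
else
    echo "no serial number after 6 polls: reload the vEdge and check again"
fi
rm -f "$POLLS"

# Constructed "show control connections" output after the clock is reverted.
SAMPLE_CONNECTIONS='PEER    PEER  PEER       SITE DOMAIN PEER        PRIV  PEER           PUB   LOCAL  PROXY STATE UPTIME     CONTROLLER
TYPE    PROT  SYSTEM IP  ID   ID     PRIVATE IP  PORT  PUBLIC IP      PORT  COLOR                        GROUP ID
vsmart  dtls  10.0.0.1   100  1      192.0.2.11  12346 198.51.100.11  12346 mpls   No    up    0:00:01:10 0
vsmart  dtls  10.0.0.2   100  1      192.0.2.12  12346 198.51.100.12  12346 mpls   No    up    0:00:01:09 0
vmanage dtls  10.0.0.3   100  0      192.0.2.13  12346 198.51.100.13  12346 mpls   No    up    0:00:01:12 0'
echo "control connections up: $(printf '%s\n' "$SAMPLE_CONNECTIONS" | up_control_connections)"
```

Replace fake_local_properties with whatever fetches the real output from the vEdge, and keep the interval at 30 so six polls cover the 2-3 minute window before you fall back to a reload.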