Cisco Bug: CSCuw24209 - DX650/80/70 preinstalled root CA rejected

Last Modified

Jul 29, 2016

Products (4)

  • Cisco DX Series
  • Cisco DX650
  • Cisco DX80
  • Cisco DX70

Known Affected Releases

10.2(4)

Description (partial)

Symptom:
This symptom occurs when Expressway-E certificates are signed by the root CA "CN=Entrust Root Certification Authority - G2". This CA is on the approval list and verification of the root CA has been applied to the device. DX devices do not negotiate TLS when this root CA is the signer of the Expressway-E certificate.

Conditions:
This is only experienced with the DX series devices. All DX70/80/650 devices are seeing this problem. The MRA deployment does, however, work for 77XX/88XX IP phones, which have the same root CA approval list.

All DX units seem to be affected by this.
This occurs when the following root CA is the signer of the Expressway-E certificate: "CN=Entrust Root Certification Authority - G2".

When units attempt to log in to MRA, TLS is not negotiated, resulting in failed logins. TLS attempts to connect until cancelled manually.

The following is presented when logins are attempted:
06342 09-11 15:12:25.233   199  7599 DEB edge_gateway: getEdgeConfig: edgeServer:216.117.34.53
06343 09-11 15:12:25.233   199  7599 DEB edge_gateway: getEdgeConfig: edgeHostName:CYH-VCS-E01.marathonoil.com
06344 09-11 15:12:25.233   199  7599 DEB edge_gateway: getEdgeConfig: src:get_edge_config:
06345 09-11 15:12:25.233   199  7599 DEB edge_gateway: getEdgeConfig: dst:/dataRoot/.system/misc/gateway/public/edge_config.xml
06346 09-11 15:12:25.233   199  7599 DEB edge_gateway: Performing TLS handshake...
06347 09-11 15:12:25.365   199  7599 DEB edge_gateway: Verify Cert[2]: Issuer = /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
06348 09-11 15:12:25.365   199  7599 DEB edge_gateway: Verify Cert[2]: Subject = /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
06349 09-11 15:12:25.365   199  7599 ERR edge_gateway: Verify Cert[2]: Certificate doesn't match
06350 09-11 15:12:25.365   199  7599 ERR edge_gateway: TLS - Handshake failed: [SSL_ERROR_SSL][reason=19]
06351 09-11 15:12:25.365   199  7599 ERR edge_gateway: sec TLS socket connect failure.
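
To triage this symptom across collected device logs, the following added example (not Cisco's code and not part of the bug report) ties each `TLS - Handshake failed` line to the certificate that `Verify Cert[n]` rejected and counts repeats per host. The sample log is constructed in the format shown above; its host name, timestamps and shortened DN are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the edge_gateway format above (placeholder host, shortened DN).
ATTEMPT = """\
00001 01-01 10:00:00.000   199  7599 DEB edge_gateway: getEdgeConfig: edgeHostName:expressway-e.example.com
00002 01-01 10:00:00.000   199  7599 DEB edge_gateway: Performing TLS handshake...
00003 01-01 10:00:00.100   199  7599 DEB edge_gateway: Verify Cert[2]: Issuer = /C=US/O=Entrust, Inc./CN=Entrust Root Certification Authority - G2
00004 01-01 10:00:00.100   199  7599 DEB edge_gateway: Verify Cert[2]: Subject = /C=US/O=Entrust, Inc./CN=Entrust Root Certification Authority - G2
00005 01-01 10:00:00.100   199  7599 ERR edge_gateway: Verify Cert[2]: Certificate doesn't match
00006 01-01 10:00:00.100   199  7599 ERR edge_gateway: TLS - Handshake failed: [SSL_ERROR_SSL][reason=19]
"""
SAMPLE_LOG = ATTEMPT * 2  # the device retries until cancelled, so attempts repeat

LINE = re.compile(r"^\d+\s+(\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\d+\s+\d+\s+(\w+)\s+edge_gateway:\s+(.*)$")
HOST = re.compile(r"getEdgeConfig: edgeHostName:(\S+)")
CERT = re.compile(r"Verify Cert\[(\d+)\]: (Issuer|Subject) = (.+)")
REJECT = re.compile(r"Verify Cert\[(\d+)\]: Certificate doesn't match")
FAIL = re.compile(r"TLS - Handshake failed: \[(\w+)\]\[reason=(\d+)\]")

def find_tls_failures(log_text):
    """Return one record per failed handshake, tied to the rejected certificate."""
    host, certs, rejected, findings = None, {}, None, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an edge_gateway line in the expected layout
        when, level, msg = m.groups()
        if (h := HOST.search(msg)):
            host = h.group(1)
        elif "Performing TLS handshake" in msg:
            certs, rejected = {}, None  # new attempt: forget the previous chain
        elif (c := CERT.search(msg)):
            certs.setdefault(int(c.group(1)), {})[c.group(2)] = c.group(3).strip()
        elif level == "ERR" and (r := REJECT.search(msg)):
            rejected = int(r.group(1))
        elif level == "ERR" and (f := FAIL.search(msg)):
            cert = certs.get(rejected, {})
            findings.append({
                "time": when, "host": host, "cert_index": rejected,
                "ssl_error": f.group(1), "reason": int(f.group(2)),
                "subject": cert.get("Subject"),
                # Issuer == Subject: the rejected certificate is the self-signed root
                "rejected_is_root": bool(cert) and cert.get("Issuer") == cert.get("Subject"),
            })
    return findings

def summarize(findings):
    """Count failures per (host, rejected subject) to expose retry loops."""
    return Counter((f["host"], f["subject"]) for f in findings)
```

A record with `rejected_is_root` set and a subject that is on the device's approval list matches the condition described in this bug rather than a missing or untrusted CA.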