Cisco Bug: CSCvt99552 - CUBE/LGW: Certificate Unknown Error is observed when cn-san-validate server is configured

Last Modified

Sep 10, 2020

Products (142)

  • Cisco 4000 Series Integrated Services Routers
  • Cisco Catalyst 9300-48U-A Switch
  • Cisco Catalyst 9200L-48PXG-2Y Switch
  • Cisco Catalyst 9400 Supervisor Engine-1XL-Y
  • Cisco Catalyst 9300L-48P-4X-A Switch
  • Cisco Catalyst C9500-16X-E Switch
  • Cisco Catalyst 9300-48UXM-A Switch
  • Cisco Catalyst 9300-48P-A Switch
  • Cisco ASR 1000 Series IOS XE SD-WAN
  • Cisco Catalyst 9200L-48P-4X Switch

Known Affected Releases

16.10.6 16.11.3 16.12.3 16.9.6 17.2.1 Amsterdam-17.1.1

Description (partial)

Symptom:
When CUBE has a stable registration with the registrar server, it reuses that connection to send SIP messages. If the registration fails and a new registration connection is opened, all new calls work over the newly created connection. Calls that were active on the previous registration connection, however, require a new socket to be opened whenever a SIP message needs to be sent for them.

When CUBE opens this new connection, it uses the wrong destination name to validate the server certificate if the "cn-san-validate server" command is configured under sip-ua:

sip-ua
crypto signaling default trustpoint dummyTp cn-san-validate server

When "debug ccsip transport" is enabled the following message is printed:

SIP/Transport/sip_tls_generate_opssl_ctx: 
OPSSL_ClientSide matches: x.x.x.x 

This line shows the destination of the new connection-id, which is the value used to validate the Common Name (CN) and Subject Alternative Name (SAN) in the certificate. When CUBE is deployed as a Local Gateway, this value should be the DNS name of the Webex Calling registrar server, not its IP address.

When CUBE receives the certificate from the registrar server, it validates it against the IP address. Because the certificate's CN/SAN entries do not match the IP address, CUBE returns a Certificate Unknown alert to the server and the connection fails.
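The following is an added illustration, not Cisco code and not taken from this bug report: a small reference-identity matcher in Python that models what a "cn-san-validate server" style check does. It compares the destination the client intended to reach (the value printed after "OPSSL_ClientSide matches:") against the certificate's SAN entries, falling back to the CN only when no SAN is present. The SAN entries, the name registrar.example.invalid and the address 203.0.113.10 are constructed sample values standing in for the registrar's DNS name and its resolved IP; the point it shows is that the same certificate passes when checked against the DNS name and fails when checked against the IP address, which is the mismatch described above.

```python
"""
Reference-identity check of the kind "cn-san-validate server" performs.

Added example, not Cisco code. It models how a TLS client decides whether
a server certificate matches the destination it intended to reach.
All names and addresses below are constructed sample values.
"""
import ipaddress

# Constructed sample: identities a registrar certificate might carry.
# A real Webex Calling certificate carries different values.
SAMPLE_SAN = [
    ("DNS", "registrar.example.invalid"),
    ("DNS", "*.sip.example.invalid"),
]
SAMPLE_CN = "registrar.example.invalid"


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, a wildcard only as the
    whole leftmost label, and never matching across a label boundary."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, the pattern must keep
    # at least two fixed labels, and the label counts must agree.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def reference_identity(destination):
    """Classify what the client is matching against: an IP literal or a
    DNS name. This is the value after 'OPSSL_ClientSide matches:'."""
    try:
        return ("IP", ipaddress.ip_address(destination))
    except ValueError:
        return ("DNS", destination)


def certificate_matches(destination, san_entries, common_name=None):
    """Return True if the certificate is valid for `destination`.

    If the certificate carries a SAN extension, only SAN entries count
    (the CN is ignored, as modern validators do). An IP-literal destination
    can only match an iPAddress SAN entry; a DNS destination can only match
    a dNSName entry, or the CN when no SAN is present.
    """
    kind, value = reference_identity(destination)
    if san_entries:
        for san_kind, san_value in san_entries:
            if kind == "IP" and san_kind == "IP":
                if ipaddress.ip_address(san_value) == value:
                    return True
            elif kind == "DNS" and san_kind == "DNS":
                if dns_name_matches(san_value, value):
                    return True
        return False
    # Legacy fallback: no SAN, so compare the CN as a DNS name.
    return (kind == "DNS" and common_name is not None
            and dns_name_matches(common_name, value))


def describe(destination, san_entries=SAMPLE_SAN, common_name=SAMPLE_CN):
    """Mimic the debug line and report the outcome of the match."""
    ok = certificate_matches(destination, san_entries, common_name)
    verdict = "ok" if ok else "no SAN/CN match (Certificate Unknown)"
    print(f"OPSSL_ClientSide matches: {destination} -> {verdict}")
    return ok


if __name__ == "__main__":
    # Validating against the resolved IP address (the behaviour in this
    # bug) fails, because the certificate names the server by DNS name...
    describe("203.0.113.10")
    # ...while validating against the registrar's DNS name succeeds,
    # including a host covered by the wildcard entry.
    describe("registrar.example.invalid")
    describe("sbc1.sip.example.invalid")
```

Run it directly to see the three debug-style lines; the first reports the mismatch because an IP-literal reference identity can only be satisfied by an iPAddress SAN entry, which a name-based registrar certificate normally does not carry.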

Conditions:
- "cn-san-validate server" is configured under sip-ua:
sip-ua
crypto signaling default trustpoint dummyTp cn-san-validate server

- SIP over TCP/TLS is used as the transport protocol.
- CUBE is registered with a SIP registrar (Webex Calling).
- Registration failures or TCP instability in the network cause the existing SIP registration connection to close and a new registration to be established.