Cisco Bug: CSCvu25442 - Expired sdn-network-infra-iwan certificate on device

Last Modified

Oct 28, 2020

Products (1)

  • Cisco DNA Center

Known Affected Releases

DNAC1.3.0.7 DNAC2.1.2.3

Description (partial)

Symptom:
When Cisco DNA Center is managing a Catalyst 9800 elastic wireless LAN controller (eWLC), the trustpoint on the device may not be configured correctly, or the certificate that was pushed to the device may be incorrect.

From the eWLC side, the telemetry internal connection stays in the Connecting state.

eWLC#show telemetry internal connection
Telemetry connection
Peer Address    Port  VRF Source Address  Transport  State         Profile
--------------- ----- --- --------------- ---------- ------------- -------------
x.x.x.x         25103   0 x.x.x.x         tls-native Connecting    sdn-network-infra-iwan

eWLC#show crypto pki certificates verbose sdn-network-infra-iwan
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 072A776E47CA0919
  Certificate Usage: General Purpose
  Issuer: 
    cn=sdn-network-infra-ca
  Subject:
    Name: xx_xxx_xx_xxx-Corp_VN
    cn=C9300-24P_FCWxxxxxxxx_sdn-network-infra-iwan
    hostname=xx_xxx_xx_xxx-Corp_VN
  Validity Date: 
    start date: 13:22:40 NZST Apr 30 2019
    end   date: 13:22:40 NZST Apr 29 2020
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA512 with RSA Encryption
  Fingerprint MD5: FE57186B AAC16EE3 0B001C22 5B6354CB 
  Fingerprint SHA1: 50E31A87 873E9DA7 4F62F3C0 4819D4BB C1564FA4 
  X509v3 extensions:
    X509v3 Key Usage: E0000000
      Digital Signature
      Non Repudiation
      Key Encipherment
    X509v3 Subject Key ID: 3F73B680 A55A80B4 7790B1FA BF9B6035 4B535BF3 
    X509v3 Basic Constraints:
        CA: FALSE
    X509v3 Authority Key ID: 2BB1B105 FFA56B52 5C820265 B9CAD58E 08A30ABA 
    Authority Info Access:
    Extended Key Usage:
        Email Protection
        Client Auth
  Associated Trustpoints: sdn-network-infra-iwan 
  Storage: nvram:sdn-network-#919.cer
  Key Label: sdn-network-infra-iwan
  Key storage device: private config
 
CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 029009396D3BAC16
  Certificate Usage: Signature
  Issuer: 
    cn=sdn-network-infra-ca
  Subject: 
    cn=sdn-network-infra-ca
  Validity Date: 
    start date: 00:20:56 NZST Jun 16 2018
    end   date: 00:20:56 NZST Jun 15 2023
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA512 with RSA Encryption
  Fingerprint MD5: B98C4267 2503201A 3DAA96DC 3A6D1940 
  Fingerprint SHA1: CC1A93A7 CB2DB88D 1FED280E 97C052DD 289D7023 
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: 2BB1B105 FFA56B52 5C820265 B9CAD58E 08A30ABA 
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: 2BB1B105 FFA56B52 5C820265 B9CAD58E 08A30ABA 
    Authority Info Access:
  Associated Trustpoints: sdn-network-infra-iwan 
  Storage: nvram:sdn-network-#AC16CA.cer
 
Also when examining the Assurance collection connection:
Packet #11142: client hello initiated from the device to Cisco DNA Center
Packet #11170: server hello sent to the client with the certificate
Packet #11183: client sends a message to the server that the certificate is not known; the client does not seem to trust the server certificate
Packet #11184: client sends FIN towards the server (in this case, Cisco DNA Center)
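
The two symptoms above (a device certificate in the sdn-network-infra-iwan trustpoint past its validity window, and a telemetry connection that never leaves Connecting) can be checked offline from the text of the two show commands. The script below is an added example, not Cisco's or the bug's own code; it assumes the output is in the layout printed above (IOS-XE dates as "HH:MM:SS ZONE Mon DD YYYY", one non-indented "Certificate" / "CA Certificate" header per block) and it reuses the serials, dates and table row from this page as its constructed sample input. The zone name is parsed as naive local time, which is accurate enough for an expiry check with a warning window measured in days.

```python
"""Expiry and telemetry-state checks over pasted IOS-XE show output.

Added example (not Cisco code). Input is the text of
  show crypto pki certificates verbose <trustpoint>
  show telemetry internal connection
as captured from the device.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: the outputs shown above, trimmed to the fields the checks use.
CERT_OUTPUT = """\
Certificate
  Status: Available
  Certificate Serial Number (hex): 072A776E47CA0919
  Issuer: 
    cn=sdn-network-infra-ca
  Subject:
    cn=C9300-24P_FCWxxxxxxxx_sdn-network-infra-iwan
  Validity Date: 
    start date: 13:22:40 NZST Apr 30 2019
    end   date: 13:22:40 NZST Apr 29 2020
  Associated Trustpoints: sdn-network-infra-iwan 
 
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 029009396D3BAC16
  Issuer: 
    cn=sdn-network-infra-ca
  Subject: 
    cn=sdn-network-infra-ca
  Validity Date: 
    start date: 00:20:56 NZST Jun 16 2018
    end   date: 00:20:56 NZST Jun 15 2023
  Associated Trustpoints: sdn-network-infra-iwan 
"""

TELEMETRY_OUTPUT = """\
Telemetry connection
Peer Address    Port  VRF Source Address  Transport  State         Profile
--------------- ----- --- --------------- ---------- ------------- -------------
x.x.x.x         25103   0 x.x.x.x         tls-native Connecting    sdn-network-infra-iwan
"""

# "13:22:40 NZST Apr 29 2020": the zone is the device's configured name, not an
# offset, so it is skipped and the value is treated as naive local time (assumption).
_DATE_RE = re.compile(r"(\d{2}:\d{2}:\d{2}) \S+ ([A-Za-z]{3} \d{1,2} \d{4})")


def _parse_ios_date(s: str) -> datetime:
    m = _DATE_RE.search(s)
    if not m:
        raise ValueError(f"unrecognised IOS date: {s!r}")
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S %b %d %Y")


def parse_certificates(text: str) -> list:
    """One dict per certificate block (device cert or CA cert)."""
    certs, current, section = [], None, None
    for line in text.splitlines():
        if line and not line[0].isspace():            # non-indented block header
            kind = line.strip()
            if kind in ("Certificate", "CA Certificate"):
                current = {"kind": kind, "is_ca": kind == "CA Certificate", "trustpoints": []}
                certs.append(current)
                section = None
            continue
        if current is None:
            continue
        s = line.strip()
        if s in ("Issuer:", "Subject:"):               # remember which DN the cn= belongs to
            section = s[:-1].lower()
        elif s.startswith("cn=") and section:
            current[f"{section}_cn"] = s[3:]
        elif s.startswith("Certificate Serial Number (hex):"):
            current["serial"] = s.split(":", 1)[1].strip()
        elif s.startswith("start date:"):
            current["not_before"] = _parse_ios_date(s)
        elif s.startswith("end") and "date:" in s:
            current["not_after"] = _parse_ios_date(s)
        elif s.startswith("Associated Trustpoints:"):
            current["trustpoints"] = s.split(":", 1)[1].split()
    return certs


def check_trustpoint(certs: list, trustpoint: str, now, warn_days: int = 30) -> list:
    """(kind, serial, status, not_after) for every cert bound to `trustpoint`.
    Status is EXPIRED, NOT_YET_VALID, EXPIRING (ends within warn_days) or OK.
    `now` may be a datetime or an ISO date/time string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    for c in certs:
        if trustpoint not in c["trustpoints"]:
            continue
        if now > c["not_after"]:
            status = "EXPIRED"
        elif now < c["not_before"]:
            status = "NOT_YET_VALID"
        elif now + timedelta(days=warn_days) > c["not_after"]:
            status = "EXPIRING"
        else:
            status = "OK"
        findings.append((c["kind"], c["serial"], status, c["not_after"].isoformat(sep=" ")))
    return findings


def stuck_telemetry_connections(text: str, stuck_states=("Connecting",)) -> list:
    """Rows of `show telemetry internal connection` whose State is in stuck_states,
    as (peer, port, transport, state, profile). Data rows have seven columns with
    numeric Port and VRF, which separates them from the header and rule lines."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 7 and cols[1].isdigit() and cols[2].isdigit():
            peer, port, _vrf, _src, transport, state, profile = cols
            if state in stuck_states:
                rows.append((peer, int(port), transport, state, profile))
    return rows


if __name__ == "__main__":
    certs = parse_certificates(CERT_OUTPUT)
    # Reference date chosen just after the sample device cert's end date.
    for kind, serial, status, not_after in check_trustpoint(certs, "sdn-network-infra-iwan", "2020-05-01"):
        print(f"{kind:<15} {serial} {status:<13} not after {not_after}")
    for row in stuck_telemetry_connections(TELEMETRY_OUTPUT):
        print("telemetry connection not established:", row)
```

Running it against the sample reports the device certificate as EXPIRED while the CA certificate is still OK, and lists the one telemetry row still in Connecting; the same parser can be run on a schedule over collected output to catch the expiry before the Assurance connection drops.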

Conditions:
This was observed in Cisco DNA Center version 1.3.0.7, managing eWLCs running IOS-XE versions 16.10.1e and 16.12.2t.