Cisco Bug: CSCvu62127 - F3031 - Node Certificate is invalid: Failed to parse the subject line on new APIC-SERVER-L3 and M3

Last Modified

Oct 12, 2020

Products (2)

  • Cisco Application Policy Infrastructure Controller (APIC)

Known Affected Releases

4.2(3j)

Description (partial)

Symptom:
A new APIC-L3 or M3 server will not be able to complete fabric discovery. LLDP, "acidiag verifyapic," and other general checks will not exhibit a problem.

When you check the appliancedirector logs of a Cisco APIC in the cluster to which you are trying to add the affected controller, there will be messages indicating that the connection is rejected because the certificate subject cannot be parsed.

/var/log/dme/log/svc_ifc_appliancedirector.bin.log

|ifm||DBG4||co=ifm||listen fd = 16; accept()ed on fd= 52, incoming connection established from 1.2.3.4:12345||../common/src/ifm/./ServerEventHandler.cc||49
|crypto||DBG4||co=ifm||Peer Certificate Subject was also Cisco Manufacturing||../common/src/ifm/./PeerVerificationUtils.cc||506
|crypto||DBG4||co=ifm||Peer Certificate Subject was also Cisco Manufacturing||../common/src/ifm/./PeerVerificationUtils.cc||506

|crypto||ERROR||co=ifm||Failed to parse subject from peer SSL certificate (/CN=ASD1234567/serialNumber=PID:APIC-SERVER-L3 SN:ASD1234567)||../common/src/ifm/./PeerVerificationUtils.cc||287
|crypto||ERROR||co=ifm||Peer Certificate Subject is not in the expected format - REJECTING IFM SSL PEER CONNECTION||../common/src/ifm/./PeerVerificationUtils.cc||526

|ifm||DBG4||co=ifm||incoming SSL connection successfully established||../common/src/ifm/./Connection.cc||1234
|ifm||DBG4||fr=ifc_appliancedirector:2:5:17:0,co=ifm||HELLO request systemType : 2 and systemType from SSL handshake : 0 does not match.||../common/src/ifm/./Protocol.cc||948
|ifm||DBG4||fr=ifc_appliancedirector:2:5:17:0,co=ifm||received peer-verification-failed HELLO from peer, msgid 0x58949cf85000||../common/src/ifm/./Protocol.cc||971

Conditions:
This issue occurs with a new APIC-L3 or M3 server that is correctly connected to leaf nodes but has a certificate, installed by manufacturing, whose subject uses a different format.
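To confirm this symptom from the appliancedirector log, here is an added example (not Cisco's code) that parses the pipe-delimited log layout shown above and pulls the rejected certificate subject, PID and SN out of the "Failed to parse subject" error. The sample lines are constructed from the entries shown on this page; that the parse error is followed by its REJECTING line is an assumption about log ordering.

```python
import re
from typing import Optional

# Constructed sample in the svc_ifc_appliancedirector.bin.log layout shown above.
SAMPLE_LOG = """\
|crypto||DBG4||co=ifm||Peer Certificate Subject was also Cisco Manufacturing||../common/src/ifm/./PeerVerificationUtils.cc||506
|crypto||ERROR||co=ifm||Failed to parse subject from peer SSL certificate (/CN=ASD1234567/serialNumber=PID:APIC-SERVER-L3 SN:ASD1234567)||../common/src/ifm/./PeerVerificationUtils.cc||287
|crypto||ERROR||co=ifm||Peer Certificate Subject is not in the expected format - REJECTING IFM SSL PEER CONNECTION||../common/src/ifm/./PeerVerificationUtils.cc||526
|ifm||DBG4||co=ifm||incoming SSL connection successfully established||../common/src/ifm/./Connection.cc||1234
"""

# Subject is printed in parentheses; PID and SN live in the serialNumber RDN.
SUBJECT_RE = re.compile(r"Failed to parse subject from peer SSL certificate \((?P<subject>[^)]*)\)")
SERIAL_RE = re.compile(r"/serialNumber=PID:(?P<pid>\S+) SN:(?P<sn>\S+)")


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into module, level, context, message, source file and source line."""
    parts = line.rstrip("\n").split("||")
    if len(parts) < 6 or not parts[0].startswith("|"):
        return None  # not in the expected layout
    return {"module": parts[0].lstrip("|"), "level": parts[1], "ctx": parts[2],
            "msg": parts[3], "src": parts[4], "srcline": parts[5]}


def find_rejections(log_text: str) -> list:
    """Return one record per peer rejected for an unparseable certificate subject."""
    hits, pending = [], None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["module"] != "crypto" or rec["level"] != "ERROR":
            continue
        m = SUBJECT_RE.search(rec["msg"])
        if m:
            subject = m.group("subject")
            sm = SERIAL_RE.search(subject)
            pending = {"subject": subject,
                       "pid": sm.group("pid") if sm else None,
                       "sn": sm.group("sn") if sm else None}
        elif "REJECTING IFM SSL PEER CONNECTION" in rec["msg"] and pending:
            hits.append(pending)  # assumed: the rejection line follows its parse error
            pending = None
    return hits
```

Run it over the log file on the cluster APIC to get the PID and serial number of each server being rejected, which is what you need when matching a controller against this bug.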