Cisco Bug: CSCvv85487 - Enforcement Endpoint vault tokens expired after long duration without upgrade

Last Modified

Sep 26, 2020

Products (1)

  • Cisco Tetration Workload Security

Known Affected Releases

3.3(2.2) 3.4(1.1)

Description (partial)

Symptom:
Service Status shows failures for Enforcement Endpoint services with failures to check if SSL certificates are expired.

Details on the failures seen in Service Status: Enforcement Endpoint failing
"Dependencies Failed, 
Certificate will not expire found in stdout:Certificate will not expire cmd:
true | openssl s_client -connect <IP ADDRESS>:5660 | openssl x509 -checkend 604800"

To check, log in as a user with the Customer Support role and go to the left-hand menu -> Maintenance -> Explore:
use POST as the action, the affected IP address as the snapshot host, and "sv?args=status efe" as the command.

Output shows the Enforcement endpoint service is restarting every few seconds.

To check the Enforcement Endpoint logs, log in as a user with the Customer Support role and go to the left-hand menu -> Maintenance -> Explore:
use POST as the action, the affected IP address as the snapshot host, and "tail?args=-30 /local/logs/tetration/efe/current" as the command.

Output contains errors fetching the policystore password from vault:
"2020-09-15_10:02:36.51002 E0915 10:02:36.510010 31510 mongo_reader.cpp:89] Unable to fetch password for policystore for path: secret/policystore/efe/password
2020-09-15_10:02:36.51004 E0915 10:02:36.510035 31510 mongo_reader.cpp:130] Unable to fetch password from vault."
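The following triage helper is an added example, not Cisco's code. It automates the two checks the description walks through (the Service Status certificate test and the efe log inspection) and separates a genuinely expiring certificate from the vault password-fetch failure that is this bug's signature. It assumes the efe log is the file quoted above; the sample log content is copied from the report.

```shell
#!/bin/sh
# Added triage helper, not Cisco's code. Assumption: the efe log is
# /local/logs/tetration/efe/current as quoted in the bug report.

# The Service Status check pipes the server cert into
#   openssl x509 -checkend 604800
# which exits 0 (printing "Certificate will not expire") when the cert is
# still valid 7 days from now, and exits 1 when it is about to expire.
# This wrapper takes a PEM file so it can be exercised offline; live use:
#   true | openssl s_client -connect "$host":5660 2>/dev/null | cert_will_outlive_week /dev/stdin
cert_will_outlive_week() {
  openssl x509 -in "$1" -noout -checkend 604800 >/dev/null 2>&1
}

# Number of vault password-fetch failures in an efe log tail. Prints the
# count; "|| true" keeps a count of 0 from aborting a "set -e" caller.
count_vault_failures() {
  grep -c 'Unable to fetch password' "$1" || true
}

# Distinct vault paths the service failed to read, one per line.
failing_vault_paths() {
  sed -n 's/.*Unable to fetch password .* for path: \([^ ]*\).*/\1/p' "$1" | sort -u
}

# Verdict: a cert that really expires within 7 days is a certificate issue;
# a healthy cert plus vault errors in the log is the CSCvv85487 symptom.
triage() {           # $1 = PEM file with the server cert, $2 = efe log
  if ! cert_will_outlive_week "$1"; then
    echo "certificate-expiring"
  elif [ "$(count_vault_failures "$2")" -gt 0 ]; then
    echo "vault-password-fetch-failure"
  else
    echo "no-known-signature"
  fi
}

# Constructed sample: the two log lines quoted in the bug report.
write_sample_efe_log() {
  cat > "$1" <<'EOF'
2020-09-15_10:02:36.51002 E0915 10:02:36.510010 31510 mongo_reader.cpp:89] Unable to fetch password for policystore for path: secret/policystore/efe/password
2020-09-15_10:02:36.51004 E0915 10:02:36.510035 31510 mongo_reader.cpp:130] Unable to fetch password from vault.
EOF
}
```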

Conditions:
The cluster has not been rebooted or upgraded for one year.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
