Field Notice: FN - 70124 - AVS Certificate Issue on Application Policy Infrastructure Controller

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	26-Jan-18	Initial Release
1.1	26-Jan-18	update workaround section

Products Affected

Affected OS Type	Affected Release	Affected Release Number	Comments
NON-IOS	1.1	1.1(4g), 1.1(4e), 1.1(2i), 1.1(4m), 1.1(4f), 1.1(4l), 1.1(1s), 1.1(2h), 1.1(3f), 1.1(1o), 1.1(4i), 1.1(1r), 1.1(1j)	Affected Cisco ACI software versions with AVS: ACI software versions prior to 2.3 or ACI 2.3 onward if upgraded from prior to 2.3 version
NON-IOS	2.1	2.1(2g), 2.1(3j), 2.1(1h), 2.1(2k), 2.1(1i), 2.1(3h), 2.1(2e), 2.1(3g)	Affected Cisco ACI software versions with AVS: ACI software versions prior to 2.3 or ACI 2.3 onward if upgraded from prior to 2.3 version
NON-IOS	2.2	2.2(3r), 2.2(2e), 2.2(3s), 2.2(2j), 2.2(2k), 2.2(2q), 2.2(2f), 2.2(2i), 2.2(1n), 2.2(1o), 2.2(3p), 2.2(3j)	Affected Cisco ACI software versions with AVS: ACI software versions prior to 2.3 or ACI 2.3 onward if upgraded from prior to 2.3 version

Defect Information

Defect ID	Headline
CSCvh70579	Odev cert doesn't get updated to site based cert after fabric upgrade

Problem Description

Cisco has recently identified an SSL certificate defect, documented in Cisco bug ID CSCvh70579, that could potentially affect customers that run Cisco Application Virtual Switch (AVS) with Cisco Application Centric Infrastructure (ACI).

Background

Virtual machines on a VMware ESXi host that runs on Cisco AVS might lose connectivity to the network after any of these events:

• A VMware host that runs Cisco AVS reboots.
• A Cisco AVS kernel module restart on a VMware ESXi host.
• A Cisco AVS loses connectivity to the ACI leaf for any reason.

After any of these events, Cisco AVS might use an invalid or expired SSL certificate in order to authenticate with the ACI infrastructure and will not be able to establish a connection. This will cause all the virtual machines on that particular ESXi host to lose network connectivity.

Problem Symptom

The virtual machines on that particular ESXi host will lose network connectivity.

The affected Cisco ACI software versions with AVS are:

• ACI software versions earlier than Version 2.3.
• ACI Version 2.3 and later when upgraded from versions earlier than Version 2.3.

The unaffected Cisco ACI software versions with Cisco AVS are:

• Fresh installs of ACI Version 2.3 or later with Cisco AVS.
• Cisco ACI that is deployed without Cisco AVS.

Workaround/Solution

If you run the affected software versions, open a Technical Assistance Center (TAC) case in order to resolve the issue. Cisco TAC Engineers will use root access to check the validity of the SSL certificate. If the SSL certificate is invalid, Cisco TAC will update the SSL certificate in Application Policy Infrastructure Controller (APIC). It is recommended to perform this procedure in a maintenance window. If you are not able to determine the affected version, open a support ticket and Cisco TAC will validate your deployment and complete the necessary fixes if required. This process does not require any upgrades on APIC, the switch, or AVS.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

• Open a service request on Cisco.com
• By email
• By telephone

Receive Email Notification For New Field Notices

Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.