THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.0 | 07-Nov-18 | Initial Release |
1.1 | 15-Nov-18 | Updated the Workaround/Solution Section With a Reference to the FPR2100 Series Platform |
Affected OS Type | Affected Release | Affected Release Number | Comments |
---|---|---|---|
NON-IOS | 2.0 | 2.0.1.135, 2.0.1.141, 2.0.1.144, 2.0.1.148, 2.0.1.149, 2.0.1.153, 2.0.1.157, 2.0.1.159, 2.0.1.188, 2.0.1.201, 2.0.1.203, 2.0.1.37, 2.0.1.68, 2.0.1.86 | |
NON-IOS | 2.1 | 2.1.1.106, 2.1.1.107, 2.1.1.113, 2.1.1.115, 2.1.1.64, 2.1.1.69, 2.1.1.73, 2.1.1.77, 2.1.1.83, 2.1.1.85, 2.1.1.86, 2.1.1.97 | |
NON-IOS | 2.2 | 2.2.1.63, 2.2.1.66, 2.2.1.70, 2.2.2.17, 2.2.2.19, 2.2.2.24, 2.2.2.26, 2.2.2.28, 2.2.2.54, 2.2.2.60, 2.2.2.71 | |
NON-IOS | 2.3 | 2.3.1.56, 2.3.1.58, 2.3.1.66, 2.3.1.73, 2.3.1.75, 2.3.1.88, 2.3.1.91, 2.3.1.93, 2.3.1.99 | |
NON-IOS | 1.1 | 1.1.1.147, 1.1.1.160, 1.1.2.178, 1.1.2.51, 1.1.3.84, 1.1.3.86, 1.1.3.97, 1.1.4.117, 1.1.4.140, 1.1.4.169, 1.1.4.175, 1.1.4.178, 1.1.4.179, 1.1.4.95 | |
NON-IOS | 9 | 9.0.1.ED, 9.0.1.SMP.ED, 9.0.2.ED, 9.0.2.SMP.ED, 9.0.3.ED, 9.0.3.SMP.ED, 9.0.4.ED, 9.0.4.SMP.ED, 9.1.1.ED, 9.1.1.SMP.ED, 9.1.2.ED, 9.1.2.SMP.ED, 9.1.3.ED, 9.1.3.SMP.ED, 9.1.4.ED, 9.1.4.SMP.ED, 9.1.5.ED, 9.1.5.SMP.ED, 9.1.6, 9.1.6.SMP, 9.1.6.SMP.ED, 9.1.7, 9.1.7.SMP, 9.2.1.ED, 9.2.1.SMP.ED, 9.2.2.4, 9.2.2.4.SMP, 9.2.2.ED, 9.2.2.SMP.ED, 9.2.3, 9.2.3.SMP, 9.2.4, 9.2.4.SMP, 9.3.1.SMP, 9.3.2, 9.3.2.200, 9.3.3, 9.4.1, 9.4.1.150, 9.4.1.152, 9.4.1.200, 9.4.1.225, 9.4.2, 9.4.2.145, 9.4.2.146, 9.4.3, 9.4.4, 9.5.1, 9.5.1.200, 9.5.2, 9.5.2.1, 9.5.2.11, 9.5.2.2, 9.5.2.200, 9.5.3, 9.6.1, 9.6.2, 9.6.3, 9.6.4, 9.7.1, 9.8.1, 9.8.2, 9.8.3, 9.9.1, 9.9.2, 9.9.2.235 | |
NON-IOS | 8 | 8.2.1.11, 8.2.2.ED, 8.2.2.SMP.ED, 8.2.3.ED, 8.2.3.SMP.ED, 8.2.4.ED, 8.2.4.SMP.ED, 8.2.5.ED, 8.2.5.SMP.ED, 8.3.1.ED, 8.3.1.SMP.ED, 8.3.2.ED, 8.3.2.SMP.ED, 8.4.1.ED, 8.4.1.SMP.ED, 8.4.2.ED, 8.4.2.SMP.ED, 8.4.3.ED, 8.4.3.SMP.ED, 8.4.4.1.ED, 8.4.4.1.SMP.ED, 8.4.4.ED, 8.4.4.SMP.ED, 8.4.5.ED, 8.4.5.SMP.ED, 8.4.6.ED, 8.4.6.SMP.ED, 8.4.7.ED, 8.4.7.SMP.ED, 8.6.1.SMP.ED, 8.7.1.1.SMP.ED, 8.7.1.3.SMP.ED, 8.7.1.4.SMP.ED, 8.7.1.7.SMP.ED, 8.7.1.8.SMP.ED, 8.7.1.SMP.ED | |
Defect ID | Headline |
---|---|
CSCvm80874 | Need to update Smart Call Home built-in CA certificate for tools.cisco.com |
CSCvm81014 | FP9300/FP4100 Smart Licensing - Unable to register FXOS devices Smart Licensing |
An update of the root certificate authority (CA) for the tools.cisco.com server might affect Smart Licensing and Smart Call Home functionality for all versions of the Adaptive Security Appliance (ASA) and FirePOWER eXtensible Operating System (FXOS) software.
The root CA for the tools.cisco.com server was updated to a QuoVadis Root CA 2 certificate on 2018-10-05 in order to improve encrypted data security. This change might affect Smart Licensing and Smart Call Home functionality for all versions of ASA and FXOS software.
Affected security platforms will be unable to register (as seen in the chassis manager) with the Smart Licensing and Smart Call Home server hosted by tools.cisco.com. Smart licenses might fail entitlement and reflect an Out of Compliance status.
For ASA-based platforms, enter the show license registration command in order to view the licensing status. Affected ASA security chassis will show "Communication message send response error" in the output.
ASAv# show license registration
Registration Status: Retry In Progress.
Registration Start Time: Mar 22 13:25:46 2016 UTC
Last Retry Start Time: Mar 22 13:26:32 2016 UTC.
Next Scheduled Retry Time: Mar 22 13:45:31 2016 UTC.
Number of Retries: 1.
Last License Server response time: Mar 22 13:26:32 2016 UTC.
Last License Server response message: Communication message send response error
For FXOS-based platforms, enter the show license all command in order to view the licensing status. Affected FirePOWER security chassis will show "Failure reason: Failed to authenticate server" in the output.
4100CHASSIS # show license all
Smart Licensing Status
======================
Smart Licensing is ENABLED
Registration:
Status: REGISTERING - REGISTRATION IN PROGRESS
Export-Controlled Functionality: Not Allowed
Initial Registration: FAILED on Oct 09 18:03:27 2018 UTC
Failure reason: Failed to authenticate server
Next Registration Attempt: Oct 09 18:18:39 2018 UTC
Note: Cisco provides a 60-day grace period before affected Smart Licenses are placed in an Authorization Expired status that would impact feature functionality.
The QuoVadis Root CA 2 certificate is shown here and complies with sha1WithRSAEncryption signature algorithm requirements.
-----BEGIN CERTIFICATE-----
MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x
GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJv
b3QgQ0EgMjAeFw0wNjExMjQxODI3MDBaFw0zMTExMjQxODIzMzNaMEUxCzAJBgNV
BAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYDVQQDExJRdW9W
YWRpcyBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCa
GMpLlA0ALa8DKYrwD4HIrkwZhR0In6spRIXzL4GtMh6QRr+jhiYaHv5+HBg6XJxg
Fyo6dIMzMH1hVBHL7avg5tKifvVrbxi3Cgst/ek+7wrGsxDp3MJGF/hd/aTa/55J
WpzmM+Yklvc/ulsrHHo1wtZn/qtmUIttKGAr79dgw8eTvI02kfN/+NsRE8Scd3bB
rrcCaoF6qUWD4gXmuVbBlDePSHFjIuwXZQeVikvfj8ZaCuWw419eaxGrDPmF60Tp
+ARz8un+XJiM9XOva7R+zdRcAitMOeGylZUtQofX1bOQQ7dsE/He3fbE+Ik/0XX1
ksOR1YqI0JDs3G3eicJlcZaLDQP9nL9bFqyS2+r+eXyt66/3FsvbzSUr5R/7mp/i
Ucw6UwxI5g69ybR2BlLmEROFcmMDBOAENisgGQLodKcftslWZvB1JdxnwQ5hYIiz
PtGo/KPaHbDRsSNU30R2be1B2MGyIrZTHN81Hdyhdyox5C315eXbyOD/5YDXC2Og
/zOhD7osFRXql7PSorW+8oyWHhqPHWykYTe5hnMz15eWniN9gqRMgeKh0bpnX5UH
oycR7hYQe7xFSkyyBNKr79X9DFHOUGoIMfmR2gyPZFwDwzqLID9ujWc9Otb+fVuI
yV77zGHcizN300QyNQliBJIWENieJ0f7OyHj+OsdWwIDAQABo4GwMIGtMA8GA1Ud
EwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBQahGK8SEwzJQTU7tD2
A8QZRtGUazBuBgNVHSMEZzBlgBQahGK8SEwzJQTU7tD2A8QZRtGUa6FJpEcwRTEL
MAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMT
ElF1b1ZhZGlzIFJvb3QgQ0EgMoICBQkwDQYJKoZIhvcNAQEFBQADggIBAD4KFk2f
BluornFdLwUvZ+YTRYPENvbzwCYMDbVHZF34tHLJRqUDGCdViXh9duqWNIAXINzn
g/iN/Ae42l9NLmeyhP3ZRPx3UIHmfLTJDQtyU/h2BwdBR5YM++CCJpNVjP4iH2Bl
fF/nJrP3MpCYUNQ3cVX2kiF495V5+vgtJodmVjB3pjd4M1IQWK4/YY7yarHvGH5K
WWPKjaJW1acvvFYfzznB4vsKqBUsfU16Y8Zsl0Q80m/DShcK+JDSV6IZUaUtl0Ha
B0+pUNqQjZRG4T7wlP0QADj1O+hA4bRuVhogzG9Yje0uRY/W6ZM/57Es3zrWIozc
hLsib9D45MY56QSIPMO661V6bYCZJPVsAfv4l7CUW+v90m/xd2gNNWQjrLhVoQPR
TUIZ3Ph1WVaj+ahJefivDrkRoHy3au000LYmYjgahwz46P0u05B/B5EqHdZ+XIWD
mbA4CD/pXvk1B+TJYm5Xf6dQlfe6yJvmjqIBxdZmv3lh8zwc4bmCXF2gw+nYSL0Z
ohEUGW6yhhtoPkg3Goi3XZZenMfvJ2II4pEZXNLxId26F0KCl3GBUzGpn/Z9Yr9y
4aOTHcyKJloJONDO1w2AFrR4pTqHTI2KpdVGl/IsELm8VCLAAVBpQ570su9t+Oza
8eOx79+Rj1QqCyXBJhnEUhAFZdWCEOrCMc0u
-----END CERTIFICATE-----
ASA Software
For ASA-based platforms, upgrade to ASA Version 9.4(4)25, 9.6(4)17, 9.8(3)14, 9.9(2)27 or later in order to resolve the root CA certificate issue for affected platforms.
In order to resolve the issue without an upgrade to the ASA software, enter these CLI commands to manually import the QuoVadis Root CA 2 certificate into the ASA security chassis trust store.
ASA# config t
ASA(config)# crypto ca trustpoint QuoVadisRootCA2
ASA(config-ca-trustpoint)# enrollment terminal
ASA(config-ca-trustpoint)# crl configure
ASA(config-ca-crl)# crypto ca authenticate QuoVadisRootCA2
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
<< Paste in the QuoVadis Root CA 2 Certificate listed in the Workaround/Solution section. Include all of the dashes.>>
quit
INFO: Certificate has the following attributes:
Fingerprint: 5e397bdd f8baec82 e9ac62ba 0c54002b
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
For ASA Version 9.5(2) and later, the Cisco Adaptive Security Virtual Appliance (ASAv) and Firepower 2100 Series platforms have the trustpool configured to auto-import at 10:00 PM device local time. However, you can immediately update the local trust store with this command.
ASA# crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b
Note: This command is also available on ASA Versions 9.5(1) and earlier that do not support the auto-import feature.
FXOS Software
For FXOS-based platforms, upgrade to FXOS Version 2.2(2)83 or later in order to resolve the root CA certificate issue for affected platforms.
In order to resolve the issue without an upgrade to the FXOS software, enter these CLI commands to manually import the QuoVadis Root CA 2 certificate into the FirePOWER security chassis trust store.
4100CHASSIS #
4100CHASSIS # scope security
4100CHASSIS /security # create trustpoint QuoVadisRootCA2
4100CHASSIS /security/trustpoint* # set certchain
Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort.
Trustpoint Certificate Chain:
<< Paste in the QuoVadis Root CA 2 Certificate listed in the Workaround/Solution section. Include all of the dashes.>>
>ENDOFBUF
4100CHASSIS /security/trustpoint* # commit-buffer
4100CHASSIS /security/trustpoint # end
4100CHASSIS #
ASA Software Installations That Require Federal Information Processing Standards (FIPS) Compliance
For ASA-based platforms that require FIPS compliance, the import of the QuoVadis Root CA 2 certificate might fail for nonconformance to signature cryptographic requirements, and this message might be displayed.
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate is not FIPS compliant.
% Error in saving certificate: status = FAIL
As a workaround for FIPS compliant ASA installations, import the HydrantID SSL ICA G2 intermediate certificate for the tools.cisco.com server. The certificate can be imported with the ASA CLI commands shown in the ASA Software section.
The HydrantID SSL ICA G2 certificate is shown here and complies with sha256WithRSAEncryption signature algorithm requirements.
-----BEGIN CERTIFICATE-----
MIIGxDCCBKygAwIBAgIUdRcWd4PQQ361VsNXlG5FY7jr06wwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZ
BgNVBAMTElF1b1ZhZGlzIFJvb3QgQ0EgMjAeFw0xMzEyMTcxNDI1MTBaFw0yMzEy
MTcxNDI1MTBaMF4xCzAJBgNVBAYTAlVTMTAwLgYDVQQKEydIeWRyYW50SUQgKEF2
YWxhbmNoZSBDbG91ZCBDb3Jwb3JhdGlvbikxHTAbBgNVBAMTFEh5ZHJhbnRJRCBT
U0wgSUNBIEcyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9p1ZOA9+
H+tgdln+STF7bdOxvnOERYyjo8ZbKumzigNePSwbQYVWuso76GI843yjaX2rhn0+
Jt0NVJM41jVctf9qwacVduR7CEi0qJgpAUJyZUuB9IpFWF1Kz14O3Leh6URuRZ43
RzHaRmNtzkxttGBuOtAg+ilOuwiGAo9VQLgdONlqQFcrbp97/fO8ZIqiPrbhLxCZ
fXkYi3mktZVRFKXG62FHAuH1sLDXCKba3avDcUR7ykG4ZXcmp6kl14UKa8JHOHPE
NYyr0R6oHELOGZMox1nQcFwuYMX9sJdAUU/9SQVXyA6u6YtxlpZiC8qhXM1IE00T
Q9+q5ppffSUDMC4V/5If5A6snKVP78M8qd/RMVswcjMUMEnov+wykwCbDLD+IReM
A57XX+HojN+8XFTL9Jwge3z3ZlMwL7E54W3cI7f6cxO5DVwoKxkdk2jRIg37oqSl
SU3z/bA9UXjHcTl/6BoLho2p9rWm6oljANPeQuLHyGJ3hc19N8nDo2IATp70klGP
kd1qhIgrdkki7gBpanMOK98hKMpdQgs+NY4DkaMJqfrHzWR/CYkdyUCivFaepaFS
K78+jVu1oCMOFOnucPXL2fQa3VQn+69+7mA324frjwZj9NzrHjd0a5UP7waPpd9W
2jZoj4b+g+l+XU1SQ+9DWiuZtvfDW++k0BMCAwEAAaOCAZEwggGNMBIGA1UdEwEB
/wQIMAYBAf8CAQAweAYDVR0gBHEwbzAIBgZngQwBAgEwCAYGZ4EMAQICMA4GDCsG
AQQBvlgAAmQBAjBJBgwrBgEEAb5YAAOHBAAwOTA3BggrBgEFBQcCARYraHR0cDov
L3d3dy5oeWRyYW50aWQuY29tL3N1cHBvcnQvcmVwb3NpdG9yeTByBggrBgEFBQcB
AQRmMGQwKgYIKwYBBQUHMAGGHmh0dHA6Ly9vY3NwLnF1b3ZhZGlzZ2xvYmFsLmNv
bTA2BggrBgEFBQcwAoYqaHR0cDovL3RydXN0LnF1b3ZhZGlzZ2xvYmFsLmNvbS9x
dnJjYTIuY3J0MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBQahGK8SEwzJQTU
7tD2A8QZRtGUazA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnF1b3ZhZGlz
Z2xvYmFsLmNvbS9xdnJjYTIuY3JsMB0GA1UdDgQWBBSYarYtLr+nqp/299YJr9WL
V/mKtzANBgkqhkiG9w0BAQsFAAOCAgEAlraik8EDDUkpAnIOajO9/r4dpj/Zry76
6SH1oYPo7eTGzpDanPMeGMuSmwdjUkFUPALuWwkaDERfz9xdyFL3N8CRg9mQhdtT
3aWQUv/iyXULXT87EgL3b8zzf8fhTS7r654m9WM2W7pFqfimx9qAlFe9XcVlZrUu
9hph+/MfWMrUju+VPL5U7hZvUpg66mS3BaN15rsXv2+Vw6kQsQC/82iJLHvtYVL/
LwbNio18CsinDeyRE0J9wlYDqzcg5rhD0rtX4JEmBzq8yBRvHIB/023o/vIO5oxh
83Hic/2Xgwksf1DKS3/z5nTzhsUIpCpwkN6nHp6gmA8JBXoUlKQz4eYHJCq/ZyC+
BuY2vHpNx6101J5dmy7ps7J7d6mZXzguP3DQN84hjtfwJPqdf+/9RgLriXeFTqwe
snxbk2FsPhwxhiNOH98GSZVvG02v10uHLVaf9B+puYpoUiEqgm1WG5mWW1PxHstu
Ew9jBMcJ6wjQc8He9rSUmrhBr0HyhckdC99RgEvpcZpV2XL4nPPrTI2ki/c9xQb9
kmhVGonSXy5aP+hDC+Ht+bxmc4wN5x+vB02hak8Hh8jIUStRxOsRfJozU0R9ysyP
EZAHFZ3Zivg2BaD4tOISO8/T2FDjG7PNUv0tgPAOKw2t94B+1evrSUhqJDU0Wf9c
9vkaKoPvX4w=
-----END CERTIFICATE-----
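Two things an operator wants to confirm before pasting either certificate at the ASA or FXOS enrollment prompt are covered by the notice only indirectly: that the certificate copied from this web page (where the PEM body was flattened into space-separated chunks) still decodes to the same root the ASA transcript fingerprints as 5e397bdd f8baec82 e9ac62ba 0c54002b, and whether its signature algorithm is SHA-1, which the FIPS section says causes the import to fail. The script below is an added example, not Cisco tooling and not described in the field notice. It uses only the Python standard library, embeds the QuoVadis Root CA 2 certificate from the Workaround/Solution section, rewraps the body into 64-column PEM, computes the MD5 fingerprint in the four-word grouping the ASA prints (that the ASA fingerprint is an MD5 over the DER is an assumption, borne out by the value matching), and walks the DER far enough to name the outer signatureAlgorithm OID.

```python
"""Pre-import checks for a CA certificate copied from a web page (added example,
not Cisco tooling): rewrap a flattened PEM to 64 columns, compute the MD5
fingerprint in the grouping the ASA prints, and read the signatureAlgorithm OID."""
import base64
import hashlib
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
# QuoVadis Root CA 2 as reproduced in the field notice, one 64-char chunk per line.
QUOVADIS_ROOT_CA2_PEM = """-----BEGIN CERTIFICATE-----
MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x
GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJv
b3QgQ0EgMjAeFw0wNjExMjQxODI3MDBaFw0zMTExMjQxODIzMzNaMEUxCzAJBgNV
BAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYDVQQDExJRdW9W
YWRpcyBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCa
GMpLlA0ALa8DKYrwD4HIrkwZhR0In6spRIXzL4GtMh6QRr+jhiYaHv5+HBg6XJxg
Fyo6dIMzMH1hVBHL7avg5tKifvVrbxi3Cgst/ek+7wrGsxDp3MJGF/hd/aTa/55J
WpzmM+Yklvc/ulsrHHo1wtZn/qtmUIttKGAr79dgw8eTvI02kfN/+NsRE8Scd3bB
rrcCaoF6qUWD4gXmuVbBlDePSHFjIuwXZQeVikvfj8ZaCuWw419eaxGrDPmF60Tp
+ARz8un+XJiM9XOva7R+zdRcAitMOeGylZUtQofX1bOQQ7dsE/He3fbE+Ik/0XX1
ksOR1YqI0JDs3G3eicJlcZaLDQP9nL9bFqyS2+r+eXyt66/3FsvbzSUr5R/7mp/i
Ucw6UwxI5g69ybR2BlLmEROFcmMDBOAENisgGQLodKcftslWZvB1JdxnwQ5hYIiz
PtGo/KPaHbDRsSNU30R2be1B2MGyIrZTHN81Hdyhdyox5C315eXbyOD/5YDXC2Og
/zOhD7osFRXql7PSorW+8oyWHhqPHWykYTe5hnMz15eWniN9gqRMgeKh0bpnX5UH
oycR7hYQe7xFSkyyBNKr79X9DFHOUGoIMfmR2gyPZFwDwzqLID9ujWc9Otb+fVuI
yV77zGHcizN300QyNQliBJIWENieJ0f7OyHj+OsdWwIDAQABo4GwMIGtMA8GA1Ud
EwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBQahGK8SEwzJQTU7tD2
A8QZRtGUazBuBgNVHSMEZzBlgBQahGK8SEwzJQTU7tD2A8QZRtGUa6FJpEcwRTEL
MAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMT
ElF1b1ZhZGlzIFJvb3QgQ0EgMoICBQkwDQYJKoZIhvcNAQEFBQADggIBAD4KFk2f
BluornFdLwUvZ+YTRYPENvbzwCYMDbVHZF34tHLJRqUDGCdViXh9duqWNIAXINzn
g/iN/Ae42l9NLmeyhP3ZRPx3UIHmfLTJDQtyU/h2BwdBR5YM++CCJpNVjP4iH2Bl
fF/nJrP3MpCYUNQ3cVX2kiF495V5+vgtJodmVjB3pjd4M1IQWK4/YY7yarHvGH5K
WWPKjaJW1acvvFYfzznB4vsKqBUsfU16Y8Zsl0Q80m/DShcK+JDSV6IZUaUtl0Ha
B0+pUNqQjZRG4T7wlP0QADj1O+hA4bRuVhogzG9Yje0uRY/W6ZM/57Es3zrWIozc
hLsib9D45MY56QSIPMO661V6bYCZJPVsAfv4l7CUW+v90m/xd2gNNWQjrLhVoQPR
TUIZ3Ph1WVaj+ahJefivDrkRoHy3au000LYmYjgahwz46P0u05B/B5EqHdZ+XIWD
mbA4CD/pXvk1B+TJYm5Xf6dQlfe6yJvmjqIBxdZmv3lh8zwc4bmCXF2gw+nYSL0Z
ohEUGW6yhhtoPkg3Goi3XZZenMfvJ2II4pEZXNLxId26F0KCl3GBUzGpn/Z9Yr9y
4aOTHcyKJloJONDO1w2AFrR4pTqHTI2KpdVGl/IsELm8VCLAAVBpQ570su9t+Oza
8eOx79+Rj1QqCyXBJhnEUhAFZdWCEOrCMc0u
-----END CERTIFICATE-----"""
# Fingerprint shown by "crypto ca authenticate" in the notice's ASA transcript
# (assumed to be the MD5 of the DER; the computation below confirms it).
EXPECTED_ASA_FINGERPRINT = "5e397bdd f8baec82 e9ac62ba 0c54002b"
# DER-encoded AlgorithmIdentifier OIDs (RFC 8017); the notice reports SHA-1 signed
# certificates as rejected when the ASA runs in FIPS mode.
SIG_ALG_OIDS = {
    bytes.fromhex("06092a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("06092a864886f70d01010b"): "sha256WithRSAEncryption",
}

def pem_body(text):
    """Base64 between the markers with all whitespace removed (handles the flattened copy)."""
    m = re.search(re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER), text, re.S)
    if m is None:
        raise ValueError("no PEM certificate markers found")
    return re.sub(r"\s+", "", m.group(1))

def normalize_pem(text):
    """Rewrap into 64-column lines, the form the ASA/FXOS prompts accept line by line."""
    body = pem_body(text)
    return "\n".join([PEM_HEADER, *(body[i:i + 64] for i in range(0, len(body), 64)), PEM_FOOTER]) + "\n"

def pem_to_der(text):
    return base64.b64decode(pem_body(text), validate=True)  # rejects stray characters

def asa_fingerprint(der):
    """MD5 of the DER as four 8-hex-digit words, the layout in the ASA transcript."""
    h = hashlib.md5(der).hexdigest()
    return " ".join(h[i:i + 8] for i in range(0, 32, 8))

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_algorithm(der):
    """Skip tbsCertificate and name the outer signatureAlgorithm OID of a DER certificate."""
    tag, cert_start, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(der, cert_start)  # tbsCertificate ends here
    _, alg_start, _ = _tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    _, _, oid_end = _tlv(der, alg_start)  # its first element is the OID
    oid = der[alg_start:oid_end]
    return SIG_ALG_OIDS.get(oid, "unknown OID " + oid.hex())

if __name__ == "__main__":
    der = pem_to_der(QUOVADIS_ROOT_CA2_PEM)
    fp, alg = asa_fingerprint(der), signature_algorithm(der)
    print(f"Fingerprint: {fp} (matches notice: {fp == EXPECTED_ASA_FINGERPRINT})")
    print(f"Signature algorithm: {alg}; FIPS-mode ASA import expected to {'fail' if alg.startswith('sha1') else 'succeed'}")
    print(normalize_pem(QUOVADIS_ROOT_CA2_PEM))
```

Run it and compare the first output line with the "Fingerprint:" line the ASA prints after the paste; a mismatch means the certificate was altered in transit. The same functions apply unchanged to the HydrantID SSL ICA G2 intermediate above, whose outer OID decodes to sha256WithRSAEncryption, which is why that certificate is the one the notice offers for FIPS-mode installations.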
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.