THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
| Revision | Publish Date | Comments |
|---|---|---|
| 1.0 | | Initial Release |
| 1.1 | | Added the Serial Number Validation Section |
| 1.2 | 31-Aug-20 | Updated the How to Identify Affected Products Section |
| Affected Product ID | Comments |
|---|---|
| APIC-SERVER-M3 | |
| APIC-SERVER-L3 | |
| APIC-SERVER-M3= | Part Alternate |
| APIC-SERVER-L3= | Part Alternate |
| Defect ID | Headline |
|---|---|
| CSCvu62127 | F3031 - Node Certificate is invalid: Failed to parse the subject line on new APIC-SERVER-L3 and M3 |
A newly received Application Policy Infrastructure Controller (APIC) L3 or M3 server can ship with a node certificate whose subject fields are in an unexpected order.
An X.509 library function was changed in the mid-April 2020 timeframe, which resulted in certificates being generated with an unexpected subject format. Because the APIC parses the subject positionally, it is unable to extract the validity information (product ID and serial number) from the certificate when the fields are in this unexpected order.
A new APIC L3 or M3 server with such a certificate will not be able to complete fabric discovery. Link Layer Discovery Protocol (LLDP), the acidiag verifyapic command, and other general checks will not show a problem, so the certificate rejection is only visible in the appliancedirector log.
The appliancedirector logs of an affected Cisco APIC should be checked for messages that indicate that the rejection happens due to being unable to parse the certificate subject.
```
APIC# less /var/log/dme/log/svc_ifc_appliancedirector.bin.log
|crypto||ERROR||co=ifm||Failed to parse subject from peer SSL certificate (/CN=ASD1234567/serialNumber=PID:APIC-SERVER-L3 SN:ASD1234567)||../common/src/ifm/./PeerVerificationUtils.cc||287
|crypto||ERROR||co=ifm||Peer Certificate Subject is not in the expected format - REJECTING IFM SSL PEER CONNECTION||../common/src/ifm/./PeerVerificationUtils.cc||526
```
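The following script is an added example, not Cisco code and not part of this field notice. It scans appliancedirector log text for the two ERROR messages quoted above, pulls the peer certificate subject out of the "Failed to parse subject" line, and parses that subject by attribute name rather than by position, so it recovers the PID and serial number whichever order the RDNs appear in (the order is exactly what changed on affected servers). The sample log is constructed from the two lines quoted in this notice plus one filler line; the three-line window used to pair the parse failure with the REJECTING message, and the check that CN matches the SN inside serialNumber, are assumptions of this example and not documented APIC behaviour.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the two ERROR lines quoted in this field notice plus one
# filler line (not a real APIC message) so the scan has something to skip.
SAMPLE_LOG = """\
|crypto||INFO||co=ifm||constructed filler line, not an APIC message||../common/src/ifm/./PeerVerificationUtils.cc||1
|crypto||ERROR||co=ifm||Failed to parse subject from peer SSL certificate (/CN=ASD1234567/serialNumber=PID:APIC-SERVER-L3 SN:ASD1234567)||../common/src/ifm/./PeerVerificationUtils.cc||287
|crypto||ERROR||co=ifm||Peer Certificate Subject is not in the expected format - REJECTING IFM SSL PEER CONNECTION||../common/src/ifm/./PeerVerificationUtils.cc||526
"""

PARSE_FAIL = re.compile(
    r"\|\|Failed to parse subject from peer SSL certificate \((?P<subject>[^)]*)\)\|\|"
)
REJECT = re.compile(r"REJECTING IFM SSL PEER CONNECTION")
# Value of the serialNumber RDN as it appears in the quoted log line: "PID:<pid> SN:<sn>".
SERIAL_FIELD = re.compile(r"PID:(?P<pid>\S+)\s+SN:(?P<sn>\S+)")


@dataclass
class SubjectInfo:
    rdns: List[Tuple[str, str]]      # (attribute, value) in the order they appear
    cn: Optional[str] = None
    pid: Optional[str] = None
    sn: Optional[str] = None

    @property
    def rdn_order(self) -> List[str]:
        return [attr for attr, _ in self.rdns]

    @property
    def consistent(self) -> bool:
        # Assumption of this example: CN and the SN inside serialNumber should agree.
        return self.cn is not None and self.sn is not None and self.cn == self.sn


def parse_subject(subject: str) -> SubjectInfo:
    """Parse an OpenSSL one-line subject ("/A=x/B=y") by attribute name, not position."""
    rdns: List[Tuple[str, str]] = []
    for part in subject.strip("/").split("/"):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr, value))
    info = SubjectInfo(rdns=rdns)
    for attr, value in rdns:
        if attr == "CN":
            info.cn = value
        elif attr == "serialNumber":
            m = SERIAL_FIELD.fullmatch(value)
            if m:
                info.pid, info.sn = m.group("pid"), m.group("sn")
    return info


def triage_log(text: str, window: int = 3) -> List[dict]:
    """Return one finding per 'Failed to parse subject' line.

    'rejected' is True when the REJECTING message appears within the next `window`
    lines; the window is an assumption of this example, the notice only says that
    the rejection message follows.
    """
    lines = text.splitlines()
    findings: List[dict] = []
    for i, line in enumerate(lines):
        m = PARSE_FAIL.search(line)
        if not m:
            continue
        subject = m.group("subject")
        try:
            info = parse_subject(subject)
        except ValueError:
            findings.append({"line": i + 1, "subject": subject, "parsed": False})
            continue
        rejected = any(REJECT.search(nxt) for nxt in lines[i + 1 : i + 1 + window])
        findings.append({
            "line": i + 1,
            "subject": subject,
            "parsed": True,
            "rdn_order": info.rdn_order,
            "cn": info.cn,
            "pid": info.pid,
            "sn": info.sn,
            "consistent": info.consistent,
            "rejected": rejected,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

Run it against a copy of svc_ifc_appliancedirector.bin.log pulled from the APIC: each finding lists the RDN order the APIC saw, the PID and serial number the fields carry, and whether the connection was rejected, which is the information TAC will ask for when reprogramming the certificate. The point of parsing by attribute name is that the same subject data is recoverable in either order; a positional parser, like the one in the APIC that produced these log lines, is not.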
Contact the Technical Assistance Center (TAC) in order to generate and reprogram the APIC certificates.
Products manufactured before 2020-07-23 can be affected. Customers can use the product serial number to identify impacted servers.
The serial number for the server is printed on a label located on the top, front of the server. See the Serial Number Validation section in this field notice for more information.
The Cisco Support Assistant (CSA) can help verify whether a device is impacted by the issue that is described in this Field Notice. To check the device, either enter the serial number in the CSA on the right side of this page or click the following URL: https://cs.co/FNSNV.
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.