THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|
Firepower Management Center Software | 7 | 7.6.0, 7.7.0 | |

Defect ID | Headline |
---|---|
CSCwo63951 | FMC/FDM Client side certificate used to communicate to Talos did not auto-renew correctly |
The Cisco Secure Firewall Management Center (FMC) uses a client-side certificate to authenticate to the Cisco Talos threat intelligence service when it downloads updates for the URL Reputation Databases (URLDBs), Lightweight Security Packages (LSPs) and other enrichment data. Some releases of Cisco Firepower Software might not auto-renew this certificate after March 30, 2025, which prevents updates to the URLDB and LSP threat intelligence databases.
The client-side certificate that is used by Cisco FMC to communicate with the Cisco Talos threat intelligence service is pre-provisioned during Firepower software installation and upgrades. It is auto-renewed when it nears expiration, but some releases of Cisco Firepower Software fail to complete the auto-renewal process after March 30, 2025, and a process restart is required to perform the certificate renewal.
To check the current expiration date of the certificate, enter expert mode and run the following sudo command:

```
> expert
$ sudo openssl x509 --in /var/sf/beaker3/securefirewall-dev-prod-01_prod.pem --text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 46240369 (0x2c19271)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, L = San Jose, O = Cisco Systems Inc., OU = Security, CN = Keymaster CA 2
        Validity
            Not Before: Jan 30 22:32:39 2024 GMT
            Not After : Mar 30 22:32:39 2025 GMT
        Subject: CN = SFW76EVAL-prod-01, C = US, ST = California, L = San Jose, O = Cisco, OU = Security
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e5:3c:4f:84:b0:95:71:18:87:23:bf:96:88:f5:
                    e4:e7:d2:4d:3f:40:7a:a9:2f:54:aa:19:e4:bb:5c:
                    3a:23:89:56:23:c7:9a:53:69:88:35:0e:8d:ae:51:
                    0f:bb:eb:70:5c:40:03:bd:f5:d7:2b:80:8b:16:fc:
                    88:3c:46:36:3e:d8:1d:73:40:b6:26:4c:a1:28:d7:
                    e7:6f:7d:35:b3:69:1b:70:39:70:de:1c:7e:a8:8c:
                    da:0f:50:36:6a:f2:be:75:64:63:d1:df:03:2c:f1:
                    d7:19:be:12:e0:d4:3c:cd:21:83:15:92:6b:16:83:
                    a7:39:fc:0c:91:ca:9a:1e:64:15:ad:f2:ad:e8:30:
                    d1:28:a1:2d:d3:ce:83:cc:b5:13:56:be:9c:73:e9:
                    60:aa:54:4a:32:81:5d:08:32:b2:0d:52:a2:38:db:
                    e5:fd:cf:af:36:76:56:26:19:9a:33:9f:a0:db:04:
                    3e:54:3e:94:be:06:06:87:24:8f:05:47:80:0a:ac:
                    5e:04:d6:26:89:58:dd:76:7d:6a:de:ba:b8:a6:34:
                    9b:c4:7a:ad:c0:28:e7:36:01:08:07:ac:09:0e:fb:
                    c2:74:b6:58:b8:1c:fd:4d:7e:ab:04:da:62:4f:1f:
                    35:b3:08:00:20:02:81:72:11:d9:de:33:71:b5:e2:
                    49:3b
                Exponent: 65537 (0x10001)
...
```

Note: The Not After date is the current expiration date of the client-side certificate.
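The following script automates the check above: it extracts the Not After timestamp from the `openssl x509 -text` output and reports whether the certificate is expired, about to expire, or fine. It is an added example, not part of the Cisco field notice; it assumes GNU `date -d` is available, uses the certificate path the notice names, and the 30-day warning threshold is a constructed choice.

```shell
#!/bin/sh
# Added example (not from the Cisco field notice): report the expiry state of the
# FMC-to-Talos client certificate. Assumes GNU date (date -d). The certificate
# path is the one the notice names; WARN_DAYS is an arbitrary constructed threshold.
CERT_PATH=/var/sf/beaker3/securefirewall-dev-prod-01_prod.pem
WARN_DAYS=30

# Print the 'Not After' timestamp from certificate text read on stdin,
# e.g. "Mar 30 22:32:39 2025 GMT".
cert_not_after() {
    sed -n 's/^[[:space:]]*Not After *: *//p' | head -n 1
}

# Print whole days from now until the given timestamp (negative once it is past).
days_until() {
    now=$(date -u +%s)
    exp=$(date -u -d "$1" +%s) || return 1
    echo $(( (exp - now) / 86400 ))
}

# Classify a 'Not After' timestamp as EXPIRED, EXPIRING or OK.
cert_status() {
    d=$(days_until "$1") || { echo UNKNOWN; return 1; }
    if [ "$d" -lt 0 ]; then
        echo EXPIRED
    elif [ "$d" -lt "$WARN_DAYS" ]; then
        echo EXPIRING
    else
        echo OK
    fi
}

# Constructed sample mirroring the Validity block shown in the notice.
SAMPLE_TEXT='Certificate:
    Data:
        Validity
            Not Before: Jan 30 22:32:39 2024 GMT
            Not After : Mar 30 22:32:39 2025 GMT'

# On an FMC, read the live certificate; elsewhere, demonstrate on the sample.
if [ -r "$CERT_PATH" ]; then
    na=$(openssl x509 -in "$CERT_PATH" -noout -text | cert_not_after)
else
    na=$(printf '%s\n' "$SAMPLE_TEXT" | cert_not_after)
fi
echo "Not After: $na -> $(cert_status "$na") ($(days_until "$na") days)"
```

An EXPIRED or EXPIRING result on an affected release is the cue to apply the workaround or fix below, rather than waiting for the auto-renewal that this defect prevents.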
The Cisco FMC Health Alerts page (System > Health) shows one of the following messages for the Talos Connectivity Status:
The following image shows an example of the Talos Connectivity Status error in the Health Alerts menu of Cisco FMC.
Workaround
Step 1: Enable cloud connectivity for the Cisco Secure Firewall.
From the Integration tab in the Cisco Security Cloud interface, enable any one of the following three options.
Step 2: Update the Vulnerability Database (VDB) or Geolocation Database (GeoDB). For installation instructions, see the Secure Firewall Management Center Device Configuration Guide for the appropriate Cisco Firepower Software release.
Either of these updates triggers auto-renewal of the client-side certificate used for cloud connectivity.
Notes:
Solution
Option 1: Cisco recommends upgrading to one of the Cisco Firepower Software releases shown in the following table to fix the Firewall Management Center (FMC) client-side certificate issue.
Cisco FMC Software Release | First Fixed Release |
---|---|
7.6.0 | 7.6.1 |
7.7.0 | 7.7.10 (Planned for release Aug 2025) |
Option 2: Install Vulnerability Database version VDB406 or later to fix the client-side certificate issue. This option requires both cloud connectivity and telemetry to be enabled. For installation instructions, see the Secure Firewall Management Center Device Configuration Guide for the appropriate Cisco Firepower Software release.
Cisco offers a guided upgrade experience through the Cisco Secure Firewall Upgrade program. This program will provide environment-specific software upgrade guidance, a customized procedure to follow, and a customized pre-upgrade checklist. For additional information and to register for the upgrade program, see Get access to Cisco Secure Firewall LevelUp.
Version | Description | Section | Date |
1.0 | Initial Release | — | 2025-JUN-18 |
For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:
To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.