Field Notice: FN74272 - Cisco Firepower Management Center: Some Software Releases Might Not Auto-Renew Talos Root Certificate After March 30, 2025 - Software Upgrade Recommended

The Cisco Secure Firewall Management Center (FMC) uses a client-side certificate to authenticate with the Cisco Talos threat intelligence service to download updates for the URL Reputation Databases (URLDBs), Lightweight Security Packages (LSPs) and other enrichment data. Some releases of Cisco Firepower Software might not auto-renew this certificate after March 30, 2025, and this prevents updates to the URLDB and LSP threat intelligence databases.

The client-side certificate that is used by Cisco FMC to communicate with the Cisco Talos threat intelligence service is pre-provisioned during Firepower software installation and upgrades. It is auto-renewed when it nears expiration, but some releases of Cisco Firepower Software fail to complete the auto-renewal process after March 30, 2025, and a process restart is required to perform the certificate renewal.

To check the current expiration date of the certificate, run the following sudo command in expert mode:

> expert
$ sudo openssl x509 --in /var/sf/beaker3/securefirewall-dev-prod-01_prod.pem --text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 46240369 (0x2c19271)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, L = San Jose, O = Cisco Systems Inc., OU = Security, CN = Keymaster CA 2
        Validity
            Not Before: Jan 30 22:32:39 2024 GMT
            Not After : Mar 30 22:32:39 2025 GMT
        Subject: CN = SFW76EVAL-prod-01, C = US, ST = California, L = San Jose, O = Cisco, OU = Security
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e5:3c:4f:84:b0:95:71:18:87:23:bf:96:88:f5:
                    e4:e7:d2:4d:3f:40:7a:a9:2f:54:aa:19:e4:bb:5c:
                    3a:23:89:56:23:c7:9a:53:69:88:35:0e:8d:ae:51:
                    0f:bb:eb:70:5c:40:03:bd:f5:d7:2b:80:8b:16:fc:
                    88:3c:46:36:3e:d8:1d:73:40:b6:26:4c:a1:28:d7:
                    e7:6f:7d:35:b3:69:1b:70:39:70:de:1c:7e:a8:8c:
                    da:0f:50:36:6a:f2:be:75:64:63:d1:df:03:2c:f1:
                    d7:19:be:12:e0:d4:3c:cd:21:83:15:92:6b:16:83:
                    a7:39:fc:0c:91:ca:9a:1e:64:15:ad:f2:ad:e8:30:
                    d1:28:a1:2d:d3:ce:83:cc:b5:13:56:be:9c:73:e9:
                    60:aa:54:4a:32:81:5d:08:32:b2:0d:52:a2:38:db:
                    e5:fd:cf:af:36:76:56:26:19:9a:33:9f:a0:db:04:
                    3e:54:3e:94:be:06:06:87:24:8f:05:47:80:0a:ac:
                    5e:04:d6:26:89:58:dd:76:7d:6a:de:ba:b8:a6:34:
                    9b:c4:7a:ad:c0:28:e7:36:01:08:07:ac:09:0e:fb:
                    c2:74:b6:58:b8:1c:fd:4d:7e:ab:04:da:62:4f:1f:
                    35:b3:08:00:20:02:81:72:11:d9:de:33:71:b5:e2:
                    49:3b
                Exponent: 65537 (0x10001)
                ….

Note: The Not After date is the current expiration date of the client-side certificate.

The Cisco FMC Health Alarms at System > Health for the Talos Connectivity Status shows one of the following messages:

• LSP - Failed to retrieve beaker inventory
• URLDB - Failed to retrieve beaker inventory
• Enrichment - Failed to perform batch query
  

The following image shows an example of the Talos Connectivity Status error in the Health Alerts menu of Cisco FMC.

Workaround

Step 1: Enable cloud connectivity for the Cisco Secure Firewall.

From the Integration tab in the Cisco Security Cloud interface, enable any one of the following three options.

• Cisco Security Cloud
• Cisco Success Network
• Cisco Support Diagnostics

Step 2: Update the Vulnerability Database (VDB) or Geolocation Database (GeoDB). For installation instructions, see the Secure Firewall Management Center Device Configuration Guide for the appropriate Cisco Firepower Software release. 

• To update the VDB database, go to System > Updates and choose Product Updates.  
• To update the GeoDB database, go to System > Updates and choose Geolocation Updates.  

Either of these updates will auto-renew the client-side certificate for cloud connectivity.

Notes:

• Resolving the health alarms may take 10-15 minutes.
• The new client-side certificate will expire in one year. When a new VDB or GeoDB is downloaded, the software will auto-renew the client-side certificate if it will expire within 30 days.

Solution

Option 1: Cisco recommends upgrading to one of the Cisco Firepower Software releases shown in the following table to fix the Firewall Management Center (FMC) client-side certificate issue.

Option 2: Install Vulnerability Database version VDB406 or later to fix the client-side certificate issue. This option requires both cloud connectivity and telemetry to be enabled. For installation instructions, see the Secure Firewall Management Center Device Configuration Guide for the appropriate Cisco Firepower Software release.

Cisco offers a guided upgrade experience through the Cisco Secure Firewall Upgrade program. This program will provide environment-specific software upgrade guidance, a customized procedure to follow, and a customized pre-upgrade checklist. For additional information and to register for the upgrade program, see Get access to Cisco Secure Firewall LevelUp.