Field Notice: FN74334 - Cisco Secure Workload Clusters, Agents, and Connectors Must Be Upgraded to Release 3.10.5.6 Before Upgrading to Later Releases - Software Upgrade Recommended

Available Languages

Updated:October 20, 2025
Document ID:FN74334

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

High
Impact Rating:
High
First Published:
2025-Oct-20
Last Published:
2025-Oct-20
Revision:
1.0
Cisco Bug IDs:

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected


Affected Software Product Affected Release Affected Release Number Comments
Tetration OS 1 1 All 1.x.x releases are affected
Tetration OS 2 2 All 2.x.x releases are affected
Tetration OS 3 3 All 3.x.x releases earlier than Release 3.10.5.6 are affected

Defect Information


Defect IDHeadline
CSCwr54868All Secure Workload Clusters, Non-Windows Agents, and Connectors MUST Upgrade/Patch to 3.10.5.5 Before Upgrading/Patching to Higher Versions

Problem Description


Due to changes in binary signing key, both on-premises and software as a service (SaaS) deployments of Cisco Secure Workload will need to follow a certain upgrade sequence:

  • On-premises Cisco Secure Workload clusters: Upgrades from a release earlier than Release 3.10.5.6 to a release later than Release 3.10.5.6 will fail unless the cluster is first upgraded to Release 3.10.5.6.
  • SaaS and On-premises Cisco Secure Workload:
    • Non-Windows-based agents and Encapsulated Remote Switched Port Analyzer (ERSPAN) connectors that require a manual upgrade from a release earlier than Release 3.10.5.6 to a release later than Release 3.10.5.6 will fail unless the agent or connector is first upgraded to Release 3.10.5.6.
    • Agents and connectors with the auto-upgrade feature enabled will be upgraded automatically when the Cisco Secure Workload cluster is upgraded.
    • Microsoft Windows-based agents are not affected by this binary signing key change.

Background


Starting November 15, 2025, Cisco will change the binary signing key for all binary files related to Cisco Secure Workload that are published to Cisco.com.  

Cisco Secure Workload publishes three types of binaries. After November 15, 2025, the following binaries will be signed by a new key:

  • Non-Windows-based agents (Linux, AIX, Solaris) binaries that are published by on-premises Cisco Secure Workload clusters and SaaS environments
  • Connector binaries
  • Each Red Hat Packet Manager (RPM) file for on-premises cluster upgrade and patch binaries

Windows-based agents are signed with Microsoft Authenticode and are unaffected by this change.


Problem Symptom


After the Cisco Secure Workload binary signing key change, the following will occur: 

  • On-premises Cisco Secure Workload clusters: Any full upgrade or patch upgrade from a release earlier than Release 3.10.5.6 to a release later than Release 3.10.5.6 will fail during the RPM upload stage setup UI.
  • SaaS and On-premises Cisco Secure Workload: Non-Windows-based agents and ERSPAN connectors that require manual upgrades and are running a release earlier than Release 3.10.5.6 will not be able to upgrade to a release later than Release 3.10.5.6 unless they are first upgraded to Release 3.10.5.6.
    • For example, if a Linux agent is manually upgraded to Cisco Secure Workload Release 4.0 before upgrading to Release 3.10.5.6, the upgrade package verification will fail, and the upgrade will stop. Every 24 hours, the agent will re-try the upgrade and will fail. The upgrade failure will appear in the UI. Despite the upgrade failures, the agent will continue to function normally.

Workaround/Solution


On-premises Cisco Secure Workload clusters: On-premises Cisco Secure Workload clusters running a release earlier than Release 3.10.5.6 should upgrade to Release 3.10.5.6 first before upgrading to a later release. 

SaaS and On-premises Cisco Secure Workload: Non-Windows-based agents and ERSPAN connectors that are manually upgraded should upgrade to Release 3.10.5.6 first before upgrading to a later release. 

Agents and connectors with the auto-upgrade feature enabled will be upgraded automatically when the cluster is upgraded. No special action is required for the agents or connectors in this scenario.


Revision History


VersionDescriptionSectionDate
1.0Initial Release2025-OCT-20

For More Information

For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:

Receive Email Notification About New Field Notices

To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products