Cisco warns of certificate problem that takes down SD-WANs

Cisco said an expired hardware certificate in some of its Viptela SD-WAN devices can take down the boxes; certificate replacement is forthcoming.


Cisco is warning customers that an expired certificate bug in a number of its Viptela SD-WAN devices can take down the boxes and consequently their attached SD-WAN environments.

In a tweeted alert and a Tech Note Wednesday morning, Cisco said it is actively working to address a device failure problem that's impacting a number of Viptela SD-WAN platforms including the vEdge 100, 1000, 2000. It defined the problem as “an expired certificate affecting control plane connections, which eventually impacts data plane connections resulting in loss of service.”

Cisco’s SD-WAN vEdge 100, 1000, 2000 routers typically sit at the edge of the network and bring SD-WAN, security and multi-cloud capability connectivity to the enterprise.

“We have identified the problem as an expired hardware certificate affecting connections resulting in SD-WAN downtime,” Cisco stated. “Our teams are developing and testing solutions to resolve this issue for our customers. At this time, we believe the only potentially impacted products are vEdge 100, 1000, 2000. We will continue to communicate with our customers through our established channels throughout this process so they can take appropriate action and we apologize for the challenge this is creating.”

To prevent a complete loss of service, customers should avoid reloading devices, updating policies and pushing templates, Cisco wrote.

The following conditions may trigger the failure on vEdge devices with the bug:

  • Loss of connections to vSmart
  • Loss of connections to vManage
  • Port-hop
  • Control policy changes such as topology changes in the network
  • Clear control connection
  • Interface flaps
  • Device reload
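The triggers above share one root: once the device certificate has lapsed, any event that forces a control connection to be re-established fails. The check that avoids discovering this the hard way is to inventory device identity certificates and alert well before NotAfter. The following is an added example, not Cisco's code or tooling; it uses Go's standard crypto/x509 with a constructed self-signed certificate in place of a real vEdge hardware certificate, and the device name and 90-day lead window are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckValidity classifies a DER-encoded certificate at time now as "ok",
// "expiring-soon" (NotAfter within lead) or "expired", with the remaining lifetime.
// Expiry is the condition in the article: once it lapses, control-plane sessions cannot be re-established.
func CheckValidity(der []byte, now time.Time, lead time.Duration) (string, time.Duration, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "expired", 0, err // unparseable certificate: treat as unusable
	}
	remaining := cert.NotAfter.Sub(now)
	switch {
	case remaining <= 0:
		return "expired", remaining, nil
	case remaining <= lead:
		return "expiring-soon", remaining, nil
	}
	return "ok", remaining, nil
}

// newDeviceCert builds a constructed self-signed certificate standing in for a
// device identity certificate (test data only, not a real vEdge certificate).
func newDeviceCert(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	now := time.Date(2023, 5, 10, 0, 0, 0, 0, time.UTC) // constructed check time
	der, _ := newDeviceCert("EDGE-A", now.AddDate(-10, 0, 0), now.AddDate(0, -1, 0)) // constructed: expired a month ago
	status, rem, _ := CheckValidity(der, now, 90*24*time.Hour)                         // warn 90 days before NotAfter
	fmt.Printf("EDGE-A: %s (%.0f days remaining)\n", status, rem.Hours()/24)
}
```

Run against a real inventory, the same check fed by each device's exported certificate turns the expiry into a scheduled renewal rather than an outage after the next reload or control-connection reset.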

Cisco also offered an update on identifying and implementing solutions for restoration of service.

“We’ve determined that a certificate replacement is expected to be the most effective resolution to the problem [and] are in the process of testing and validating the procedure for controllers and remote devices to clearly outline what is required to restore service,” Cisco stated.

“In addition, we are developing an operational plan to support our customers and partners to implement this procedure,” Cisco stated. “For customers already impacted, please contact Cisco Technical Support.”

Copyright © 2023 IDG Communications, Inc.
