Field Notice: FN - 72315 - Cisco Unified SIP Proxy: QuoVadis Root CA 2 Decommission Might Affect Smart Licensing and Smart Call Home Functionality - Software Upgrade Recommended
Available Languages
Notice
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.1 |
24-Feb-22 |
Updated the Problem Description, Background, Problem Symptom, and Workaround/Solution Sections |
1.0 |
21-Jan-22 |
Initial Release |
Products Affected
| Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
|---|---|---|---|---|
NON-IOS |
Unified SIP Proxy Installation Software |
9.0 |
9.0.1 |
|
NON-IOS |
Unified SIP Proxy Installation Software |
9.1 |
9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9 |
|
NON-IOS |
Unified SIP Proxy Installation Software |
Full install OVA |
10.0.0, 10.1.0, 10.2.0, 10.2.1 |
Fix is available from 10.2.1v3 release. |
Defect Information
| Defect ID | Headline |
|---|---|
| CSCvx00416 | QuoVadis root CA decommission on unified-sip-proxy |
Problem Description
For affected versions of the Cisco Unified SIP Proxy (CUSP) software, some Secure Sockets Layer (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before March 31, 2021 cannot be renewed from this CA. Once those certificates expire on devices or are removed from the Cisco cloud servers, functions such as Smart Licensing and Smart Call Home will fail to establish secure connections to Cisco and might not operate properly.
Background
The QuoVadis Root CA 2 Public Key Infrastructure (PKI) used by CUSP software to issue SSL certificates is subject to an industry-wide issue that affects revocation abilities. Due to this issue, no new QuoVadis Root CA 2 certificates will be issued or renewed by Cisco after March 31, 2021. This affects certificate renewals on devices, Cisco cloud servers, and third-party services.
Certificates issued before the QuoVadis Root CA 2 was decommissioned will continue to be valid. However, the certificates will not renew when they expire on either the device or the Cisco cloud server. This will cause functions such as Smart Licensing and Smart Call Home to fail to establish secure connections to Cisco cloud servers.
This table shows a summary of the QuoVadis Root CA 2 certificate expiration dates for affected Cisco services.
| Cisco Cloud Server | QuoVadis Certificate Expiration Date | Affected Services |
|---|---|---|
| tools.cisco.com | February 5, 2022 |
|
Problem Symptom
Expiration of the QuoVadis Root CA 2 certificates affects these services with the associated symptoms.
| Affected Services | Symptoms for Affected Services |
|---|---|
| Smart Licensing | Communication send error |
| Smart Call Home | Failure to connect to the server and the Call-Home HTTP request fails |
There are two scenarios for CUSP devices:
- Devices in the evaluation period:
- Smart Licensing will continue to function for 90 days during the evaluation period.
- Calls will start to fail once the evaluation period expires and the device is not registered to the Cisco Smart Software Manager (CSSM).
- Devices already registered with CSSM:
- If there is not a firewall rule set up to block the SSL certificate download from the Cisco website, there will be no impact.
Note: Ensure the network is able to download the certificate from http://www.cisco.com/security/pki/trs/ios_core.p7b. - If there is a firewall rule set up to block the SSL certificate download from the Cisco website, Calls will continue to function but the smart agent will fail to authorize and Failure reason would be displayed as Communication send error.
- If there is not a firewall rule set up to block the SSL certificate download from the Cisco website, there will be no impact.
For additional information, refer to the Cisco Smart Licensing Guide and the CUSP Smart Licensing Guide for your specific version of 10.x software.
For CUSP, enter the show license smart summary command in order to view the licensing status. Affected CUSP devices will show "Communication send error" in the output.
CUSP# show license smart summary Smart Agent is Enabled: true Current State of the Agent: Un-Identified Evaluation Mode: NO Registration Successful: YES Authorization Successful: NO CPS Count Requested: 10 Configured destination address: https://tools.cisco.com/its/service/oddce/services/DDCEService HTTP Proxy Address: Not Set:: Transport Mode: TransportCallHome License UDI: UC_CUSP:srBGXF15sfE Product Serial Number: srBGXF15sfE Product ID: UC_CUSP Product License Version: 10.0 Licensing State: Waiting Registration expiry period: Fri Feb 17 10:34:24 IST 2023 Latest Failure Reason String Notification: Communication send error. Auth period: Sat Mar 19 10:39:32 IST 2022
Workaround/Solution
Cisco has migrated from the QuoVadis Root CA 2 to the IdenTrust Commercial Root CA 1 for SSL certificates. For CUSP devices, upgrade to software Version 10.2.1v3 or later in order to resolve the root CA certificate issue for affected platforms.
For More Information
Cisco has created a web page to provide customers and partners with additional information on this issue. Consult the QuoVadis Root CA 2 Decommission page for a full list of products affected, associated Field Notices, and frequently asked questions.
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.
Feedback
Unleash the Power of TAC's Virtual Assistance