3 out of 20 ACE module contexts in cold state - Certificates are identical on both ACEs

Sahmad1983
Level 1

Hi

I have just brought an ACE module back online after it lost its configuration, but some FT groups have ended up in cold state after the primary ACE failed to replicate the configs. I understand FT groups go into cold state when keys and certificates are not replicated.

I have checked the certificates and keys on both modules using "sh crypto files" under the ADMIN context and they are identical.

One thing I have noticed, however, is that when I check crypto files on the primary ACE in USER contexts that have replicated correctly, I CANNOT see any certificate files held locally, but when I check certificates on the affected (cold state) contexts, they have local certificates which are visible only on the primary ACE user contexts. It seems as though the contexts that have not replicated correctly are the ones with local certificates, whereas the other contexts are using global certificates...

I have tried to export a local certificate from a user context on the primary ACE to a TFTP server so I can import it locally on a context on the secondary ACE, but it seems as though I can only tftp from the admin context, not from a user context. Is that normal?

I have also tried to reload the ACE, but the same contexts seem to end up in cold state.

Could anyone advise why certain FT groups are in cold state when the ADMIN certificates are identical on both ACEs?

Could the local certificates on the user contexts be the issue?

ADMIN context certificates

Primary/Admin# sh crypto files
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
cisco-sample-cert                        1082  PEM     Yes        CERT
cisco-sample-key                         887   PEM     Yes         KEY

secondary/Admin# sh crypto files
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
cisco-sample-cert                        1082  PEM     Yes        CERT
cisco-sample-key                         887   PEM     Yes         KEY

USER context (cold state) certificates

I can see local crypto files on the primary ACE in the affected USER CONTEXT (COLD STATE), but I cannot see any local files in the secondary user context. These local crypto files are only held on the contexts that are in cold state for some reason...

Primary/07-xxx# sh crypto files
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
*****-CERT                               2801  PEM     Yes        CERT
******-KEY                               1708  PEM     Yes         KEY
VerisignCA                               834   PEM     Yes        CERT
VerisignIntermediate                     1728  PEM     Yes        CERT

secondary/07-xxx# sh crypto files
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------

4 Replies

gaursin2
Level 1

Hi,

Every user context must have identical SSL files to be in sync and in the FT hot state (not only Admin). So you have to import the missing files into the desired user context.

Also, you can transfer files from every user context; if it's not working on your ACE, check connectivity between the user context interface and the TFTP server.

Hi Gaurav,

Sorry for the late reply. Yes, I worked on it last week and it was the missing SSL files on the 3 contexts that were causing them to go into cold state. The person who designed it has left the company, so I am not sure why only these 3 contexts are configured for separate certificates under user contexts. It's strange because all the other contexts are using the Admin certificate.

I transferred the certificates between user contexts by using crypto import/export terminal, then copied and pasted them. I don't think it is possible to tftp directly to or from a user context; connectivity to the TFTP server is OK, as I can copy from the admin context.

Anyway, it's all up now, so I need to switch traffic back to the primary. I am planning to do this by increasing the peer value. Once the value has been increased, would the traffic switch over automatically, or would I need to disable and re-enable auto sync?

If your state is Standby_HOT then there is no need to re-enable auto-sync.

Also, I am sure that you can download files using tftp from a user context, but anyway, you have done that.

Surfraz,

Next time you need to import/export certs you can do the following:

How to export a cert/key:

#crypto export xxxx-CERT terminal
#crypto export xxxx-KEY terminal

You should see the certificate/key printed there; then you can just copy it from the screen.

How to import a cert/key:

You can just do the following: type the command below and paste the certificate, which you previously saved in .txt format so you can copy and paste it on the CLI. This is easier and faster than TFTP/FTP, etc.

# crypto import terminal xxxx-CERT
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN CERTIFICATE-----
MIIFOzCCBCOgAwIBAgIQX9yPyHR0J29xwzSU7adXpDANBgkqhkiG9w0BAQUFADCB
yzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTAwLgYDVQQL
EydGb3IgVGVzdCBQdXJwb3NlcyBPbmx5LiAgTm8gYXNzdXJhbmNlcy4xQjBABgNV
BAsTOVRlcm1zIG9mIHVzZSBhdCBodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3Bz
L3Rlc3RjYSAoYykwOTEtMCsGA1UEAxMkVmVyaVNpZ24gVHJpYWwgU2VjdXJlIFNl
cnZlciBDQSAtIEcyMB4XDTA5MTAxNjAwMDAwMFoXDTA5MTAzMDIzNTk1OVowgZMx
CzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdGbG9yaWRhMRAwDgYDVQQHFAdPcmxhbmRv
MQ4wDAYDVQQKFAVDaXNjbzE6MDgGA1UECxQxVGVybXMgb2YgdXNlIGF0IHd3dy52
ZXJpc2lnbi5jb20vY3BzL3Rlc3RjYSAoYykwNTEUMBIGA1UEAxQLbnNzc2l0ZS5j
b20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKc1XpSuUXra5VWQlgmF0d/G
HcbmcyiOEEI7V2w7QzAoMIGvKrxi8AqTIDkLrMHus/4dIO8RcpU1boQ3aTj7CelH
aFufJWVAooQvrc5RvEVE/CXaI3YJXEVJoj7+Duid1mREoII5ckLFFoMLeT+UMYQ1
JTA0vj7A/y+wzt+a1npVAgMBAAGjggHTMIIBzzAJBgNVHRMEAjAAMAsGA1UdDwQE
AwIFoDBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vU1ZSVHJpYWwtRzItY3JsLnZl
cmlzaWduLmNvbS9TVlJUcmlhbEcyLmNybDBKBgNVHSAEQzBBMD8GCmCGSAGG+EUB
BxUwMTAvBggrBgEFBQcCARYjaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2Nwcy90
ZXN0Y2EwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaA
FCgXE4q91qK13AYst7aO2hBmYG7lMHQGCCsGAQUFBwEBBGgwZjAkBggrBgEFBQcw
AYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMD4GCCsGAQUFBzAChjJodHRwOi8v
U1ZSVHJpYWwtRzItYWlhLnZlcmlzaWduLmNvbS9TVlJUcmlhbEcyLmNlcjBuBggr
BgEFBQcBDARiMGChXqBcMFowWDBWFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBRL
a7kolgYMu9BSOJsprEsHiyEFGDAmFiRodHRwOi8vbG9nby52ZXJpc2lnbi5jb20v
dnNsb2dvMS5naWYwDQYJKoZIhvcNAQEFBQADggEBABcxsKhLMZvRapQllMtlklWm
RFGbAq2BWPwAvJdDOshHSPO03QLyxRv5wLFCnoE8a354ViydGQeZCxcx8751qJ8v
DxMpB9PXjrT97yRQCHuoLI79AVQQcQBBzxYLDRsC15SByYkvByfK7DKqQR1qG4DS
qzBRFWXuHQU5/SsB5P6LmP3ZWFKvASJuWp/i1qrwpMo/oMtEIrKRqDlEk0SNgTVn
tKwUrbgknkFPZhNwSaaFVgxvuNTxOlSMDU5gi+MLqwGn1GCeDajLyO1tR8AKZk1p
Gg3D7AhDgdE0opMwsetzoS0jX4tFJ7JawdPfVRpNUplY9GRRqbzoTZBpedm4Kcs=
-----END CERTIFICATE-----
quit
#

For HA in the ACEs you are required to make sure you match:

- certificates and keys
- licenses
- remove any existing core dump/crash file (ACE can detect this as a difference)
- make sure both devices run the same version

Then you can disable/enable FT and that should do the trick!

Hope this helps!

Jorge
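The thread's diagnosis rests on two checks: which files each context lists in "show crypto files", and whether the files that have the same name on both ACEs really hold the same bytes. The listing only shows name, size, type and exportability, so after re-importing a file the way Jorge describes, the honest way to confirm the two sides match is to compare a hash of the decoded PEM that "crypto export <name> terminal" prints on each context. The Python below is an added example written for this page; it is not code from the thread, from the poster or from Cisco. It works on text you paste into it: two "show crypto files" listings and two terminal exports. The listings, the file names (site-CERT, site-KEY) and the PEM payloads are constructed placeholders modelled on the thread's output, not real captures or real certificates. It also flags files the primary marks as non-exportable, since those cannot be copied off the primary with "crypto export" and have to be re-imported from the original source.

```python
"""Compare the SSL files of two ACE contexts before expecting the FT group to go hot.

Added example, not code from the thread or from Cisco. Inputs are text pasted from
'show crypto files' and from 'crypto export <name> terminal' on each context.
"""
import base64
import hashlib
import re

# Constructed sample listings modelled on the thread's output (not real captures).
# 'site-KEY' is shown as non-exportable on purpose, to exercise that check.
PRIMARY_LISTING = """\
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
site-CERT                                2801  PEM     Yes        CERT
site-KEY                                 1708  PEM     No          KEY
VerisignCA                               834   PEM     Yes        CERT
VerisignIntermediate                     1728  PEM     Yes        CERT
"""

SECONDARY_LISTING = """\
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
site-CERT                                2801  PEM     Yes        CERT
"""

# One data row: name, size, type, Exportable (Yes/No), Key/Cert. Header and
# separator lines do not match because their second column is not numeric.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(Yes|No)\s+(CERT|KEY)\s*$")


def parse_listing(text):
    """Map filename -> attributes for each data row of 'show crypto files'."""
    files = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, size, ftype, exportable, kind = m.groups()
            files[name] = {"size": int(size), "type": ftype,
                           "exportable": exportable == "Yes", "kind": kind}
    return files


def diff_listings(primary_text, secondary_text):
    """Report what differs between the two contexts' crypto file listings."""
    p, s = parse_listing(primary_text), parse_listing(secondary_text)
    missing = sorted(set(p) - set(s))
    return {
        "missing_on_secondary": missing,
        "missing_on_primary": sorted(set(s) - set(p)),
        # Same name but a different size is almost certainly a different file.
        "size_mismatch": sorted(n for n in set(p) & set(s)
                                if p[n]["size"] != s[n]["size"]),
        # These cannot be pulled off the primary with 'crypto export ... terminal';
        # they must be re-imported from wherever they were originally obtained.
        "missing_and_not_exportable": [n for n in missing if not p[n]["exportable"]],
    }


# A PEM block as printed by 'crypto export <name> terminal'.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_fingerprints(text):
    """(label, SHA-256 of the decoded DER) for every PEM block in text, in order.

    Hashing the decoded bytes makes the comparison independent of line wrapping
    and trailing whitespace, which vary with how the PEM was copied off the screen.
    """
    result = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        der = base64.b64decode("".join(body.split()))
        result.append((label, hashlib.sha256(der).hexdigest()))
    return result


def same_content(pem_a, pem_b):
    """True when both exports decode to identical blocks; name and size alone prove nothing."""
    fa = pem_fingerprints(pem_a)
    return bool(fa) and fa == pem_fingerprints(pem_b)


def _pem(label, payload, width):
    """Wrap constructed bytes as a PEM block with the given line width."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed payloads standing in for DER; they are not real certificates.
SAMPLE_CERT_64 = _pem("CERTIFICATE", b"constructed sample cert bytes" * 4, 64)
SAMPLE_CERT_76 = _pem("CERTIFICATE", b"constructed sample cert bytes" * 4, 76)  # same bytes, re-wrapped
OTHER_CERT = _pem("CERTIFICATE", b"a different constructed certificate", 64)


if __name__ == "__main__":
    print(diff_listings(PRIMARY_LISTING, SECONDARY_LISTING))
    print("re-wrapped export identical:", same_content(SAMPLE_CERT_64, SAMPLE_CERT_76))
    print("different export identical:", same_content(SAMPLE_CERT_64, OTHER_CERT))
```

Run it against real pastes by replacing the constructed listings and exports; the first report is what the original poster needed (three files present on the primary context and absent on the secondary), and the fingerprint check is the step to run after each "crypto import terminal" before disabling and re-enabling FT, since a paste that lost a line will import as a different file of roughly the same size.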
