Cisco IOS/IOS-XE FN: 70489

Photo of a bug on a leaf by Jimmy Chan from Pexels

On December 17th, 2019, Cisco released a Field Notice that could ruin a lot of people’s holiday vacations. The Field Notice says that any IOS device prior to 15.6(03)M07, 15.7(03)M05, 15.8(03)M03, or 15.9(03)M; and IOS-XE prior to 16.9.1 has a bug with the self-signed certificate. The bug is that they are set to expire on 1/1/2020 and if you don’t do something before 1/1/2020 you won’t be able to generate a new certificate. I highly recommend reading the full Field Notice for exact IOS/IOS-XE versioning.

Most switches will not have an issue as the certificate is generally used only for the web interface. However, some devices use it for other services like wireless APs running IOS (FN63942) and voice gateways (encrypted voice). Time to go check before you open that egg nog.

UPDATE: I can personally attest that Cisco’s 3850s running in converged access for wireless do NOT use this certificate for the CAPWAP DTLS.