Field Notice: FN - 72502 - Secure Web, Secure Management, and Secure Email Virtual Appliances Might Not Receive Updates After January 13, 2023 - Configuration Change Recommended

Available Languages

Updated:November 14, 2022

Document ID:FN72502

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	04-Nov-22	Initial Release

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number
NON-IOS	AsyncOS for Content Security Management Appliance (SMA)	14	14.0.0, 14.1.0, 14.2.0
NON-IOS	AsyncOS for Content Security Management Appliance (SMA)	13	13.0.0, 13.6.2, 13.8.1
NON-IOS	AsyncOS for Secure Email	14	14.0.0, 14.2.0
NON-IOS	AsyncOS for Secure Email	13	13.5.1, 13.5.3
NON-IOS	AsyncOS for WSA	12	12.0.1, 12.0.1 GD, 12.0.3, 12.0.4, 12.0.5, 12.5.1, 12.5.1 GD, 12.5.2, 12.5.3, 12.5.4, 12.5.5
NON-IOS	AsyncOS for WSA	14	14.0.1 GD, 14.0.1 LD, 14.0.2, 14.0.3, 14.1.0, 14.5.0, 14.5.0(GD)
NON-IOS	AsyncOS for Content Security Management Appliance (SMA)	11	11.0.1, 11.5.1
NON-IOS	AsyncOS for Content Security Management Appliance (SMA)	12	12.0.0, 12.0.1, 12.5.0, 12.8.1
NON-IOS	AsyncOS for Secure Email	11	11.0.0, 11.0.3, 11.1.0
NON-IOS	AsyncOS for Secure Email	12	12.0.0, 12.1.0, 12.5.0, 12.5.3

Defect Information

Defect ID	Headline
CSCwd34020	ESA Virtual Devices Requiring VLN Recreation
CSCwd34183	WSA Virtual Devices Requiring VLN Recreation
CSCwd34196	SMA Virtual Devices Requiring VLN Recreation

Problem Description

All Secure Web, Secure Management, and Secure Email virtual appliances that use the traditional Virtual License Number (VLN) certificate file with certificates created prior to December 15, 2021 that expire after January 13, 2023 will need an updated VLN file that contains a new certificate to avoid disruption to updates and upgrades.

Background

Traditional VLN certificate files include a certificate created by Talos Keymaster for access to updates and upgrades. The old Keymaster certificate authority (CA) will expire on January 13, 2023.

VLN certificate files with certificates issued prior to December 15, 2021, with a validity of more than 12 months, must be renewed and applied prior to January 13, 2023.

Problem Symptom

Engine updates and AsyncOS upgrades for affected Cisco Secure Web, Secure Management, and Secure Email virtual appliances will fail after January 13, 2023 with this error in the updater_logs subscription:

"Dynamic manifest fetch failure: Failed to authenticate with manifest server"

A negative effect on efficacy is experienced when the virtual appliance can no longer receive upgrades and updates.

Workaround/Solution

In order to resolve this issue, an updated VLN certificate file must be applied to each affected virtual appliance.

In order to obtain an updated VLN certificate file, contact the Cisco Systems Technical Assistance Center (TAC). The new VLN certificate file must be applied to each impacted appliance. See the "Load Virtual License onto Your Appliance" section of Best Practices for Virtual ESA, Virtual WSA, or Virtual SMA Licenses.

How To Identify Affected Products

Note: The issue is not AsyncOS specific. It impacts all versions that use a VLN certificate file that was made by the older Talos Keymaster CA.

Perform these steps in order to determine if your virtual appliance is affected.

Note: These steps must be performed on each individual virtual appliance.

Log in to the CLI of your appliance.
Enter the showlicense command and press Enter.
If the begin_date reads December 14, 2021 or earlier, the virtual appliance is affected.

An example CLI output that shows an affected appliance is shown here:

vWSA-com> showlicense

Virtual License

===============

vln                      VLNWSA12345678

begin_date               Fri  Dec 10 16:29:37 2021 GMT

end_date                 Fri Apr 07 16:29:36 2023 GMT

company                  Cisco Systems - Email:youremail.com

seats                    1

serial                   600274

email                    youremail.com

issue                    964c117725d842fcbd7bcd904f4d0ce3

license_version          1.1

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)