Upgrading to Cisco Expressway 14.2.6 and Smart Licensing: A Comprehensive Guide

I recently performed a software upgrade on our Cisco Expressway from version 14.0.x to 14.2.6 (N-1 version).


Recent edit on 12 June – Please upgrade to 14.3.0 instead, using the same method. CVE-2023-20105 and CVE-2023-20192 are fixed in 14.3.0.

Pre-Requisites

  • ESXi Requirements – From the X14.2 release, ESXi 7.0 Update 3, ESXi 7.0 Update 3c, and ESXi 7.0 Update 3d are supported.
  • Cisco Expressway Release X14.2 and later only supports Smart Licensing and is capped at 2500 encrypted signalling sessions to endpoints.

Major Features and Changes in X14.2.6

  • Traffic Server Enforces Certificate Verification – The Certificate Authority (CA) which signed the Expressway-C certificate must be added to the Tomcat-trust and CallManager-trust list of Cisco Unified Communications Manager (UCM), even if the UCM is in non-secure mode.
  • TLS Verification Mode – Cisco has enabled server certificate verification by default for communication between VCS (ATS) and CUCM/CUP/JabberGuest/UNITY/CMS. When you upgrade to release 14.2, the CA that signed the CUCM/CUP/JabberGuest/UNITY/CMS server certificate must be present in the VCS CA trust store. You can disable it if you want, using the xConfiguration EdgeConfigServer VerifyOriginServer: OFF/ON setting.
  • It also includes changes in the trafficserver behaviour (bug ID CSCwc69661 refers) that can lead to MRA failures – see here.
  • Security Enhancements – Much of this is behind the scenes.
  • DOS Protection for TrafficServer.
  • Approved Cryptographic Primitives and Parameters.
  • Cipher Preferences – ECDSA Cipher Preference Over RSA.
  • TLS 1.3 Support.
  • Enabling or Disabling CDB API Access – Considering the security of the Expressway product, access to the CDB API has been disabled by default.
  • Reducing Email Notifications – Only applies if you have email notifications on. If the same alarm is raised two or more times within an hour, emails will be sent only once. If the same alarm gets lowered and raised again, an email will be sent, regardless of the time passed.

If you are upgrading from version 12.x or earlier, I highly recommend checking out this table:

You can find additional details in the official release notes here.

Pre-upgrade tasks

  • Backup and VM snapshot – You should take a backup before upgrading. If something goes wrong and you rebuild the Expressway, you can restore from the backup (you may have to redo the licensing if the serial number changes). When you restore a backup made on a different Expressway, you receive a warning message, but you will be allowed to continue.

    VM Snapshot can be useful to revert to the old state. It even preserves the serial number so you don’t have to redo the licensing.

  • Note any active alarms: Post-upgrade, this will help you distinguish between old and new issues.
  • Maybe take a screenshot of current licenses if you aren’t using Smart licensing.
  • Complete the pre-requisites mentioned above.
  • Prepare a detailed test plan.

Be very careful with the change to Smart Licensing. Once enabled, it cannot be reversed without a factory reset. Having backups and VM snapshots will be very useful in this case.

You may have a 90-day grace period if Smart Licensing does not work.

Before enabling Smart Licensing (assuming you’re using an On-Prem CSSM), check the following points:

  • Connectivity on both sides (Expressway – CSSM), including DNS resolution of the CSSM name.
    • DNS in DMZ – If your Exp-E has a public DNS server configured, or the DNS server in your DMZ doesn’t resolve internal records for some reason, and you want to use a specific DNS server (which must be reachable, obviously) just for a specific domain, use the Per-domain DNS servers option in the DNS configuration.
  • From Expressway to CSSM, HTTPS (443) should be allowed; the source port range is ephemeral (30000–35999). Ensure this for Exp-E as well.
  • As the CSSM URL is HTTPS, if you are using a different PKI on CSSM than on Expressway (for example, the Exp-E certificate is signed by a public CA but internal server certificates are signed by an internal CA), ensure that the root CA/sub-CA certificate that signed the CSSM certificate is in the trusted CA list of the Expressway.
  • Notice the extra Save button when you update the CSSM on-prem URL.
  • CSSM internal Docker subnet conflict with 172.17.x.x. I don’t know why Cisco didn’t use APIPA subnets from the beginning. See this post on how to change the subnet in CSSM, or get help from Cisco TAC.
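The three connectivity points above (DNS resolution, HTTPS on 443, and the CSSM CA being in the Expressway trust store) can be checked from a jump host before you flip the licensing switch. The script below is an added example, not from the original post or from Cisco; it assumes you run it from the same network segment as the Expressway (the DMZ for Exp-E), that CSSM_HOST is a placeholder for your on-prem CSSM FQDN, and that CA_BUNDLE is the PEM chain you have uploaded to the Expressway trusted CA list.

```shell
#!/bin/sh
# Pre-flight check for the Expressway -> on-prem CSSM path (added example, not page code).
# CSSM_HOST is a placeholder for your CSSM FQDN; CA_BUNDLE is the PEM chain loaded on Expressway.
CSSM_PORT="${CSSM_PORT:-443}"
CA_BUNDLE="${CA_BUNDLE:-./expressway-trusted-cas.pem}"

# DNS: the CSSM name must resolve from this segment (use Per-domain DNS servers on the
# Expressway if the name is only known to a specific internal DNS server).
check_dns() { getent hosts "$1" >/dev/null 2>&1; }

# TLS: connect on 443 using the Expressway trust store and capture the OpenSSL transcript.
# A nonzero exit here usually means the firewall blocks 443 or the name did not resolve.
tls_transcript() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>&1
}

# Pure helpers over the transcript, so the verdict can be tested without a live connection.
# verify_ok succeeds only when OpenSSL validated the CSSM chain against CA_BUNDLE.
verify_ok() { printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'; }
# verify_reason returns the code and text, e.g. "20 (unable to get local issuer certificate)",
# which is what you see when the CA that signed the CSSM cert is missing from the trust store.
verify_reason() { printf '%s\n' "$1" | sed -n 's/.*Verify return code: //p' | head -n 1; }

run_checks() {
    host="$1"
    if check_dns "$host"; then
        echo "DNS    : $host resolves"
    else
        echo "DNS    : FAIL, $host does not resolve from here"; return 1
    fi
    out="$(tls_transcript "$host" "$CSSM_PORT" "$CA_BUNDLE")" || {
        echo "TCP/TLS: FAIL, cannot reach $host:$CSSM_PORT (check the 443 rule)"; return 1; }
    if verify_ok "$out"; then
        echo "PKI    : CSSM certificate chains to a CA in $CA_BUNDLE"
    else
        echo "PKI    : FAIL, $(verify_reason "$out"); add the issuing root/sub-CA to the trust store"
        return 1
    fi
}

# Live run only when a host is given, e.g.  CSSM_HOST=cssm.example.internal sh cssm-precheck.sh
if [ -n "${CSSM_HOST:-}" ]; then run_checks "$CSSM_HOST"; fi
```

Run it once from the internal segment for Exp-C and once from the DMZ for Exp-E, since the DNS and firewall paths differ.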

Upgrading Expressway Software

There are 3 options:

  • Web interface
  • SCP
  • API

    See more details here on how to upgrade.

Using the web interface, the steps are very easy.

I hope this helps. If you have any feedback or questions, please let me know in the comment section or fill in feedback on the home page. You can also ping me on LinkedIn.
