Troubleshooting
Problem
After upgrading the firmware on a Brocade switch to 9.1.1d2, the switch status may change to MARGINAL due to expired certificates.
Symptom
The raslog messages indicate that the switch has expired certificates:
2024/09/21-20:31:58 (EDT), [MAPS-1003], 74978, SLOT 1 | FID 128, WARNING, Chassis, Condition=CHASSIS(EXPIRED_CERTS/NONE>0), Current Value:[EXPIRED_CERTS, 6 certs], RuleName=defCHASSISCERTS_EXPIRED, Dashboard Category=Security Violations, Quiet Time=None.
2024/09/21-20:31:58 (EDT), [MAPS-1021], 74979, SLOT 1 | FID 128, WARNING, RuleName=defCHASSISCERTS_EXPIRED, Condition=CHASSIS(EXPIRED_CERTS/NONE>0), Obj:Chassis [EXPIRED_CERTS,6 certs] has contributed to switch status MARGINAL.
2024/09/21-20:31:58 (EDT), [MAPS-1021], 74980, SLOT 1 | FID 128, WARNING, RuleName=defCHASSISHA_SYNC_0, Condition=CHASSIS(HA_SYNC/NONE==0), Obj:Chassis [HA_SYNC,0] has contributed to switch status MARGINAL.
2024/09/21-20:31:58 (EDT), [MAPS-1020], 74981, SLOT 1 | FID 128, WARNING, Switch wide status has changed from HEALTHY to MARGINAL.
However, when executing the command seccertmgmt show -cert --all, no expired certificates are shown.
This discrepancy is caused by MAPS (Monitoring and Alerting Policy Suite) referencing old expired certificates after the Fabric OS (FOS) upgrade.
Cause
The issue arises because the MAPS database continues to refer to outdated certificates that were present before the firmware upgrade, even if those certificates are no longer valid or present in the system.
Resolving The Problem
The current workaround is to refresh the MAPS database by toggling the active MAPS policy on the switch. This involves enabling one of the default policies and then reactivating the current policy. Doing so will refresh the MAPS database and resolve the issue.
Steps to Resolve the Issue
1. Enable a Default MAPS Policy: To enable one of the default policies, use the following command:
mapspolicy --enable dflt_conservative_policy
This command activates the dflt_conservative_policy, temporarily switching the active policy.
2. Reactivate the Current Customized Policy: After enabling the default policy, reactivate your current policy using the following command:
mapspolicy --enable FOSv90x_Director
Replace FOSv90x_Director with the name of your customized policy if it is different.
Once the above steps are completed, the MAPS database will be refreshed, and the switch status should revert to HEALTHY if there are no other issues present. The expired certificates warning should also be cleared from the logs.
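A way to triage an exported raslog for this symptom, as an added example that is not IBM's or Brocade's tooling: it parses the MAPS-1021 and MAPS-1020 lines shown under Symptom and lists which rules contributed to MARGINAL, separating the certificate rule from any others. The field layout is assumed from the four sample lines on this page, and entries repeating the same timestamp and sequence number are assumed to be duplicates.

```python
import re

# Sample raslog lines copied from the Symptom section of this page.
SAMPLE = """\
2024/09/21-20:31:58 (EDT), [MAPS-1003], 74978, SLOT 1 | FID 128, WARNING, Chassis, Condition=CHASSIS(EXPIRED_CERTS/NONE>0), Current Value:[EXPIRED_CERTS, 6 certs], RuleName=defCHASSISCERTS_EXPIRED, Dashboard Category=Security Violations, Quiet Time=None.
2024/09/21-20:31:58 (EDT), [MAPS-1021], 74979, SLOT 1 | FID 128, WARNING, RuleName=defCHASSISCERTS_EXPIRED, Condition=CHASSIS(EXPIRED_CERTS/NONE>0), Obj:Chassis [EXPIRED_CERTS,6 certs] has contributed to switch status MARGINAL.
2024/09/21-20:31:58 (EDT), [MAPS-1021], 74980, SLOT 1 | FID 128, WARNING, RuleName=defCHASSISHA_SYNC_0, Condition=CHASSIS(HA_SYNC/NONE==0), Obj:Chassis [HA_SYNC,0] has contributed to switch status MARGINAL.
2024/09/21-20:31:58 (EDT), [MAPS-1020], 74981, SLOT 1 | FID 128, WARNING, Switch wide status has changed from HEALTHY to MARGINAL.
"""

# Layout assumed from the sample lines: timestamp (TZ), [MSG-ID], sequence, remainder.
HEADER = re.compile(r"^(?P<ts>\S+) \((?P<tz>\w+)\), \[(?P<id>MAPS-\d+)\], (?P<seq>\d+), (?P<rest>.*)$")
CONTRIB = re.compile(r"RuleName=(?P<rule>\w+), Condition=\w+\((?P<metric>\w+)/.*?\), "
                     r"Obj:.*? has contributed to switch status (?P<status>\w+)\.")
CHANGE = re.compile(r"Switch wide status has changed from (?P<old>\w+) to (?P<new>\w+)\.")

def triage(raslog_text):
    """Return (status transitions, rules that contributed to each status)."""
    contributors, transitions, seen = {}, [], set()
    for line in raslog_text.splitlines():
        m = HEADER.match(line.strip())
        # Skip non-MAPS lines and repeats of an entry already counted.
        if not m or (m["ts"], m["seq"]) in seen:
            continue
        seen.add((m["ts"], m["seq"]))
        if m["id"] == "MAPS-1021" and (c := CONTRIB.search(m["rest"])):
            contributors.setdefault(c["status"], []).append((c["rule"], c["metric"]))
        elif m["id"] == "MAPS-1020" and (c := CHANGE.search(m["rest"])):
            transitions.append((m["ts"], c["old"], c["new"]))
    return transitions, contributors

def other_contributors(contributors, status="MARGINAL", cert_metric="EXPIRED_CERTS"):
    """Contributing rules other than the certificate rule, to be reviewed separately."""
    return [rule for rule, metric in contributors.get(status, []) if metric != cert_metric]

if __name__ == "__main__":
    transitions, contributors = triage(SAMPLE)
    print(transitions, contributors, other_contributors(contributors), sep="\n")
```

In the page's sample, defCHASSISHA_SYNC_0 is also listed as a contributor, so check it separately if the status stays MARGINAL after the policy toggle.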
Document Location
Worldwide
Document Information
Modified date:
20 March 2025
UID
ibm17172959