Who Me Too'd this topic

IOS-XE SDWAN - BIDNTVRFD (Peer Board ID Cert not verified.)

rudimocnik
Level 1

Hi

I have an ASR 1002-HX running the 16.10.3a SDWAN image. The certificates are issued by my CA and I've installed the root certificate onto the ASR with this command:

request platform software sdwan root-cert-chain install bootflash:ca.crt

The configuration has also been done manually.

Everything seems ok on the ASR side but the vBond would fail to authenticate the ASR Board ID Cert. Note the screenshot below (or the screenshot attached):

PEER     PEER     PEER             SITE        DOMAIN PEER             PRIVATE  PEER             PUBLIC                                   LOCAL      REMOTE     REPEAT               
TYPE     PROTOCOL SYSTEM IP        ID          ID     PRIVATE IP       PORT     PUBLIC IP        PORT    LOCAL COLOR      STATE           ERROR      ERROR      COUNT DOWNTIME       
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond    dtls     -                0           0      10.229.4.43      12346    10.229.4.43      12346   private1         challenge_resp  RXTRDWN    BIDNTVRFD  6     2019-10-25T13:58:28+0000
vbond    dtls     -                0           0      10.229.4.43      12346    10.229.4.43      12346   private1         connect         DCONFAIL   NOERR      1     2019-10-25T13:53:05+0000
vbond    dtls     -                0           0      10.229.4.43      12346    10.229.4.43      12346   private1         tear_down       DISTLOC    NOERR      0     2019-10-25T13:52:33+0000

Note this is the serial and SUDI (cert serial) of the ASR:

SlotID   PID                    SN                      UDI
--------------------------------------------------------------------------------
*        ASR1002-HX            JAE202107PG     ASR1002-HX:JAE202107PG
ASR1002_HX-1#show crypto pki certificates CISCO_IDEVID_SUDI
Certificate
  Status: Available
  Certificate Serial Number (hex): 00DBFCD6
  Certificate Usage: General Purpose
  Issuer: 
    cn=ACT2 SUDI CA
    o=Cisco
  Subject:
    Name: ASR1002-HX
    Serial Number: PID:ASR1002-HX SN:JAE202107PG
    cn=ASR1002-HX
    ou=ACT-2 Lite SUDI
    o=Cisco
    serialNumber=PID:ASR1002-HX SN:JAE202107PG
  Validity Date: 
    start date: 03:46:34 UTC Jun 10 2016
    end   date: 03:46:34 UTC Jun 10 2026
  Associated Trustpoints: CISCO_IDEVID_SUDI 

The numbers marked in red above have been used to provision PnP and were pushed to the controllers via vManage. See the vBond output below.

vbond# show orchestrator valid-vedges

CHASSIS NUMBER                        SERIAL NUMBER                     VALIDITY  ORG  
---------------------------------------------------------------------------------------
AE5DCE9E-99F8-6811-4E1E-A7B5C1D43231  36ff53c80e74bf107f2f1ec95099f1b8  valid     SRC  
AEACAC9D-B733-4123-ACD8-8CCCC43702E7  a16de99334f89c6577898597ee4fd570  valid     SRC  
ASR1002-HX-JAE202107PG                00DBFCD6                          valid     SRC  
ASR1002-HX-JAE22340EL4                JAE22340EL4                       valid     SRC  

The above is the output from the vBond as proof that it indeed knows the ASR that is trying to authenticate. Am I using the wrong numbers? I've read that SUDI and chassis numbers are not always as in my case.

Any ideas?

Rud
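
Added example (not part of Rud's post or Cisco's tooling): a small Python check that parses the three outputs quoted above, cross-checks the SUDI PID/SN and certificate serial against the vBond valid-vedges list, and picks out control-connection rows that report BIDNTVRFD. It assumes the column layout shown in the post; the embedded inputs are constructed from the quoted output.

```python
import re
# Constructed sample inputs, transcribed from the outputs quoted in the post.
SUDI_SHOW = """\
  Certificate Serial Number (hex): 00DBFCD6
    serialNumber=PID:ASR1002-HX SN:JAE202107PG
"""
VALID_VEDGES = """\
CHASSIS NUMBER                        SERIAL NUMBER                     VALIDITY  ORG
---------------------------------------------------------------------------------------
ASR1002-HX-JAE202107PG                00DBFCD6                          valid     SRC
ASR1002-HX-JAE22340EL4                JAE22340EL4                       valid     SRC
"""
CONTROL_CONN = """\
vbond  dtls  -  0  0  10.229.4.43  12346  10.229.4.43  12346  private1  challenge_resp  RXTRDWN   BIDNTVRFD  6  2019-10-25T13:58:28+0000
vbond  dtls  -  0  0  10.229.4.43  12346  10.229.4.43  12346  private1  connect         DCONFAIL  NOERR      1  2019-10-25T13:53:05+0000
"""

def parse_sudi(text):
    """Return (chassis_number, cert_serial); vBond lists the chassis as PID-SN."""
    serial = re.search(r"Certificate Serial Number \(hex\): (\S+)", text).group(1)
    m = re.search(r"serialNumber=PID:(\S+) SN:(\S+)", text)
    return f"{m.group(1)}-{m.group(2)}", serial.upper()

def parse_valid_vedges(text):
    """Map chassis number -> (serial, validity), skipping the header rows."""
    entries = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 4 and parts[2] in ("valid", "invalid", "staging"):
            entries[parts[0]] = (parts[1].upper(), parts[2])
    return entries

def check_board_id(sudi_text, vedges_text):
    """Cross-check the router's SUDI identity against the vBond allow-list.
    Returns a list of findings; an empty list means the entries line up."""
    chassis, serial = parse_sudi(sudi_text)
    entries = parse_valid_vedges(vedges_text)
    if chassis not in entries:
        return [f"chassis {chassis} not present in valid-vedges"]
    listed_serial, validity = entries[chassis]
    findings = []
    if listed_serial != serial:
        findings.append(f"serial mismatch: SUDI {serial} vs vBond {listed_serial}")
    if validity != "valid":
        findings.append(f"chassis {chassis} marked {validity}")
    return findings

def bidntvrfd_peers(control_text):
    """Return (peer_type, peer_public_ip, state) for rows whose LOCAL or REMOTE ERROR is BIDNTVRFD."""
    hits = []
    for parts in (line.split() for line in control_text.splitlines()):
        if len(parts) >= 15 and "BIDNTVRFD" in parts[11:13]:
            hits.append((parts[0], parts[7], parts[10]))
    return hits
```

An empty result from check_board_id means the allow-list entry is not the problem, which points the investigation at the certificate chain (root-cert-chain install, vBond's trust of the ACT2 SUDI CA) rather than at the serial numbers.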
