05-22-2020 12:52 PM
Software version 19.2.2.
I'm following https://codingpackets.com/blog/cisco-sdwan-self-hosted-lab-part-2/ to add vBond and vSmart.
I went to vManage > Configuration > Devices > Controllers > Add Controller and entered vBond's VPN 0 IP and credentials. vBond was added, but it was not in sync.
When I tried to view vBond running configuration from the device list, I saw a message "[vmanagedb] No system ip found for uuid 90f39711-0829-4cd7-8186-e3072299b4d8".
Troubleshooting steps performed:
1) Reviewed the vBond configuration and made sure system-ip was configured.
2) Deleted vBond from the device list and re-added it. I purposely entered a wrong credential and got the message "authentication failed". This means vManage was actually communicating with vBond to do authentication.
3) Rebooted vBond.
vBond configuration:
system
 host-name vBond1
 system-ip 1.1.1.2
 site-id 1
 admin-tech-on-failure
 no route-consistency-check
 organization-name "SD-WAN Lab 2020"
 vbond 100.64.1.12 local vbond-only
 aaa
  auth-order local radius tacacs
  usergroup basic
   task system read write
   task interface read write
  !
  usergroup netadmin
  !
  usergroup operator
   task system read
   task interface read
   task policy read
   task routing read
   task security read
  !
  usergroup tenantadmin
  !
  user admin
   password $6$efEnkVadlbJFXysS$Nj4BiImulNcVIk.Zqo2pv4zKsYwkwwViWE6K78rs4lDsKOuMuUI2LtorDHU5SfRRGNdcgd1u0uJydGAVg.KpR1
  !
 !
 logging
  disk
   enable
  !
 !
!
omp
 no shutdown
 graceful-restart
 advertise connected
 advertise static
!
security
 ipsec
  authentication-type ah-sha1-hmac sha1-hmac
 !
!
vpn 0
 interface ge0/0
  ip address 100.64.1.12/24
  no shutdown
 !
!
vpn 512
 interface eth0
  ip address 192.168.21.12/24
  no shutdown
 !
!
05-22-2020 01:19 PM
OK, I seem to have fixed the problem, but I don't quite understand why.
I carefully reviewed https://codingpackets.com/blog/cisco-sdwan-self-hosted-lab-part-2/. When adding vBond to vManage, VPN0 interfaces *need* to be in the following combination?
1) vManage VPN0 interface needs to have "tunnel-interface" (enable control plane).
2) vBond VPN0 interface needs to have "no tunnel-interface" (disable control plane).
After vBond was successfully added, I then went to the vBond CLI to add "tunnel-interface" to VPN0 (enable control plane). Can someone explain why it has to be this way?
09-30-2023 01:32 AM
Hi,
When adding vBond to vManage, vManage needs to establish a NETCONF connection to vBond. By default, the vBond interface is configured with tunnel-interface; this will lock down the interface and also prevent incoming NETCONF connections from vManage, and the DTLS tunnel will not be established (if you just leave the tunnel-interface command under the vBond VPN0 interface without additional config).
Therefore, to successfully add the vBond to vManage, you can do one of the following:
Option 1: Disable the tunnel-interface on the vBond VPN0 interface, then add the vBond to vManage, provision the vBond certificate, then enable the tunnel-interface again on the vBond VPN0 interface (add encapsulation ipsec and allow-service all). Adding the tunnel-interface on the vBond VPN0 interface will allow the DTLS tunnel to be established between vManage and vBond because we have added allow-service all.
Option 2: From the beginning, add tunnel-interface on the vBond VPN0 interface (by default it is added), but also add encapsulation ipsec and allow-service all. Then add the vBond to vManage (this will work because you allow-service all) and provision the vBond certificate. The DTLS tunnel can now be established between vManage and vBond.
Ali
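As an added example (mine, not code from the thread, from Cisco, or from the linked blog), here is a small Python check that parses an indented Viptela-style config like the one in the first post and reports, for each VPN 0 interface, whether the tunnel-interface lockdown Ali describes would block vManage's inbound NETCONF connection. The three sample configs are constructed; `allow-service netconf` is accepted alongside the `allow-service all` the answer prescribes because it is the narrower keyword for the same service, and the check notes when `encapsulation ipsec` is missing under the tunnel-interface.

```python
"""Check whether a vBond's VPN 0 interface config lets vManage reach NETCONF.

Added example, not part of the thread. Parses indented Viptela-style CLI
output (indentation = nesting, '!' closes a block) and applies the rule from
the answer above: tunnel-interface with no allow-service blocks inbound
NETCONF from vManage; no tunnel-interface, or tunnel-interface plus
allow-service all/netconf, lets the onboarding connection through.
"""

# Constructed sample: default state, tunnel-interface with nothing under it.
TUNNEL_LOCKED_DOWN = """\
vpn 0
 interface ge0/0
  ip address 100.64.1.12/24
  tunnel-interface
  !
  no shutdown
 !
!
vpn 512
 interface eth0
  ip address 192.168.21.12/24
  no shutdown
 !
!
"""

# Constructed sample: option 1 from the answer, lockdown disabled for onboarding.
TUNNEL_DISABLED = """\
vpn 0
 interface ge0/0
  ip address 100.64.1.12/24
  no tunnel-interface
  no shutdown
 !
!
"""

# Constructed sample: option 2 from the answer, lockdown kept but NETCONF allowed.
TUNNEL_WITH_ALLOW = """\
vpn 0
 interface ge0/0
  ip address 100.64.1.12/24
  tunnel-interface
   encapsulation ipsec
   allow-service all
  !
  no shutdown
 !
!
"""


def parse_blocks(config_text):
    """Flatten an indented config into (path, line) pairs.

    Every line is pushed as a potential parent and popped once a line at the
    same or lower indent arrives; '!' lines carry no data and are skipped.
    """
    stack = []    # (indent, header) of the enclosing lines
    entries = []
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        entries.append((tuple(header for _, header in stack), stripped))
        stack.append((indent, stripped))
    return entries


def vpn0_interfaces(config_text):
    """Per VPN 0 interface: is tunnel-interface present, and which
    encapsulation / allow-service statements sit under it."""
    summary = {}
    for path, line in parse_blocks(config_text):
        if len(path) < 2 or path[0] != "vpn 0" or not path[1].startswith("interface "):
            continue
        name = path[1].split(None, 1)[1]
        state = summary.setdefault(name, {"tunnel": False, "encap": set(), "allow": set()})
        if len(path) == 2 and line == "tunnel-interface":
            state["tunnel"] = True
        elif len(path) == 3 and path[2] == "tunnel-interface":
            keyword, _, value = line.partition(" ")
            if keyword == "encapsulation":
                state["encap"].add(value)
            elif keyword == "allow-service":
                state["allow"].add(value)
    return summary


def netconf_reachable(config_text):
    """Return {interface: (ok, reason)} for every VPN 0 interface."""
    verdicts = {}
    for name, st in vpn0_interfaces(config_text).items():
        if not st["tunnel"]:
            verdicts[name] = (True, "no tunnel-interface: not locked down; re-enable it after onboarding")
        elif st["allow"] & {"all", "netconf"}:
            note = "" if "ipsec" in st["encap"] else " (encapsulation ipsec missing)"
            verdicts[name] = (True, f"tunnel-interface with allow-service {sorted(st['allow'])}{note}")
        else:
            verdicts[name] = (False, "tunnel-interface without allow-service blocks inbound NETCONF")
    return verdicts


if __name__ == "__main__":
    for label, cfg in [("locked down", TUNNEL_LOCKED_DOWN),
                       ("tunnel disabled", TUNNEL_DISABLED),
                       ("tunnel + allow-service", TUNNEL_WITH_ALLOW)]:
        print(f"{label}: {netconf_reachable(cfg)}")
```

Run against the first post's running config (once re-indented, as shown above) the check reports ge0/0 as reachable simply because no tunnel-interface is present at all, which matches the state the original poster ended up in before adding it back. The verdict only says NETCONF is not blocked by the lockdown; `allow-service all` opens every service on that interface, so if your policy wants the control interface kept tight, the narrower `allow-service netconf` satisfies this same check.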