03-15-2023 06:22 AM
Hello everyone,
I'm trying to work on an SD-WAN lab, and I have installed the certificate on both vManage and vSmart but I'm not able to do the same thing on vBond. Even when I tried with vshell and then the command tftp -g -r PKI.ca 223.1.1.13 I get a timeout, but when I run the same command on vSmart it works. I really can't see the problem. I can also ping the root CA server.
Here's my config for the vBond.
system
 host-name vBond
 system-ip 10.100.0.11
 site-id 100
 admin-tech-on-failure
 no route-consistency-check
 organization-name lab
 vbond 223.1.1.11 local
!
!
vpn 0
 interface ge0/0
  ip address 223.1.1.11/24
  tunnel-interface
   encapsulation ipsec
   allow-service all
  !
  no shutdown
 !
 ip route 0.0.0.0/0 223.1.1.1
!
03-22-2023 12:54 AM - edited 03-22-2023 12:54 AM
Hi,
Not sure why you're trying to manually download the root CA on vBond, because as far as I remember it should happen automatically when you add vBond to vManage.
Please check the following how-to: https://community.cisco.com/t5/networking-knowledge-base/sd-wan-controller-setup-guide-on-prem-non-cloud-managed/ta-p/3921360
BR,
Octavian
03-22-2023 04:50 AM
Hi,
The tunnel-interface command dedicates the interface to the overlay, i.e. only limited traffic is allowed on an interface that is configured as a tunnel interface.
Even if you configure allow-service all, it only allows specific services. You may remove the tunnel-interface config under the physical interface and try again, then re-enable it.
But normally, if you need to add a root CA (for example an enterprise CA), you may try creating the file in the Linux shell (vshell) with the "vi" command and copy-pasting the certificate file (BEGIN to END CERTIFICATE). And when you add vBond (or vSmart) to vManage, remove the tunnel configuration, add the device, and then re-enable the tunnel interface via CLI.
11-16-2023 09:02 PM
I am having the exact same issue as the OP. I'm studying for the CCIE lab and running the topology in EVE-NG. I was able to TFTP the cert using the command tftp -g -r PKI.ca 200.1.1.1 on both vManage and vSmart, but on vBond I get a timeout even though I see activity on my PKI server (IOS router, debug tftp events/packets).
I already tried removing the tunnel-interface under the physical one; I can ping 200.1.1.1 but TFTP still times out.
@itzmesarah were you ever able to get this solved?
11-21-2023 03:30 AM
I researched and found a way to push the root cert to vBond from vManage using SCP. This worked for me and my vBond was able to get a certificate. Posting it here in case someone finds this useful. Here is the link to the Cisco article with more details on this
On your vManage CLI, type the command below (note that you must have all the underlay connectivity configured before you can proceed).
 request execute vpn 0 scp /home/admin/cert.ca admin@<vBondIP>:/home/admin/
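Whichever path lands the root CA file on the vBond (the TFTP pull from vshell discussed earlier in the thread, or the SCP push from vManage shown above), the file should be sanity-checked before it is installed as the root chain. The following is an added example, not Cisco tooling and not posted by anyone in this thread. It assumes a busybox/tftp-hpa style client that accepts the same `tftp -g -r FILE HOST` syntax used in the thread, GNU coreutils `timeout`, and `openssl` being available in vshell; the hosts, filenames and fingerprint in the usage comments are placeholders for the lab.

```shell
#!/bin/sh
# Added example (not Cisco's tooling, not from the thread): vshell-style helpers
# that fetch a root CA file with a bounded wait and sanity-check it before the
# controller's certificate install step.
# Assumptions: "tftp -g -r FILE HOST" client syntax (as used in the thread),
# GNU coreutils "timeout", and "openssl" present on the box.

# fetch_ca_tftp HOST FILE
# Retrieves FILE from the TFTP server HOST with a 15 s cap, so a path that does
# not pass TFTP (for example an interface still under tunnel-interface) fails
# fast instead of hanging the shell. Returns 0 on success, non-zero otherwise.
fetch_ca_tftp() {
    host=$1
    file=$2
    timeout 15 tftp -g -r "$file" "$host"
}

# pem_cert_count FILE
# Prints how many PEM certificate blocks FILE contains (0 if missing or empty).
# A root CA file transferred by TFTP or SCP should hold at least one.
pem_cert_count() {
    count=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)
    echo "${count:-0}"
}

# ca_fingerprint FILE
# Prints the SHA-256 fingerprint line of the first certificate in FILE as
# openssl formats it ("... Fingerprint=AB:CD:..."); prints nothing if the file
# does not parse as a certificate.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# verify_ca FILE EXPECTED_FINGERPRINT
# Returns 0 only if FILE holds a parseable certificate whose SHA-256 fingerprint
# equals EXPECTED_FINGERPRINT (obtained out of band from whoever runs the CA,
# never from the same TFTP/SCP path). Run this before installing the file as
# the root chain on the vBond.
verify_ca() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ "$(pem_cert_count "$file")" -ge 1 ] || return 1
    actual=$(ca_fingerprint "$file" | sed 's/^.*Fingerprint=//' | tr 'a-f' 'A-F')
    [ -n "$actual" ] || return 1
    [ "$actual" = "$expected" ]
}

# Usage sketch (placeholder lab values, not real infrastructure):
#   fetch_ca_tftp 223.1.1.13 PKI.ca && verify_ca PKI.ca "<expected sha256 fingerprint>"
# or, after the SCP push from vManage has placed cert.ca on the vBond:
#   verify_ca /home/admin/cert.ca "<expected sha256 fingerprint>"
```

The bounded `timeout` turns the silent hang reported above into a quick, visible failure, and `verify_ca` makes the root CA's fingerprint, not just the success of the copy, the condition for proceeding.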