02-01-2024 11:14 AM
I have two SD-WAN routers in my office and I would like to establish a Tunnel Session with them.
The WAN IP of each SD-WAN router is set to a private IP and NATed to the same global IP by the FW.
Can two SD-WAN routers with the same global IP establish a Tunnel Session with each other?
I tried to set it up, but the BFD session does not come up.
02-01-2024 11:30 AM
You need to allow SDWAN between two routers in the same site-id
MHM
02-01-2024 11:58 AM
Thank you for your reply.
I assigned the different site-ID.
Here is the configuration.
Router1
==================
ISR4331#show sdwan running-config
system
system-ip 10.10.10.2
domain-id 1
site-id 200
port-offset 0
admin-tech-on-failure
sp-organization-name CDCS-US-1A
organization-name "CDCS-US-1A-va-890a54cf - 738355"
no port-hop
vbond vbond-423750355.sdwan.cisco.com port 12346
!
memory free low-watermark processor 67460
service timestamps debug datetime msec
service timestamps log datetime msec
no service tcp-small-servers
no service udp-small-servers
platform qfp utilization monitor load 80
hostname ISR4331
username admin privilege 15 secret 5 $1$dY49$RQoPFDRuifFhpWsoOrdfN1
vrf definition Mgmt-intf
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no ip finger
no ip rcmd rcp-enable
no ip rcmd rsh-enable
ip dhcp pool PnPWebUI1
vrf 65500
dns-server 192.168.1.1
host 192.168.1.3 255.255.255.0
client-identifier 7765.6275.69
exit
no ip dhcp use class
ip tftp source-interface GigabitEthernet0
no ip http server
ip http secure-server
ip nat settings central-policy
ip nat settings gatekeeper-size 1024
interface GigabitEthernet0
no shutdown
vrf forwarding Mgmt-intf
negotiation auto
exit
interface GigabitEthernet0/0/0
no shutdown
ip address dhcp
negotiation auto
exit
interface GigabitEthernet0/0/1
no shutdown
negotiation auto
exit
interface GigabitEthernet0/0/2
no shutdown
negotiation auto
exit
interface Tunnel0
no shutdown
ip unnumbered GigabitEthernet0/0/0
tunnel source GigabitEthernet0/0/0
tunnel mode sdwan
exit
aaa authentication enable default enable
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
login on-success log
line aux 0
stopbits 1
!
line con 0
stopbits 1
!
line vty 0 4
transport input ssh
!
line vty 5 14
transport input ssh
!
sdwan
interface GigabitEthernet0/0/0
tunnel-interface
encapsulation ipsec weight 1
no border
color biz-internet
no last-resort-circuit
no low-bandwidth-link
no vbond-as-stun-server
vmanage-connection-preference 4
port-hop
carrier default
nat-refresh-interval 5
hello-interval 1000
hello-tolerance 12
no allow-service all
allow-service bgp
no allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
no allow-service ntp
no allow-service ospf
no allow-service stun
no allow-service https
no allow-service snmp
no allow-service bfd
exit
exit
appqoe
no tcpopt enable
no dreopt enable
!
omp
no shutdown
graceful-restart
no as-dot-notation
address-family ipv4
advertise connected
advertise static
!
address-family ipv6
advertise connected
advertise static
!
!
!
licensing config enable false
licensing config privacy hostname false
licensing config privacy version false
licensing config utility utility-enable false
security
ipsec
integrity-type ip-udp-esp esp
!
!
sslproxy
no enable
rsa-key-modulus 2048
certificate-lifetime 730
eckey-type P256
ca-tp-label PROXY-SIGNING-CA
settings expired-certificate drop
settings untrusted-certificate drop
settings unknown-status drop
settings certificate-revocation-check none
settings unsupported-protocol-versions drop
settings unsupported-cipher-suites drop
settings failure-mode close
settings minimum-tls-ver TLSv1
dual-side optimization enable
!
ISR4331#$
===================
Router 2
==============
C1111#show sdwan running-config
system
gps-location latitude 33.08785
gps-location longitude -96.81911
system-ip 10.10.10.1
domain-id 1
site-id 100
port-offset 0
admin-tech-on-failure
sp-organization-name CDCS-US-1A
organization-name "CDCS-US-1A-va-890a54cf - 738355"
no port-hop
vbond vbond-423750355.sdwan.cisco.com port 12346
!
memory free low-watermark processor 70154
call-home
contact-email-addr sch-smart-licensing@cisco.com
profile CiscoTAC-1
active
destination transport-method http
!
!
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
no service tcp-small-servers
no service udp-small-servers
platform qfp utilization monitor load 80
hostname C1111
username admin privilege 15 secret 5 $1$u0R6$/Y.Xma6khkNeUA1cgcxdB0
vrf definition 65500
address-family ipv4
exit-address-family
!
!
no ip finger
no ip rcmd rcp-enable
no ip rcmd rsh-enable
ip dhcp pool PnPWebUI1
vrf 65500
dns-server 192.168.1.1
host 192.168.1.3 255.255.255.0
client-identifier 7765.6275.69
exit
no ip dhcp use class
ip tftp source-interface GigabitEthernet0/0/0
ip http authentication local
ip http server
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip nat settings central-policy
ip nat settings gatekeeper-size 1024
vlan internal allocation policy ascending
interface GigabitEthernet0/0/0
description **** To Internet ****
no shutdown
ip address dhcp
ip dhcp client client-id ascii FGL2613LGYZ
negotiation auto
exit
interface GigabitEthernet0/0/1
no shutdown
negotiation auto
exit
interface GigabitEthernet0/1/0
no shutdown
exit
interface GigabitEthernet0/1/1
no shutdown
exit
interface GigabitEthernet0/1/2
no shutdown
exit
interface GigabitEthernet0/1/3
no shutdown
exit
interface GigabitEthernet0/1/4
no shutdown
exit
interface GigabitEthernet0/1/5
no shutdown
exit
interface GigabitEthernet0/1/6
no shutdown
exit
interface GigabitEthernet0/1/7
no shutdown
exit
interface Vlan1
no shutdown
vrf forwarding 65500
ip address 192.168.1.1 255.255.255.0
exit
interface Tunnel0
no shutdown
ip unnumbered GigabitEthernet0/0/0
tunnel source GigabitEthernet0/0/0
tunnel mode sdwan
exit
aaa authentication enable default enable
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
login on-success log
line con 0
speed 9600
stopbits 1
!
line vty 0 4
access-class ssh_acl in vrf-also
transport input ssh
!
line vty 5 80
access-class ssh_acl in vrf-also
transport input ssh
!
pnp profile pnp_redirection_profile
!
sdwan
interface GigabitEthernet0/0/0
tunnel-interface
encapsulation ipsec weight 1
no border
color biz-internet
no last-resort-circuit
no low-bandwidth-link
no vbond-as-stun-server
vmanage-connection-preference 4
port-hop
carrier default
nat-refresh-interval 5
hello-interval 1000
hello-tolerance 12
no allow-service all
allow-service bgp
no allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
no allow-service ntp
no allow-service ospf
no allow-service stun
no allow-service https
no allow-service snmp
no allow-service bfd
exit
exit
appqoe
no tcpopt enable
no dreopt enable
!
omp
no shutdown
graceful-restart
no as-dot-notation
address-family ipv4
advertise connected
advertise static
!
address-family ipv6
advertise connected
advertise static
!
!
!
licensing config enable false
licensing config privacy hostname false
licensing config privacy version false
licensing config utility utility-enable false
security
ipsec
integrity-type ip-udp-esp esp
!
!
C1111#
=============================
C1111#show sdwan bfd sessions
SYSTEM IP   SITE ID  STATE  SOURCE TLOC COLOR  REMOTE TLOC COLOR  SOURCE IP     DST PUBLIC IP  DST PUBLIC PORT  ENCAP  DETECT MULTIPLIER  TX INTERVAL(msec)  UPTIME  TRANSITIONS
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.10.10.2  200      down   biz-internet       biz-internet       192.168.7.56  4.71.14.110    12386            ipsec  7                  1000               NA      0
C1111#
02-01-2024 12:33 PM
Same Site-ID is a no-go by default, so if you still would like to have a BFD session, you need to allow-same-site-tunnels
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/command/sdwan-cr-book/config-cmd.html?dtid=osscdc000283#r_allow_same_site_tunnels_6958.xml
02-01-2024 12:37 PM
Yes, I did not use the same id...
02-01-2024 12:44 PM
One SD-WAN Router has 100 as Site-ID, another one is 200. So, it is not the problem of Site-ID.
Could someone check my configuration?
02-01-2024 12:58 PM
Yes, Underlay reachability is Okay. I can ping from Router 1 WAN IP to Router 2 WAN IP.
I would be happy if someone could check my configuration.
Also, can two SD-WAN routers with the same global IP establish a Tunnel Session with each other?
02-01-2024 04:19 PM
Yes, that is what I am looking for.
The tunnel is built using the public IP, which is the same on both routers, not the private IP.
Can you share
show control connections-history <<- from both routers
02-02-2024 12:21 AM
Design is a bit different.
You have two sites with two different site-ID, but both use DHCP for interface IP and it is private?
You say you can ping each other, do you test with private addresses?
02-02-2024 10:11 AM
Guys
I changed the site-id to 100 for both routers and configured "allow-same-site-tunnels", then the BFD session came up.
Thank you for your help.
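Added example, not from the thread or from Cisco: a small Python check that reads the system block of both routers' show sdwan running-config, parses the show sdwan bfd sessions row, and reports the conditions this thread worked through (peer reached via the shared NAT address, different site-ids, or same site-id without allow-same-site-tunnels). Assumptions: the shared public address is the DST PUBLIC IP 4.71.14.110 seen in the BFD table, and allow-same-site-tunnels appears as a line under system on both routers.

```python
import re

# Constructed, trimmed excerpts of the two configs quoted in the thread
# (only the system fields this check reads).
ROUTER1_CFG = "system\n system-ip 10.10.10.2\n site-id 200\n!\n"
ROUTER2_CFG = "system\n system-ip 10.10.10.1\n site-id 100\n!\n"
# The data row of `show sdwan bfd sessions` from C1111, header stripped.
BFD_ROW = "10.10.10.2 200 down biz-internet biz-internet 192.168.7.56 4.71.14.110 12386 ipsec 7 1000 NA 0"
# Assumption: the firewall's shared NAT address is the DST PUBLIC IP column.
SHARED_PUBLIC_IP = "4.71.14.110"


def parse_system(cfg: str) -> dict:
    """Pull system-ip, site-id and the allow-same-site-tunnels knob from a config."""
    sys_ip = re.search(r"^\s*system-ip\s+(\S+)", cfg, re.M)
    site = re.search(r"^\s*site-id\s+(\d+)", cfg, re.M)
    allow = re.search(r"^\s*allow-same-site-tunnels\s*$", cfg, re.M)
    return {"system_ip": sys_ip.group(1) if sys_ip else None,
            "site_id": int(site.group(1)) if site else None,
            "allow_same_site": allow is not None}


def parse_bfd(output: str) -> list:
    """Parse data rows of `show sdwan bfd sessions`; header/separator lines are skipped."""
    rows = []
    for line in output.splitlines():
        f = line.split()
        if len(f) >= 8 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", f[0]):
            rows.append({"peer": f[0], "site_id": int(f[1]), "state": f[2],
                         "dst_public_ip": f[6], "dst_port": int(f[7])})
    return rows


def diagnose(local_cfg: str, peer_cfg: str, bfd_output: str, shared_public_ip: str) -> list:
    """Return finding codes for every non-up BFD session towards the given peer."""
    local, peer = parse_system(local_cfg), parse_system(peer_cfg)
    findings = []
    for s in parse_bfd(bfd_output):
        if s["state"] == "up" or s["peer"] != peer["system_ip"]:
            continue
        if s["dst_public_ip"] == shared_public_ip:
            findings.append("SHARED_PUBLIC_IP")      # peer is behind our own NAT address
        if local["site_id"] != peer["site_id"]:
            findings.append("DIFFERENT_SITE_ID")     # the OP's starting point (100 vs 200)
        elif not (local["allow_same_site"] and peer["allow_same_site"]):
            findings.append("MISSING_ALLOW_SAME_SITE_TUNNELS")  # same site, knob absent
    return findings


if __name__ == "__main__":
    print(diagnose(ROUTER2_CFG, ROUTER1_CFG, BFD_ROW, SHARED_PUBLIC_IP))
```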