
Can two SD-WAN routers with same Global IP establish Tunnel Session?

I have two SD-WAN routers in my office and I would like to establish a Tunnel Session with them.
The WAN IP of each SD-WAN Router is set to Private IP and NATed to the same Global IP by the FW.

Can two SD-WAN routers with the same Global IP establish a Tunnel Session with each other?
I tried to set it up, but the BFD session does not come up.


1 Accepted Solution

Accepted Solutions

svemulap@cisco.com
Cisco Employee
If the two devices are in the same site-id, BFD won't come up by default.
The assumption is that they are in the same site and they can reach each other through LAN/Service side.
If you still would like to have a BFD session, you need to configure allow-same-site-tunnels:
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/command/sdwan-cr-book/config-cmd.html?dtid=osscdc000283#r_allow_same_site_tunnels_6958.xml

HTH

13 Replies

You need to allow SDWAN between two routers in the same site-id.

MHM

Thank you for your reply.
I assigned the different site-ID.

Here is the configuration.



Router1 
==================

ISR4331#show sdwan running-config
system
system-ip 10.10.10.2
domain-id 1
site-id 200
port-offset 0
admin-tech-on-failure
sp-organization-name CDCS-US-1A
organization-name "CDCS-US-1A-va-890a54cf - 738355"
no port-hop
vbond vbond-423750355.sdwan.cisco.com port 12346
!
memory free low-watermark processor 67460
service timestamps debug datetime msec
service timestamps log datetime msec
no service tcp-small-servers
no service udp-small-servers
platform qfp utilization monitor load 80
hostname ISR4331
username admin privilege 15 secret 5 $1$dY49$RQoPFDRuifFhpWsoOrdfN1
vrf definition Mgmt-intf
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no ip finger
no ip rcmd rcp-enable
no ip rcmd rsh-enable
ip dhcp pool PnPWebUI1
vrf 65500
dns-server 192.168.1.1
host 192.168.1.3 255.255.255.0
client-identifier 7765.6275.69
exit
no ip dhcp use class
ip tftp source-interface GigabitEthernet0
no ip http server
ip http secure-server
ip nat settings central-policy
ip nat settings gatekeeper-size 1024
interface GigabitEthernet0
no shutdown
vrf forwarding Mgmt-intf
negotiation auto
exit
interface GigabitEthernet0/0/0
no shutdown
ip address dhcp
negotiation auto
exit
interface GigabitEthernet0/0/1
no shutdown
negotiation auto
exit
interface GigabitEthernet0/0/2
no shutdown
negotiation auto
exit
interface Tunnel0
no shutdown
ip unnumbered GigabitEthernet0/0/0
tunnel source GigabitEthernet0/0/0
tunnel mode sdwan
exit
aaa authentication enable default enable
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
login on-success log
line aux 0
stopbits 1
!
line con 0
stopbits 1
!
line vty 0 4
transport input ssh
!
line vty 5 14
transport input ssh
!
sdwan
interface GigabitEthernet0/0/0
tunnel-interface
encapsulation ipsec weight 1
no border
color biz-internet
no last-resort-circuit
no low-bandwidth-link
no vbond-as-stun-server
vmanage-connection-preference 4
port-hop
carrier default
nat-refresh-interval 5
hello-interval 1000
hello-tolerance 12
no allow-service all
allow-service bgp
no allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
no allow-service ntp
no allow-service ospf
no allow-service stun
no allow-service https
no allow-service snmp
no allow-service bfd
exit
exit
appqoe
no tcpopt enable
no dreopt enable
!
omp
no shutdown
graceful-restart
no as-dot-notation
address-family ipv4
advertise connected
advertise static
!
address-family ipv6
advertise connected
advertise static
!
!
!
licensing config enable false
licensing config privacy hostname false
licensing config privacy version false
licensing config utility utility-enable false
security
ipsec
integrity-type ip-udp-esp esp
!
!
sslproxy
no enable
rsa-key-modulus 2048
certificate-lifetime 730
eckey-type P256
ca-tp-label PROXY-SIGNING-CA
settings expired-certificate drop
settings untrusted-certificate drop
settings unknown-status drop
settings certificate-revocation-check none
settings unsupported-protocol-versions drop
settings unsupported-cipher-suites drop
settings failure-mode close
settings minimum-tls-ver TLSv1
dual-side optimization enable
!

ISR4331#$
===================

 

Router 2 
==============

C1111#show sdwan running-config
system
gps-location latitude 33.08785
gps-location longitude -96.81911
system-ip 10.10.10.1
domain-id 1
site-id 100
port-offset 0
admin-tech-on-failure
sp-organization-name CDCS-US-1A
organization-name "CDCS-US-1A-va-890a54cf - 738355"
no port-hop
vbond vbond-423750355.sdwan.cisco.com port 12346
!
memory free low-watermark processor 70154
call-home
contact-email-addr sch-smart-licensing@cisco.com
profile CiscoTAC-1
active
destination transport-method http
!
!
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
no service tcp-small-servers
no service udp-small-servers
platform qfp utilization monitor load 80
hostname C1111
username admin privilege 15 secret 5 $1$u0R6$/Y.Xma6khkNeUA1cgcxdB0
vrf definition 65500
address-family ipv4
exit-address-family
!
!
no ip finger
no ip rcmd rcp-enable
no ip rcmd rsh-enable
ip dhcp pool PnPWebUI1
vrf 65500
dns-server 192.168.1.1
host 192.168.1.3 255.255.255.0
client-identifier 7765.6275.69
exit
no ip dhcp use class
ip tftp source-interface GigabitEthernet0/0/0
ip http authentication local
ip http server
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip nat settings central-policy
ip nat settings gatekeeper-size 1024
vlan internal allocation policy ascending
interface GigabitEthernet0/0/0
description **** To Internet ****
no shutdown
ip address dhcp
ip dhcp client client-id ascii FGL2613LGYZ
negotiation auto
exit
interface GigabitEthernet0/0/1
no shutdown
negotiation auto
exit
interface GigabitEthernet0/1/0
no shutdown
exit
interface GigabitEthernet0/1/1
no shutdown
exit
interface GigabitEthernet0/1/2
no shutdown
exit
interface GigabitEthernet0/1/3
no shutdown
exit
interface GigabitEthernet0/1/4
no shutdown
exit
interface GigabitEthernet0/1/5
no shutdown
exit
interface GigabitEthernet0/1/6
no shutdown
exit
interface GigabitEthernet0/1/7
no shutdown
exit
interface Vlan1
no shutdown
vrf forwarding 65500
ip address 192.168.1.1 255.255.255.0
exit
interface Tunnel0
no shutdown
ip unnumbered GigabitEthernet0/0/0
tunnel source GigabitEthernet0/0/0
tunnel mode sdwan
exit
aaa authentication enable default enable
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
login on-success log
line con 0
speed 9600
stopbits 1
!
line vty 0 4
access-class ssh_acl in vrf-also
transport input ssh
!
line vty 5 80
access-class ssh_acl in vrf-also
transport input ssh
!
pnp profile pnp_redirection_profile
!
sdwan
interface GigabitEthernet0/0/0
tunnel-interface
encapsulation ipsec weight 1
no border
color biz-internet
no last-resort-circuit
no low-bandwidth-link
no vbond-as-stun-server
vmanage-connection-preference 4
port-hop
carrier default
nat-refresh-interval 5
hello-interval 1000
hello-tolerance 12
no allow-service all
allow-service bgp
no allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
no allow-service ntp
no allow-service ospf
no allow-service stun
no allow-service https
no allow-service snmp
no allow-service bfd
exit
exit
appqoe
no tcpopt enable
no dreopt enable
!
omp
no shutdown
graceful-restart
no as-dot-notation
address-family ipv4
advertise connected
advertise static
!
address-family ipv6
advertise connected
advertise static
!
!
!
licensing config enable false
licensing config privacy hostname false
licensing config privacy version false
licensing config utility utility-enable false
security
ipsec
integrity-type ip-udp-esp esp
!
!

C1111#
=============================


C1111#show sdwan bfd sessions
SYSTEM IP    SITE ID  STATE  SOURCE TLOC COLOR  REMOTE TLOC COLOR  SOURCE IP     DST PUBLIC IP  DST PUBLIC PORT  ENCAP  DETECT MULTIPLIER  TX INTERVAL(msec)  UPTIME  TRANSITIONS
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.10.10.2   200      down   biz-internet       biz-internet       192.168.7.56  4.71.14.110    12386            ipsec  7                  1000               NA      0

C1111#



Make sure you have underlay reachability.
You can check, for example, by pinging the transport IP.

Ruben Cocheno
Spotlight

@yutashimamura2920 

Same Site-ID is a no-go by default, so if you still would like to have a BFD session, you need to configure allow-same-site-tunnels:
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/command/sdwan-cr-book/config-cmd.html?dtid=osscdc000283#r_allow_same_site_tunnels_6958.xml

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

Yes, I did not use same id...

One SD-WAN Router has 100 as Site-ID, another one is 200. So, it is not the problem of Site-ID.
Could someone check my configuration?

Yes, underlay reachability is okay. I can ping from Router 1 WAN IP to Router 2 WAN IP.
I would be happy if someone could check my configuration.
Also, can two SD-WAN routers with the same Global IP establish a Tunnel Session with each other?

Yes. Make sure you have the NAT enabled, on the transport (tunnel) interfaces.
Also, not sure what kind of modem, if any, you have northbound.

We have found some issues with dinky modems not maintaining the unique flows from a NAT perspective,
if the Edge devices are sitting behind a modem.
i.e., they are not able to maintain unique flows.
We have it documented in our design guide:
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html?dtid=osscdc000283#FirewallPortConsiderations
If so, you need to configure port-offset.

HTH.
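The two conditions raised in this thread (same site-id without allow-same-site-tunnels, and two edges NATed to one public IP with identical port-offset) can be checked from the `show sdwan running-config` and `show sdwan bfd sessions` output. The script below is an added example, not Cisco's or the poster's code; the embedded configs and BFD row are constructed, trimmed samples modelled on the output pasted above.

```python
import ipaddress
import re

# Constructed sample input modelled on the thread's `show sdwan running-config`
# and `show sdwan bfd sessions` output (trimmed; not the poster's full configs).
ROUTER1_CFG = """system
 system-ip 10.10.10.2
 site-id 200
 port-offset 0
!"""
ROUTER2_CFG = """system
 system-ip 10.10.10.1
 site-id 100
 port-offset 0
!"""
BFD_OUTPUT = """SYSTEM IP  SITE ID STATE COLOR        COLOR        SOURCE IP    DST IP      PORT  ENCAP MULT INTERVAL UPTIME TRANSITIONS
10.10.10.2 200     down  biz-internet biz-internet 192.168.7.56 4.71.14.110 12386 ipsec 7    1000     NA     0"""

def parse_system(cfg):
    """Pull site-id, port-offset and allow-same-site-tunnels out of the `system` block."""
    site = re.search(r"^\s*site-id\s+(\d+)", cfg, re.M)
    offset = re.search(r"^\s*port-offset\s+(\d+)", cfg, re.M)
    return {
        "site_id": int(site.group(1)) if site else None,
        "port_offset": int(offset.group(1)) if offset else 0,
        "allow_same_site": re.search(r"^\s*allow-same-site-tunnels\b", cfg, re.M) is not None,
    }

def parse_bfd_sessions(output):
    """Parse data rows of `show sdwan bfd sessions`; data rows start with an IPv4 system-ip."""
    sessions = []
    for line in output.splitlines():
        f = line.split()
        if len(f) >= 10 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", f[0]):
            sessions.append({"peer": f[0], "site_id": int(f[1]), "state": f[2],
                             "src_ip": f[5], "dst_ip": f[6], "dst_port": int(f[7])})
    return sessions

def diagnose(local_cfg, remote_cfg, bfd_output):
    """Return findings for down BFD sessions between two edges that share one public IP."""
    local, remote = parse_system(local_cfg), parse_system(remote_cfg)
    findings = []
    if local["site_id"] == remote["site_id"] and not (local["allow_same_site"] and remote["allow_same_site"]):
        findings.append("same site-id on both edges: add 'allow-same-site-tunnels' under system on both")
    for s in parse_bfd_sessions(bfd_output):
        if s["state"] != "down":
            continue
        # A private source IP with a public destination means the tunnel is NATed.
        if ipaddress.ip_address(s["src_ip"]).is_private and local["port_offset"] == remote["port_offset"]:
            findings.append(f"BFD to {s['peer']} down via NAT ({s['src_ip']} -> {s['dst_ip']}:{s['dst_port']}): "
                            "both edges use the same port-offset; set distinct port-offsets if the NAT device cannot keep unique flows")
    return findings
```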

Yes, that is what I was looking for.
The tunnel is built using the public IP, which is the same on both routers, not the private IP.
Can you share:
 show control connections-history <<- from both routers

Design is a bit different.

You have two sites with two different site-IDs, but both use DHCP for the interface IP and it is private?

You say you can ping each other, do you test with private addresses?

 

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Guys

I changed the site-id to 100 for both routers and configured "allow-same-site-tunnels", then the BFD session came up.
Thank you for your help.

 

Good to hear that everything worked out!!
Good luck on further testing!!