Solved: Control Connection Auth Fail Reason ERR_BID_NOT_VERIFIED IOS-XE SD-WAN

Tyche · ‎04-11-2020

I am trying to manually on-board a CSR router (IOS-XE 16.12.3)

I am running my controllers (18.4.3) on premise (proof of concept lab).

The certificate gets installed by Vmanage on the CSR but vBond refuses to authenticate the connection from the CSR:

local7.info: Apr 11 17:53:31 vbond VBOND[2630]: %Viptela-vbond-vbond_0-6-INFO-1400002: Notification: 4/11/2020 17:53:31 vbond-reject-vedge-connection severity-level:major host-name:"vbond" system-ip:1.1.1.3 uuid:"CSR-69363B06-057A-ADC2-5732-69D3841487C3" organization-name:"poc_sdwan" sp-organization-name:"poc_sdwan" reason:"ERR_BID_NOT_VERIFIED"

local7.info: Apr 11 17:53:31 vbond VBOND[2630]: %Viptela-vbond-vbond_0-6-INFO-1400002: Notification: 4/11/2020 17:53:31 control-connection-auth-fail severity-level:major host-name:"vbond" system-ip:1.1.1.3 personality:vbond peer-type:vedge peer-system-ip::: local-system-ip:1.1.1.3 local-color:default reason:"ERR_BID_NOT_VERIFIED"

1) The serial number matches between the CSR router and vbond:

vbond# show orchestrator valid-vedges

CHASSIS NUMBER SERIAL NUMBER VALIDITY ORG
-------------------------------------------------------------------------------------------------
444A759D-4D0F-3101-3782-F525AD189F0F CCD1C03F valid poc_sdwan
CF157AAE-0560-1760-32C3-D84C9EDAA996 8B2C5CCA valid poc_sdwan
CSR-69363B06-057A-ADC2-5732-69D3841487C3 BFDDD9D0 valid poc_sdwan


Router#show sdwan control local-properties | include chassis-num|serial-num
chassis-num/unique-id CSR-69363B06-057A-ADC2-5732-69D3841487C3
serial-num BFDDD9D0

Troubleshooting steps taken from:

https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/214509-troubleshoot-control-connections.html

"If the serial number is not present on the controllers for a given device, you will see that control connections fail. [...]

"When you troubleshoot such a problem, ensure that the correct serial number and device model was configured and provisioned on PnP portal (software.cisco.com) and vManage"

2) I should not be affected by bug CSCvp75927 which gives the same error message:

a) I am running version 18.4.4, this bug is in 19.x

b) I am not getting the additional error message:
Peer's Certificate validation Failed (expected Viptela) got "xxxx"

https://community.cisco.com/t5/sd-wan/unable-to-bring-up-vedge/td-p/4014780

! Verification

I have activated the following debugs:

vbond# sh debug
debugs vbond events low
debugs vbond misc low
debugs vbond confd low
debugs vbond packets low
debugs vbond hello low
debugs vbond error low
debugs iked events low
debugs iked misc low
debugs iked confd low
debugs iked error low

I can only see:

vbond# show log vdebug | i expected
local7.debug: Apr 5 17:59:28 vedge stray: ./run: line 599: [: : integer expression expected
local7.debug: Apr 5 17:59:28 vedge stray: ./run: line 599: [: : integer expression expected

3) I have tried deploying from template by putting the device in vManage mode, instead of CLI mode.

I get the same error message.

4) I do not have problem onboarding vEdgeCloud devices.

David Aicher · ‎04-14-2020

the sdwan controller image and IOS-XE sdwan images are tied together. 18.4.x was tied to 16.10.x. the CSR1kv did not see support until 16.12.x for sdwan. this version is tied to controller image of 19.2

note the compatibility matrix here

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/release/notes/xe-16-10-18-4/sd-wan-rel-notes-xe-16-10-18-4.html#concept_rcn_g2s_g3b

csr1kv is also not listed as a supported device until the release notes for 16.12

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/release/notes/xe-16-12/ios-xe-sd-wan-re-notes-16-12.html

I don't believe the csr is supported on the controllers you are running.

View solution in original post

David Aicher · ‎04-14-2020

the sdwan controller image and IOS-XE sdwan images are tied together. 18.4.x was tied to 16.10.x. the CSR1kv did not see support until 16.12.x for sdwan. this version is tied to controller image of 19.2

note the compatibility matrix here

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/release/notes/xe-16-10-18-4/sd-wan-rel-notes-xe-16-10-18-4.html#concept_rcn_g2s_g3b

csr1kv is also not listed as a supported device until the release notes for 16.12

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/release/notes/xe-16-12/ios-xe-sd-wan-re-notes-16-12.html

I don't believe the csr is supported on the controllers you are running.

Tyche · ‎04-15-2020

Many thanks for pointing out !

I chose the software based on the certification requirements:

CCIE Enterprise Infrastructure Equipment and Software List

[...]


Virtual machines
• Cisco CSR 1000v Series Cloud Services Routers with Cisco IOS XE SD-WAN Release 16.12
• Cisco IOSv with Cisco IOS Software Release 15.8
• Cisco IOSv-L2 with Cisco IOS Software Release 15.2
• Cisco SD-WAN (vManage, vBond, vSmart, vEdge) Software Release 18.4
• Cisco DNA Center Release 1.3.1

https://learningnetwork.cisco.com/docs/DOC-36509

The document is offline at the moment.

I will wait to see what the update is and act accordingly.

petoroland · ‎07-01-2023

I have just bumped into the exact same problem. I could find several blog and forum posts where were people complaining about the incopatible software versions in the official CCIE EI software list, but could not find any official answer to this question.

@Tyche Have you already cleared the lab exam? What was the exact SD-WAN version? Were there any cEdges invloved? Thanks in advance!