04-26-2023 04:07 AM
Hi,
I've built a lab environment for SD-WAN. My vEdge router works fine, but I also have some CSR1000v and try to connect them
to my lab. Everything works normally, but I've received an error message in vManage: "certificate installation error".
I've read in another article that I need to clean both sides, configure the CSR1000v without tunnel config, install the root certificate,
then add the tunnel config and connect the router to vManage (request platform software sdwan .....), but I've got the same result.
I've then installed the certificate manually (I use vManage as CA), but the control connection still didn't want to come up.
In vManage the router is "reachable", so the IP connection is working....
show sdwan control connection-history -> DCONFAIL
So, what can I troubleshoot?
Many thanks!
04-26-2023 05:06 AM
Hi,
Share:
show sdwan running-config
show sdwan control local-properties
show sdwan control connections
show sdwan control connection-history
Are the controllers UP and in the overlay? Share show control connections from vManage, for example.
04-26-2023 06:37 AM - last edited on 04-26-2023 07:43 AM by rupeshah
SJ-EDGE1#show sdwan running-config
system
system-ip 10.200.1.3
site-id 200
admin-tech-on-failure
organization-name XXXXX
vbond 10.10.0.3
!
memory free low-watermark processor 71489
no service tcp-small-servers
no service udp-small-servers
platform console serial
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
hostname SJ-EDGE1
username admin privilege 15 secret xxxx
no ip finger
no ip rcmd rcp-enable
no ip rcmd rsh-enable
no ip dhcp use class
ip route 0.0.0.0 0.0.0.0 192.168.3.1
no ip source-route
ip ssh version 2
no ip http server
ip http secure-server
vManage# show control connections
PEER PEER PEER
PEER PEER PEER CONFIGURED SITE DOMAIN PEER PRIV PEER PUB
INDEX TYPE PROT SYSTEM IP SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT ORGANIZATION
REMOTE COLOR STATE UPTIME
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 vedge dtls 10.200.1.9 10.200.1.9 600 1 64.100.107.2 12346 64.100.107.2 12346 XXXXX biz-internet up 0:00:56:34
0 vsmart dtls 10.200.1.11 10.200.1.11 700 1 10.10.0.4 12346 10.10.0.4 12346 XXXXX default up 0:00:56:35
0 vbond dtls 10.200.1.12 10.200.1.12 0 0 10.10.0.3 12346 10.10.0.3 12346 XXXXX default up 0:00:56:51
1 vbond dtls 0.0.0.0 - 0 0 10.10.0.3 12346 10.10.0.3 12346 XXXXX default up 0:00:56:51
2 vedge dtls 10.200.1.2 10.200.1.2 100 1 64.100.102.2 12346 64.100.102.2 12346 XXXXX biz-internet up 0:00:56:40
2 vedge dtls 10.200.1.8 10.200.1.8 500 1 64.100.106.2 12346 64.100.106.2 12346 XXXXX biz-internet up 0:00:56:37
2 vbond dtls 0.0.0.0 - 0 0 10.10.0.3 12346 10.10.0.3 12346 XXXXX default up 0:00:56:52
3 vedge dtls 10.200.1.1 10.200.1.1 100 1 192.168.1.2 12346 192.168.1.2 12346 XXXXX default up 0:00:56:49
3 vedge dtls 10.200.1.3 10.200.1.3 200 1 192.168.3.2 12386 192.168.3.2 12386 XXXXX mpls up 0:00:56:49
3 vbond dtls 0.0.0.0 - 0 0 10.10.0.3 12346 10.10.0.3 12346 XXXXX default up 0:00:56:52
SJ-EDGE1#show sdwan control local-properties
personality vedge
sp-organization-name XXXXX
organization-name XXXXX
root-ca-chain-status Installed
certificate-status Installed
certificate-validity Valid
certificate-not-valid-before Apr 21 21:53:03 2023 GMT
certificate-not-valid-after Oct 11 21:53:03 2028 GMT
enterprise-cert-status Not-Applicable
enterprise-cert-validity Not Applicable
enterprise-cert-not-valid-before Not Applicable
enterprise-cert-not-valid-after Not Applicable
dns-name 10.10.0.3
site-id 200
domain-id 1
protocol dtls
tls-port 0
system-ip 10.200.1.3
chassis-num/unique-id CSR-xxxx
serial-num xxx
subject-serial-num N/A
token Invalid
keygen-interval 1:00:00:00
retry-interval 0:00:00:19
no-activity-exp-interval 0:00:00:20
dns-cache-ttl 0:00:02:00
port-hopped TRUE
time-since-last-port-hop 0:00:51:43
embargo-check success
number-vbond-peers 1
INDEX IP PORT
-----------------------------------------------------
0 10.10.0.3 12346
number-active-wan-interfaces 1
NAT TYPE: E -- indicates End-point independent mapping
A -- indicates Address-port dependent mapping
N -- indicates Not learned
Note: Requires minimum two vbonds to learn the NAT type
PUBLIC PUBLIC PRIVATE PRIVATE PRIVATE MAX RESTRICT/ LAST SPI TIME NAT VM
INTERFACE IPv4 PORT IPv4 IPv6 PORT VS/VM COLOR STATE CNTRL CONTROL/ LR/LB CONNECTION REMAINING TYPE CON
STUN PRF
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
GigabitEthernet1 192.168.3.2 12386 192.168.3.2 :: 12386 0/1 mpls up 2 no/yes/no No/No 0:00:00:10 0:00:00:00 N 5
SJ-EDGE1#show sdwan control connections
PEER PEER CONTROLLER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR PROXY STATE UPTIME ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls - up 0:00:54:23 0
vmanage dtls 10.200.1.10 700 0 10.10.0.5 12646 10.10.0.5 12646 mpls No up 0:00:54:23 0
SJ-EDGE1#show sdwan control connection-history
PEER PEER
PEER PEER PEER SITE DOMAIN PEER PRIVATE PEER PUBLIC LOCAL REMOTE REPEAT
TYPE PROTOCOL SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR STATE ERROR ERROR COUNT DOWNTIME
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls connect DCONFAIL NOERR 4229 2023-04-26T14:39:02+0200
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls connect DCONFAIL NOERR 1817 2023-04-26T14:36:09+0200
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls connect DCONFAIL NOERR 1009 2023-04-26T14:33:17+0200
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls connect DCONFAIL NOERR 5828 2023-04-26T14:31:39+0200
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls connect DCONFAIL NOERR 5024 2023-04-26T14:22:23+0200
vmanage dtls 10.200.1.10 700 0 10.10.0.5 12646 10.10.0.5 12646 mpls up RXTRDWN VP_TMO 0 2023-04-22T15:07:41+0200
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls tear_down VB_TMO NOERR 0 2023-04-22T15:07:40+0200
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls challenge_resp RXTRDWN SERNTPRES 7 2023-04-22T01:06:36+0200
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls challenge_resp RXTRDWN BIDNTVRFD 37 2023-04-22T01:00:09+0200
04-26-2023 01:46 PM
SJ-EDGE1#show sdwan control connections
PEER PEER CONTROLLER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR PROXY STATE UPTIME ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls - up 0:00:54:23 0
vmanage dtls 10.200.1.10 700 0 10.10.0.5 12646 10.10.0.5 12646 mpls No up 0:00:54:23 0
You have UP/UP with vmanage and vbond, but there is no control connection with vsmart.
Clear control connections history and recheck. Also, re-push certificate serial file to controllers.
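The diagnosis above (vBond and vManage up, no vSmart session, DCONFAIL repeating against vBond) can be read off mechanically from the two show commands the thread asks for. The following is an added example, not code from the thread or from Cisco: it parses the whitespace-separated rows of `show sdwan control connections` and `show sdwan control connection-history` (the sample text is the output pasted earlier in this thread), reports which controller types have no UP session, and tallies local/remote error codes per peer type so the dominant failure stands out. The column order is taken from the headers printed in the thread; the expected controller set (vbond, vmanage, vsmart) is an assumption for a plain edge with no proxying.

```python
"""Summarise Cisco SD-WAN control-connection state from CLI output.

Added example: parses 'show sdwan control connections' and
'show sdwan control connection-history' rows and reports missing
controller sessions plus an error-code tally. Sample text below is the
output pasted in the thread, trimmed to the table portion.
"""
from collections import defaultdict

PEER_TYPES = {"vbond", "vmanage", "vsmart", "vedge"}

# Column order as printed by the CLI (see the headers in the thread).
CONNECTIONS_COLS = (
    "peer_type", "protocol", "system_ip", "site_id", "domain_id",
    "private_ip", "private_port", "public_ip", "public_port",
    "local_color", "proxy", "state", "uptime", "controller_group_id",
)
HISTORY_COLS = (
    "peer_type", "protocol", "system_ip", "site_id", "domain_id",
    "private_ip", "private_port", "public_ip", "public_port",
    "local_color", "state", "local_error", "remote_error",
    "repeat_count", "downtime",
)

# Constructed sample: the SJ-EDGE1 output from this thread.
SAMPLE_CONNECTIONS = """\
SJ-EDGE1#show sdwan control connections
PEER PEER CONTROLLER
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR PROXY STATE UPTIME ID
----------------------------------------------------------------------------------
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls - up 0:00:54:23 0
vmanage dtls 10.200.1.10 700 0 10.10.0.5 12646 10.10.0.5 12646 mpls No up 0:00:54:23 0
"""
SAMPLE_HISTORY = """\
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls connect DCONFAIL NOERR 4229 2023-04-26T14:39:02+0200
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls connect DCONFAIL NOERR 1817 2023-04-26T14:36:09+0200
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls connect DCONFAIL NOERR 1009 2023-04-26T14:33:17+0200
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls connect DCONFAIL NOERR 5828 2023-04-26T14:31:39+0200
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls connect DCONFAIL NOERR 5024 2023-04-26T14:22:23+0200
vmanage dtls 10.200.1.10 700 0 10.10.0.5 12646 10.10.0.5 12646 mpls up RXTRDWN VP_TMO 0 2023-04-22T15:07:41+0200
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls tear_down VB_TMO NOERR 0 2023-04-22T15:07:40+0200
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls challenge_resp RXTRDWN SERNTPRES 7 2023-04-22T01:06:36+0200
vbond dtls 0.0.0.0 0 0 10.10.0.3 12346 10.10.0.3 12346 mpls challenge_resp RXTRDWN BIDNTVRFD 37 2023-04-22T01:00:09+0200
"""


def parse_rows(text, columns):
    """Return one dict per data row.

    Prompt, header and separator lines are skipped by requiring a known
    peer type in the first column and exactly len(columns) tokens.
    """
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != len(columns) or tokens[0] not in PEER_TYPES:
            continue
        rows.append(dict(zip(columns, tokens)))
    return rows


def missing_controllers(connection_rows, expected=("vbond", "vmanage", "vsmart")):
    """Controller types (assumed set) with no session in state 'up'."""
    up = {r["peer_type"] for r in connection_rows if r["state"] == "up"}
    return sorted(set(expected) - up)


def error_summary(history_rows):
    """Map (peer_type, local_error, remote_error) -> (rows, summed repeat count).

    The remote error is kept because RXTRDWN on the local side only says a
    teardown was received; the peer's reason (e.g. SERNTPRES) is the useful part.
    """
    summary = defaultdict(lambda: [0, 0])
    for r in history_rows:
        key = (r["peer_type"], r["local_error"], r["remote_error"])
        summary[key][0] += 1
        summary[key][1] += int(r["repeat_count"])
    return {k: tuple(v) for k, v in summary.items()}


def report(connections_text, history_text):
    """Combine both parsers into one result dict."""
    conns = parse_rows(connections_text, CONNECTIONS_COLS)
    hist = parse_rows(history_text, HISTORY_COLS)
    return {
        "up_sessions": len(conns),
        "missing": missing_controllers(conns),
        "errors": error_summary(hist),
    }


if __name__ == "__main__":
    result = report(SAMPLE_CONNECTIONS, SAMPLE_HISTORY)
    print("missing controller sessions:", result["missing"])
    for key, (rows, repeats) in sorted(result["errors"].items(), key=lambda kv: -kv[1][1]):
        print(f"{key[0]:8} {key[1]:9} {key[2]:10} rows={rows} repeat={repeats}")
```

On the thread's output this prints `['vsmart']` as the missing controller and puts the vBond DCONFAIL rows (five entries, 17907 repeats in total) at the top of the tally, with the older SERNTPRES and BIDNTVRFD teardowns from the certificate/serial phase listed below them.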
04-27-2023 04:16 AM
I've pushed the serial files several times to the controllers.
Control connection history brings no new output, actually.
Ping to the vSmarts is OK....
Any other idea?
04-27-2023 04:48 AM
What does "show sdwan valid-vsmart" show on the vEdge devices? Does the device know about the vSmarts?
04-27-2023 05:43 AM
04-27-2023 01:47 PM
So,
vEdge does not know about the vSmarts.
Does vBond know them? Share show orchestrator control-connections from vBond and show control connections from vSmart.