
DTLS Connection Failure (DCONFAIL) when you have two isp

dijix1990
VIP Alumni

Hi, can you share your experience when you bump into the error DCONFAIL? I suppose that my error is connected with the provider's firewall, but I have two ISPs and it's too difficult to troubleshoot one of them; for example, when I try to use tracert with a source, I can see that the trace goes via both channels.

My devices are ISR4331/C8200.

9 Replies

Hi,

Here, design matters.

You say you have two ISPs; do you use PI addresses (your own scope) or PA addresses from one of or both ISPs?

The firewall is connected to the ISPs and the router is behind the firewall, right?

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

I have PA addresses, and one of the ISPs has a Checkpoint FW (I learned about it the first time I bumped into a problem like this; the ISP said they had a problem on their Checkpoint after changing from Palo Alto). Every time, the ISP asks us to show them:

Ping to the GW, trace to Google, telnet to the TCP port of the problem IP address, etc. For a legacy environment it's easy, just add a new /32 IP route to the testing host; for an SD-WAN environment it's a little inconvenient.

Did you open the DTLS port in the FW?

MHM

It's not my FW.

Check this link:

https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/214509-troubleshoot-control-connections.html

And I think you need to open the SD-WAN ports in the FW; ask the admin to do that.

MHM

Of course I saw this guide, but when you have several channels it's not appropriate to troubleshoot by the guide. It's the ISP's FW, and they asked me to try using telnet to the port, traceroute, etc. When I do telnet with a source interface (second ISP), I can see that part of the traffic goes via the first ISP because of the default GW, and the same thing happens for traceroute with a source interface. So, to do the test properly, I need to disable the first ISP and then run tests like telnet, ping, etc. It's not convenient, and I was thinking maybe I can do the tests without disabling the first ISP.

ivances
Level 1

Hi dijix1990,

Try this one: traceroute [IP OF SD-WAN CONTROLLER] egress [INTERFACE OF THE ISP YOU WANT TO TEST] next-hop [IP OF YOUR NEXT HOP VIA THAT ISP]

For example: traceroute 123.123.123.123 egress Gi1 next-hop 52.34.2.1

With the egress + next-hop options, you can bypass the routing table, disabling the ECMP on the global routing table.

Hi, yes, it works! Thanks.

Perfect! Please remember to vote my comment as useful.