IOS-XE SDWAN - BIDNTVRFD (Peer Board ID Cert not verified.)

rudimocnik · ‎10-25-2019

Hi

I have an ASR 1002-HX running 16.10.3a SDWAN image. The certificates are issued by my CA and I've installed the root certificate onto the ASR with this command

request platform software sdwan root-cert-chain install bootflash:ca.crt

the configuration has also been done manually.

Everything seems ok on the ASR side but the vBond would fail to authenticate the ASR Board ID Cert. Note the screenshot below (or the screenshot attached):

PEER     PEER     PEER             SITE        DOMAIN PEER             PRIVATE  PEER             PUBLIC                                   LOCAL      REMOTE     REPEAT               
TYPE     PROTOCOL SYSTEM IP        ID          ID     PRIVATE IP       PORT     PUBLIC IP        PORT    LOCAL COLOR      STATE           ERROR      ERROR      COUNT DOWNTIME       
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond    dtls     -                0           0      10.229.4.43      12346    10.229.4.43      12346   private1         challenge_resp  RXTRDWN    BIDNTVRFD  6     2019-10-25T13:58:28+0000
vbond    dtls     -                0           0      10.229.4.43      12346    10.229.4.43      12346   private1         connect         DCONFAIL   NOERR      1     2019-10-25T13:53:05+0000
vbond    dtls     -                0           0      10.229.4.43      12346    10.229.4.43      12346   private1         tear_down       DISTLOC    NOERR      0     2019-10-25T13:52:33+0000

Note this is the Serial and SUDI (Cert serial) of the ASR

SlotID   PID                    SN                      UDI
--------------------------------------------------------------------------------
*        ASR1002-HX            JAE202107PG     ASR1002-HX:JAE202107PG

ASR1002_HX-1#show crypto pki certificates CISCO_IDEVID_SUDI
Certificate
  Status: Available
  Certificate Serial Number (hex): 00DBFCD6
  Certificate Usage: General Purpose
  Issuer: 
    cn=ACT2 SUDI CA
    o=Cisco
  Subject:
    Name: ASR1002-HX
    Serial Number: PID:ASR1002-HX SN:JAE202107PG
    cn=ASR1002-HX
    ou=ACT-2 Lite SUDI
    o=Cisco
    serialNumber=PID:ASR1002-HX SN:JAE202107PG
  Validity Date: 
    start date: 03:46:34 UTC Jun 10 2016
    end   date: 03:46:34 UTC Jun 10 2026
  Associated Trustpoints: CISCO_IDEVID_SUDI

The numbers marked in red above have been used to provision PnP and where pushed to controllers via vManage. See vBond output bellow.

vbond# show orchestrator valid-vedges

CHASSIS NUMBER                        SERIAL NUMBER                     VALIDITY  ORG  
---------------------------------------------------------------------------------------
AE5DCE9E-99F8-6811-4E1E-A7B5C1D43231  36ff53c80e74bf107f2f1ec95099f1b8  valid     SRC  
AEACAC9D-B733-4123-ACD8-8CCCC43702E7  a16de99334f89c6577898597ee4fd570  valid     SRC  
ASR1002-HX-JAE202107PG                00DBFCD6                          valid     SRC  
ASR1002-HX-JAE22340EL4                JAE22340EL4                       valid     SRC

The above is the output from the vBond as a proof that it indeed knows the ASR that is trying to authenticate. Am I using the wrong numbers? I've read that SUDI and Chassis numbers are not always as in my case.

Any ideas?

Rud

rudimocnik · ‎10-28-2019

Ok so I found the solution. This is very strange.

check these two outputs:

ASR1002_HX-1#sh sdwan control local-properties             
personality                  vedge
sp-organization-name         SRC
organization-name            SRC
certificate-status           Installed
root-ca-chain-status         Installed

certificate-validity         Valid
certificate-not-valid-before Jun 10 03:46:34 2016 GMT
certificate-not-valid-after  Jun 10 03:46:34 2026 GMT

dns-name                     10.229.4.43
site-id                      1
domain-id                    1
protocol                     dtls
tls-port                     0
system-ip                    10.255.255.10
chassis-num/unique-id        ASR1002-HX-JAE202107PG
serial-num                   DBFCD6
keygen-interval              1:00:00:00
retry-interval               0:00:00:17
no-activity-exp-interval     0:00:00:12
dns-cache-ttl                0:00:02:00
port-hopped                  FALSE
time-since-last-port-hop     0:00:00:00
number-vbond-peers           1

ASR1002_HX-1#show crypto pki certificates CISCO_IDEVID_SUDI
Certificate
  Status: Available
  Certificate Serial Number (hex): 00DBFCD6
  Certificate Usage: General Purpose
  Issuer: 
    cn=ACT2 SUDI CA
    o=Cisco
  Subject:
    Name: ASR1002-HX
    Serial Number: PID:ASR1002-HX SN:JAE202107PG
    cn=ASR1002-HX
    ou=ACT-2 Lite SUDI
    o=Cisco
    serialNumber=PID:ASR1002-HX SN:JAE202107PG
  Validity Date: 
    start date: 03:46:34 UTC Jun 10 2016
    end   date: 03:46:34 UTC Jun 10 2026
  Associated Trustpoints: CISCO_IDEVID_SUDI

I believe the two Serial numbers should be the SAME. The license file I uploaded to the vManage had the 00DBFCD6 certificate serial number as per instructions in here. However that number lead me to the control connection error described above. When I check the local-properties there was this very similar number but was missing the leading two zeros. So I fixed the information on the PnP portal and reinstalled the license file to the vManage with the DBFCD6. This time the ASR successfully built control connections and joined the overlay.

Hopefully Cisco can elaborate on this.

I have another ASR with leading zeros in the certificate that I will try to join tomorrow. However on this one there is no discrepancy in the serial number shown in the two commands. Hence both have the leading zeros in them.

ASR1002_HX-2#sh sdwan control local-properties             
personality                  vedge
sp-organization-name          
organization-name             
certificate-status           Installed
root-ca-chain-status         Installed

certificate-validity         Valid
certificate-not-valid-before Aug 28 07:30:08 2018 GMT
certificate-not-valid-after  May 14 20:25:41 2029 GMT

dns-name                     
site-id                      0
domain-id                    1
protocol                     dtls
tls-port                     0
system-ip                    0.0.0.0
chassis-num/unique-id        ASR1002-HX-JAE22340EL4
serial-num                   02EE2DAF
keygen-interval              1:00:00:00
retry-interval               0:00:00:18
no-activity-exp-interval     0:00:00:12
dns-cache-ttl                0:00:02:00
port-hopped                  FALSE
time-since-last-port-hop     0:00:00:00
number-vbond-peers           0
number-active-wan-interfaces 0

ASR1002_HX-2#show crypto pki certificates CISCO_IDEVID_SUDI
Certificate
  Status: Available
  Certificate Serial Number (hex): 02EE2DAF
  Certificate Usage: General Purpose
  Issuer: 
    cn=ACT2 SUDI CA
    o=Cisco
  Subject:
    Name: ASR1002-HX
    Serial Number: PID:ASR1002-HX SN:JAE22340EL4
    cn=ASR1002-HX
    ou=ACT-2 Lite SUDI
    o=Cisco
    serialNumber=PID:ASR1002-HX SN:JAE22340EL4
  Validity Date: 
    start date: 07:30:08 UTC Aug 28 2018
    end   date: 20:25:41 UTC May 14 2029
  Associated Trustpoints: CISCO_IDEVID_SUDI

Alan_4 · ‎12-29-2019

your reply saved me alot of hassle, appreciate it!

hsood · ‎01-06-2020

Hi Rud,

Cisco is already aware of the issue and glad you were able to figure it out.

Just for everybody's reference :

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq45302

Please mark this post as closed.

Regards,

Hitesh Sood