It's Possible To Disable TLS in vManage or Controllers

ADC Lane
Level 1

Hi Team, 

By default, SD-WAN devices use DTLS to encrypt packets (vEdge, vManage, vSmart, vBond). So if I use DTLS, can TLS be disabled, or is TLS still available? And I wonder whether there is any way to disable TLS if I want to?

Thank you in advance!

4 Replies

Hi,

Control connections to vBond (from vSmart/vManage/cEdge) are always DTLS based. vBond does not support TLS.

Based on the configuration of vSmart and vManage, control connections from cEdge to them, and between each other, can be DTLS or TLS. In the configuration it is either DTLS or TLS; there is no "both" option. But if one device is DTLS and the other device is TLS, then TLS is chosen between them.

This section of the CVD describes it in detail:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#ControlConnections

To disable TLS, just configure all vSmart and vManage devices to use DTLS under the security configuration (template or CLI).

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
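As an added illustration of the step described in the reply above (this is not part of the poster's answer), here is the CLI form of that security setting on a controller, followed by the show command used to confirm which transport each control connection actually negotiated. The hostname is constructed; the `security control protocol` knob and `show control connections` are the Viptela CLI commands.

```text
! On each vSmart and vManage (constructed hostname "vsmart1"), select DTLS for control connections.
! The knob is exclusive: "protocol tls" selects TLS instead; there is no "both" option.
vsmart1# config
vsmart1(config)# security
vsmart1(config-security)# control
vsmart1(config-control)# protocol dtls
vsmart1(config-control)# commit and-quit

! Verify the negotiated transport per peer. In the PROTOCOL column every peer should read dtls
! once all vSmart and vManage devices carry the setting above; vBond peers are always dtls.
! A peer still listed as tls is a vSmart or vManage that has not been changed yet.
vsmart1# show control connections
```

Apply the same setting (or the equivalent feature-template field) on every vSmart and vManage, since a single controller left on TLS will pull its peers onto TLS.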

ADC Lane
Level 1

Hi @Kanan Huseynli,

By default vSmart and vManage use DTLS. If I don't change DTLS to TLS, they will use DTLS and TLS is disabled, is that right?

If that's right, why is TLS still open when I show the open ports in vManage? I am confused ....

[Screenshot: open ports on vManage]

Hi,

The reason is that vSmart can be configured for TLS; then the security protocol between vSmart and vManage will be TLS (even though DTLS is configured on vManage). Thus, vManage needs to open the respective ports in the daemon.

I don't see any option to (totally) disable TLS or DTLS at the OS level. If you have security concerns, block those ports at the firewall level.

Below are the ports used by SD-WAN elements:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#FirewallPortConsiderations

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

ADC Lane
Level 1

@Kanan Huseynli Thank you so much! I appreciate it!