physical interfaces cannot be used as tunnel interfaces - Cisco SD-WAN

Hello, 

I have a problem with tunnel interface, I cannot use the physical interface, and if I configure it, the tunnel will not work. 
While if I use Loopback, the tunnel works! Whether it is for data or control.



cEdge - Cisco Catalyst 8300 and 8200

Thanks,


Torbjørn

Can you post the configuration for using the physical interface?

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Hi Torbjørn,

interface Tunnel1
 ip unnumbered TenGigabitEthernet0/1/0
 tunnel source TenGigabitEthernet0/1/0
 tunnel mode sdwan

sdwan
 interface TenGigabitEthernet0/1/0
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
   allow-service all
   allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   allow-service sshd
   no allow-service netconf
   no allow-service ntp
   allow-service ospf
   no allow-service stun
   allow-service https
   no allow-service snmp
   no allow-service bfd

Loopback as tunnel 

interface Tunnel1
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel mode sdwan

sdwan
 interface Loopback0
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
   allow-service all
   allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   allow-service sshd
   no allow-service netconf
   no allow-service ntp
   allow-service ospf
   no allow-service stun
   allow-service https
   no allow-service snmp
   no allow-service bfd

IP unnumbered same as tunnel source? I haven't run a tunnel with the same config before, but I don't think this will work.

Add an IP to the tunnel, any IP, and check.

MHM

Hi, 

Can you explain more, please?

Thanks, 

How many layers are there in SD-WAN? Two: underlying and overlaying.

By using tunnel IP unnumbered the same as the tunnel source, how can the router know which layer this traffic is for?

MHM

Hi,

show run interface te0/1/0

show sdwan control local-properties

show sdwan control connections

 

Share the above outputs when the tunnel is configured for the physical interface.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Hi Kanan

KM4-cEdge02#show run interface TenGigabitEthernet 0/1/0
Building configuration...

Current configuration : 254 bytes
!
interface TenGigabitEthernet0/1/0
description MPLS Interface
ip address 192.168.103.101 255.255.255.252
no ip redirects
ip ospf network point-to-point
ip ospf mtu-ignore
ip ospf 1 area 0
load-interval 30
negotiation auto
arp timeout 1200
end

!

KM4-cEdge02#show sdwan control local-properties
personality vedge
sp-organization-name LITC
organization-name LITC
root-ca-chain-status Installed
root-ca-crl-status Not-Installed

certificate-status Installed
certificate-validity Valid
certificate-not-valid-before Jan 19 10:16:06 2024 GMT
certificate-not-valid-after Aug 9 20:58:26 2099 GMT

enterprise-cert-status Not Applicable
enterprise-cert-validity Not Applicable
enterprise-cert-not-valid-before Not Applicable
enterprise-cert-not-valid-after Not Applicable

dns-name 10.251.1.232
site-id 16
domain-id 1
protocol dtls
tls-port 0
system-ip 10.0.0.101
enterprise-serial-num No certificate installed
token -NA-
keygen-interval 1:00:00:00
retry-interval 0:00:00:19
no-activity-exp-interval 0:00:00:20
dns-cache-ttl 0:00:02:00
port-hopped TRUE
time-since-last-port-hop 0:00:00:07
embargo-check success
device-role edge-router
region-id-set N/A
number-vbond-peers 0
number-active-wan-interfaces 2


NAT TYPE: E -- indicates End-point independent mapping
A -- indicates Address-port dependent mapping
N -- indicates Not learned
Note: Requires minimum two vbonds to learn the NAT type

PUBLIC PUBLIC PRIVATE PRIVATE PRIVATE MAX RESTRICT/ LAST SPI TIME NAT VM
INTERFACE IPv4 PORT IPv4 IPv6 PORT VS/VM COLOR STATE CNTRL CONTROL/ LR/LB CONNECTION REMAINING TYPE CON REG
STUN PRF IDs
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Loopback1 192.168.102.201 12406 192.168.102.201 :: 12406 1/1 default up 2 no/yes/no No/No 0:00:00:11 0:08:59:26 N 5 Default
TenGigabitEthernet0/1/0 192.168.103.101 12426 192.168.103.101 :: 12426 0/0 mpls up 2 yes/yes/no No/No 0:00:00:12 0:05:24:28 N 5 Default
!
KM4-cEdge02#sh sdwan control connections
PEER PEER CONTROLLER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT ORGANIZATION LOCAL COLOR PROXY STATE UPTIME ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart dtls 10.0.0.3 16 1 10.251.1.231 13046 10.251.1.231 13046 LITC default No up 1:03:01:58 0
vbond dtls 0.0.0.0 0 0 10.251.1.232 12346 10.251.1.232 12346 LITC default - up 1:03:02:01 0
vmanage dtls 10.0.0.1 16 0 10.251.1.230 13046 10.251.1.230 13046 LITC default No up 1:03:01:20 0





using Loopback 

KM4-cEdge02#show sdwan bfd sessions
SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX
SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec UPTIME TRANSITIONS
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.0.0.103 17 up mpls mpls 192.168.102.101 192.168.102.103 12386 ipsec 7 1000 0:00:14:36 0
10.0.0.102 17 up mpls mpls 192.168.102.101 192.168.103.109 12406 ipsec 7 1000 0:00:14:32 0
10.0.0.102 17 up default default 192.168.102.201 192.168.102.202 12386 ipsec 7 1000 0:00:14:30 2
10.0.0.103 17 up default default 192.168.102.201 192.168.102.203 12426 ipsec 7 1000 0:06:53:32 2
10.0.0.105 18 up default default 192.168.102.201 192.168.102.205 12386 ipsec 7 1000 0:00:14:35 2
10.0.0.106 18 up default default 192.168.102.201 192.168.102.206 12346 ipsec 7 1000 0:00:14:36 0

 


KM4-cEdge02#show sdwan control connections
PEER PEER CONTROLLER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT ORGANIZATION LOCAL COLOR PROXY STATE UPTIME ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart dtls 10.0.0.3 16 1 10.251.1.231 13046 10.251.1.231 13046 LITC mpls No up 0:00:14:59 0
vsmart dtls 10.0.0.3 16 1 10.251.1.231 13046 10.251.1.231 13046 LITC default No up 1:03:18:55 0
vbond dtls 0.0.0.0 0 0 10.251.1.232 12346 10.251.1.232 12346 LITC mpls - up 0:00:15:01 0
vbond dtls 0.0.0.0 0 0 10.251.1.232 12346 10.251.1.232 12346 LITC default - up 1:03:18:58 0
vmanage dtls 10.0.0.1 16 0 10.251.1.230 13046 10.251.1.230 13046 LITC default No up 1:03:18:17 0

 

KM4-cEdge02#show sdwan control local-properties
personality vedge
sp-organization-name LITC
organization-name LITC
root-ca-chain-status Installed
root-ca-crl-status Not-Installed

certificate-status Installed
certificate-validity Valid
certificate-not-valid-before Jan 19 10:16:06 2024 GMT
certificate-not-valid-after Aug 9 20:58:26 2099 GMT

enterprise-cert-status Not Applicable
enterprise-cert-validity Not Applicable
enterprise-cert-not-valid-before Not Applicable
enterprise-cert-not-valid-after Not Applicable

dns-name 10.251.1.232
site-id 16
domain-id 1
protocol dtls
tls-port 0
system-ip 10.0.0.101
token -NA-
keygen-interval 1:00:00:00
retry-interval 0:00:00:19
no-activity-exp-interval 0:00:00:20
dns-cache-ttl 0:00:02:00
port-hopped TRUE
time-since-last-port-hop 0:00:15:30
embargo-check success
device-role edge-router
region-id-set N/A
number-vbond-peers 2

INDEX IP PORT
-----------------------------------------------------
0 10.251.1.232 12346
1 10.251.1.232 12346

number-active-wan-interfaces 2


NAT TYPE: E -- indicates End-point independent mapping
A -- indicates Address-port dependent mapping
N -- indicates Not learned
Note: Requires minimum two vbonds to learn the NAT type

PUBLIC PUBLIC PRIVATE PRIVATE PRIVATE MAX RESTRICT/ LAST SPI TIME NAT VM
INTERFACE IPv4 PORT IPv4 IPv6 PORT VS/VM COLOR STATE CNTRL CONTROL/ LR/LB CONNECTION REMAINING TYPE CON REG
STUN PRF IDs
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Loopback1 192.168.102.201 12406 192.168.102.201 :: 12406 1/1 default up 2 no/yes/no No/No 0:00:00:04 0:08:40:32 N 5 Default
Loopback0 192.168.102.101 12386 192.168.102.101 :: 12386 1/0 mpls up 2 yes/yes/no No/No 0:00:00:14 0:11:44:34 N 5 Default

Are you sure that your controllers have a route to this IP, 192.168.103.101? It looks like you have an underlay routing issue. Don't you have OSPF prefix-suppression in the configuration or the OSPF routing process?

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
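
The symptom visible in the outputs posted above, as an added example that is not part of any post in the thread: this Python sketch compares the WAN interface rows of `show sdwan control local-properties` with the rows of `show sdwan control connections` and reports every tunnel interface whose color has no control connection in state up. The function names are hypothetical, and the column positions and a space-free organization name are assumptions taken from the output shown in this thread.

```python
import re
from collections import Counter

# Rows copied from the thread's output for the physical-interface case.
LOCAL_PROPERTIES_ROWS = """\
Loopback1 192.168.102.201 12406 192.168.102.201 :: 12406 1/1 default up 2 no/yes/no No/No 0:00:00:11 0:08:59:26 N 5 Default
TenGigabitEthernet0/1/0 192.168.103.101 12426 192.168.103.101 :: 12426 0/0 mpls up 2 yes/yes/no No/No 0:00:00:12 0:05:24:28 N 5 Default
"""
CONTROL_CONNECTIONS_ROWS = """\
vsmart dtls 10.0.0.3 16 1 10.251.1.231 13046 10.251.1.231 13046 LITC default No up 1:03:01:58 0
vbond dtls 0.0.0.0 0 0 10.251.1.232 12346 10.251.1.232 12346 LITC default - up 1:03:02:01 0
vmanage dtls 10.0.0.1 16 0 10.251.1.230 13046 10.251.1.230 13046 LITC default No up 1:03:01:20 0
"""

PEER_TYPES = {"vsmart", "vbond", "vmanage"}
VS_VM = re.compile(r"^\d+/\d+$")

def wan_interfaces(text):
    """Yield (interface, private_ip, color, vsmart_count, vmanage_count) per WAN row."""
    for line in text.splitlines():
        f = line.split()
        # Data rows have 17 columns with VS/VM in column 7; headers and rulers do not.
        if len(f) == 17 and VS_VM.match(f[6]):
            vs, vm = map(int, f[6].split("/"))
            yield f[0], f[3], f[7], vs, vm

def up_peers_by_color(text):
    """Count control connections in state 'up' per local color."""
    counts = Counter()
    for line in text.splitlines():
        f = line.split()
        # Assumes the organization name has no spaces, so a row has 15 columns.
        if len(f) == 15 and f[0] in PEER_TYPES and f[12] == "up":
            counts[f[10]] += 1
    return counts

def tlocs_without_control(local_props, connections):
    """Return WAN interfaces whose color has no control connection in state up."""
    up = up_peers_by_color(connections)
    return [
        {"interface": name, "source_ip": ip, "color": color, "vs_vm": f"{vs}/{vm}"}
        for name, ip, color, vs, vm in wan_interfaces(local_props)
        if up[color] == 0
    ]

if __name__ == "__main__":
    for t in tlocs_without_control(LOCAL_PROPERTIES_ROWS, CONTROL_CONNECTIONS_ROWS):
        print(f"{t['interface']} color {t['color']} source {t['source_ip']}: no control connections up")
```

On the physical-interface output it flags TenGigabitEthernet0/1/0 (color mpls, source 192.168.103.101), the address whose reachability from the controllers the last reply asks about.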