reason for BIDNTVRFD - it is not clear what should be doing

imortada
Cisco Employee

R1835-sdwan-ib#sh sdwan control connection-history
Legend for Errors
ACSRREJ - Challenge rejected by peer. NOVMCFG - No cfg in vmanage for device.
BDSGVERFL - Board ID Signature Verify Failure. NOZTPEN - No/Bad chassis-number entry in ZTP.
BIDNTPR - Board ID not Initialized. OPERDOWN - Interface went oper down.
BIDNTVRFD - Peer Board ID Cert not verified. ORPTMO - Server's peer timed out.
BIDSIG - Board ID signing failure. RMGSPR - Remove Global saved peer.
CERTEXPRD - Certificate Expired RXTRDWN - Received Teardown.
CRTREJSER - Challenge response rejected by peer. RDSIGFBD - Read Signature from Board ID failed.
CRTVERFL - Fail to verify Peer Certificate. SERNTPRES - Serial Number not present.
CTORGNMMIS - Certificate Org name mismatch. SSLNFAIL - Failure to create new SSL context.
DCONFAIL - DTLS connection failure. STNMODETD - Teardown extra vBond in STUN server mode.
DEVALC - Device memory Alloc failures. SYSIPCHNG - System-IP changed.
DHSTMO - DTLS HandShake Timeout. SYSPRCH - System property changed
DISCVBD - Disconnect vBond after register reply. TMRALC - Timer Object Memory Failure.
DISTLOC - TLOC Disabled. TUNALC - Tunnel Object Memory Failure.
DUPCLHELO - Recd a Dup Client Hello, Reset Gl Peer. TXCHTOBD - Failed to send challenge to BoardID.
DUPSER - Duplicate Serial Number. UNMSGBDRG - Unknown Message type or Bad Register msg.
DUPSYSIPDEL- Duplicate System IP. UNAUTHEL - Recd Hello from Unauthenticated peer.
HAFAIL - SSL Handshake failure. VBDEST - vDaemon process terminated.
IP_TOS - Socket Options failure. VECRTREV - vEdge Certification revoked.
LISFD - Listener Socket FD Error. VSCRTREV - vSmart Certificate revoked.
MGRTBLCKD - Migration blocked. Wait for local TMO. VB_TMO - Peer vBond Timed out.
MEMALCFL - Memory Allocation Failure. VM_TMO - Peer vManage Timed out.
NOACTVB - No Active vBond found to connect. VP_TMO - Peer vEdge Timed out.
NOERR - No Error. VS_TMO - Peer vSmart Timed out.
NOSLPRCRT - Unable to get peer's certificate. XTVMTRDN - Teardown extra vManage.
NEWVBNOVMNG- New vBond with no vMng connections. XTVSTRDN - Teardown extra vSmart.
NTPRVMINT - Not preferred interface to vManage. STENTRY - Delete same tloc stale entry.
HWCERTREN - Hardware vEdge Enterprise Cert Renewed HWCERTREV - Hardware vEdge Enterprise Cert Revoked.
EMBARGOFAIL - Embargo check failed REGIDMIS - Region ID set mismatch.
REGIDCHG - Region ID config update CRTVERCRLFL - Fail to verify Peer Certificate Due to CRL.
RESTRQFAIL - Rest request failed. PSEV6DISC - Pseudo v6 interface disconnect.

                                                        PEER                    PEER
PEER  PEER      PEER       SITE  DOMAIN  PEER           PRIVATE  PEER           PUBLIC                                   LOCAL    REMOTE     REPEAT
TYPE  PROTOCOL  SYSTEM IP  ID    ID      PRIVATE IP     PORT     PUBLIC IP      PORT    LOCAL COLOR      STATE           ERROR    ERROR      COUNT   ORGANIZATION  DOWNTIME
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond dtls      0.0.0.0    0     0       172.27.167.86  12346    172.27.167.86  12346   public-internet  challenge_resp  RXTRDWN  BIDNTVRFD  158                   2023-04-11T19:32:56+0000


R1835-sdwan-ib#
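
Added example, not part of the original post and not Cisco tooling: a small Python parser for the connection-history output quoted above, which looks up the LOCAL ERROR and REMOTE ERROR codes in the legend and flags those whose description concerns device identity (certificate, Board ID, serial). The sample text is copied from the post; the function names, column names and keyword list are assumptions of this example.

```python
import re

# Constructed sample: four legend lines and the history row, copied from the post.
LEGEND = """\
BIDNTVRFD - Peer Board ID Cert not verified. ORPTMO - Server's peer timed out.
CERTEXPRD - Certificate Expired RXTRDWN - Received Teardown.
CRTVERFL - Fail to verify Peer Certificate. SERNTPRES - Serial Number not present.
DUPSYSIPDEL- Duplicate System IP. UNAUTHEL - Recd Hello from Unauthenticated peer.
"""
ROW = ("vbond dtls 0.0.0.0 0 0 172.27.167.86 12346 172.27.167.86 12346 "
       "public-internet challenge_resp RXTRDWN BIDNTVRFD 158 2023-04-11T19:32:56+0000")

# Fixed columns left of ORGANIZATION; the key names are this example's own.
COLS = ["peer_type", "protocol", "system_ip", "site_id", "domain_id",
        "private_ip", "private_port", "public_ip", "public_port",
        "local_color", "state", "local_error", "remote_error", "repeat_count"]
CODE = re.compile(r"\b([A-Z][A-Z0-9_]{3,})\s*-\s+")
# Assumed keyword list for identity failures (certificate, Board ID, serial).
IDENTITY = re.compile(r"cert|board id|serial|signature", re.I)

def parse_legend(text):
    """Split the two-entries-per-line legend into {code: description}."""
    hits = list(CODE.finditer(text))
    legend = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        legend[m.group(1)] = text[m.end():end].strip().rstrip(".")
    return legend

def parse_row(line):
    """Parse one history row; ORGANIZATION may be empty or contain spaces."""
    tok = line.split()
    if len(tok) < len(COLS) + 1:
        raise ValueError("row has too few fields")
    row = dict(zip(COLS, tok))
    row["repeat_count"] = int(row["repeat_count"])
    row["organization"] = " ".join(tok[len(COLS):-1])
    row["downtime"] = tok[-1]
    return row

def explain(row, legend):
    """Return (code, description, identity_related) for each error column."""
    out = {}
    for side in ("local_error", "remote_error"):
        desc = legend.get(row[side], "unknown code")
        out[side] = (row[side], desc, bool(IDENTITY.search(desc)))
    return out

if __name__ == "__main__":
    for side, info in explain(parse_row(ROW), parse_legend(LEGEND)).items():
        print(side, *info)
```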


svemulap@cisco.com
Cisco Employee
Typically, you see this issue when the serial number is not present on the controllers for a given device.
Then the control connection fails.

It can be verified with 'show controllers [valid-vsmarts | valid-vedges]' outputs.

https://community.cisco.com/t5/networking-knowledge-base/sd-wan-routers-troubleshoot-control-connections/ta-p/3813237
... covers this.

Also, check CCO Link @:
https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/214509-troubleshoot-control-connections.html

HTH

Verified all the info listed and it looks good. Not sure what could be the issue.

imortada
Cisco Employee

Hi,

On vBond, check the valid-vedge list with "show orchestrator valid-vedges". Do you see the chassis ID and serial in the list?

Try to re-push certificate list to controllers in controllers configuration>certificates>controllers section

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

imortada
Cisco Employee

I did all that, but it didn't help.

Hi,

What are the settings for hardware certificate authorization in vManage? What is the validity time for the router certificate, and does the time match on vBond?

HTH,

Yes, the clock is within a minute's difference. The certs are valid from April 6 2023 till April 5 2024.
Thx
Ibrahim

What are the settings for hardware certificate authorization in vManage?

HTH,

imortada
Cisco Employee

Can we meet now?

Here is the CA cert, which is the same on controllers and device.

No, it is 01-18 AM for me ), not a suitable time for a Webex call.

Where is the CA? Share screen for certification settings (from administration -> setting).

HTH,

Sorry man, didn’t know