03-03-2023 06:21 AM
Hi,
I onboarded a couple of edge routers, and some of them have not installed the root certificate, and control connections are not there for vSmart.
vEdge20# show control connections-history
Legend for Errors
ACSRREJ - Challenge rejected by peer. NOVMCFG - No cfg in vmanage for device.
BDSGVERFL - Board ID Signature Verify Failure. NOZTPEN - No/Bad chassis-number entry in ZTP.
BIDNTPR - Board ID not Initialized. OPERDOWN - Interface went oper down.
BIDNTVRFD - Peer Board ID Cert not verified. ORPTMO - Server's peer timed out.
BIDSIG - Board ID signing failure. RMGSPR - Remove Global saved peer.
CERTEXPRD - Certificate Expired RXTRDWN - Received Teardown.
CRTREJSER - Challenge response rejected by peer. RDSIGFBD - Read Signature from Board ID failed.
CRTVERFL - Fail to verify Peer Certificate. SERNTPRES - Serial Number not present.
CTORGNMMIS - Certificate Org name mismatch. SSLNFAIL - Failure to create new SSL context.
DCONFAIL - DTLS connection failure. STNMODETD - Teardown extra vBond in STUN server mode.
DEVALC - Device memory Alloc failures. SYSIPCHNG - System-IP changed.
DHSTMO - DTLS HandShake Timeout. SYSPRCH - System property changed
DISCVBD - Disconnect vBond after register reply. TMRALC - Timer Object Memory Failure.
DISTLOC - TLOC Disabled. TUNALC - Tunnel Object Memory Failure.
DUPCLHELO - Recd a Dup Client Hello, Reset Gl Peer. TXCHTOBD - Failed to send challenge to BoardID.
DUPSER - Duplicate Serial Number. UNMSGBDRG - Unknown Message type or Bad Register msg.
DUPSYSIPDEL- Duplicate System IP. UNAUTHEL - Recd Hello from Unauthenticated peer.
HAFAIL - SSL Handshake failure. VBDEST - vDaemon process terminated.
IP_TOS - Socket Options failure. VECRTREV - vEdge Certification revoked.
LISFD - Listener Socket FD Error. VSCRTREV - vSmart Certificate revoked.
MGRTBLCKD - Migration blocked. Wait for local TMO. VB_TMO - Peer vBond Timed out.
MEMALCFL - Memory Allocation Failure. VM_TMO - Peer vManage Timed out.
NOACTVB - No Active vBond found to connect. VP_TMO - Peer vEdge Timed out.
NOERR - No Error. VS_TMO - Peer vSmart Timed out.
NOSLPRCRT - Unable to get peer's certificate. XTVMTRDN - Teardown extra vManage.
NEWVBNOVMNG- New vBond with no vMng connections. XTVSTRDN - Teardown extra vSmart.
NTPRVMINT - Not preferred interface to vManage. STENTRY - Delete same tloc stale entry.
HWCERTREN - Hardware vEdge Enterprise Cert Renewed HWCERTREV - Hardware vEdge Enterprise Cert Revoked.
EMBARGOFAIL - Embargo check failed
PEER PEER
PEER PEER PEER SITE DOMAIN PEER PRIVATE PEER PUBLIC LOCAL REMOTE REPEAT
TYPE PROTOCOL SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR STATE ERROR ERROR COUNT ORGANIZATION DOWNTIME
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond dtls 0.0.0.0 0 0 192.168.50.106 12346 192.168.50.106 12346 biz-internet up RXTRDWN VECRTREV 0 2023-03-03T13:15:55+0000
vmanage dtls 100.1.1.104 1 0 192.168.50.104 13046 192.168.50.104 13046 biz-internet up RXTRDWN VECRTREV 0 2023-03-03T13:15:55+0000
(END)
vEdge20# show control connections
PEER PEER CONTROLLER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT ORGANIZATION LOCAL COLOR PROXY STATE UPTIME ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond dtls 0.0.0.0 0 0 192.168.50.106 12346 192.168.50.106 12346 viptela sdwan biz-internet - up 0:00:55:34 0
vmanage dtls 100.1.1.104 1 0 192.168.50.104 13046 192.168.50.104 13046 viptela sdwan biz-internet No up 0:00:55:33 0
vEdge20#
vEdge20# show certificate installed
Installed device certificates
-----------------------------
vEdge20#
vEdge20# show control local-properties
personality vedge
sp-organization-name viptela sdwan
organization-name viptela sdwan
root-ca-chain-status Installed
certificate-status Not-Installed
certificate-validity Not Applicable
certificate-not-valid-before Not Applicable
certificate-not-valid-after Not Applicable
dns-name 192.168.50.106
site-id 20
domain-id 1
protocol dtls
tls-port 0
system-ip 118.1.20.20
chassis-num/unique-id 1dc0b5cb-aab8-6b33-0883-ec603bc62c48
serial-num No certificate installed
subject-serial-num N/A
token 0aa3861aba644e5ba5486147e0bf1078
keygen-interval 1:00:00:00
retry-interval 0:00:00:15
no-activity-exp-interval 0:00:00:20
dns-cache-ttl 0:00:02:00
port-hopped TRUE
time-since-last-port-hop 0:01:09:50
pairwise-keying Disabled
embargo-check success
cdb-locked false
number-vbond-peers 1
INDEX IP PORT
-----------------------------------------------------
0 192.168.50.106 12346
number-active-wan-interfaces 2
NAT TYPE: E -- indicates End-point independent mapping
A -- indicates Address-port dependent mapping
N -- indicates Not learned
Note: Requires minimum two vbonds to learn the NAT type
RESTRICT/ LAST VM
PUBLIC PUBLIC PRIVATE PRIVATE PRIVATE MAX CONTROL/ LAST SPI TIME NAT CON
INTERFACE IPv4 PORT IPv4 IPv6 PORT VS/VM COLOR STATE CNTRL STUN LR/LB CONNECTION REMAINING TYPE PRF
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ge0/0 0.0.0.0 0 0.0.0.0 :: 0 0/0 default down 2 no/yes/no No/No 0:01:51:47 0:10:08:12 N 5
ge0/1 118.1.2.1 12366 118.1.2.1 :: 12366 0/1 biz-internet up 2 no/yes/no No/No 0:00:00:09 0:10:52:29 N 5
(END)
vEdge20# show certificate signing-request
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
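A small triage helper, added here as an example and not a Cisco tool or part of the original post: it parses constructed rows modelled on the "show control connections-history" and "show control local-properties" output above, maps the LOCAL/REMOTE ERROR columns to the certificate-related codes from the legend, and states whether the device's own certificate-status explains the teardown. The sample lines and the CERT_ERRORS subset are assumptions taken from the legend, not a complete list.

```python
"""Correlate vEdge control-connection teardown errors with local certificate state.
Sample input is constructed from the thread's output; this is not a Cisco utility."""
import re

# Subset of the 'Legend for Errors' codes that point at a device/peer certificate problem.
CERT_ERRORS = {
    "VECRTREV": "vEdge Certification revoked",
    "VSCRTREV": "vSmart Certificate revoked",
    "CRTVERFL": "Fail to verify Peer Certificate",
    "CERTEXPRD": "Certificate Expired",
    "NOSLPRCRT": "Unable to get peer's certificate",
    "BIDNTVRFD": "Peer Board ID Cert not verified",
}

# Constructed rows in the column order of 'show control connections-history'.
HISTORY = """\
vbond   dtls 0.0.0.0     0 0 192.168.50.106 12346 192.168.50.106 12346 biz-internet up RXTRDWN VECRTREV 0 2023-03-03T13:15:55+0000
vmanage dtls 100.1.1.104 1 0 192.168.50.104 13046 192.168.50.104 13046 biz-internet up RXTRDWN VECRTREV 0 2023-03-03T13:15:55+0000
"""
# Constructed excerpt of 'show control local-properties'.
LOCAL_PROPERTIES = """\
root-ca-chain-status     Installed
certificate-status       Not-Installed
serial-num               No certificate installed
"""

def parse_history(text):
    """Yield (peer_type, local_error, remote_error). Index from the left because the
    trailing ORGANIZATION column may contain spaces (e.g. 'viptela sdwan')."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 14 and f[1] in ("dtls", "tls"):
            yield f[0], f[11], f[12]

def parse_properties(text):
    """Turn 'key   value' lines into a dict; values may contain spaces."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(.+)", line.strip())
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def triage(history, props):
    """Return (peer, code, legend text, likely cause) for every certificate-class error."""
    findings = []
    for peer, local_err, remote_err in parse_history(history):
        for code in (local_err, remote_err):
            if code in CERT_ERRORS:
                cause = ("device certificate-status is Not-Installed"
                         if props.get("certificate-status") == "Not-Installed"
                         else "local cert present; check controller-side certificate/serial state")
                findings.append((peer, code, CERT_ERRORS[code], cause))
    return findings
```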
03-07-2023 03:18 PM
Hi,
What option do you use for the virtual device - router certification? It shows that the CSR is generated, but the cert is not installed.
Regards,