11-22-2023 11:07 AM
We have the following scenario:
- I have published all my SD-WAN controllers to the public with 1:1 NAT for each controller and placed them in the DMZ zone.
- I have 2 routers for testing; each router has a 4G modem connected to it (normal internet with a shared public IP address). These routers were able to form control connections with the SD-WAN controllers using the public internet TLOC.
- The testing routers were able to form a tunnel between each other with no issue, testing with VRF 1 (VPN 1) as a service VPN to see traffic going between them.
- I have a router in the datacenter behind a firewall (the same firewall that has the controllers connected to it), and I have two public ISPs connected to the firewall for internet connectivity. I have done the routing to establish an internet connection for this router, but I failed to establish a control connection with the controllers for some reason that I don't know.
- But I have some spare public IP addresses, did some 1:1 NATting for that router and was able to establish the control connection.
- The only issue remaining is that the public internet tunnel is not coming up. I have done everything on the firewall and allowed any/any from WAN to the router connection, but with no luck.
Firewall: SonicWall
Is there something I am missing here, or is my design approach wrong for the datacenter router?
I have also done some testing: when I connect the router to a normal 4G internet modem, I am able to form the control connection and the tunnel comes up with no issue.
I have followed this guide by Cisco:
Option D.
11-22-2023 11:13 AM
I think you need to allow
IPsec UDP 50
IPsec UDP 450p
and the DTLS port
between vEdge and vSmart, vManage and vBond.
11-22-2023 11:23 AM
Already allowed everything on both ends.
11-22-2023 11:27 AM
What DTLS ports did you allow?
11-22-2023 11:29 AM
On the firewall side, from DMZ to router I allowed all services and vice versa; from router to WAN I allowed everything and vice versa, which is a security risk, but for testing purposes I did it to check.
11-22-2023 11:38 AM
OK, do you use the hostname or the IP of vBond and vManage?
It can be an issue of DNS.
11-22-2023 11:42 AM
We are using the hostname, but we have the hostname resolve to both the private and public IP address of vBond (as per the Cisco document), as we have another MPLS TLOC.
11-22-2023 12:13 PM
Hi,
so, all controllers and that problematic router are behind the same firewall, right?
Can you post the NAT configuration for all of them?
And what vBond IP did you put in the device configuration, private or public (if DNS based, what does the hostname resolve to)?
11-24-2023 04:19 AM
Yes, all behind the same firewall.
Yes, I already have 1:1 NAT for each controller and am doing hairpin NAT for communication between vManage, vSmart and vBond.
The issue is with the router that is connected to the firewall itself: the internet tunnel is not coming up for some reason.
11-24-2023 12:13 PM - edited 11-24-2023 12:19 PM
Do you have NAT hairpinning for the router to the controllers? vBond must see the public IP of the router if it exists.
source router_private, destination vbond_public
NAT
source router_public, destination vbond_private
It can be through PAT also, but then there will not be a data-plane tunnel if there is a remote site with PAT also. For DC/HQ routers, basically 1:1 through the firewall is needed.
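As an added illustration (not code from the thread or from Cisco), a small Python model of the hairpin translation and the 1:1-versus-PAT rule described above. The addresses are constructed documentation-range values and the table/function names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# Constructed 1:1 static NAT table (private -> public). These are documentation
# ranges chosen for the example, not the poster's real addresses.
ONE_TO_ONE = {
    "10.0.0.10": "203.0.113.10",  # vBond
    "10.0.0.11": "203.0.113.11",  # vManage
    "10.0.0.12": "203.0.113.12",  # vSmart
    "10.0.1.1": "203.0.113.21",   # DC router's internet TLOC
}
PUBLIC_TO_PRIVATE = {pub: priv for priv, pub in ONE_TO_ONE.items()}

def firewall_translate(pkt: Packet, hairpin: bool = True) -> Optional[Packet]:
    """Model what the firewall does to an inside-sourced packet.

    Returns the packet as the destination host sees it, or None when the
    firewall cannot forward it (hairpin disabled and the destination is one
    of the firewall's own public addresses).
    """
    if pkt.src not in ONE_TO_ONE:
        return pkt                      # not an inside host we model; untouched
    public_src = ONE_TO_ONE[pkt.src]    # ordinary outbound 1:1 source NAT
    if pkt.dst in PUBLIC_TO_PRIVATE:    # inside -> our own public IP: hairpin case
        if not hairpin:
            return None
        # Both directions translated, as in the post: traffic from router_private
        # to vbond_public arrives at vbond_private sourced from router_public.
        return Packet(src=public_src, dst=PUBLIC_TO_PRIVATE[pkt.dst])
    return Packet(src=public_src, dst=pkt.dst)

def vbond_sees_router_public(router_private: str, hairpin: bool = True) -> bool:
    """True when vBond learns the router's public TLOC address, as the post requires."""
    seen = firewall_translate(Packet(router_private, ONE_TO_ONE["10.0.0.10"]), hairpin)
    return seen is not None and seen.src == ONE_TO_ONE[router_private]

def dataplane_possible(nat_site_a: str, nat_site_b: str) -> bool:
    """Each side is 'static' (1:1) or 'pat'. PAT on both ends blocks the tunnel,
    which is the post's reason for giving DC/HQ routers 1:1 through the firewall."""
    return not (nat_site_a == "pat" and nat_site_b == "pat")
```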
11-25-2023 02:00 AM
Already done the 1:1 NAT from the router to vBond and the other controllers, and that's the only way the control plane was established.
The thing is, the data-plane tunnel won't come up for some reason beyond me.
Anyway, we are planning to move to the cloud soon, so I think that might resolve the issue.
11-25-2023 02:17 AM
Can you share "show sdwan control connections" from that router?
And also, on vSmart:
show control connections | inc [router_system_IP]
show omp tlocs | inc [router_system_IP]
11-23-2023 10:47 AM
After a long search for how we can solve this, I have some updates for you:
1- The FW must have two DMZs: one with vBond and the other with vSmart and vManage.
2- vBond uses the public IP of vSmart and vManage (we NAT the public IP to the private IP of vSmart and vManage).
3- vBond learns both the private and public IP of vSmart and vManage.
4- The edge points to the vBond FQDN, which resolves to both the public and private IP.
5- The edge connects to the vSmart and vManage public IP via the internet.
The edge connects to the vSmart and vManage private IP via MPLS.
Hope this helps you with your issue.
MHM
11-24-2023 04:20 AM
Already done all of the above.
The only issue is with the tunnel itself between the datacenter router and the other testing routers.
The MPLS tunnel is up and running with no issues.
11-24-2023 06:38 AM
Is vBond connected to vSmart and vManage via the public or via the private IP?