SD-WAN router public internet tunnel won't establish behind firewall

We have the following scenario:

- I have published all my SD-WAN controllers to the public with 1:1 NAT for each controller and placed them in the DMZ zone.

- I have 2 routers for testing; each router has a 4G modem connected to it (normal internet with a shared public IP address). These routers were able to form control connections with the SD-WAN controllers using the public internet TLOC.

- The testing routers were able to form a tunnel between each other with no issue, and I tested using VRF 1 (VPN 1) as a service VPN to see traffic going between them.

- I have a router in the datacenter behind a firewall (the same firewall that the controllers are connected to), and I have two public ISPs connected to the firewall for internet connectivity. I have done the routing to establish an internet connection for this router, but I failed to establish control connections with the controllers for some reason that I don't know.

- But I have some spare public IP addresses, and after doing 1:1 NAT for that router I was able to establish control connections.

- The only issue remaining is that the public internet tunnel is not coming up. I have done everything on the firewall and allowed any/any from the WAN to the router connection, but with no luck.

Firewall: SonicWall

Is there something I am missing here, or is my design approach wrong for the datacenter router?

I have also done some testing: when I connect the router to a normal 4G internet modem, I am able to form control connections and the tunnel comes up with no issue.

I have followed this guide by Cisco:

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKRST-2559.pdf#xd_co_f=MzM1MmViZjgtZmYzMC00YTIxLWIyNTMtZGMzMjE5MTZlZWE4~

Option D. 


I think you need to allow

IPsec UDP 50

IPsec UDP 4500

and the DTLS port

between vEdge and vSmart, vManage, vBond.

Already allowed everything on both ends.

What DTLS ports did you allow?

On the firewall side, from DMZ to router I allowed all services and vice versa; from router to WAN I allowed everything and vice versa, which is a security risk, but for testing purposes I did it to check.

OK, do you use the hostname or the IP of vBond and vManage?

It can be an issue of DNS.

We are using the hostname, but we have the hostname resolve to both the private and public IP address of vBond (as per the Cisco document), as we have another MPLS TLOC.

Hi,

So, all controllers and that problematic router are behind the same firewall, right?

Can you post the NAT configuration for all of them?

And what vBond IP did you put in the device configuration, private or public (if DNS-based, to which is the hostname resolved)?

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Yes, all on the same firewall.

Yes, I already have 1:1 NAT for each controller and am doing hairpin NAT for communication between vManage, vSmart and vBond.

The issue is with the router that is connected to the firewall itself; the internet tunnel is not coming up for some reason.

Do you have NAT hairpinning for router to controllers? vBond must see the public IP of the router if it exists.

source router_private, destination vbond_public
NAT
source router_public, destination vbond_private

It can be through PAT also, but then there will not be a dataplane tunnel if there is a remote site with PAT also. For DC/HQ routers, basically 1:1 through the firewall is needed.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Already done the 1:1 NAT from the router to vBond and the other controllers, and that's the only way the control plane was established.

The thing is, the dataplane tunnel won't come up for some reason beyond me.

Anyway, we are planning to move to the cloud soon, so I think that might resolve the issue.

Can you share the output of show sdwan control connections on that router?

And also, on vSmart:

show control connections | inc [router_system_IP]

show omp tlocs | inc [router_system_IP]

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

After a long search on how we can solve this, I have some updates for you:

1- The FW must have two DMZs, one with vBond and the other with vSmart and vManage.

2- vBond uses the public IP of vSmart and vManage (we NAT the public IP to the private IP of vSmart and vManage).

3- vBond learns both the private and public IP of vSmart and vManage.

4- The edge points to the vBond FQDN, which resolves to the public and private IP.

5- The edge connects to the vSmart and vManage public IP via internet.

The edge connects to the vSmart and vManage private IP via MPLS.

Hope this helps you with your issue.

MHM

Already done all of the above.

The only issue is with the tunnel itself between the datacenter router and the other testing routers.

The MPLS tunnel is up and running with no issues.

Is vBond connected to vSmart and vManage via the public or via the private IP?
