07-21-2022 10:42 AM
Unable to onboard the vEdge device. I installed the root CA and activated the chassis number, as per the output below.
vEdge2# show control local-properties
personality vedge
sp-organization-name viptela sdwan
organization-name viptela sdwan
root-ca-chain-status Installed
certificate-status Not-Installed
certificate-validity Not Applicable
certificate-not-valid-before Not Applicable
certificate-not-valid-after Not Applicable
dns-name 100.1.1.4
site-id 2
domain-id 1
protocol dtls
tls-port 0
system-ip 118.1.2.22
chassis-num/unique-id 74df5205-d5d1-d688-bdb2-3d3848f853c1
serial-num No certificate installed
subject-serial-num N/A
token 79df74ff8a7e42a5bf7f508f82cd296b
keygen-interval 1:00:00:00
retry-interval 0:00:00:18
no-activity-exp-interval 0:00:00:20
dns-cache-ttl 0:00:02:00
port-hopped TRUE
time-since-last-port-hop 0:01:18:57
pairwise-keying Disabled
embargo-check success
cdb-locked false
number-vbond-peers 1
INDEX IP PORT
-----------------------------------------------------
0 100.1.1.4 12346
number-active-wan-interfaces 2
NAT TYPE: E -- indicates End-point independent mapping
A -- indicates Address-port dependent mapping
N -- indicates Not learned
Note: Requires minimum two vbonds to learn the NAT type
RESTRICT/ LAST VM
PUBLIC PUBLIC PRIVATE PRIVATE PRIVATE MAX CONTROL/ LAST SPI TIME NAT CON
INTERFACE IPv4 PORT IPv4 IPv6 PORT VS/VM COLOR STATE CNTRL STUN LR/LB CONNECTION REMAINING TYPE PRF
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ge0/0 0.0.0.0 0 0.0.0.0 :: 0 0/0 default down 2 no/yes/no No/No 0:01:24:32 0:10:35:27 N 5
ge0/1 118.1.2.1 12366 118.1.2.1 :: 12366 0/0 biz-internet up 2 no/yes/no No/No 0:00:00:22 0:11:51:03 N 5
vEdge2# show certificate installed
Installed device certificates
-----------------------------
vEdge2# show certificate root-ca-cert ?
Possible completions:
| <cr>
vEdge2# show certificate root-ca-cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5325730668369230205 (0x49e8cbd3718d397d)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=IN, ST=KA, L=WH, O=viptela sdwan, OU=viptela sdwan, CN=RootCA/emailAddress=viptela@gmail.com
Validity
Not Before: Jul 21 16:28:00 2022 GMT
Not After : Jul 21 16:28:00 2032 GMT
Subject: C=IN, ST=KA, L=WH, O=viptela sdwan, OU=viptela sdwan, CN=RootCA/emailAddress=viptela@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
68:98:1E:5F:ED:FE:4F:AF:4D:73:8C:FD:17:01:30:0A:70:78:7D:56
X509v3 Key Usage:
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
Netscape Comment:
xca certificate
Signature Algorithm: sha256WithRSAEncryption
vEdge2#
vEdge2# sh run
system
host-name vEdge2
system-ip 118.1.2.22
site-id 2
admin-tech-on-failure
no route-consistency-check
organization-name "viptela sdwan"
vbond 100.1.1.4
aaa
auth-order local radius tacacs
usergroup basic
task system read write
task interface read write
!
usergroup netadmin
!
usergroup operator
task system read
task interface read
task policy read
task routing read
task security read
!
usergroup tenantadmin
!
user admin
password $6$HYGq1VGWzvQkyH1I$jY1rUg/tvWQQgF4zNoDs9nNqlFsFgS8WxVXUBIFRCH6CJE0H.pnNDheOVwD/WIilAYVrBIbrLtyN0TbnhiA730
!
user ciscotacro
description CiscoTACReadOnly
group operator
status enabled
!
user ciscotacrw
description CiscoTACReadWrite
group netadmin
status enabled
!
!
logging
disk
enable
!
!
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
security
ipsec
authentication-type ah-sha1-hmac sha1-hmac
!
!
vpn 0
interface ge0/0
ip dhcp-client
ipv6 dhcp-client
tunnel-interface
encapsulation ipsec
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
no allow-service sshd
no allow-service netconf
no allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
interface ge0/1
ip address 118.1.2.1/24
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
allow-service netconf
no allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
ip route 0.0.0.0/0 118.1.2.2
!
vpn 512
interface eth0
ip dhcp-client
ipv6 dhcp-client
no shutdown
!
!
(END)
07-22-2022 05:06 AM
Hi R Manjunatha,
Can you ping all the controllers? vBond, vSmart, vManage
Also, could you please share the following:
show control summary
show control connections
show control connections-history
show ip route vpn 0
Best regards,
07-25-2022 04:56 AM
Yes, I can ping all the controllers, as shown.
This is the vManage ping:
vEdge2# ping 100.1.1.2
Ping in VPN 0
PING 100.1.1.2 (100.1.1.2) 56(84) bytes of data.
64 bytes from 100.1.1.2: icmp_seq=1 ttl=62 time=21.1 ms
64 bytes from 100.1.1.2: icmp_seq=2 ttl=62 time=17.9 ms
64 bytes from 100.1.1.2: icmp_seq=3 ttl=62 time=14.0 ms
64 bytes from 100.1.1.2: icmp_seq=4 ttl=62 time=20.0 ms
^C
--- 100.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 14.019/18.268/21.101/2.702 ms
This is the vSmart ping:
vEdge2# ping 100.1.1.3
Ping in VPN 0
PING 100.1.1.3 (100.1.1.3) 56(84) bytes of data.
64 bytes from 100.1.1.3: icmp_seq=1 ttl=62 time=14.8 ms
64 bytes from 100.1.1.3: icmp_seq=2 ttl=62 time=20.5 ms
64 bytes from 100.1.1.3: icmp_seq=3 ttl=62 time=15.9 ms
64 bytes from 100.1.1.3: icmp_seq=4 ttl=62 time=22.9 ms
^C
--- 100.1.1.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 14.875/18.566/22.938/3.299 ms
This is the vBond ping:
vEdge2# ping 100.1.1.4
Ping in VPN 0
PING 100.1.1.4 (100.1.1.4) 56(84) bytes of data.
64 bytes from 100.1.1.4: icmp_seq=1 ttl=62 time=42.2 ms
64 bytes from 100.1.1.4: icmp_seq=2 ttl=62 time=26.1 ms
64 bytes from 100.1.1.4: icmp_seq=3 ttl=62 time=49.3 ms
64 bytes from 100.1.1.4: icmp_seq=4 ttl=62 time=45.3 ms
^C
--- 100.1.1.4 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 26.148/40.781/49.388/8.821 ms
vEdge2# show control summary
control summary 0
vbond_counts 0
vmanage_counts 0
vsmart_counts 0
valid_controller_counts 0
vEdge2# show control connections
vEdge2# show control connections-history
Legend for Errors
ACSRREJ - Challenge rejected by peer. NOVMCFG - No cfg in vmanage for device.
BDSGVERFL - Board ID Signature Verify Failure. NOZTPEN - No/Bad chassis-number entry in ZTP.
BIDNTPR - Board ID not Initialized. OPERDOWN - Interface went oper down.
BIDNTVRFD - Peer Board ID Cert not verified. ORPTMO - Server's peer timed out.
BIDSIG - Board ID signing failure. RMGSPR - Remove Global saved peer.
CERTEXPRD - Certificate Expired RXTRDWN - Received Teardown.
CRTREJSER - Challenge response rejected by peer. RDSIGFBD - Read Signature from Board ID failed.
CRTVERFL - Fail to verify Peer Certificate. SERNTPRES - Serial Number not present.
CTORGNMMIS - Certificate Org name mismatch. SSLNFAIL - Failure to create new SSL context.
DCONFAIL - DTLS connection failure. STNMODETD - Teardown extra vBond in STUN server mode.
DEVALC - Device memory Alloc failures. SYSIPCHNG - System-IP changed.
DHSTMO - DTLS HandShake Timeout. SYSPRCH - System property changed
DISCVBD - Disconnect vBond after register reply. TMRALC - Timer Object Memory Failure.
DISTLOC - TLOC Disabled. TUNALC - Tunnel Object Memory Failure.
DUPCLHELO - Recd a Dup Client Hello, Reset Gl Peer. TXCHTOBD - Failed to send challenge to BoardID.
DUPSER - Duplicate Serial Number. UNMSGBDRG - Unknown Message type or Bad Register msg.
DUPSYSIPDEL- Duplicate System IP. UNAUTHEL - Recd Hello from Unauthenticated peer.
HAFAIL - SSL Handshake failure. VBDEST - vDaemon process terminated.
IP_TOS - Socket Options failure. VECRTREV - vEdge Certification revoked.
LISFD - Listener Socket FD Error. VSCRTREV - vSmart Certificate revoked.
MGRTBLCKD - Migration blocked. Wait for local TMO. VB_TMO - Peer vBond Timed out.
MEMALCFL - Memory Allocation Failure. VM_TMO - Peer vManage Timed out.
NOACTVB - No Active vBond found to connect. VP_TMO - Peer vEdge Timed out.
NOERR - No Error. VS_TMO - Peer vSmart Timed out.
NOSLPRCRT - Unable to get peer's certificate. XTVMTRDN - Teardown extra vManage.
NEWVBNOVMNG- New vBond with no vMng connections. XTVSTRDN - Teardown extra vSmart.
NTPRVMINT - Not preferred interface to vManage. STENTRY - Delete same tloc stale entry.
HWCERTREN - Hardware vEdge Enterprise Cert Renewed HWCERTREV - Hardware vEdge Enterprise Cert Revoked.
EMBARGOFAIL - Embargo check failed
                                                PEER              PEER
PEER  PEER     PEER      SITE DOMAIN PEER       PRIVATE PEER      PUBLIC                             LOCAL    REMOTE    REPEAT
TYPE  PROTOCOL SYSTEM IP ID   ID     PRIVATE IP PORT    PUBLIC IP PORT   LOCAL COLOR  STATE          ERROR    ERROR     COUNT  DOWNTIME
-------------------------------------------------------------------------------------------------------------------------------------------------------
vbond dtls     0.0.0.0   0    0      100.1.1.4  12346   100.1.1.4 12346  biz-internet challenge_resp RXTRDWN  SERNTPRES 18     2022-07-25T11:51:16+0000
vbond dtls     0.0.0.0   0    0      100.1.1.4  12346   100.1.1.4 12346  biz-internet connect        DCONFAIL NOERR     1      2022-07-25T11:43:57+0000
vEdge2# show ip route vpn 0
Codes Proto-sub-type:
IA -> ospf-intra-area, IE -> ospf-inter-area,
E1 -> ospf-external1, E2 -> ospf-external2,
N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
e -> bgp-external, i -> bgp-internal
Codes Status flags:
F -> fib, S -> selected, I -> inactive,
B -> blackhole, R -> recursive, L -> import
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
0 0.0.0.0/0 static - ge0/1 118.1.2.2 - - - - F,S
0 118.1.2.0/24 connected - ge0/1 - - - - - F,S
0 118.1.2.22/32 connected - system - - - - - F,S
vEdge2#
07-26-2022 03:42 PM
Hey R,
Do you have access to the vBond?
Could you run the show orchestrator valid-vedge command and check the chassis number of the vEdge-cloud device? Is it showing in capital letters?
If so, try activating the vEdge cloud again using the chassis number as it appears in the vBond output.
Best regards,
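The check suggested in the reply above, written out as an added example (not code from any poster or from Cisco): it reads the fields quoted earlier in this thread and compares the device's chassis number against the vBond's list both exactly and case-insensitively. The vBond list is assumed to be pasted in by hand as plain strings; the upper-cased entry is a constructed value, and the function names are hypothetical.

```python
# Constructed sample input: lines copied from the outputs quoted in this thread.
LOCAL_PROPERTIES = """\
certificate-status Not-Installed
chassis-num/unique-id 74df5205-d5d1-d688-bdb2-3d3848f853c1
serial-num No certificate installed
"""
HISTORY = """\
vbond dtls 0.0.0.0 0 0 100.1.1.4 12346 100.1.1.4 12346 biz-internet challenge_resp RXTRDWN SERNTPRES 18 2022-07-25T11:51:16+0000
vbond dtls 0.0.0.0 0 0 100.1.1.4 12346 100.1.1.4 12346 biz-internet connect DCONFAIL NOERR 1 2022-07-25T11:43:57+0000
"""
# Assumption: chassis numbers as the vBond lists them, pasted one per entry.
# Constructed value: an upper-cased copy of the device's chassis number.
VBOND_CHASSIS = ["74DF5205-D5D1-D688-BDB2-3D3848F853C1"]

def local_props(text):
    """Key/value pairs from 'show control local-properties' lines."""
    props = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key and value:
            props[key] = value.strip()
    return props

def history_rows(text):
    """Data rows of 'show control connections-history' (15 whitespace fields)."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 15 and f[13].isdigit():
            rows.append({"peer": f[0], "state": f[10], "local": f[11],
                         "remote": f[12], "count": int(f[13])})
    return rows

def chassis_match(device_chassis, vbond_list):
    """'exact', 'case-mismatch:<vBond spelling>' or 'absent'."""
    if device_chassis in vbond_list:
        return "exact"
    folded = {c.lower(): c for c in vbond_list}
    if device_chassis.lower() in folded:
        return "case-mismatch:" + folded[device_chassis.lower()]
    return "absent"

def triage(props_text, history_text, vbond_list):
    props, findings = local_props(props_text), []
    if props.get("certificate-status") == "Not-Installed":
        findings.append("device certificate not installed")
    for r in history_rows(history_text):
        if r["remote"] == "SERNTPRES":  # legend: Serial Number not present
            findings.append(f"{r['peer']} reported SERNTPRES x{r['count']}")
    findings.append("chassis " + chassis_match(props["chassis-num/unique-id"], vbond_list))
    return findings
```

A `case-mismatch` result carries the vBond's spelling, which is the form the reply says to use when activating the device again.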
07-26-2022 11:51 PM
Hi,
I finally found the vEdge in my WAN edge list. Thank you very much for your support.
Best regards