SDWAN can't verify VEdge

We tried to add a new vEdge router to the SD-WAN network and there is a problem with the DTLS connection.

Kindly note that:

The vEdge router can reach the controllers (vSmart, vBond and vManage) via ping.
The vEdge router exists in the Smart Account and in the device list of the vManage controller.
The vEdge router exists in the vBond valid-vEdge list after we ran #show orchestrator valid-vedge (as per the attached image).
The CA root certificate is installed and valid, and we use the same certificate that exists on the controllers.
The vEdge router is running IOS 16.10.3a.
We upgraded the IOS to 16.12.4 and the problem still exists.
When we ran #show sdwan control connection-history we found the following output:

Manyal-RTR2#show sdwan control connection-history
Legend for Errors
ACSRREJ - Challenge rejected by peer. NOVMCFG - No cfg in vmanage for device.
BDSGVERFL - Board ID Signature Verify Failure. NOZTPEN - No/Bad chassis-number entry in ZTP.
BIDNTPR - Board ID not Initialized. OPERDOWN - Interface went oper down.
BIDNTVRFD - Peer Board ID Cert not verified. ORPTMO - Server's peer timed out.
BIDSIG - Board ID signing failure. RMGSPR - Remove Global saved peer.
CERTEXPRD - Certificate Expired RXTRDWN - Received Teardown.
CRTREJSER - Challenge response rejected by peer. RDSIGFBD - Read Signature from Board ID failed.
CRTVERFL - Fail to verify Peer Certificate. SERNTPRES - Serial Number not present.
CTORGNMMIS - Certificate Org name mismatch. SSLNFAIL - Failure to create new SSL context.
DCONFAIL - DTLS connection failure. STNMODETD - Teardown extra vBond in STUN server mode.
DEVALC - Device memory Alloc failures. SYSIPCHNG - System-IP changed.
DHSTMO - DTLS HandShake Timeout. SYSPRCH - System property changed
DISCVBD - Disconnect vBond after register reply. TMRALC - Timer Object Memory Failure.
DISTLOC - TLOC Disabled. TUNALC - Tunnel Object Memory Failure.
DUPCLHELO - Recd a Dup Client Hello, Reset Gl Peer. TXCHTOBD - Failed to send challenge to BoardID.
DUPSER - Duplicate Serial Number. UNMSGBDRG - Unknown Message type or Bad Register msg.
DUPSYSIPDEL- Duplicate System IP. UNAUTHEL - Recd Hello from Unauthenticated peer.
HAFAIL - SSL Handshake failure. VBDEST - vDaemon process terminated.
IP_TOS - Socket Options failure. VECRTREV - vEdge Certification revoked.
LISFD - Listener Socket FD Error. VSCRTREV - vSmart Certificate revoked.
MGRTBLCKD - Migration blocked. Wait for local TMO. VB_TMO - Peer vBond Timed out.
MEMALCFL - Memory Allocation Failure. VM_TMO - Peer vManage Timed out.
NOACTVB - No Active vBond found to connect. VP_TMO - Peer vEdge Timed out.
NOERR - No Error. VS_TMO - Peer vSmart Timed out.
NOSLPRCRT - Unable to get peer's certificate. XTVMTRDN - Teardown extra vManage.
NTPRVMINT - Not preferred interface to vManage. XTVSTRDN - Teardown extra vSmart.
STENTRY - Delete same tloc stale entry.

PEER TYPE         : vbond
PEER PROTOCOL     : dtls
PEER SYSTEM IP    : -
SITE ID           : 0
DOMAIN ID         : 0
PEER PRIVATE IP   : 10.100.117.101
PEER PRIVATE PORT : 12346
PEER PUBLIC IP    : 10.100.117.101
PEER PUBLIC PORT  : 12346
LOCAL COLOR       : mpls
STATE             : challenge_resp
LOCAL ERROR       : RXTRDWN
REMOTE ERROR      : BIDNTVRFD
REPEAT COUNT      : 26
DOWNTIME          : 2020-10-13T13:42:09+0200

Lei Tian
Cisco Employee

Hello,

Is there a FW between the WAN edge router and the controllers? If there is, make sure the FW allows the required ports. Make sure the same root cert is installed on the controllers and the WAN edge router. Also make sure the time is in sync.

HTH,

Lei Tian

Hi,

The firewall should not be the cause.

The BIDNTVRFD error means vBond can't verify the router.

Do these checks:

The organization name should match (also check the sp-organization name).

Recheck the vEdge valid list in vBond.

NTP time for certificate validation.

The root CA of vBond's certificate should be in the list of vEdge's root CAs.

The root CA of vEdge's certificate should be in the list of vBond's root CAs.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
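Both replies end up at the same short list of checks for a BIDNTVRFD on the vBond row. As an added example that is not part of this thread and not Cisco code, here is a small Python script that parses the `show sdwan control connection-history` output from the question, expands the LOCAL ERROR and REMOTE ERROR codes against the legend the command itself prints, and attaches the checks from the replies for the certificate-related codes. The column order is the command's own header; the code-to-checks mapping is this example's assumption drawn from the replies, and the embedded sample is the poster's output with the legend cut down to a few lines.

```python
"""Parse `show sdwan control connection-history` output and expand its error
codes against the legend the command prints.

Added example for this thread; not Cisco code and not part of the original
post. The column order follows the command's own (wrapped) table header."""
import re

# Columns of the connection-history table, in the order the command prints them.
COLUMNS = [
    "peer_type", "peer_protocol", "peer_system_ip", "site_id", "domain_id",
    "peer_private_ip", "peer_private_port", "peer_public_ip", "peer_public_port",
    "local_color", "state", "local_error", "remote_error", "repeat_count",
    "downtime",
]
PEER_TYPES = {"vbond", "vmanage", "vsmart", "vedge"}

# Checks taken from the replies, keyed by error code (this mapping is the
# example's own assumption, not an official Cisco table).
CHECKS = {
    "BIDNTVRFD": [
        "organization-name (and sp-organization-name) match on vEdge and controllers",
        "vEdge is present in `show orchestrator valid-vedges` on vBond",
        "NTP time is in sync so certificate validity is evaluated correctly",
        "root CA of vBond's certificate is in the vEdge's root CA list",
        "root CA of vEdge's certificate is in vBond's root CA list",
    ],
    "CTORGNMMIS": ["organization-name (and sp-organization-name) match on vEdge and controllers"],
    "CERTEXPRD": ["NTP time is in sync so certificate validity is evaluated correctly"],
    "DCONFAIL": ["firewall between WAN edge and controllers permits the DTLS ports"],
}

# A legend entry is an upper-case code, " - ", then its description; two entries
# share each line and only a period separates them, so split on the code token.
LEGEND_RE = re.compile(r"\b([A-Z][A-Z_]{3,})\s*-\s+")

# Sample output, abbreviated from the question (legend cut to a few lines).
SAMPLE = """\
Manyal-RTR2#show sdwan control connection-history
Legend for Errors
ACSRREJ - Challenge rejected by peer. NOVMCFG - No cfg in vmanage for device.
BIDNTVRFD - Peer Board ID Cert not verified. ORPTMO - Server's peer timed out.
CERTEXPRD - Certificate Expired RXTRDWN - Received Teardown.
CTORGNMMIS - Certificate Org name mismatch. SSLNFAIL - Failure to create new SSL context.
DCONFAIL - DTLS connection failure. STNMODETD - Teardown extra vBond in STUN server mode.
DUPSYSIPDEL- Duplicate System IP. UNAUTHEL - Recd Hello from Unauthenticated peer.
MGRTBLCKD - Migration blocked. Wait for local TMO. VB_TMO - Peer vBond Timed out.
STENTRY - Delete same tloc stale entry.

PEER PEER
PEER PEER PEER SITE DOMAIN PEER PRIVATE PEER PUBLIC LOCAL REMOTE REPEAT
TYPE PROTOCOL SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR STATE ERROR ERROR COUNT DOWNTIME
-----------------------------------------------------------------------------
vbond dtls - 0 0 10.100.117.101 12346 10.100.117.101 12346 mpls challenge_resp RXTRDWN BIDNTVRFD 26 2020-10-13T13:42:09+0200
"""


def parse_legend(output):
    """Return {code: description} from the 'Legend for Errors' block."""
    legend = {}
    for line in output.splitlines():
        parts = LEGEND_RE.split(line)  # [prefix, code1, desc1, code2, desc2, ...]
        for code, desc in zip(parts[1::2], parts[2::2]):
            legend[code] = desc.strip().rstrip(".")
    return legend


def parse_rows(output):
    """Return one dict per data row; rows have exactly len(COLUMNS) fields."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == len(COLUMNS) and fields[0] in PEER_TYPES:
            rows.append(dict(zip(COLUMNS, fields)))
    return rows


def diagnose(output):
    """Expand each row's error codes and attach the checks for them.

    On a vbond row, REMOTE ERROR is what vBond reported about this router:
    BIDNTVRFD there means vBond could not verify our board-ID certificate."""
    legend = parse_legend(output)
    findings = []
    for row in parse_rows(output):
        local, remote = row["local_error"], row["remote_error"]
        checks = list(CHECKS.get(remote, []))
        checks += [c for c in CHECKS.get(local, []) if c not in checks]
        findings.append({
            "peer": f"{row['peer_type']} {row['peer_public_ip']}:{row['peer_public_port']}",
            "state": row["state"],
            "local_error": (local, legend.get(local, "unknown code")),
            "remote_error": (remote, legend.get(remote, "unknown code")),
            "repeat_count": int(row["repeat_count"]),
            "checks": checks,
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE):
        print(f"{f['peer']} state={f['state']} repeats={f['repeat_count']}")
        print(f"  local  {f['local_error'][0]}: {f['local_error'][1]}")
        print(f"  remote {f['remote_error'][0]}: {f['remote_error'][1]}")
        for check in f["checks"]:
            print(f"  check: {check}")
```

Paste the full output of the command into SAMPLE (or read it from a file) to get the same expansion for every peer row; the legend parser copes with the two-entries-per-line layout, the one entry with a period inside its description, and the entry missing its trailing period.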
