SDWAN vBond not forwarding vSmart addresses to cEdge

millsy2000
Level 1

Hi,

 

I'm seeing an issue onboarding a CSR 1000v SDWAN image. I have applied the bootstrap configuration to the CSR and have successfully authenticated to vBond and vManage. What I am not seeing, however, is the control connections to vSmarts.

 

cedge-site4#show sdwan control connections

PEER    PEER PEER      SITE DOMAIN PEER        PRIV  PEER        PUB                                      GROUP
TYPE    PROT SYSTEM IP ID   ID     PRIVATE IP  PORT  PUBLIC IP   PORT  LOCAL COLOR PROXY STATE UPTIME     ID
---------------------------------------------------------------------------------------------------------------
vbond   dtls 0.0.0.0   0    0      10.0.10.141 12346 10.0.10.141 12346 mpls        -     up    0:10:37:27 0
vmanage dtls 1.1.1.140 100  0      10.0.10.140 12346 10.0.10.140 12346 mpls        No    up    0:10:37:24 0

 

It appears that the vBond is not sending the vEdge the vSmart addresses or vice versa. From a debug of the vBond I can see the following alert, which looks related.

 

local7.debug: Apr 10 13:00:41 vedge VBOND[8438]: vbond_send_new_register_reply[2755]: %VDAEMON_DBG_MISC-1: Skipping vsmarts for peer authenticated with the token.

 

I have entered the "request platform software sdwan vedge_cloud activate" command on cEdge with values from vManage but with no result.

Just a note: I have been successfully able to on-board vEdges, so it appears to be an issue with the steps taken for the CSR.

 

SDWAN Controller version 18.4.4

cEdge Version 16.12.02r

 

Any help appreciated.

Regards,

2 Accepted Solutions


jay3
Level 1

Hi Missly2000,

I managed to figure out and resolve my problem. My challenge was that I was using Manual (Enterprise CA) for WAN edge certificate authorization, so the WAN edge devices would successfully authenticate with vBond using the token but vManage would not update the serial number of the certificate. This would mean token authentication would succeed but the subsequent certificate authentication would fail. Apparently vBond will not send vSmart address with token authentication only, hence the error message "Skipping vsmarts for peer authenticated with the token". I'm not sure if that's the way it should operate because this is my own observation and I haven't found any documentation to support it. The tricky part is that with token authentication only, the WAN edge devices become fully manageable on vManage, making it seem like all is well. To resolve it, I switched WAN edge certificate authorization on vManage to Automated (vManage-signed), deleted the installed certificate using "clear installed-certificates" on the vEdge and re-issued "request vedge_cloud activate". Hope this helps!


Thanks for the response Jay. 

 

I didn't have the exact same issue as you but you put me on the right track. I will summarize what I found below:

  • First issue was that the automatic certificate enrollment for the cEdge Cloud was not working because I did not have the Root CA Chain installed, which included the vManage certificate (it should be imported when you bootstrap the CSR, however I must have missed including the cert).
  • Second issue was that after I managed to get the cEdge cert installed after importing the root cert, there was an issue with the vBond again recognizing some of the cert attributes of the cEdge. Turns out this was a bug (sorry, I lost the bug ID) but it has been fixed in version 19.2.2.
  • Finally, I tried the manual cert install but the serial number expected on the vManage was different to what was installed. I think there is a step that needs to be done on the Plug and Play portal where you can specify the SN of the c/vEdge, however at this point I got frustrated and simply upgraded.

 

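The symptom described in the posts above (vBond and vManage up, no vSmart, together with the vBond debug message) can be checked mechanically. This Python script is an added example, not code from the posters or from Cisco; the names `up_peers` and `diagnose` and the verdict strings are hypothetical, and the "token-only" reading follows jay3's observation rather than vendor documentation.

```python
import re
from collections import Counter

# Message text exactly as it appears in the vBond debug quoted in this thread.
TOKEN_ONLY_MSG = "Skipping vsmarts for peer authenticated with the token"
ROW = re.compile(r"^(vbond|vmanage|vsmart)\s+(dtls|tls)\s+(.+)$")

def up_peers(cli_text):
    """Count control connections in state 'up' per peer type.

    Assumes the row layout shown in the thread, where the last three
    fields of each row are STATE, UPTIME and GROUP ID.
    """
    counts = Counter()
    for line in cli_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator or prompt line
        fields = m.group(3).split()
        if len(fields) >= 3 and fields[-3] == "up":
            counts[m.group(1)] += 1
    return counts

def diagnose(cli_text, vbond_log):
    """Combine edge-side control connections with vBond debug lines."""
    peers = up_peers(cli_text)
    token_only = sum(TOKEN_ONLY_MSG in l for l in vbond_log.splitlines())
    missing = [t for t in ("vbond", "vmanage", "vsmart") if peers[t] == 0]
    if "vsmart" in missing and peers["vbond"] and token_only:
        # Hypothetical verdict text, based on the causes reported in the thread.
        verdict = "token-only: check WAN edge certificate and root CA chain"
    elif missing:
        verdict = "incomplete control plane: " + ", ".join(missing)
    else:
        verdict = "ok"
    return {"up": dict(peers), "token_only_events": token_only, "verdict": verdict}

# Sample input copied from the outputs quoted in the thread.
CLI = """\
vbond dtls 0.0.0.0 0 0 10.0.10.141 12346 10.0.10.141 12346 mpls - up 0:10:37:27 0
vmanage dtls 1.1.1.140 100 0 10.0.10.140 12346 10.0.10.140 12346 mpls No up 0:10:37:24 0
"""
LOG = ("local7.debug: Apr 10 13:00:41 vedge VBOND[8438]: "
       "vbond_send_new_register_reply[2755]: %VDAEMON_DBG_MISC-1: "
       "Skipping vsmarts for peer authenticated with the token.\n")

if __name__ == "__main__":
    print(diagnose(CLI, LOG))
```

Running it against a device that looks healthy in vManage surfaces the gap the thread describes: management works while the vSmart control connections are absent.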


jay3
Level 1

Hi Missly2000,

I am facing the exact same challenge except that I am using vEdge-Cloud routers for my WAN edge. My debug shows the exact same error. I will update this when I make a breakthrough.

Regards,

Jay

elesani
Cisco Employee

Can you confirm if you have configured "Controller Group" under "System Feature Template"?

If you have configured that and that is not matching with what is configured under your vSmart controller configuration, vBond will not advertise that vSmart controller.

Thanks for the reply elesani,

I have left the Controller Field unset within the System Template.

 



Hi,


I have the same problem as you. I am trying to follow your steps, but I keep getting the same log in the vBond.


%VDAEMON_DBG_MISC-1: Skipping vsmarts for peer authenticated with the token.


Can you be more specific in your steps? The problem is that by deleting the certificate you cannot reissue "request the activation of vedge-cloud" because all the certificates in your vEdge are not valid.


I'm using 20.1.12 version


Regards


CB
