04-10-2020 04:49 PM
Hi,
I'm seeing an issue onboarding a CSR 1000v SDWAN image. I have applied the bootstrap configuration to the CSR and have successfully authenticated to vBond and vManage. What I am not seeing, however, is the control connections to vSmarts.
cedge-site4#show sdwan control connections
PEER    PEER PEER       SITE DOMAIN PEER        PRIV  PEER        PUB                                      GROUP
TYPE    PROT SYSTEM IP  ID   ID     PRIVATE IP  PORT  PUBLIC IP   PORT  LOCAL COLOR PROXY STATE UPTIME     ID
----------------------------------------------------------------------------------------------------------------
vbond   dtls 0.0.0.0    0    0      10.0.10.141 12346 10.0.10.141 12346 mpls        -     up    0:10:37:27 0
vmanage dtls 1.1.1.140  100  0      10.0.10.140 12346 10.0.10.140 12346 mpls        No    up    0:10:37:24 0
It appears that the vBond is not sending the vEdge the vSmart addresses or vice versa. From a debug of the vBond I can see the following alert, which looks related.
local7.debug: Apr 10 13:00:41 vedge VBOND[8438]: vbond_send_new_register_reply[2755]: %VDAEMON_DBG_MISC-1: Skipping vsmarts for peer authenticated with the token.
I have entered the request platform software sdwan vedge_cloud activate command on cEdge with values from vManage but with no result.
Just a note: I have been successfully able to onboard vEdges, so it appears to be an issue with the steps taken for the CSR.
SDWAN Controller version 18.4.4
cEdge Version 16.12.02r
Any help appreciated.
Regards,
04-16-2020 08:26 AM
Hi Missly2000,
I am facing the exact same challenge except that I am using vEdge-Cloud routers for my WAN edge. My debug shows the exact same error. I will update this when I make a breakthrough.
Regards,
Jay
04-16-2020 04:57 PM
Can you confirm whether you have configured "Controller Group" under "System Feature Template"?
If you have configured that and it does not match what is configured under your vSmart controller configuration, vBond will not advertise that vSmart controller.
04-20-2020 07:19 PM
Thanks for the reply elesani,
I have left the Controller Field unset within the System Template.
04-17-2020 02:34 AM
Hi Missly2000,
I managed to figure out and resolve my problem. My challenge was that I was using Manual (Enterprise CA) for WAN edge certificate authorization, so the WAN edge devices would successfully authenticate with vBond using the token but vManage would not update the serial number of the certificate. This would mean token authentication would succeed but the subsequent certificate authentication would fail. Apparently vBond will not send vSmart address with token authentication only, hence the error message "Skipping vsmarts for peer authenticated with the token". I'm not sure if that's the way it should operate because this is my own observation and I haven't found any documentation to support it. The tricky part is that with token authentication only, the WAN edge devices become fully manageable on vManage, making it seem like all is well. To resolve it, I switched WAN edge certificate authorization on vManage to Automated (vManage-signed), deleted the installed certificate using "clear installed-certificates" on the vEdge and re-issued "request vedge_cloud activate". Hope this helps!
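Added example, not part of any post in this thread: a small Python check that reads "show sdwan control connections" output together with vBond debug lines and flags the state described in the post above, where vBond and vManage are up, no vSmart session exists, and vBond logs the token message. The sample input is copied from this thread; the function names and verdict labels are this example's own.

```python
# Sample input copied from the posts in this thread (header rows omitted).
SHOW_OUTPUT = """\
vbond dtls 0.0.0.0 0 0 10.0.10.141 12346 10.0.10.141 12346 mpls - up 0:10:37:27 0
vmanage dtls 1.1.1.140 100 0 10.0.10.140 12346 10.0.10.140 12346 mpls No up 0:10:37:24 0
"""
VBOND_DEBUG = (
    "local7.debug: Apr 10 13:00:41 vedge VBOND[8438]: "
    "vbond_send_new_register_reply[2755]: %VDAEMON_DBG_MISC-1: "
    "Skipping vsmarts for peer authenticated with the token.\n"
)

PEER_TYPES = ("vbond", "vmanage", "vsmart")
SKIP_MSG = "Skipping vsmarts for peer authenticated with the token"


def peers_up(show_output):
    """Map peer type -> system IPs for rows whose STATE column is 'up'."""
    up = {}
    for line in show_output.splitlines():
        f = line.split()
        # Data rows have 14 fields and start with the peer type;
        # STATE is the third field from the end (STATE, UPTIME, GROUP ID).
        if len(f) == 14 and f[0] in PEER_TYPES and f[-3] == "up":
            up.setdefault(f[0], []).append(f[2])
    return up


def diagnose(show_output, vbond_log=""):
    """Return a short verdict label (labels are this example's own)."""
    up = peers_up(show_output)
    if "vsmart" in up:
        return "ok"
    if "vbond" not in up:
        return "no-vbond"
    # vBond is up but no vSmart session: the vBond debug line tells the
    # token-only case apart from other causes.
    return "token-only" if SKIP_MSG in vbond_log else "no-vsmart"


if __name__ == "__main__":
    print(peers_up(SHOW_OUTPUT))
    print(diagnose(SHOW_OUTPUT, VBOND_DEBUG))
```

Because the edge shows as reachable and manageable in vManage in this state, a check like this is more reliable than the vManage device view for confirming that onboarding actually completed.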
05-18-2020 04:10 AM
Thanks for the response Jay.
I didn't have the exact same issue as you but you put me on the right track. I will summarize what I found below:
11-12-2020 06:48 PM
Hi,
I have the same problem as you. I am trying to follow your steps, but I keep getting the same log in the vBond.
%VDAEMON_DBG_MISC-1: Skipping vsmarts for peer authenticated with the token.
Can you be more specific in your steps? The problem is that by deleting the certificate you cannot reissue "request the activation of vedge-cloud" because all the certificates in your vEdge are not valid.
I'm using 20.1.12 version.
Regards
CB