Service VPN and OMP connectivity issue

nwekechampion
Level 3

Hi Guys,

My service VPN, in my case "vpn 10", is unable to ping any network outside its VPN.

Hence I am not able to ping the neighboring vEdges' WAN IP and form an OMP neighborship with it.

I can't even ping VPN 0's gateway as exit. So basically my overlay is not working on the vEdges.

vSmart picks up the overlays though. Am I missing something?

Below are my lab setup and some show configs, attached.

(attached image: nwekechampion_0-1685251249410.png)

Happy to explain my architecture further

8 Replies

Hi,

It is normal, expected behavior. A VPN is a VRF, i.e. a different routing table, and is used for segmentation. You can't communicate between different VRFs unless you do route leaking.

You can do leaking between the global VPN (VPN 0) and a service VPN (for example, VPN 10), or between two different service VPNs (VPN 10 and 20).

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/routing/ios-xe-17/routing-book-xe/m-routing-leaking-for-service-sharing.html

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Thanks for your reply.
However, the problem is that I cannot seem to establish an IPsec tunnel with the neighboring vEdge router.

Any clue why?

Hi,

Share the below outputs of the routers:

show bfd sessions

show control local-properties

show control connections

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

nwekechampion
Level 3

Hi @Kanan Huseynli,

I get nothing on BFD:
++++ vedge2+++++++++++++++++
vedge2# show bfd sessions


vedge2# show control local-properties
personality vedge
sp-organization-name champ-sdwan
organization-name champ-sdwan
root-ca-chain-status Installed

certificate-status Installed
certificate-validity Valid
certificate-not-valid-before May 27 18:18:41 2023 GMT
certificate-not-valid-after May 24 18:18:41 2033 GMT

dns-name 10.1.0.2
site-id 2
domain-id 1
protocol dtls
tls-port 0
system-ip 172.16.1.2
chassis-num/unique-id 02a5baa4-4cd9-4554-b3fc-e439e5897686
serial-num A24E39E9
subject-serial-num N/A
token Invalid
keygen-interval 1:00:00:00
retry-interval 0:00:00:17
no-activity-exp-interval 0:00:00:20
dns-cache-ttl 0:00:02:00
port-hopped TRUE
time-since-last-port-hop 0:00:00:28
pairwise-keying Disabled
embargo-check success
cdb-locked false
number-vbond-peers 1

INDEX IP PORT
-----------------------------------------------------
0 10.1.0.2 12346

number-active-wan-interfaces 2


NAT TYPE: E -- indicates End-point independent mapping
A -- indicates Address-port dependent mapping
N -- indicates Not learned
Note: Requires minimum two vbonds to learn the NAT type

INTERFACE  PUBLIC IPv4     PUBLIC PORT  PRIVATE IPv4    PRIVATE IPv6  PRIVATE PORT  VS/VM  COLOR            STATE  MAX CNTRL  RESTRICT/CONTROL/STUN  LR/LB  LAST CONNECTION  SPI TIME REMAINING  NAT TYPE  VM CON PRF
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ge0/0      192.168.0.172   12346        192.168.0.172   ::            12346         1/1    biz-internet     up     2          no/yes/no              No/No  0:00:00:01       0:09:59:12          N         5
ge0/1      192.168.14.172  12346        192.168.14.172  ::            12346         0/0    public-internet  up     2          no/yes/no              No/No  0:00:00:03       0:00:00:00          N         5

vedge2# show control connections
PEER TYPE  PEER PROT  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIV PORT  PEER PUBLIC IP  PEER PUB PORT  LOCAL COLOR      PROXY  STATE    UPTIME      CONTROLLER GROUP ID
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart     dtls       172.16.1.103    1        1          10.1.0.3         12446           10.1.0.3        12446          biz-internet     No     up       0:14:02:25  0
vbond      dtls       0.0.0.0         0        0          10.1.0.2         12346           10.1.0.2        12346          biz-internet     -      up       0:14:02:26  0
vbond      dtls       0.0.0.0         0        0          10.1.0.2         12346           10.1.0.2        12346          public-internet  -      connect              0
vmanage    dtls       172.16.1.101    1        0          10.1.0.1         12646           10.1.0.1        12646          biz-internet     No     up       0:14:02:25  0

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++Vedge1++++++++++++++++++

vedge1# sh bfd sess

vedge1# show control local-properties
personality vedge
sp-organization-name champ-sdwan
organization-name champ-sdwan
root-ca-chain-status Installed

certificate-status Installed
certificate-validity Valid
certificate-not-valid-before May 26 11:26:16 2023 GMT
certificate-not-valid-after May 23 11:26:16 2033 GMT

dns-name 10.1.0.2
site-id 2
domain-id 1
protocol dtls
tls-port 0
system-ip 172.16.1.1
chassis-num/unique-id ab9c5a5d-21d4-f65d-3e4d-98c24a4b8394
serial-num E7586B65
subject-serial-num N/A
token Invalid
keygen-interval 1:00:00:00
retry-interval 0:00:00:19
no-activity-exp-interval 0:00:00:20
dns-cache-ttl 0:00:02:00
port-hopped TRUE
time-since-last-port-hop 0:00:00:08
pairwise-keying Disabled
embargo-check success
cdb-locked false
number-vbond-peers 1

INDEX IP PORT
-----------------------------------------------------
0 10.1.0.2 12346

number-active-wan-interfaces 2


NAT TYPE: E -- indicates End-point independent mapping
A -- indicates Address-port dependent mapping
N -- indicates Not learned
Note: Requires minimum two vbonds to learn the NAT type

INTERFACE  PUBLIC IPv4     PUBLIC PORT  PRIVATE IPv4    PRIVATE IPv6  PRIVATE PORT  VS/VM  COLOR            STATE  MAX CNTRL  RESTRICT/CONTROL/STUN  LR/LB  LAST CONNECTION  SPI TIME REMAINING  NAT TYPE  VM CON PRF
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ge0/0      192.168.0.171   12346        192.168.0.171   ::            12346         1/1    biz-internet     up     2          no/yes/no              No/No  0:00:00:06       0:09:42:17          N         5
ge0/1      192.168.14.171  12386        192.168.14.171  ::            12386         0/0    public-internet  up     2          no/yes/no              No/No  0:00:00:02       0:00:00:00          N         5

vedge1# show control connections
PEER TYPE  PEER PROT  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIV PORT  PEER PUBLIC IP  PEER PUB PORT  LOCAL COLOR      PROXY  STATE    UPTIME      CONTROLLER GROUP ID
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart     dtls       172.16.1.103    1        1          10.1.0.3         12446           10.1.0.3        12446          biz-internet     No     up       0:14:18:10  0
vbond      dtls       0.0.0.0         0        0          10.1.0.2         12346           10.1.0.2        12346          biz-internet     -      up       0:14:18:10  0
vmanage    dtls       172.16.1.101    1        0          10.1.0.1         12446           10.1.0.1        12446          biz-internet     No     up       0:14:18:10  0


Thanks

They both have the same site-id; by default, BFD is not established between routers of the same site.

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#SiteID

You can enable this by configuring "allow-same-site-tunnels" under system. However, if by design the sites are different, then you should use different site IDs.

By the way, I have seen only one default route in your VPN0 configuration. You should have a default route for each transport (you have 2 interfaces in VPN0). Normally, one interface cannot use another interface's gateway to reach a destination; that is the reason you have a control connection to vSmart only over one interface (ge0/0). Add the respective default gateway/route for ge0/1 also.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
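
As an added check (example code written for this thread, not from the poster or from Cisco), the following Python script applies the two points of the accepted answer to a constructed pair of vEdge configs: it flags a shared site-id when allow-same-site-tunnels is not set on both routers, and any VPN 0 transport interface whose subnet contains no default-route next hop. The config snippets, the parser and the function names are assumptions modelled on the lab in this thread.

```python
import ipaddress
import re

# Constructed sample modelled on the thread: site-id 2 on both vEdges, two VPN 0 transports, one default route.
VEDGE1_BEFORE = """\
system
 site-id 2
vpn 0
 interface ge0/0
  ip address 192.168.0.171/24
 interface ge0/1
  ip address 192.168.14.171/24
 ip route 0.0.0.0/0 192.168.0.254
"""
VEDGE2_BEFORE = VEDGE1_BEFORE.replace(".171/", ".172/")  # vedge2 uses .172 in the thread

def fixed(cfg):
    """Apply the two changes from the accepted answer to a constructed config."""
    cfg = cfg.replace(" site-id 2\n", " site-id 2\n allow-same-site-tunnels\n")
    return cfg + " ip route 0.0.0.0/0 192.168.14.1\n"

def parse_vedge(cfg):
    """Extract only what the diagnosis needs from a system + VPN 0 snippet."""
    site = re.search(r"^\s*site-id\s+(\d+)", cfg, re.M)
    pairs = re.findall(r"^\s*interface (\S+)\n\s*ip address (\S+)", cfg, re.M)
    return {
        "site_id": int(site.group(1)) if site else None,
        "same_site": bool(re.search(r"^\s*allow-same-site-tunnels\b", cfg, re.M)),
        "ifaces": {name: ipaddress.ip_interface(addr).network for name, addr in pairs},
        "defaults": [ipaddress.ip_address(h)
                     for h in re.findall(r"ip route 0\.0\.0\.0/0\s+(\S+)", cfg)],
    }

def transport_findings(name, cfg):
    """One finding per VPN 0 interface lacking a default route via its own subnet."""
    p = parse_vedge(cfg)
    return [f"{name}: {ifn} has no default route with a next hop in {net}"
            for ifn, net in p["ifaces"].items()
            if not any(nh in net for nh in p["defaults"])]

def check_pair(name_a, cfg_a, name_b, cfg_b):
    """All findings for two routers that are expected to form BFD/IPsec tunnels."""
    a, b = parse_vedge(cfg_a), parse_vedge(cfg_b)
    findings = []
    if a["site_id"] == b["site_id"] and not (a["same_site"] and b["same_site"]):
        findings.append(f"{name_a}/{name_b}: same site-id {a['site_id']} without "
                        "allow-same-site-tunnels on both; no BFD between them by default")
    return findings + transport_findings(name_a, cfg_a) + transport_findings(name_b, cfg_b)
```

Run `check_pair("vedge1", VEDGE1_BEFORE, "vedge2", VEDGE2_BEFORE)` to see the three findings that match this thread; the same call on `fixed(...)` configs returns an empty list.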

Fixed my problem.

Thank you.

I enabled default routes for all transports.

I also enabled "allow same site tunnels"; this did the trick.

Thanks again.

nwekechampion
Level 3

vpn 0
 interface ge0/0
  ip address 192.168.0.171/24
  ipv6 dhcp-client
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service all
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   allow-service sshd
   allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown
 !
 interface ge0/1
  ip address 192.168.14.171/24
  tunnel-interface
   encapsulation ipsec
   color public-internet
   allow-service all
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   allow-service sshd
   allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown
 !
 ip route 0.0.0.0/0 192.168.0.254
 ip route 0.0.0.0/0 192.168.14.1
 ip route 10.1.0.0/24 192.168.0.116
 ip route 10.1.0.0/24 192.168.14.108

(attached image: nwekechampion_0-1685276064414.png)

Here is the problem below: I do not seem to be able to ping any interface off my LAN interface.

It literally drops at the edge.

(attached image: nwekechampion_1-1685276286792.png)

(attached image: nwekechampion_2-1685276487716.png)

Also, the VPN0 route table is not showing OMP routes.

(attached image: nwekechampion_3-1685276592956.png)

VPN 10 is showing OMP routes, but I cannot ping.

(attached image: nwekechampion_4-1685276780968.png)


When you ping, it goes via VPN0 (the global table in cEdge).

You should mention the service VPN; use

ping vpn 10 [destination address] or ping vrf 10 [destination address] on vEdge or cEdge, respectively.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
