05-27-2023 10:35 PM
Hi Guys,
My service VPN, in my case "vpn 10", is unable to ping any network outside its VPN.
Hence I am not able to ping the neighboring vEdge's WAN IP and form an OMP neighborship with it.
I can't even ping VPN 0's gateway as exit. So basically my overlay is not working on the vEdges.
vSmart picks up the overlays, though. Am I missing something?
Below are my lab setup and some show outputs, attached.
Happy to explain my architecture further.
05-28-2023 12:29 AM
Hi,
it is normal, expected behavior. A VPN is a VRF, i.e. a different routing table, and is used for segmentation. You can't communicate between different VRFs unless you do route leaking.
You can do leaking between the global VPN (VPN 0) and a service VPN (for example, VPN 10), or between two different service VPNs (VPN 10 and 20).
05-28-2023 01:09 AM
Hi,
share the outputs below from both routers:
show bfd sessions
show control local-properties
show control connections
05-28-2023 02:07 AM
Hi @Kanan Huseynli,
I get nothing on BFD:
++++ vedge2+++++++++++++++++
vedge2# show bfd sessions
vedge2# show control local-properties
personality vedge
sp-organization-name champ-sdwan
organization-name champ-sdwan
root-ca-chain-status Installed
certificate-status Installed
certificate-validity Valid
certificate-not-valid-before May 27 18:18:41 2023 GMT
certificate-not-valid-after May 24 18:18:41 2033 GMT
dns-name 10.1.0.2
site-id 2
domain-id 1
protocol dtls
tls-port 0
system-ip 172.16.1.2
chassis-num/unique-id 02a5baa4-4cd9-4554-b3fc-e439e5897686
serial-num A24E39E9
subject-serial-num N/A
token Invalid
keygen-interval 1:00:00:00
retry-interval 0:00:00:17
no-activity-exp-interval 0:00:00:20
dns-cache-ttl 0:00:02:00
port-hopped TRUE
time-since-last-port-hop 0:00:00:28
pairwise-keying Disabled
embargo-check success
cdb-locked false
number-vbond-peers 1
INDEX IP PORT
-----------------------------------------------------
0 10.1.0.2 12346
number-active-wan-interfaces 2
NAT TYPE: E -- indicates End-point independent mapping
A -- indicates Address-port dependent mapping
N -- indicates Not learned
Note: Requires minimum two vbonds to learn the NAT type
RESTRICT/ LAST VM
PUBLIC PUBLIC PRIVATE PRIVATE PRIVATE MAX CONTROL/ LAST SPI TIME NAT CON
INTERFACE IPv4 PORT IPv4 IPv6 PORT VS/VM COLOR STATE CNTRL STUN LR/LB CONNECTION REMAINING TYPE PRF
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ge0/0 192.168.0.172 12346 192.168.0.172 :: 12346 1/1 biz-internet up 2 no/yes/no No/No 0:00:00:01 0:09:59:12 N 5
ge0/1 192.168.14.172 12346 192.168.14.172 :: 12346 0/0 public-internet up 2 no/yes/no No/No 0:00:00:03 0:00:00:00 N 5
vedge2# show control connections
PEER PEER CONTROLLER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR PROXY STATE UPTIME ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart dtls 172.16.1.103 1 1 10.1.0.3 12446 10.1.0.3 12446 biz-internet No up 0:14:02:25 0
vbond dtls 0.0.0.0 0 0 10.1.0.2 12346 10.1.0.2 12346 biz-internet - up 0:14:02:26 0
vbond dtls 0.0.0.0 0 0 10.1.0.2 12346 10.1.0.2 12346 public-internet - connect 0
vmanage dtls 172.16.1.101 1 0 10.1.0.1 12646 10.1.0.1 12646 biz-internet No up 0:14:02:25 0
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++Vedge1++++++++++++++++++
vedge1# sh bfd sess
vedge1# show control local-properties
personality vedge
sp-organization-name champ-sdwan
organization-name champ-sdwan
root-ca-chain-status Installed
certificate-status Installed
certificate-validity Valid
certificate-not-valid-before May 26 11:26:16 2023 GMT
certificate-not-valid-after May 23 11:26:16 2033 GMT
dns-name 10.1.0.2
site-id 2
domain-id 1
protocol dtls
tls-port 0
system-ip 172.16.1.1
chassis-num/unique-id ab9c5a5d-21d4-f65d-3e4d-98c24a4b8394
serial-num E7586B65
subject-serial-num N/A
token Invalid
keygen-interval 1:00:00:00
retry-interval 0:00:00:19
no-activity-exp-interval 0:00:00:20
dns-cache-ttl 0:00:02:00
port-hopped TRUE
time-since-last-port-hop 0:00:00:08
pairwise-keying Disabled
embargo-check success
cdb-locked false
number-vbond-peers 1
INDEX IP PORT
-----------------------------------------------------
0 10.1.0.2 12346
number-active-wan-interfaces 2
NAT TYPE: E -- indicates End-point independent mapping
A -- indicates Address-port dependent mapping
N -- indicates Not learned
Note: Requires minimum two vbonds to learn the NAT type
RESTRICT/ LAST VM
PUBLIC PUBLIC PRIVATE PRIVATE PRIVATE MAX CONTROL/ LAST SPI TIME NAT CON
INTERFACE IPv4 PORT IPv4 IPv6 PORT VS/VM COLOR STATE CNTRL STUN LR/LB CONNECTION REMAINING TYPE PRF
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ge0/0 192.168.0.171 12346 192.168.0.171 :: 12346 1/1 biz-internet up 2 no/yes/no No/No 0:00:00:06 0:09:42:17 N 5
ge0/1 192.168.14.171 12386 192.168.14.171 :: 12386 0/0 public-internet up 2 no/yes/no No/No 0:00:00:02 0:00:00:00 N 5
vedge1# show control connections
PEER PEER CONTROLLER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR PROXY STATE UPTIME ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart dtls 172.16.1.103 1 1 10.1.0.3 12446 10.1.0.3 12446 biz-internet No up 0:14:18:10 0
vbond dtls 0.0.0.0 0 0 10.1.0.2 12346 10.1.0.2 12346 biz-internet - up 0:14:18:10 0
vmanage dtls 172.16.1.101 1 0 10.1.0.1 12446 10.1.0.1 12446 biz-internet No up 0:14:18:10 0
Thanks
05-28-2023 03:25 AM
They both have the same site-id; by default BFD is not established between routers of the same site.
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#SiteID
You can enable this by configuring "allow-same-site-tunnels" under system. However, if by design the sites are different, then you should use different site IDs.
By the way, I have seen only one default route in your VPN 0 configuration. You should have a default route for each transport (you have 2 interfaces in VPN 0). Normally, one interface cannot use another interface's gateway to reach a destination; that is the reason you have a control connection to vSmart only over one interface (ge0/0). Add the respective default gateway/route for ge0/1 as well.
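The two conditions named above (a transport with no default route on its own link, and two vEdges sharing a site-id without allow-same-site-tunnels) can be caught before deployment with a small config lint. This is an added example, not Cisco's or the poster's code; the sample VPN 0 config and local-properties excerpts are constructed to mirror the thread.

```python
"""Lint checks for the two pitfalls this thread settles on: a VPN 0 transport
interface whose subnet holds no default-route next-hop, and two vEdges that
share a site-id without allow-same-site-tunnels (BFD stays down).
Added example, not Cisco's or the poster's code; all inputs are constructed."""
import ipaddress
import re

# Constructed: the before-fix state described in the thread, two transports
# but a single default route that only ge0/0 can use.
VPN0_BEFORE = """
vpn 0
 interface ge0/0
  ip address 192.168.0.171/24
 !
 interface ge0/1
  ip address 192.168.14.171/24
 !
 ip route 0.0.0.0/0 192.168.0.254
"""
# Constructed: the fixed state, one default route per transport.
VPN0_AFTER = VPN0_BEFORE + " ip route 0.0.0.0/0 192.168.14.1\n"

# Constructed excerpts of 'show control local-properties' from both routers.
PROPS_VEDGE1 = "personality vedge\nsite-id 2\nsystem-ip 172.16.1.1\n"
PROPS_VEDGE2 = "personality vedge\nsite-id 2\nsystem-ip 172.16.1.2\n"


def transports_without_default(vpn0_cfg: str) -> list[str]:
    """VPN 0 interfaces whose subnet contains no 0.0.0.0/0 next-hop.
    A transport can only use a gateway on its own link, so these interfaces
    cannot reach the controllers or remote TLOCs."""
    nets, current = {}, None
    for line in vpn0_cfg.splitlines():
        if m := re.match(r"\s*interface (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"\s*ip address (\S+)", line)) and current:
            nets[current] = ipaddress.ip_interface(m.group(1)).network
    hops = [ipaddress.ip_address(h)
            for h in re.findall(r"ip route 0\.0\.0\.0/0 (\S+)", vpn0_cfg)]
    return sorted(n for n, net in nets.items() if not any(h in net for h in hops))


def bfd_blocked_by_site_id(props_a: str, props_b: str, system_cfg: str) -> bool:
    """True when both routers report the same site-id and the system block
    lacks allow-same-site-tunnels, so no BFD session forms between them."""
    def site_id(props: str) -> str:
        return re.search(r"^site-id\s+(\d+)", props, re.M).group(1)
    return (site_id(props_a) == site_id(props_b)
            and "allow-same-site-tunnels" not in system_cfg)


if __name__ == "__main__":
    print("no usable default route:", transports_without_default(VPN0_BEFORE))
    print("after fix:", transports_without_default(VPN0_AFTER))
    print("BFD blocked:", bfd_blocked_by_site_id(PROPS_VEDGE1, PROPS_VEDGE2, "system\n site-id 2\n"))
```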
06-01-2023 11:06 AM
Fixed my problem.
Thank you.
I enabled default routes for all transports.
I also enabled "allow same site tunnels"; this did the trick.
Thanks again.
05-28-2023 05:29 AM
vpn 0
 interface ge0/0
  ip address 192.168.0.171/24
  ipv6 dhcp-client
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service all
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   allow-service sshd
   allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown
 !
 interface ge0/1
  ip address 192.168.14.171/24
  tunnel-interface
   encapsulation ipsec
   color public-internet
   allow-service all
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   allow-service sshd
   allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown
 !
 ip route 0.0.0.0/0 192.168.0.254
 ip route 0.0.0.0/0 192.168.14.1
 ip route 10.1.0.0/24 192.168.0.116
 ip route 10.1.0.0/24 192.168.14.108
Here is the problem: I do not seem to be able to ping any interface from my LAN interface.
It literally drops at the edge.
Also, the VPN 0 routing table is not showing OMP routes.
VPN 10 is showing OMP routes, but I cannot ping.
05-28-2023 06:47 AM
When you ping, it goes via VPN 0 (the global table on cEdge).
You should specify the service VPN, i.e. use
ping vpn 10 [destination address] on vEdge or ping vrf 10 [destination address] on cEdge, respectively.