vEdge won't connect to vManage

btjtaylor (Level 1)

Hi all,

I've been trying to get an SD-WAN lab running, but I'm finding it very challenging.

I've been following this guide:

SD-WAN Lab – Part 3 – vEdge Devices - Routerflow

I've got the 3 controllers up (vManage, vBond and vSmart) and they appear to be working OK.

I've added my first vEdge router, but it won't connect.

I have imported the root CA (generated all of this on the vManage) and added it in.

Following the troubleshooting guide here:

"show control connections" shows 1 of 2 states

either:

vedge# show control connections
PEER PEER CONTROLLER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT ORGANIZATION LOCAL COLOR PROXY STATE UPTIME ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond dtls 0.0.0.0 0 0 11.0.25.5 12346 11.0.25.5 12346 BT_SDWAN_LAB default - challenge_resp 0

 

or blank

show control local-properties:

vedge# show control local-properties
personality vedge
sp-organization-name BT_SDWAN_LAB
organization-name BT_SDWAN_LAB
root-ca-chain-status Installed

certificate-status Installed
certificate-validity Valid
certificate-not-valid-before Jun 05 22:00:04 2021 GMT
certificate-not-valid-after Jun 03 22:00:04 2031 GMT

dns-name 11.0.25.5
site-id 3
domain-id 1
protocol dtls
tls-port 0
system-ip 10.13.13.13
chassis-num/unique-id a390ff4e-6524-fc46-e04e-6978a71ee8db
serial-num 259BD7A3
subject-serial-num N/A
token Invalid
keygen-interval 1:00:00:00
retry-interval 0:00:00:16
no-activity-exp-interval 0:00:00:20
dns-cache-ttl 0:00:02:00
port-hopped FALSE
time-since-last-port-hop 0:00:00:00
pairwise-keying Disabled
embargo-check success
cdb-locked false
number-vbond-peers 1

INDEX IP PORT
-----------------------------------------------------
0 11.0.25.5 12346

number-active-wan-interfaces 1


NAT TYPE: E -- indicates End-point independent mapping
A -- indicates Address-port dependent mapping
N -- indicates Not learned
Note: Requires minimum two vbonds to learn the NAT type

RESTRICT/ LAST VM
PUBLIC PUBLIC PRIVATE PRIVATE PRIVATE MAX CONTROL/ LAST SPI TIME NAT CON
INTERFACE IPv4 PORT IPv4 IPv6 PORT VS/VM COLOR STATE CNTRL STUN LR/LB CONNECTION REMAINING TYPE PRF
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ge0/0 100.64.213.13 12346 100.64.213.13 :: 12346 0/0 default up 2 no/yes/no No/No 0:00:00:02 0:11:50:45 N 5

 

Any ideas? I just can't figure it out and have rebuilt the lab 3 times now.

 

 

Accepted Solution

Hi,

 

Looks like vBond can't verify.

 

Ensure that the CA of the vEdge's certificate is in the root CA list of vBond. Ensure that the organization-name of the certificate matches the org-name configured on vBond. Ensure that the cert is valid by the clock time of vBond.

 

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.


7 Replies

james.buchanan1 (Level 1)

Hello,

 

Have you attached a device template to the device in vManage? That's essential for the device to come up.

 

Thanks,


James

Hi,

 

It is not related to the template. In order to attach a template, you need to have the router in the overlay. But it isn't.

 

Do "show control connections-history" on both vBond and vEdge and copy/paste here.

 

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

vedge# show control connections-history
Legend for Errors
ACSRREJ - Challenge rejected by peer. NOVMCFG - No cfg in vmanage for device.
BDSGVERFL - Board ID Signature Verify Failure. NOZTPEN - No/Bad chassis-number entry in ZTP.
BIDNTPR - Board ID not Initialized. OPERDOWN - Interface went oper down.
BIDNTVRFD - Peer Board ID Cert not verified. ORPTMO - Server's peer timed out.
BIDSIG - Board ID signing failure. RMGSPR - Remove Global saved peer.
CERTEXPRD - Certificate Expired. RXTRDWN - Received Tear down.
CRTREJSER - Challenge response rejected by peer. RDSIGFBD - Read Signature from Board ID failed.
CRTVERFL - Fail to verify Peer Certificate. SERNTPRES - Serial Number not present.
CTORGNMMIS - Certificate Org name mismatch. SSLNFAIL - Failure to create new SSL context.
DCONFAIL - DTLS connection failure. STNMODETD - Teardown extra vBond in STUN server mode.
DEVALC - Device memory Alloc failures. SYSIPCHNG - System-IP changed.
DHSTMO - DTLS HandShake Timeout. SYSPRCH - System property changed.
DISCVBD - Disconnect vBond after register reply. TMRALC - Timer Object Memory Failure.
DISTLOC - TLOC Disabled. TUNALC - Tunnel Object Memory Failure.
DUPCLHELO - Recd a Dup Client Hello, Reset Gl Peer. TXCHTOBD - Failed to send challenge to BoardID.
DUPSER - Duplicate Serial Number. UNMSGBDRG - Unknown Message type or Bad Register msg.
DUPSYSIPDEL - Duplicate System IP. UNAUTHEL - Recd Hello from Unauthenticated peer.
HAFAIL - SSL Handshake failure. VBDEST - vDaemon process terminated.
IP_TOS - Socket Options failure. VECRTREV - vEdge Certification revoked.
LISFD - Listener Socket FD Error. VSCRTREV - vSmart Certificate revoked.
MGRTBLCKD - Migration blocked. Wait for local TMO. VB_TMO - Peer vBond Timed out.
MEMALCFL - Memory Allocation Failure. VM_TMO - Peer vManage Timed out.
NOACTVB - No Active vBond found to connect. VP_TMO - Peer vEdge Timed out.
NOERR - No Error. VS_TMO - Peer vSmart Timed out.
NOSLPRCRT - Unable to get peer's certificate. XTVMTRDN - Teardown extra vManage.
NEWVBNOVMNG - New vBond with no vMng connections. XTVSTRDN - Teardown extra vSmart.
NTPRVMINT - Not preferred interface to vManage. STENTRY - Delete same tloc stale entry.
HWCERTREN - Hardware vEdge Enterprise Cert Renewed. HWCERTREV - Hardware vEdge Enterprise Cert Revoked.
EMBARGOFAIL - Embargo check failed.

PEER PEER
PEER PEER PEER SITE DOMAIN PEER PRIVATE PEER PUBLIC LOCAL REMOTE REPEAT
TYPE PROTOCOL SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR STATE ERROR ERROR COUNT ORGANIZATION DOWNTIME
-------------------------------------------------------------------------------- -------------------------------------------------------------------------------- --------------------------
vbond dtls 0.0.0.0 0 0 11.0.25.5 12346 11.0.25.5 12346 default tear_down VB_TMO NOERR 2240 2021-06-06T21:13:40+0000
vbond dtls 0.0.0.0 0 0 11.0.25.5 12346 11.0.25.5 12346 default up RXTRDWN VECRTREV 0 2021-06-05T22:00:13+0000
vmanage dtls 10.4.4.4 100 0 11.0.24.4 12746 11.0.24.4 12746 default up RXTRDWN VECRTREV 0 2021-06-05T22:00:12+0000
vbond dtls 0.0.0.0 0 0 11.0.25.5 12346 11.0.25.5 12346 default challenge_resp RXTRDWN SERNTPRES 0 2021-06-05T21:59:31+0000

 

Hi BTJTaylor:

Seeing VB_TMO and VECRTREV errors in control connections-history.
There could be different reasons for this.
Take a look at: https://community.cisco.com/t5/networking-documents/sd-wan-routers-troubleshoot-control-connections/ta-p/3813237

Hope it helps to narrow down the issue.

- Shankar

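The accepted solution above boils the problem down to three checks (vBond trusts the CA that signed the vEdge cert, the org-names agree, and the cert is valid by vBond's clock), and the connections-history output the original poster pasted shows which of those vBond is complaining about (VECRTREV and SERNTPRES as the remote error, VB_TMO as a consequence). The script below is an added example, not code from the thread or from Cisco: it parses the text of `show control local-properties` and `show control connections-history` as a vEdge prints them, flags the legend codes that mean the peer could not verify the device, and applies the validity-window and org-name checks against a clock and a vBond org-name that the operator supplies. The sample outputs embedded in it are constructed from the values posted in this thread; the column layout of the real tables varies between releases, so fields are located by token shape rather than by column position.

```python
"""Triage helper for vEdge control-connection failures (constructed example)."""
import re
from datetime import datetime, timezone

# Legend codes from `show control connections-history` that mean the peer could
# not verify this device's certificate or identity (subset of the full legend).
CERT_ERRORS = {
    "VECRTREV": "vEdge certificate revoked / not trusted by peer: check vBond's root CA list",
    "CRTVERFL": "peer could not verify our certificate: CA chain missing on peer",
    "BIDNTVRFD": "peer could not verify board-ID certificate: CA chain missing on peer",
    "CTORGNMMIS": "certificate org name mismatch: compare organization-name on vEdge and vBond",
    "CERTEXPRD": "certificate expired: compare validity window with vBond's clock (NTP)",
    "SERNTPRES": "serial number not present: device not in the authorised serial list",
}

KEY_VALUE = re.compile(r"^([a-z][a-z0-9/-]*)\s+(.+)$")   # "certificate-status Installed"
ERROR_CODE = re.compile(r"^[A-Z][A-Z_]{3,}$")           # "VB_TMO", "NOERR", "VECRTREV"

# Constructed from the outputs posted in the thread (values only, layout simplified).
SAMPLE_LOCAL_PROPERTIES = """\
personality vedge
sp-organization-name BT_SDWAN_LAB
organization-name BT_SDWAN_LAB
root-ca-chain-status Installed
certificate-status Installed
certificate-not-valid-before Jun 05 22:00:04 2021 GMT
certificate-not-valid-after Jun 03 22:00:04 2031 GMT
system-ip 10.13.13.13
"""

SAMPLE_HISTORY = """\
vbond dtls 0.0.0.0 0 0 11.0.25.5 12346 11.0.25.5 12346 default tear_down VB_TMO NOERR 2240 2021-06-06T21:13:40+0000
vbond dtls 0.0.0.0 0 0 11.0.25.5 12346 11.0.25.5 12346 default up RXTRDWN VECRTREV 0 2021-06-05T22:00:13+0000
vmanage dtls 10.4.4.4 100 0 11.0.24.4 12746 11.0.24.4 12746 default up RXTRDWN VECRTREV 0 2021-06-05T22:00:12+0000
vbond dtls 0.0.0.0 0 0 11.0.25.5 12346 11.0.25.5 12346 default challenge_resp RXTRDWN SERNTPRES 0 2021-06-05T21:59:31+0000
"""


def parse_local_properties(text):
    """Collect the `key value` lines of `show control local-properties` into a dict."""
    props = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_cert_date(value):
    """Turn 'Jun 05 22:00:04 2021 GMT' into an aware UTC datetime."""
    stamp = value.replace(" GMT", "").replace(" UTC", "")
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_history(text):
    """Rows of `show control connections-history` -> peer type plus LOCAL/REMOTE ERROR codes."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("vbond", "vmanage", "vsmart"):
            continue
        codes = [f for f in fields if ERROR_CODE.match(f)]
        if len(codes) < 2:
            continue
        # LOCAL ERROR comes before REMOTE ERROR; the ORGANIZATION column may be
        # blank (as in the thread), so column positions are deliberately not used.
        rows.append({"peer": fields[0], "local_error": codes[0], "remote_error": codes[1]})
    return rows


def triage(local_properties, history, now, vbond_org=None):
    """Apply the three checks from the accepted answer; return a list of findings."""
    findings = []
    props = parse_local_properties(local_properties)

    if props.get("root-ca-chain-status") != "Installed":
        findings.append("root CA chain not installed on vEdge")

    # Check 3: certificate validity window versus the clock the peer (vBond) uses.
    not_before = parse_cert_date(props["certificate-not-valid-before"])
    not_after = parse_cert_date(props["certificate-not-valid-after"])
    if not (not_before <= now <= not_after):
        findings.append(f"certificate not valid at {now.isoformat()} "
                        f"(valid {not_before.date()} to {not_after.date()})")

    # Check 2: org-name on the vEdge cert versus the org-name configured on vBond
    # (vbond_org is copied by hand from vBond's own `show control local-properties`).
    org = props.get("organization-name")
    if vbond_org is not None and org != vbond_org:
        findings.append(f"org-name mismatch: vEdge '{org}' vs vBond '{vbond_org}'")

    # Check 1 (as seen from the peer side): history rows where the peer rejected us.
    for row in parse_history(history):
        for side in ("local_error", "remote_error"):
            code = row[side]
            if code in CERT_ERRORS:
                findings.append(f"{row['peer']} {side} {code}: {CERT_ERRORS[code]}")
    return findings


def run_sample(now_iso="2021-06-06T21:13:40+00:00", vbond_org="BT_SDWAN_LAB"):
    """Run the triage over the constructed sample outputs."""
    return triage(SAMPLE_LOCAL_PROPERTIES, SAMPLE_HISTORY,
                  datetime.fromisoformat(now_iso), vbond_org)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run against the constructed sample, it reports the two VECRTREV rows and the SERNTPRES row and says nothing about VB_TMO, which is the timeout that follows the rejection rather than its cause; that matches the fix the original poster ended up applying (installing the root CA chain on vBond and correcting NTP). The validity and org-name checks only fire when the supplied clock or vBond org-name disagree with the vEdge output, so they are worth running with vBond's actual clock rather than the vEdge's.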

Thanks for the replies everyone,

 

I installed the root CA certificate to the vbond as follows:

request root-cert-chain install /home/admin/ROOTCA.pem

 

I also fixed my NTP setup (was using the wrong VPN) so all clocks are fully synchronised

 

The control connection is now up!

 

vedge# show control connections
PEER PEER CONTROLLER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT ORGANIZATION LOCAL COLOR PROXY STATE UPTIME ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart dtls 10.6.6.6 100 1 11.0.26.6 12446 11.0.26.6 12446 BT_SDWAN_LAB default No up 0:00:13:45 0
vbond dtls 0.0.0.0 0 0 11.0.25.5 12346 11.0.25.5 12346 BT_SDWAN_LAB default - up 0:09:07:49 0
vmanage dtls 10.4.4.4 100 0 11.0.24.4 12646 11.0.24.4 12646 BT_SDWAN_LAB default No up 0:09:07:49 0

 

 

I thought that the root cert was installed as part of the certificate install process in vmanage but I guess not

 

Thanks all... big learning curve for me, all of this.

Good to hear, BtjTaylor, that everything is working.