08-30-2019 10:18 AM
Hello,
I'm setting up a lab and encountered the following issue: after adding vBond and successfully applying a certificate and template to it, I tried to do the same with vSmart. But vSmart does not accept the cert because it does not have a correct enterp. root certificate ("show cert root" confirmed). For some reason vManage does not push the root cert to vSmart the same way it did with vBond.
- vManage, vBond and vSmart are all on public IPs and able to reach each other
- I updated vSmart to 18.4.3 and configured it from scratch with the same result
vSmart ver 18.4.3
vManage ver 18.4.1
vBond ver 18.3.7
Does anyone have any suggestions?
Regards,
Dan
09-04-2019 05:53 AM
Found a solution.
Although vManage was able to communicate with vSmart, something was off and it was not able to put the enterprise root certificate.
It went well the moment I did:
conf t
omp
shutdown
vpn 0
int eth0
no tunnel-interface
commit and-quit
(not sure which one, omp or tunnel-int, was the cause of the issue)
The problem was that I closely followed the Viptela documentation, and for some reason the initial configuration they ask you to configure did not allow the enterp. root cert to be installed.
Regards,
Dan
08-30-2019 10:53 PM
I faced a similar issue once back in the day, but it worked for me the second time I tried; I just re-added the vSmart on vManage. I am running Platform Version: 19.1.0 for vManage in my lab and it works like a charm for me. Upgrade, maybe?
Thanks
08-31-2019 06:47 AM
Your vManage version is lower than the vSmart. Just upgrade and check.
Thanks,
Srikanth
09-03-2019 11:41 AM
I updated vManage, vBond and vSmart to 19.2.0 - still no ent. root on vSmart
Re-added vSmart a few times - still no ent. root on vSmart
- tried to use the "request root-cert-chain install tftp://x.x.x.x/rootCA.pem" command but it does not work ("must match pattern" syntax error - I don't know what's wrong with that)
- tried to use the request download command - no luck
- tried to copy rootca.pem using vshell - wget and tftp commands - no luck - vshell does not download properly (tftp server is reachable and confirmed, connectivity confirmed)
Not sure what to do at this point, I'm not going to type in rootca.pem manually using VIM but I can't put the file to the vSmart at this time.
09-03-2019 09:47 PM
vManage can directly push the enterprise root CA to other controllers once added in the vManage.
What is your controllers certificate setting on the vManage?
Thanks,
Srikanth
09-03-2019 09:51 PM
I would suggest you have a look at the section below of the free training.
Cisco SD-WAN Controllers Bring up
-vManage Install
-vManage Transport Config
-Root-CA installation
-vManage install signed certificate
-vManage Sync Root Certificate
-vManage System Config
-vBond Initial Config
-vSmart Initial Config
-Add vBond and vSmart to vManage
-Certificate Install and Control Plane
-Review of Cisco SD-WAN Controller Bring up
https://learnedze.com/free-cisco-sd-wan-training/
Thanks,
Srikanth
08-07-2021 09:12 AM
I had the same problem and I solved it this way:
- copied the CA certificate from my PC to the vSmart via SCP (the certificate will be copied into the home directory of your user on the vSmart. You can list the contents of the directory by going into vshell)
- installed it with the command request root-cert-chain install /home/admin/ROOT_CA.cert.pem
- installed the vSmart certificate with the command request certificate install /home/admin/vsmart.crt (the vSmart certificate was copied by the vManage during the attempt to add the vSmart)
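A pre-install check for the manual procedure above, as an added example that is not part of the original post: run on the workstation before the SCP step, it confirms that the root file is a self-issued certificate and that the controller certificate chains to it, then prints the root's SHA-256 fingerprint for comparison with the value held by the CA. The function name `check_controller_chain` is hypothetical, and the OpenSSL CLI (1.1.0 or later, for `-no-CApath`) is assumed to be installed.

```shell
#!/bin/sh
# Added example: sanity-check a root CA / controller certificate pair before
# installing a trust anchor by hand. Assumes the openssl CLI, 1.1.0 or later.

# check_controller_chain ROOT_PEM CERT_PEM
# Exit codes: 0 ok, 2 unreadable file, 3 root not self-issued, 4 chain failure.
check_controller_chain() {
    root="$1"
    cert="$2"

    # Both files must parse as PEM X.509 certificates.
    openssl x509 -in "$root" -noout 2>/dev/null ||
        { echo "unreadable root certificate: $root" >&2; return 2; }
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "unreadable certificate: $cert" >&2; return 2; }

    # A root is self-issued: its subject name hash equals its issuer name hash.
    subj=$(openssl x509 -in "$root" -noout -subject_hash)
    issr=$(openssl x509 -in "$root" -noout -issuer_hash)
    [ "$subj" = "$issr" ] ||
        { echo "not a self-issued root: $root" >&2; return 3; }

    # Chain and validity-period check with the supplied file as trust anchor;
    # -no-CApath keeps the system CA directory out of the decision.
    openssl verify -no-CApath -CAfile "$root" "$cert" >/dev/null 2>&1 ||
        { echo "$cert does not chain to $root" >&2; return 4; }

    # Fingerprint to compare out of band before trusting the file.
    openssl x509 -in "$root" -noout -fingerprint -sha256
}

# Usage with the file names from the post:
#   check_controller_chain ROOT_CA.cert.pem vsmart.crt
```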
07-24-2024 08:52 PM
People still facing the issue: follow the steps in the attached link. While configuring vSmart, make sure to add the field sp-organization-name, which should be the same as organization-name under systems, only on vSmart.