daniellsaccount
Beginner

vSmart does not get enterprise root certificate from vManage

Hello,

I'm setting up a lab and encountered the following issue: after adding vBond and successfully applying a certificate and template to it, I tried to do the same with vSmart. But vSmart does not accept the cert because it does not have a correct enterprise root certificate ("show cert root" confirmed). For some reason vManage does not push the root cert to vSmart the same way it did with vBond.

- vManage, vBond and vSmart are all on public IPs and able to reach each other
- I updated vSmart to 18.4.3 and configured from scratch with the same result

vSmart ver 18.4.3
vManage ver 18.4.1
vBond ver 18.3.7

Does anyone have any suggestions?

Regards,
Dan


Accepted Solutions
daniellsaccount
Beginner

Found a solution.

Although vManage was able to communicate with vSmart, something was off and it was not able to put the enterprise root certificate.

It went well the moment I did:

conf t
omp
shutdown
vpn 0
int eth0
no tunnel-interface
commit and-quit

(not sure which one, omp or tunnel-int, was the cause of the issue)

The problem was that I followed the Viptela documentation closely and for some reason the initial configuration they ask to configure did not allow the enterprise root cert to be installed.

https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Viptela_Overlay_Network_Bringup/06Deploy_the_vSmart_Controller/03Configure_the_vSmart_Controller

Regards,
Dan

 

 


6 REPLIES 6
TusharGaba0848
Beginner

I faced a similar issue once back in the day, but it worked for me the second time I tried; I just re-added the vSmart on vManage. I am running Platform Version: 19.1.0 for vManage in my lab and it works like a charm for me. Upgrade maybe?

 

Thanks

Your vManage version is lower than the vSmart. Just upgrade and check.

 

Thanks,

Srikanth

daniellsaccount
Beginner

I updated vManage, vBond and vSmart to 19.2.0 - still no ent. root on vSmart

Re-added vSmart a few times - still no ent. root on vSmart

- tried to use the "request root-cert-chain install tftp://x.x.x.x/rootCA.pem" command but it does not work ("must match pattern" syntax error - I don't know what's wrong with that)
- tried to use the request download command - no luck
- tried to copy rootca.pem using vshell - wget and tftp commands - no luck - vshell does not download properly (tftp server is reachable and confirmed, connectivity confirmed)

Not sure what to do at this point. I'm not going to type in rootca.pem manually using Vim, but I can't put the file on the vSmart at this time.

 

vManage can directly push the enterprise root CA to other controllers once added in the vManage.

What is your controllers certificate setting on the vManage?

 

Thanks,

Srikanth

I would suggest you have a look at the section below of the free training.

Cisco SD-WAN Controllers Bring up
-vManage Install
-vManage Transport Config
-Root-CA installation
-vManage install signed certificate
-vManage Sync Root Certificate
-vManage System Config
-vBond Initial Config
-vSmart Initial Config
-Add vBond and vSmart to vManage
-Certificate Install and Control Plane
-Review of Cisco SD-WAN Controller Bring up

https://learnedze.com/free-cisco-sd-wan-training/

 

Thanks,

Srikanth
