Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8132
Views
10
Helpful
6
Replies

How to generate a CSR for a vEdge cloud router? Manual certificate installation

Go to solution
Alfonso Lopez
Cisco Employee
Cisco Employee

‎07-30-2019 10:23 AM - edited ‎07-31-2019 02:34 AM

Hi,

I´m building a Viptela lab and managed to deploy all the controllers (vManage, vSmart and vBond), added them to the overlay network and installed valid certificates in them.

However, after importing a .viptela file with several authorized vEdge cloud devices, I can´t get them to "talk" to the vManage.
I've entered all system bootstrap config into the vEdge router (organization name, vBond IP, system IP, etc.), installed the same root CA certificate chain that I also installed in the controllers.
However, after issuing the "request vedge-cloud activate chassis-number xxx-xxx-xxx token yyy-yyy-yyy" command, and then "show control connections" I do briefly see it attempting to contact the vBond, but then nothing.

Just for the record, from the vEdge I'm able to ping the vpn0 address of the vBond and the vManage.

If I go under Configuration -> Certificates and select the line of this vEdge router, at the three-dot menu on the right, the only option that I have is "View CSR", but obviusly there's no CSR. I don't have the Generate CSR option.

 

In this link, they tell you to first create a Bootstrap Configuration File (.cfg), but then they don't tell you what to do with it in order to generate the CSR that you need.

https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Viptela_Overlay_Network_Bringup/07Deploy_the_vEdge_Routers/05Install_Signed_Certificates_on_vEdge_Cloud_Routers

Can anybody please tell me how to make a vEdge router be able to contact its vBond and hence vManage, when doing manual certificate installations?

 

Thank you.

 

Alfonso

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Alfonso Lopez
Cisco Employee
Cisco Employee
In response to HashamM

‎08-01-2019 05:17 AM

Ok, this post pointed me into the right direction to find the solution:

https://community.cisco.com/t5/sd-wan/viptela-vedge-cloud-not-building-control-connections/m-p/3894311#M934

 

At the vBond I noticed that the "show orchestrator valid-vedge" was empty, which meant that even though the vManage knew about the vEdges, the vBond was obvlivious to them. I went to Configuration -> Certificates, then manually changed the Certificate status to 'Valid' at a couple of vEdges and then clicked on the red "Push to Controllers" button.


After that, the vEdge chassis number appeared at the vBond and the vManage automatically generated a CSR for the vdge, which I could then sign at my own CA and then manually install from the vManage GUI. This vEdge is now In Sync.

 

I repeated the process for a second vEdge, but made the mistake of using Automatic WAN Edge Cloud Certificate Authorization, so the wrong certificate (signed by the vManage) got installed at this second vEdg and, as a result, the vEdge was seen by the vManage, but was not "In Sync" because the certificate had been revoked. This could be seen with a "show control connections-history" at the vEdge. Then "RXTRDWN VECRTREV" appeared as LOCAL and ROMETE ERRORs respectively.

 

To fix it I decomissioned it from the vManage, uninstalled its certificate by issuing a new "request vedge-cloud activate" command with a wrog token id, and then issued the command again with the new token that was generated by the vManage after the decomission. The CSR was generated by the vManage, I signed it with my own CA, installed it and this time, the vEdge got "In Sync".

View solution in original post

0 Helpful
6 Replies 6

Go to solution
HashamM
Cisco Employee
Cisco Employee

‎07-30-2019 11:09 AM

Hi,

 

Make sure the system clock on devices have less than 120 seconds difference.

Try to use vManage as a CA for the vEdges. This way you dont have to generate the CSR and install the certificate on vEdge.

Go to solution
Alfonso Lopez
Cisco Employee
Cisco Employee
In response to HashamM

‎07-31-2019 02:31 AM - edited ‎07-31-2019 02:33 AM

Hi @HashamM ,

 

All vEdge, vBond and vManage are synhronized with the same NTP server and are in the same timezone. Their clocks look exactly the same.

By "use vManage as a CA", do you mean going to Administration -> Settings and set both "Controller Certificate Authorization" and "WAN Edge Cloud Certificate Authorization" to "Automated"?

Is there some sort of troubleshooting guide for this?

The official documents don't seem to be very detailed.

 

Thank you.

Alfonso

0 Helpful

Go to solution
Alfonso Lopez
Cisco Employee
Cisco Employee
In response to HashamM

‎08-01-2019 05:17 AM

Ok, this post pointed me into the right direction to find the solution:

https://community.cisco.com/t5/sd-wan/viptela-vedge-cloud-not-building-control-connections/m-p/3894311#M934

 

At the vBond I noticed that the "show orchestrator valid-vedge" was empty, which meant that even though the vManage knew about the vEdges, the vBond was obvlivious to them. I went to Configuration -> Certificates, then manually changed the Certificate status to 'Valid' at a couple of vEdges and then clicked on the red "Push to Controllers" button.


After that, the vEdge chassis number appeared at the vBond and the vManage automatically generated a CSR for the vdge, which I could then sign at my own CA and then manually install from the vManage GUI. This vEdge is now In Sync.

 

I repeated the process for a second vEdge, but made the mistake of using Automatic WAN Edge Cloud Certificate Authorization, so the wrong certificate (signed by the vManage) got installed at this second vEdg and, as a result, the vEdge was seen by the vManage, but was not "In Sync" because the certificate had been revoked. This could be seen with a "show control connections-history" at the vEdge. Then "RXTRDWN VECRTREV" appeared as LOCAL and ROMETE ERRORs respectively.

 

To fix it I decomissioned it from the vManage, uninstalled its certificate by issuing a new "request vedge-cloud activate" command with a wrog token id, and then issued the command again with the new token that was generated by the vManage after the decomission. The CSR was generated by the vManage, I signed it with my own CA, installed it and this time, the vEdge got "In Sync".

0 Helpful

Go to solution
Steven-Williams-83
Level 1
Level 1
In response to HashamM

‎09-20-2022 01:16 PM

"Try to use vManage as a CA for the vEdges. This way you dont have to generate the CSR and install the certificate on vEdge."

This is the golden goose right here! Unfortunately, not real world though. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents