
Problem with vEdge ISR VPN0 and bringing it up in vManage

ahmad.rz
Level 1

Hi, I have a problem with my ISR4351 based on SD-WAN IOS XE: isr4300-ucmk9.16.11.1a.SPA.bin

I can't create VPN 0. I mean there is no command starting with vpn 0 or any vpn interface in the config-transaction environment. Also, I think I should enable the hseck9 feature in licensing. The "show license feature" output is here:

 

Index 1 Feature: ipbasek9
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 2 Feature: hseck9

-------------------------------------------

 

I also have a problem bringing up the vEdge in vManage, and the error is here:

 

Event Name : vbond-reject-vedge-connection
reason=ERR_BID_NOT_VERIFIED

 

 

Does anyone know how to handle it?

Be quick and careful!

ekhabaro
Cisco Employee

It's not about licensing. Your VPN 0 on IOS-XE SDWAN is actually the global routing table, so "vpn 0" configuration is not required.
You can find the IOS-XE SDWAN configuration guide here: https://www.cisco.com/c/en/us/support/routers/sd-wan/products-installation-and-configuration-guides-list.html

If you configure the device via CLI instead of a vManage feature template, your basic configuration may look like the one below:

system
 system-ip             x.y.z.ABC
 overlay-id            1
 site-id               ABC
 control-session-pps   300
 no admin-tech-on-failure
 sp-organization-name  "YOUR ORGNAME HERE"
 organization-name     "YOUR SP ORGNAME HERE, for single tenant = org-name"
 console-baud-rate     9600
 vbond <vbond address> port 12346
!
vrf definition Mgmt-intf
 address-family ipv4
  exit-address-family
 !
 address-family ipv6
  exit-address-family
 !
!
ip route 0.0.0.0 0.0.0.0 <default-gw ISP1> 1
ip route 0.0.0.0 0.0.0.0 <default-gw ISP2> 1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 <default-gw for management network vpn 512 if needed >
interface GigabitEthernet0/0/0
 no shutdown
 arp timeout 1200
 ip address <ip address ISP1> <mask>
 ip redirects
 mtu 1500
 ip mtu    1500
exit
interface GigabitEthernet0/0/1
 no shutdown
 arp timeout 1200
 ip address <ip address ISP2> <mask>
 no ip redirects
 mtu 1500
 ip mtu    1500
exit
interface Vlan1
 vrf forwarding Mgmt-intf
 ip address <ip address management> <mask>
exit
interface Tunnel0
 no shutdown
 ip unnumbered GigabitEthernet0/0/0
 no ip redirects
 ipv6 unnumbered GigabitEthernet0/0/0
 no ipv6 redirects
 tunnel source GigabitEthernet0/0/0
 tunnel mode sdwan
exit
interface Tunnel1
 no shutdown
 ip unnumbered GigabitEthernet0/0/1
 no ip redirects
 ipv6 unnumbered GigabitEthernet0/0/1
 no ipv6 redirects
 tunnel source GigabitEthernet0/0/1
 tunnel mode sdwan
!
sdwan
 interface GigabitEthernet0/0/0
  tunnel-interface
   encapsulation ipsec weight 1
   color mpls
   no last-resort-circuit
   vmanage-connection-preference 5
   no allow-service all
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
  exit
!
 exit
 interface GigabitEthernet0/0/1
  tunnel-interface
   encapsulation ipsec weight 1
   color biz-internet
   no last-resort-circuit
   vmanage-connection-preference 5
   no allow-service all
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
  exit
 exit

For ISR4xxx/ASR1000 don't forget to replace "Vlan1" with "GigabitEthernet0":
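
Added example, not part of the reply above and not Cisco code: a small Python check that reads the `sdwan` block of a saved configuration like the one in the reply and reports which `allow-service` entries are enabled on each tunnel interface. The `RISKY` set, the function name and the sample text are assumptions made for this example; the second interface in the sample is constructed to show a finding.

```python
import re

# Assumed policy for this example: services that should stay off on a WAN tunnel.
RISKY = {"all", "sshd", "netconf"}

# Constructed sample. The first interface mirrors the reply's settings; the
# second is a loosened variant made up here to show a finding.
SAMPLE = """\
sdwan
 interface GigabitEthernet0/0/0
  tunnel-interface
   color mpls
   no allow-service all
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
  exit
!
 exit
 interface GigabitEthernet0/0/1
  tunnel-interface
   color biz-internet
   allow-service all
   allow-service sshd
  exit
 exit
"""

def audit_allow_service(config):
    """Map each sdwan interface to its color, enabled services and RISKY hits."""
    report, current, in_sdwan = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":          # separators do not end a section
            continue
        if not raw.startswith(" "):          # unindented line starts a new section
            in_sdwan, current = line == "sdwan", None
        elif not in_sdwan:
            continue
        elif m := re.fullmatch(r"interface (\S+)", line):
            current = report.setdefault(m.group(1), {"color": None, "allowed": set()})
        elif current and (m := re.fullmatch(r"color (\S+)", line)):
            current["color"] = m.group(1)
        elif current and (m := re.fullmatch(r"(no )?allow-service (\S+)", line)):
            (current["allowed"].discard if m.group(1) else current["allowed"].add)(m.group(2))
    for info in report.values():
        info["findings"] = sorted(info["allowed"] & RISKY)
    return report
```

Interfaces configured outside the `sdwan` block (the top-level `interface` stanzas) are ignored, since `allow-service` only appears under `tunnel-interface`.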