Cisco Employee

Re: Viptela Vmanage

Hi, I also encountered this problem: "failed to add device, network is unreachable"

Have you solved this problem?

Beginner

Re: Viptela Vmanage

It turns out I was using the wrong VPN. You aren't supposed to use the Mgmt VPN 512 for mgmt. :) It has to be VPN 0.

Cisco Employee

Re: Viptela Vmanage

Did you allow sshd and netconf on vBond?

 

On vBond1:

vpn 0
  int ge0/0
    tunnel-interface
      allow-service sshd
      allow-service netconf
commit and-quit
Beginner

Re: Viptela Vmanage

Dear,
Please, how did you solve it?
As I am stuck on this step, I can't install the certificate on the vManage manually.
I tried with OpenSSL and Active Directory but I couldn't solve it.
What did you use and what statistics did you use?
Thanks.

Beginner

Re: Viptela Vmanage

Well, actually we did not "solve" the problem. We just realized what the cause of the problem was in our case soon after the problem had actually gone. If you carefully follow the documentation for vEdge-cloud deployment all should be fine, but... Cisco never mentioned that for a successful "ssl trust relationship" the time should be in sync on both platforms. (Kind of basic, but not everybody pays attention.) So in our case the problem went away when the firewall settings for NTP were corrected. Edge and vManage time synced, and the certificate install process and edge registration started working as expected.
Beginner

Re: Viptela Vmanage

This turned out to be my problem in activating the vEdge-cloud as well. After configuring NTP, I was able to successfully add them to the network.

Beginner

Re: Viptela Vmanage

Hey, hi,

I'm also facing the same issue and literally struggling with it. To install the certificate, I generated a CSR for vManage. But I'm not sure about the detailed steps (from how to sign that CSR to installing the cert in vManage). Could you please help me by providing the step-by-step process of how you:

got the CSR signed and got the certificate

how you created and loaded the root chain from your XCA into vManage

which tool you used

any online link you referred to

Which I studied from your 'Re: Viptela Vmanage' discussion. Please guide me in this. Your help will be appreciated.

Beginner

Re: Viptela Vmanage

Hi, this part was simple - I use WinSCP to copy the root-chain certificate to vManage,
then using the CLI I uninstall the provided root-chain and clear the cert storage after the uninstall,
then using the request CLI command I ask to install the root chain certificate which was copied using WinSCP.

All subsequent CSRs I sign against the root CA using the TinyCA Linux utility.
Beginner

Re: Viptela Vmanage

Hey, hi,

My concern is, how do you create the root cert? Where is it located? All I have now is the CSR which I generated from vManage. What are the next steps I need to follow with that CSR? Please explain this.

Beginner

Re: Viptela Vmanage

The root cert is a file. You can store it anywhere you like.
To create the root cert I use the same TinyCA Linux program which I use to sign the CSR.
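
The private-CA steps described in the posts above (create a root cert, sign the controller's CSR against it) and the clock dependency from the NTP post, as an added example that is not part of the original thread. It uses the openssl command line in place of TinyCA; the subjects, file names and lifetimes are assumptions, the CSR is a locally generated stand-in for the one from vManage, and `-attime` simulates a device whose clock is behind.

```bash
#!/usr/bin/env bash
# Constructed lab example: all names, subjects and lifetimes are assumptions.
set -eu
WORK=${WORK:-$(mktemp -d)}   # mktemp -d gives a 0700 directory for the keys

# Self-signed root CA. root-ca.crt (PEM, the openssl default) is the
# "root chain" file that gets copied to the controller.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example Lab/CN=Example Lab Root CA" \
    -keyout "$WORK/root-ca.key" -out "$WORK/root-ca.crt" 2>/dev/null
}

# Stand-in for the CSR that vManage generates; on a real deployment the
# CSR is produced on the controller and only device.csr is brought here.
make_device_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Lab/CN=vmanage.example.test" \
    -keyout "$WORK/device.key" -out "$WORK/device.csr" 2>/dev/null
}

# Sign the CSR with the root CA key (the step the post does in TinyCA).
sign_csr() {
  openssl x509 -req -in "$WORK/device.csr" -sha256 -days 365 \
    -CA "$WORK/root-ca.crt" -CAkey "$WORK/root-ca.key" -CAcreateserial \
    -out "$WORK/device.crt" 2>/dev/null
}

# verify_at EPOCH: validate device.crt against the root as if the local
# clock read EPOCH. Returns non-zero when the chain does not validate.
verify_at() {
  openssl verify -attime "$1" -CAfile "$WORK/root-ca.crt" \
    "$WORK/device.crt" >/dev/null 2>&1
}

make_root_ca && make_device_csr && sign_csr
now=$(date +%s)
openssl x509 -in "$WORK/device.crt" -noout -subject -issuer -dates
verify_at "$now" && echo "clock in sync: chain validates"
# A device whose clock is a day behind sees notBefore in the future.
verify_at $((now - 86400)) || echo "clock 1 day behind: certificate not yet valid"
```

Only `root-ca.crt` and the signed `device.crt` need to reach the controllers; `root-ca.key` stays on the signing host.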
Beginner

Re: Viptela Vmanage

Thanks for the info. Can you suggest some other tools for Windows? Does the root cert need to be saved as a .pem file?

Beginner

Re: Viptela Vmanage

Is this step 4 necessary? Install 'root chain' on the vManage controller?

 

It's not part of the steps:

https://sdwan-docs.cisco.com/Product_Documentation/vManage_How-Tos/Configuration/Generate_a_Certificate#Manually_Generate_a_Certificate

 

I'm receiving the same error when I try to install my private signed root certificate on vManage. It gives the following message:

Failed to decrypt serial number from certificate

I have tried to import the root cert in two different formats (RAW and PKCS #7) but received the same error above.

 

 

thanks

Ian

Beginner

Re: Viptela Vmanage

Hi David,
Please let me know: if DigiCert (of Symantec) is used from vManage to get automated signed certs for vBond and vSmart, will Symantec or Cisco charge additional money for the DigiCert certificates?
Cisco Employee

Re: Viptela Vmanage

Hello alihusainl19,

vManage automates the process of provisioning DigiCert certificates onto the other controllers (vBonds and vSmart) and onto itself as well. It does that by requesting the controllers to generate a certificate signing request (CSR), forwarding this request to DigiCert, retrieving the signed certificate (once approved by the Cisco CloudOps team) and finally installing it back onto the controllers. DigiCert does charge for signed certificates; however, Cisco includes that charge in the cost of DNA subscription licensing, so customers do not have to pay anything directly to DigiCert.

Please note the following:

1. If you leverage Cisco-hosted cloud controllers, the entire process above is fully automated and you don’t have to do anything.
2. If you leverage on-prem controllers, your Cisco SE will guide you through the process. It is essentially the same thing, but you will need to click a few things in the vManage GUI to initiate it for each controller. Of course, you will need to stand up the controller VMs in your data centers as well ☺
3. If you leverage on-prem controllers, you can use your private PKI infrastructure, if you have it. Please refer to the documentation on sdwan-docs.cisco.com for more details on that option. It’s a little more complex to do and requires more understanding of how PKI works, but we have many customers who have done it, so no big deal.

Hope this helps.
David
@DavidKlebanov

Twitter: @DavidKlebanov
Beginner

Re: Viptela Vmanage

Can you please suggest some other tools for Windows? I'm also facing the same error, shown below, while opting for Automated Symantec:

 

Unable to get response from signing server https://certmanager-webservices.websecurity.symantec.com/vswebservices/rest/services/enroll