
vSmart does not get enterprise root certificate from vManage

daniellsaccount
Level 1

Hello,

I'm setting up a lab and encountered the following issue: after adding vBond and successfully applying a certificate and template to it, I tried to do the same with vSmart. But vSmart does not accept the cert because it does not have a correct enterprise root certificate ("show cert root" confirmed). For some reason vManage does not push the root cert to vSmart the same way it did with vBond.

- vManage, vBond and vSmart are all on public IPs and able to reach each other
- I updated vSmart to 18.4.3 and configured it from scratch with the same result

vSmart ver 18.4.3
vManage ver 18.4.1
vBond ver 18.3.7

Does anyone have any suggestions?

Regards,
Dan

Accepted Solution

daniellsaccount
Level 1

Found a solution.

Although vManage was able to communicate with vSmart, something was off and it was not able to put the enterprise root certificate.

It went well the moment I did:

conf t
omp
shutdown
vpn 0
int eth0
no tunnel-interface
commit and-quit

(not sure which one, omp or tunnel-int, was the cause of the issue)

The problem was that I closely followed the Viptela documentation, and for some reason the initial configuration they ask you to configure did not allow the enterprise root cert to be installed:

https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Viptela_Overlay_Network_Bringup/06Deploy_the_vSmart_Controller/03Configure_the_vSmart_Controller

Regards,
Dan

7 Replies

TusharGaba0848
Level 1

I faced a similar issue once back in the day, but it worked for me the second time I tried; I just re-added the vSmart on vManage. I am running Platform Version: 19.1.0 for vManage in my lab and it works like a charm for me. Upgrade, maybe?

Thanks

Your vManage version is lower than the vSmart. Just upgrade and check.

Thanks,
Srikanth

daniellsaccount
Level 1

I updated vManage, vBond and vSmart to 19.2.0 - still no ent. root on vSmart

Re-added vSmart a few times - still no ent. root on vSmart

- tried to use the "request root-cert-chain install tftp://x.x.x.x/rootCA.pem" command, but it does not work ("must match pattern" syntax error - I don't know what's wrong with that)
- tried to use the request download command - no luck
- tried to copy rootca.pem using vshell - wget and tftp commands - no luck - vshell does not download properly (tftp server is reachable and confirmed, connectivity confirmed)

Not sure what to do at this point. I'm not going to type in rootca.pem manually using VIM, but I can't put the file on the vSmart at this time.

vManage can directly push the enterprise root CA to other controllers once added in the vManage.

What is your controllers certificate setting on the vManage?

Thanks,
Srikanth

I would suggest you have a look at the section below of the free training.

Cisco SD-WAN Controllers Bring up
- vManage Install
- vManage Transport Config
- Root-CA installation
- vManage install signed certificate
- vManage Sync Root Certificate
- vManage System Config
- vBond Initial Config
- vSmart Initial Config
- Add vBond and vSmart to vManage
- Certificate Install and Control Plane
- Review of Cisco SD-WAN Controller Bring up

https://learnedze.com/free-cisco-sd-wan-training/

Thanks,
Srikanth

I had the same problem and I solved it this way:

- copied the CA certificate from my PC to the vSmart via SCP (the certificate will be copied to the home directory of your user on the vSmart; you can list the content of the directory by going into vshell)
- installed it with the command request root-cert-chain install /home/admin/ROOT_CA.cert.pem
- installed the vSmart certificate with the command request certificate install /home/admin/vsmart.crt (the vSmart certificate was copied by the vManage during the attempt to add the vSmart)
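
Added example, not part of the original thread: a pre-flight check, run on a workstation that holds both files, that the controller certificate really chains to the root CA file before either is installed manually as in the reply above. It assumes the `openssl` CLI is available; `preflight` and `make_demo_pki` are hypothetical helper names, and the demo PKI they build is constructed test data.

```bash
#!/usr/bin/env bash
# Added example. File names in the usage line mirror the reply above;
# preflight and make_demo_pki are hypothetical helper names.
# Usage: preflight ROOT_CA.cert.pem vsmart.crt

# preflight ROOT_CA LEAF -> returns 0 only if LEAF is fit to install under ROOT_CA
preflight() {
    ca=$1; leaf=$2
    # 0. Both files must parse as X.509 certificates (catches truncated copies).
    openssl x509 -in "$ca" -noout >/dev/null 2>&1 &&
    openssl x509 -in "$leaf" -noout >/dev/null 2>&1 ||
        { echo "FAIL: unreadable certificate file" >&2; return 1; }
    # 1. A root must be self-signed: subject and issuer hash to the same value.
    [ "$(openssl x509 -in "$ca" -noout -subject_hash 2>/dev/null)" = \
      "$(openssl x509 -in "$ca" -noout -issuer_hash 2>/dev/null)" ] ||
        { echo "FAIL: $ca is not self-signed" >&2; return 1; }
    # 2. Neither certificate may already be expired.
    openssl x509 -in "$ca" -noout -checkend 0 >/dev/null 2>&1 &&
    openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: a certificate has expired" >&2; return 1; }
    # 3. The leaf's signature must verify against this root.
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 ||
        { echo "FAIL: $leaf does not chain to $ca" >&2; return 1; }
    # Print the root's SHA-256 fingerprint so the operator can record
    # exactly which root is being installed.
    openssl x509 -in "$ca" -noout -fingerprint -sha256
}

# make_demo_pki DIR NAME -> constructed root DIR/NAME.pem and a leaf
# DIR/NAME-leaf.crt signed by it (throwaway keys, for the demo only)
make_demo_pki() {
    d=$1; n=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$n demo root" \
        -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n demo vsmart" \
        -keyout "$d/$n-leaf.key" -out "$d/$n-leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/$n-leaf.csr" -CA "$d/$n.pem" -CAkey "$d/$n.key" \
        -CAcreateserial -days 1 -out "$d/$n-leaf.crt" 2>/dev/null
}
```

A failure at step 3 means the certificate was signed under a different root than the one being copied, which is the mismatch the original question describes.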
