Cisco SD-WAN vEdge Troubleshooting
This is an overview of how to troubleshoot Cisco SD-WAN vEdge devices.
Time
Make sure the time is the same on all of your devices.
Controllers
Make sure your controllers are configured correctly first:
Cisco SD-WAN controller troubleshooting
vBond not accepting vEdge chassis number
This is one possible issue. It's easy to check and fix.
vEdge
On a vEdge router, use show control connection-history
to see if it's attempting to connect to vBond. This command also gives a legend with possible error messages:
vEdge1# show control connections-history Legend for Errors ACSRREJ - Challenge rejected by peer. NOVMCFG - No cfg in vmanage for device. BDSGVERFL - Board ID Signature Verify Failure. NOZTPEN - No/Bad chassis-number entry in ZTP. BIDNTPR - Board ID not Initialized. OPERDOWN - Interface went oper down. BIDNTVRFD - Peer Board ID Cert not verified. ORPTMO - Server's peer timed out. BIDSIG - Board ID signing failure. RMGSPR - Remove Global saved peer. CERTEXPRD - Certificate Expired RXTRDWN - Received Teardown. CRTREJSER - Challenge response rejected by peer. RDSIGFBD - Read Signature from Board ID failed. CRTVERFL - Fail to verify Peer Certificate. SERNTPRES - Serial Number not present. CTORGNMMIS - Certificate Org name mismatch. SSLNFAIL - Failure to create new SSL context. DCONFAIL - DTLS connection failure. STNMODETD - Teardown extra vBond in STUN server mode. DEVALC - Device memory Alloc failures. SYSIPCHNG - System-IP changed. DHSTMO - DTLS HandShake Timeout. SYSPRCH - System property changed DISCVBD - Disconnect vBond after register reply. TMRALC - Timer Object Memory Failure. DISTLOC - TLOC Disabled. TUNALC - Tunnel Object Memory Failure. DUPCLHELO - Recd a Dup Client Hello, Reset Gl Peer. TXCHTOBD - Failed to send challenge to BoardID. DUPSER - Duplicate Serial Number. UNMSGBDRG - Unknown Message type or Bad Register msg. DUPSYSIPDEL- Duplicate System IP. UNAUTHEL - Recd Hello from Unauthenticated peer. HAFAIL - SSL Handshake failure. VBDEST - vDaemon process terminated. IP_TOS - Socket Options failure. VECRTREV - vEdge Certification revoked. LISFD - Listener Socket FD Error. VSCRTREV - vSmart Certificate revoked. MGRTBLCKD - Migration blocked. Wait for local TMO. VB_TMO - Peer vBond Timed out. MEMALCFL - Memory Allocation Failure. VM_TMO - Peer vManage Timed out. NOACTVB - No Active vBond found to connect. VP_TMO - Peer vEdge Timed out. NOERR - No Error. VS_TMO - Peer vSmart Timed out. NOSLPRCRT - Unable to get peer's certificate. XTVMTRDN - Teardown extra vManage. NEWVBNOVMNG- New vBond with no vMng connections. XTVSTRDN - Teardown extra vSmart. NTPRVMINT - Not preferred interface to vManage. STENTRY - Delete same tloc stale entry. HWCERTREN - Hardware vEdge Enterprise Cert Renewed HWCERTREV - Hardware vEdge Enterprise Cert Revoked. EMBARGOFAIL - Embargo check failed PEER PEER PEER PEER PEER SITE DOMAIN PEER PRIVATE PEER PUBLIC LOCAL REMOTE REPEAT TYPE PROTOCOL SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR STATE ERROR ERROR COUNT DOWNTIME ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ vbond dtls 0.0.0.0 0 0 10.1.0.2 12346 10.1.0.2 12346 public-internet connect DCONFAIL NOERR 44 2022-10-26T11:36:16+0000 vbond dtls 0.0.0.0 0 0 10.1.0.2 12346 10.1.0.2 12346 public-internet connect DCONFAIL NOERR 49 2022-10-26T11:31:43+0000 vbond dtls 0.0.0.0 0 0 10.1.0.2 12346 10.1.0.2 12346 public-internet connect DCONFAIL NOERR 41 2022-10-26T11:24:37+0000 vbond dtls 0.0.0.0 0 0 10.1.0.2 12346 10.1.0.2 12346 public-internet connect DCONFAIL NOERR 17 2022-10-26T11:18:39+0000 vbond dtls 0.0.0.0 0 0 10.1.0.2 12346 10.1.0.2 12346 public-internet connect DCONFAIL NOERR 9 2022-10-26T11:16:05+0000
vBond
Check the whitelist on the vBond controller with show orchestrator valid-vedges
:
vBond1# show orchestrator valid-vedges orchestrator valid-vedges 82AC8968-DD99-4EE7-A14C-D1C39DC49D56 serial-number 85B3AB796BC025AE validity valid org nwl-lab-sdwan hardware-installed-serial-number N/A orchestrator valid-vedges 88920A4D-62D5-4AA1-A294-F9A0C7CE55FB serial-number 85B3AB796BC025B0 validity valid org nwl-lab-sdwan hardware-installed-serial-number N/A orchestrator valid-vedges 91F32D2B-60EB-4838-A971-84ED41C1F6BF serial-number 85B3AB796BC025B2 validity valid org nwl-lab-sdwan hardware-installed-serial-number N/A orchestrator valid-vedges C368C7D4-68F5-45FA-A2C6-2CC8BC1EB887 serial-number 85B3AB796BC025B1 validity valid org nwl-lab-sdwan hardware-installed-serial-number N/A
If you don't see the chassis number on the vBond controller, you can manually add it like this:
request vedge-cloud activate chassis-number 715FHJ9B-8D12-34E4-234B-58E5F5BD0786 token 7505cfac967c7ca0dd407caffb453462
Misc
You can try these commands to check the connection between your vEdge and the controller:
show control connections
show control connections-history
show control local-properties
If you need to troubleshoot connectivity in service VPNs, look here: