Cisco SD-WAN vEdge Troubleshooting

This is an overview of how to troubleshoot Cisco SD-WAN vEdge devices.

Time

Make sure the time is the same on all of your devices:

Cisco SD-WAN clock command

Controllers

Make sure your controllers are configured correctly first:

Cisco SD-WAN controller troubleshooting

vBond not accepting vEdge chassis number

This is one possible issue. It's easy to check and fix.

vEdge

On a vEdge router, use show control connections-history to see whether it is attempting to connect to the vBond controller. The output also prints a legend explaining each possible error code:

vEdge1# show control connections-history
Legend for Errors
  ACSRREJ      - Challenge rejected by peer.                 NOVMCFG      - No cfg in vmanage for device.
  BDSGVERFL    - Board ID Signature Verify Failure.          NOZTPEN      - No/Bad chassis-number entry in ZTP.
  BIDNTPR      - Board ID not Initialized.                   OPERDOWN     - Interface went oper down.
  BIDNTVRFD    - Peer Board ID Cert not verified.            ORPTMO       - Server's peer timed out.
  BIDSIG       - Board ID signing failure.                   RMGSPR       - Remove Global saved peer.
  CERTEXPRD    - Certificate Expired                         RXTRDWN      - Received Teardown.
  CRTREJSER    - Challenge response rejected by peer.        RDSIGFBD     - Read Signature from Board ID failed.
  CRTVERFL     - Fail to verify Peer Certificate.            SERNTPRES    - Serial Number not present.
  CTORGNMMIS   - Certificate Org name mismatch.              SSLNFAIL     - Failure to create new SSL context.
  DCONFAIL     - DTLS connection failure.                    STNMODETD    - Teardown extra vBond in STUN server mode.
  DEVALC       - Device memory Alloc failures.               SYSIPCHNG    - System-IP changed.
  DHSTMO       - DTLS HandShake Timeout.                     SYSPRCH      - System property changed
  DISCVBD      - Disconnect vBond after register reply.      TMRALC       - Timer Object Memory Failure.
  DISTLOC      - TLOC Disabled.                              TUNALC       - Tunnel Object Memory Failure.
  DUPCLHELO    - Recd a Dup Client Hello, Reset Gl Peer.     TXCHTOBD     - Failed to send challenge to BoardID.
  DUPSER       - Duplicate Serial Number.                    UNMSGBDRG    - Unknown Message type or Bad Register msg.
  DUPSYSIPDEL  - Duplicate System IP.                        UNAUTHEL     - Recd Hello from Unauthenticated peer.
  HAFAIL       - SSL Handshake failure.                      VBDEST       - vDaemon process terminated.
  IP_TOS       - Socket Options failure.                     VECRTREV     - vEdge Certification revoked.
  LISFD        - Listener Socket FD Error.                   VSCRTREV     - vSmart Certificate revoked.
  MGRTBLCKD    - Migration blocked. Wait for local TMO.      VB_TMO       - Peer vBond Timed out.
  MEMALCFL     - Memory Allocation Failure.                  VM_TMO       - Peer vManage Timed out.
  NOACTVB      - No Active vBond found to connect.           VP_TMO       - Peer vEdge Timed out.
  NOERR        - No Error.                                   VS_TMO       - Peer vSmart Timed out.
  NOSLPRCRT    - Unable to get peer's certificate.           XTVMTRDN     - Teardown extra vManage.
  NEWVBNOVMNG  - New vBond with no vMng connections.         XTVSTRDN     - Teardown extra vSmart.
  NTPRVMINT    - Not preferred interface to vManage.         STENTRY      - Delete same tloc stale entry.
  HWCERTREN    - Hardware vEdge Enterprise Cert Renewed      HWCERTREV    - Hardware vEdge Enterprise Cert Revoked.
  EMBARGOFAIL  - Embargo check failed

PEER   PEER      PEER        SITE  DOMAIN  PEER         PEER          PEER        PEER                                   LOCAL     REMOTE  REPEAT
TYPE   PROTOCOL  SYSTEM IP   ID    ID      PRIVATE IP   PRIVATE PORT  PUBLIC IP   PUBLIC PORT  LOCAL COLOR      STATE    ERROR     ERROR   COUNT   DOWNTIME
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond  dtls      0.0.0.0     0     0       10.1.0.2     12346         10.1.0.2    12346        public-internet  connect  DCONFAIL  NOERR   44      2022-10-26T11:36:16+0000
vbond  dtls      0.0.0.0     0     0       10.1.0.2     12346         10.1.0.2    12346        public-internet  connect  DCONFAIL  NOERR   49      2022-10-26T11:31:43+0000
vbond  dtls      0.0.0.0     0     0       10.1.0.2     12346         10.1.0.2    12346        public-internet  connect  DCONFAIL  NOERR   41      2022-10-26T11:24:37+0000
vbond  dtls      0.0.0.0     0     0       10.1.0.2     12346         10.1.0.2    12346        public-internet  connect  DCONFAIL  NOERR   17      2022-10-26T11:18:39+0000
vbond  dtls      0.0.0.0     0     0       10.1.0.2     12346         10.1.0.2    12346        public-internet  connect  DCONFAIL  NOERR   9       2022-10-26T11:16:05+0000

vBond

Check the whitelist on the vBond controller with show orchestrator valid-vedges:

vBond1# show orchestrator valid-vedges
orchestrator valid-vedges 82AC8968-DD99-4EE7-A14C-D1C39DC49D56
 serial-number                    85B3AB796BC025AE
 validity                         valid
 org                              nwl-lab-sdwan
 hardware-installed-serial-number N/A
orchestrator valid-vedges 88920A4D-62D5-4AA1-A294-F9A0C7CE55FB
 serial-number                    85B3AB796BC025B0
 validity                         valid
 org                              nwl-lab-sdwan
 hardware-installed-serial-number N/A
orchestrator valid-vedges 91F32D2B-60EB-4838-A971-84ED41C1F6BF
 serial-number                    85B3AB796BC025B2
 validity                         valid
 org                              nwl-lab-sdwan
 hardware-installed-serial-number N/A
orchestrator valid-vedges C368C7D4-68F5-45FA-A2C6-2CC8BC1EB887
 serial-number                    85B3AB796BC025B1
 validity                         valid
 org                              nwl-lab-sdwan
 hardware-installed-serial-number N/A

If you don't see the chassis number on the vBond controller, you can manually add it like this:

request vedge-cloud activate chassis-number 715FHJ9B-8D12-34E4-234B-58E5F5BD0786 token 7505cfac967c7ca0dd407caffb453462
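The two checks above (the vEdge's connections-history and the vBond's valid-vedges whitelist) are easy to eyeball on one router but tedious across a fleet. The following Python script is an added example, not code from the original page or from Cisco, that parses constructed copies of both outputs: it totals the repeat counts per error code on the vEdge side and attaches the legend text, and it checks whether a chassis number is present, marked valid, and bound to the expected org on the vBond side. The column names, the legend subset in LEGEND, the third history row (with CTORGNMMIS) and the entry marked "invalid" are all constructed for the sample; the command names, field names and the real rows are taken from the page.

```python
import re
from collections import Counter

# Subset of the legend printed by `show control connections-history`
# (text taken from the page; the dict itself is constructed for lookup).
LEGEND = {
    "NOERR":      "No Error.",
    "DCONFAIL":   "DTLS connection failure.",
    "DHSTMO":     "DTLS HandShake Timeout.",
    "NOZTPEN":    "No/Bad chassis-number entry in ZTP.",
    "CTORGNMMIS": "Certificate Org name mismatch.",
    "CERTEXPRD":  "Certificate Expired",
    "SERNTPRES":  "Serial Number not present.",
    "VB_TMO":     "Peer vBond Timed out.",
}

# Column order of the history table on the page (peer type ... downtime).
HISTORY_FIELDS = (
    "peer_type", "protocol", "system_ip", "site_id", "domain_id",
    "private_ip", "private_port", "public_ip", "public_port",
    "local_color", "state", "local_error", "remote_error",
    "repeat_count", "downtime",
)

# Constructed sample: first two rows mirror the page, the third is invented
# so a second error code shows up in the summary.
HISTORY_SAMPLE = """\
vEdge1# show control connections-history
PEER   PEER      PEER       SITE  DOMAIN  PEER        PEER          PEER       PEER
TYPE   PROTOCOL  SYSTEM IP  ID    ID      PRIVATE IP  PRIVATE PORT  PUBLIC IP  PUBLIC PORT  LOCAL COLOR  STATE  ERROR  ERROR  COUNT  DOWNTIME
----------------------------------------------------------------------------------------------------------------------------------------------
vbond  dtls  0.0.0.0  0  0  10.1.0.2  12346  10.1.0.2  12346  public-internet  connect  DCONFAIL    NOERR  44  2022-10-26T11:36:16+0000
vbond  dtls  0.0.0.0  0  0  10.1.0.2  12346  10.1.0.2  12346  public-internet  connect  DCONFAIL    NOERR  49  2022-10-26T11:31:43+0000
vbond  dtls  0.0.0.0  0  0  10.1.0.2  12346  10.1.0.2  12346  public-internet  connect  CTORGNMMIS  NOERR   3  2022-10-26T11:10:00+0000
"""

# Constructed sample of the vBond whitelist; the second entry is deliberately
# marked "invalid" to exercise that branch (the page's entries are all valid).
VALID_VEDGES_SAMPLE = """\
vBond1# show orchestrator valid-vedges
orchestrator valid-vedges 82AC8968-DD99-4EE7-A14C-D1C39DC49D56
 serial-number                    85B3AB796BC025AE
 validity                         valid
 org                              nwl-lab-sdwan
 hardware-installed-serial-number N/A
orchestrator valid-vedges 88920A4D-62D5-4AA1-A294-F9A0C7CE55FB
 serial-number                    85B3AB796BC025B0
 validity                         invalid
 org                              nwl-lab-sdwan
 hardware-installed-serial-number N/A
"""


def parse_history(text):
    """Return one dict per data row; prompt, legend, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly one token per column and a DTLS/TLS protocol field.
        if len(parts) != len(HISTORY_FIELDS) or parts[1] not in ("dtls", "tls"):
            continue
        row = dict(zip(HISTORY_FIELDS, parts))
        row["repeat_count"] = int(row["repeat_count"])
        rows.append(row)
    return rows


def summarize_errors(rows):
    """Total repeat counts per (peer type, local error), most frequent first,
    with the legend meaning attached so the triage list reads on its own."""
    totals = Counter()
    for r in rows:
        totals[(r["peer_type"], r["local_error"])] += r["repeat_count"]
    return [
        {"peer": peer, "code": code, "count": n,
         "meaning": LEGEND.get(code, "(not in legend subset)")}
        for (peer, code), n in totals.most_common()
    ]


def parse_valid_vedges(text):
    """Map each chassis number (upper-cased) to its attribute block."""
    entries, current = {}, None
    for line in text.splitlines():
        m = re.match(r"orchestrator valid-vedges\s+(\S+)", line)
        if m:
            current = m.group(1).upper()
            entries[current] = {}
            continue
        kv = line.strip().split(None, 1)
        if current and len(kv) == 2:
            entries[current][kv[0]] = kv[1]
    return entries


def whitelist_check(entries, chassis, expected_org):
    """Explain why a chassis would be refused by vBond, or return "ok"."""
    e = entries.get(chassis.upper())
    if e is None:
        return "missing"        # vBond has no entry for this chassis at all
    if e.get("validity") != "valid":
        return "not-valid"      # listed, but not marked valid
    if e.get("org") != expected_org:
        return "org-mismatch"   # listed under a different organization name
    return "ok"


if __name__ == "__main__":
    for item in summarize_errors(parse_history(HISTORY_SAMPLE)):
        print(f"{item['peer']:8}{item['code']:12}{item['count']:>5}  {item['meaning']}")
    wl = parse_valid_vedges(VALID_VEDGES_SAMPLE)
    print(whitelist_check(wl, "82AC8968-DD99-4EE7-A14C-D1C39DC49D56", "nwl-lab-sdwan"))
```

Run it against saved CLI captures rather than the inline samples to get the same two answers for a real device: a ranked list of local error codes (a climbing DCONFAIL count against vBond 10.1.0.2:12346, as on the page, means the DTLS session is never completing), and a one-word verdict on whether the vBond would accept the chassis at all before you spend time on certificates or transport.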

Misc

You can try these commands to check the connection between your vEdge and the controller:

  • show control connections
  • show control connections-history
  • show control local-properties

If you need to troubleshoot connectivity in service VPNs, look here:

Cisco SD-WAN verify connectivity in Service VPN