Introduction
This document describes how to troubleshoot control connection issues when Controller and WAN Edge devices lose connectivity to vManage.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Cisco Software-Defined Wide Area Network (SD-WAN)
- Certificates
Components Used
The information in this document is based on these software and hardware versions:
- vManage Version 20.6.3
- vBond Version 20.6.3
- vSmart Version 20.6.3
- vEdge Cloud 20.6.3
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Problem
All WAN Edge Routers, vBond and vSmart are unable to establish control connections with vManage. All the devices appear unreachable in the vManage dashboard, as shown in the image.
Solution
Scenario: vBond rejects control connections from vManage due to CRTREJSER and SERNTPRES.
1. From the vBond CLI, use this command to troubleshoot control connections.
vbond# show orchestrator connections-history
                                        PEER                                  PEER                PEER
          PEER     PEER      PEER       CONFIGURED  SITE  DOMAIN  PEER        PRIVATE  PEER       PUBLIC                           LOCAL      REMOTE  REPEAT
INSTANCE  TYPE     PROTOCOL  SYSTEM IP  SYSTEM IP   ID    ID      PRIVATE IP  PORT     PUBLIC IP  PORT    REMOTE COLOR  STATE      ERROR      ERROR   COUNT   ORGANIZATION  DOWNTIME
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0         vbond    dtls      0.0.0.0    -           0     0       X.X.X.X     12346    X.X.X.X    12346   default       tear_down  CRTREJSER  NOERR   850     X.X.X.X       2022-08-17T10:26:30+0500
0         unknown  dtls      -                      0     0       ::          0        X.X.X.X    12646   default       tear_down  SERNTPRES/NOERR    759     X.X.X.X       2022-08-27T11:51:26+0800
The errors CRTREJSER (Challenge response rejected by peer) and SERNTPRES (Serial Number not present) appear when the serial number is not present in the controllers' valid devices list.
2. Verify the valid controllers with these commands:
vManage and vSmart
show control {valid-vsmarts | valid-vedges | valid-vmanage-id}
vBond
show orchestrator {valid-vsmarts | valid-vedges | valid-vmanage-id}
3. To check the chassis number and certificate serial number on the devices, use this command:
show control local-properties | include "chassis-num|serial-num"
4. To solve the issue, navigate to Configuration > Certificates > WAN Edge List, select the Send to Controllers button, and check whether this solves the issue. Verify with the commands listed in the previous step.
Note: If step 4 does not solve the issue, it is possible to add a controller serial number manually. Keep in mind that vManage is the source of truth for this list, so if you manually add a controller that is not present in vManage, vManage can remove the device from the valid-vsmart list again as soon as control connections come up.
5. Use this command to add the serial number on the controllers in case the serial number still does not appear on the controllers after you synchronize with Send to Controllers.
request controller add org-name <org-name> serial-num <serial number>
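The check from step 1 can be run over captured CLI text. The following is an added example, not part of the original document or any Cisco tooling: a Python parser for show orchestrator connections-history output that picks out rows whose local error is CRTREJSER or SERNTPRES. The sample rows are constructed (documentation addresses, a placeholder organization, a DCONFAIL row for contrast), and the names parse_history and serial_rejections are this example's own.

```python
import re
from collections import namedtuple

# Local errors this page attributes to a serial number missing from the valid devices list.
SERIAL_ERRORS = {"CRTREJSER": "Challenge response rejected by peer",
                 "SERNTPRES": "Serial Number not present"}
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}$")
ERROR = re.compile(r"^[A-Z][A-Z0-9_]{3,}(/[A-Z][A-Z0-9_]{3,})?$")
Event = namedtuple("Event", "peer_type public_ip local_error remote_error repeat downtime")

def parse_history(text):
    """Parse data rows of 'show orchestrator connections-history' output."""
    events, buf = [], []
    for line in text.splitlines():
        tok = line.split()
        if not buf and not (tok and tok[0].isdigit()):
            continue                      # header or separator line
        buf += tok
        if not TIMESTAMP.match(buf[-1]):
            continue                      # row wrapped by the terminal, keep reading
        row, buf = buf, []
        # Anchor on the first all-caps error token: rows for unknown peers can
        # drop a system-IP column and print the errors fused as LOCAL/REMOTE.
        i = next((n for n, t in enumerate(row) if n > 2 and ERROR.match(t)), None)
        if i is None or i < 7:
            continue
        rest = row[i].split("/") + row[i + 1:]   # local, remote, repeat, ..., downtime
        if len(rest) < 4 or not rest[2].isdigit():
            continue
        events.append(Event(row[1], row[i - 4], rest[0], rest[1], int(rest[2]), row[-1]))
    return events

def serial_rejections(events):
    """Events whose local error points at the valid devices list."""
    return [e for e in events if e.local_error in SERIAL_ERRORS]

# Constructed sample: addresses and organization are placeholders, the DCONFAIL
# row is added for contrast, and the first row is wrapped as a terminal would.
SAMPLE = """\
INSTANCE TYPE PROTOCOL SYSTEM IP SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT REMOTE COLOR STATE ERROR ERROR COUNT ORGANIZATION DOWNTIME
--------------------------------------------------------------
0 vbond dtls 0.0.0.0 - 0 0 192.0.2.10 12346 192.0.2.10 12346 default tear_down
CRTREJSER NOERR 850 example-org 2022-08-17T10:26:30+0500
0 unknown dtls - 0 0 :: 0 192.0.2.20 12646 default tear_down SERNTPRES/NOERR 759 example-org 2022-08-27T11:51:26+0800
0 vedge dtls 10.0.0.5 10.0.0.5 100 1 192.0.2.30 12366 192.0.2.30 12366 mpls tear_down DCONFAIL NOERR 3 example-org 2022-08-27T12:00:00+0800
"""

if __name__ == "__main__":
    for e in serial_rejections(parse_history(SAMPLE)):
        print(f"{e.downtime} {e.peer_type} {e.public_ip}: {e.local_error} "
              f"({SERIAL_ERRORS[e.local_error]}) x{e.repeat}")
```

Each reported peer is a candidate for the valid-list checks in steps 2 and 3 before Send to Controllers is used.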
Other Possible Scenarios
For scenarios in which the certificate has been revoked, invalidated, or expired, see Troubleshoot SD-WAN Control Connections.