Cisco has translated this document with a combination of human and machine translation so that users worldwide can read supporting content in their own language. Note that even the best machine translation is not as accurate as a professional translator. Cisco Systems, Inc. assumes no responsibility for the accuracy of the translation and recommends that you always refer to the original English document (link provided).
This document describes some of the possible causes of control connection problems and how to resolve them.
Note: Most of the command outputs in this document come from vEdge routers. The approach is the same for routers that run Cisco IOS® XE SD-WAN software; add the sdwan keyword to obtain the same output on Cisco IOS XE SD-WAN software, for example show sdwan control connections instead of show control connections.
Before you troubleshoot, make sure the affected WAN Edge is configured correctly. This includes:
- A valid certificate installed.
- The following configured under the system block:
  - System-IP
  - Site ID
  - Organization name
  - vBond address
- A VPN 0 transport interface with tunnel options and an IP address configured.
- The system clock on the vEdge set correctly and matching the other devices/controllers: the show clock command confirms the current time setting, and the clock set command sets the correct time on the device.
In all of the cases above, make sure the transport locator (TLOC) is enabled. This can be checked with the show control local-properties command. Here is an example of a valid output:
```
branch-vE1# show control local-properties
personality                  vedge
organization-name            vIPtela Inc Regression
certificate-status           Installed
root-ca-chain-status         Installed
certificate-validity         Valid
certificate-not-valid-before Sep 06 22:39:01 2018 GMT
certificate-not-valid-after  Sep 06 22:39:01 2019 GMT
dns-name                     vbond-dns-name.cisco.com
site-id                      10
domain-id                    1
protocol                     dtls
tls-port                     0
system-ip                    10.1.10.1
chassis-num/unique-id        66cb2a8b-2eeb-479b-83d0-0682b64d8190
serial-num                   12345718
vsmart-list-version          0
keygen-interval              1:00:00:00
retry-interval               0:00:00:17
no-activity-exp-interval     0:00:00:12
dns-cache-ttl                0:00:02:00
port-hopped                  TRUE
time-since-last-port-hop     20:16:24:43
number-vbond-peers           2

INDEX   IP              PORT
-------------------------------
0       10.3.25.25      12346
1       10.4.30.30      12346

number-active-wan-interfaces 2

INTERFACE  PUBLIC IPv4  PUBLIC PORT  PRIVATE IPv4  PRIVATE PORT  VS/VM  COLOR   CARRIER  STATE  RESTRICT/CONTROL  LAST CONNECTION  MAX CNTRL  SPI TIME REMAINING  LAST-RESORT INTERFACE
---------------------------------------------------------------------------------------------------------------------------------------------
ge0/1      10.1.7.11    12346        10.1.7.11     12346         2/1    gold    default  up     no/yes            0:00:00:16       2          0:07:33:55          No
ge0/2      10.2.9.11    12366        10.2.9.11     12366         2/0    silver  default  up     no/yes            0:00:00:12       2          0:07:35:16          No
```
In vEdge software release 16.3 and later, the output contains a few additional fields:
```
number-vbond-peers           1
number-active-wan-interfaces 1

NAT TYPE: E -- indicates End-point independent mapping
          A -- indicates Address-port dependent mapping
          N -- indicates Not learned
          Note: Requires minimum two vbonds to learn the NAT type

INTERFACE  PUBLIC IPv4  PUBLIC PORT  PRIVATE IPv4  PRIVATE IPv6            PRIVATE PORT  VS/VM  COLOR            STATE  MAX CNTRL  RESTRICT/CONTROL/STUN  LR/LB   LAST CONNECTION  SPI TIME REMAINING  NAT TYPE  VM CON PRF
----------------------------------------------------------------------------------------------------------------------------------------------------
ge0/4      172.16.0.20  12386        192.168.0.20  2601:647:4380:ca75::c2  12386         2/1    public-internet  up     2          no/yes/no              No/Yes  0:10:34:16       0:03:03:26          E         5
```
Problem scenarios

DTLS connection failure (DCONFAIL)

This is one of the most common reasons that control connections do not come up. Possible causes include a firewall or some other connectivity problem. Some or all packets can be dropped or filtered somewhere on the path; a tcpdump example with larger packets is shown later in this section. Other causes:
- The next-hop (NH) router is unreachable.
- No default gateway is installed in the Routing Information Base (RIB).
- The Datagram Transport Layer Security (DTLS) ports are not open on the controllers.
These show commands can be used:
```
# Check the next hop
show ip route vpn 0
# Check the ARP table for the default GW
show arp
# Ping the default GW
ping <...>
# Ping Google DNS
ping 8.8.8.8
# Ping vBond if ICMP is allowed on vBond
ping <vBond IP>
# Traceroute to vBond DNS
traceroute <...>
```
When a DTLS connection failure occurs, it is visible in the show control connections-history command output:
```
INSTANCE  PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID    DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  REMOTE COLOR  STATE   LOCAL ERROR  REMOTE ERROR  REPEAT COUNT  DOWNTIME
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0         vsmart     tls            10.0.1.5        160000000  1          10.0.2.73        23456              10.0.2.73       23456             default       trying  DCONFAIL     NOERR         10407         2019-04-07T22:03:45+0000
```
With tcpdump, this is what it looks like on the SD-WAN controller (vSmart) side when the large packets do not reach the vEdge:
```
tcpdump vpn 0 interface eth1 options "host 198.51.100.162 -n"
13:51:35.312109 IP 198.51.100.162.9536 > 172.18.10.130.12546: UDP, length 140    <<<< 1 (packet number)
13:51:35.312382 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 1024   <<< not reached vEdge
13:51:35.318654 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 1024   <<< not reached vEdge
13:51:35.318726 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 853    <<< not reached vEdge
13:51:36.318087 IP 198.51.100.162.9536 > 172.18.10.130.12546: UDP, length 140    <<<< 5
13:51:36.318185 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 79     <<<< 6
13:51:36.318233 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 1024   << not reached vEdge
13:51:36.318241 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 879    << not reached vEdge
13:51:36.318257 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 804    << not reached vEdge
13:51:36.318266 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 65     <<<< 10
13:51:36.318279 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 25     <<<< 11
```
On the vEdge side, the capture looks like this:
```
tcpdump vpn 0 interface ge0/1 options "host 203.0.113.147 -n"
13:51:35.250077 IP 198.51.100.162.12426 > 203.0.113.147.12746: UDP, length 140   <<<< 1
13:51:36.257490 IP 198.51.100.162.12426 > 203.0.113.147.12746: UDP, length 140   <<<< 5
13:51:36.325456 IP 203.0.113.147.12746 > 198.51.100.162.12426: UDP, length 79    <<<< 6
13:51:36.325483 IP 203.0.113.147.12746 > 198.51.100.162.12426: UDP, length 65    <<<< 10
13:51:36.325538 IP 203.0.113.147.12746 > 198.51.100.162.12426: UDP, length 25    <<<< 11
```
Note: On Cisco IOS XE SD-WAN software, you can use Embedded Packet Capture (EPC) instead of tcpdump.
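Comparing the two captures by hand is error-prone when they are longer than the excerpt above. The following added Python script (not part of the Cisco document) parses both sides and reports which packet lengths the vSmart sent that never arrived at the vEdge; it assumes the anonymised addresses from the captures above (vSmart private IP 172.18.10.130, vEdge IP 198.51.100.162) and matches packets by direction and length in order, because NAT makes the addresses differ per side.

```python
import re
from typing import Dict, List, Tuple

# One tcpdump UDP line; trailing annotations such as "<<<< 5" are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

def parse_tcpdump(text: str) -> List[Tuple[str, str, int]]:
    """Return (src_ip, dst_ip, udp_length) for every UDP line in a capture."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append((m.group("src"), m.group("dst"), int(m.group("len"))))
    return packets

def lost_lengths(sent: List[int], received: List[int]) -> List[int]:
    """Match received lengths against sent lengths in order; return what never arrived."""
    lost, pending = [], list(received)
    for length in sent:
        if pending and pending[0] == length:
            pending.pop(0)
        else:
            lost.append(length)
    return lost

def diagnose(sender_cap: str, sender_ip: str, receiver_cap: str, receiver_ip: str) -> Dict[str, object]:
    """Compare what one side sent with what the other side received and classify the loss."""
    sent = [l for s, _, l in parse_tcpdump(sender_cap) if s == sender_ip]
    received = [l for _, d, l in parse_tcpdump(receiver_cap) if d == receiver_ip]
    lost = lost_lengths(sent, received)
    largest_ok = max(received, default=0)
    smallest_lost = min(lost, default=None)
    if lost and smallest_lost > largest_ok:
        verdict = f"every packet above {largest_ok} bytes was dropped in transit: suspect MTU or large-UDP filtering"
    elif lost:
        verdict = "loss is not size-dependent: suspect congestion or a lossy link"
    else:
        verdict = "no loss"
    return {"sent": len(sent), "received": len(received), "lost": lost,
            "largest_delivered": largest_ok, "smallest_lost": smallest_lost, "verdict": verdict}

# Constructed captures modelled on the two outputs above (vSmart 172.18.10.130, vEdge 198.51.100.162).
VSMART_CAP = """\
13:51:35.312109 IP 198.51.100.162.9536 > 172.18.10.130.12546: UDP, length 140 <<<< 1
13:51:35.312382 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 1024
13:51:35.318654 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 1024
13:51:35.318726 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 853
13:51:36.318087 IP 198.51.100.162.9536 > 172.18.10.130.12546: UDP, length 140 <<<< 5
13:51:36.318185 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 79
13:51:36.318233 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 1024
13:51:36.318241 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 879
13:51:36.318257 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 804
13:51:36.318266 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 65
13:51:36.318279 IP 172.18.10.130.12546 > 198.51.100.162.9536: UDP, length 25
"""
VEDGE_CAP = """\
13:51:35.250077 IP 198.51.100.162.12426 > 203.0.113.147.12746: UDP, length 140
13:51:36.257490 IP 198.51.100.162.12426 > 203.0.113.147.12746: UDP, length 140
13:51:36.325456 IP 203.0.113.147.12746 > 198.51.100.162.12426: UDP, length 79
13:51:36.325483 IP 203.0.113.147.12746 > 198.51.100.162.12426: UDP, length 65
13:51:36.325538 IP 203.0.113.147.12746 > 198.51.100.162.12426: UDP, length 25
"""
```

Running diagnose(VSMART_CAP, "172.18.10.130", VEDGE_CAP, "198.51.100.162") on the constructed captures reports the three small packets delivered and the six packets of 804 bytes and more lost, which points at a path MTU or fragment-filtering problem rather than random loss.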
You can also use the traceroute or nping utilities to generate traffic with different packet sizes and Differentiated Services Code Point (DSCP) markings in order to check connectivity, because your service provider might have problems when it transports larger UDP packets, fragmented UDP packets (especially small UDP fragments), or DSCP-marked packets. Here is an example where connectivity with nping is successful.

From the vSmart:
```
vSmart# tools nping vpn 0 198.51.100.162 options "--udp -p 12406 -g 12846 --source-ip 172.18.10.130 --df --data-length 555 --tos 192"
Nping in VPN 0
Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2019-05-17 23:28 UTC
SENT (0.0220s) UDP 172.18.10.130:12846 > 198.51.100.162:12406 ttl=64 id=16578 iplen=583
SENT (1.0240s) UDP 172.18.10.130:12846 > 198.51.100.162:12406 ttl=64 id=16578 iplen=583
```
On the vEdge, it looks like this:
```
vEdge# tcpdump vpn 0 interface ge0/1 options "-n host 203.0.113.147 and udp"
tcpdump -i ge0_1 -s 128 -n host 203.0.113.147 and udp in VPN 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge0_1, link-type EN10MB (Ethernet), capture size 128 bytes
18:29:43.492632 IP 203.0.113.147.12846 > 198.51.100.162.12406: UDP, length 555
18:29:44.494591 IP 203.0.113.147.12846 > 198.51.100.162.12406: UDP, length 555
```
This example shows unsuccessful connectivity with the traceroute command (run from vShell) on the vSmart:
```
vSmart$ traceroute 198.51.100.162 1400 -F -p 12406 -U -t 192 -n -m 20
traceroute to 198.51.100.162.162 (198.51.100.162.162), 20 hops max, 1400 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  10.65.14.177  0.435 ms 10.65.13.225  0.657 ms  0.302 ms
 7  10.10.28.115  0.322 ms 10.93.28.127  0.349 ms 10.93.28.109  1.218 ms
 8  * * *
 9  * * *
10  * 10.10.114.192  4.619 ms *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  10.68.72.61  2.162 ms * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
```
The vEdge does not receive the packets sent from the vSmart (only some other traffic or fragments arrive):
```
vEdge# tcpdump vpn 0 interface ge0/1 options "-n host 203.0.113.147 and udp"
tcpdump -i ge0_1 -s 128 -n host 203.0.113.147 and udp in VPN 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge0_1, link-type EN10MB (Ethernet), capture size 128 bytes
18:16:30.232959 IP 203.0.113.147.12846 > 198.51.100.162.12386: UDP, length 65
18:16:30.232969 IP 203.0.113.147.12846 > 198.51.100.162.12386: UDP, length 25
18:16:33.399412 IP 203.0.113.147.12846 > 198.51.100.162.12386: UDP, length 16
18:16:34.225796 IP 198.51.100.162.12386 > 203.0.113.147.12846: UDP, length 140
18:16:38.406256 IP 203.0.113.147.12846 > 198.51.100.162.12386: UDP, length 16
18:16:43.413314 IP 203.0.113.147.12846 > 198.51.100.162.12386: UDP, length 16
```
TLOC disabled (DISTLOC)

The TLOC disabled message can be triggered by:
- Clearing the control connections.
- Changing the color of the TLOC.
- Changing the system IP.
- Changing any configuration under the system block or in the tunnel properties.
The event appears in the show control connections-history command output:
```
PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  LOCAL COLOR   STATE      LOCAL ERROR  REMOTE ERROR  REPEAT COUNT  DOWNTIME
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vmanage    dtls           192.168.30.101  1        0          192.168.20.101   12346              192.168.20.101  12346             biz-internet  tear_down  DISTLOC      NOERR         3             2019-06-01T14:43:11+0200
vsmart     dtls           192.168.30.103  1        1          192.168.20.103   12346              192.168.20.103  12346             biz-internet  tear_down  DISTLOC      NOERR         4             2019-06-01T14:43:11+0200
vbond      dtls           0.0.0.0         0        0          192.168.20.102   12346              192.168.20.102  12346             biz-internet  tear_down  DISTLOC      NOERR         4             2019-06-01T14:43:11+0200
```
Board-ID not Initialized (BIDNTPR)

In a highly unstable network where connectivity flaps constantly, you can see TXCHTOBD - failed to send a challenge to Board ID failed and/or RDSIGFBD - Read Signature from Board ID failed. In addition, the challenge sent to the board-id sometimes fails because of a locking problem; when that happens, the board-ID is reset and the challenge is retried. This does not happen often, and it delays the formation of the control connection. The issue is fixed in later releases.
```
PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  LOCAL COLOR  STATE      LOCAL ERROR  REMOTE ERROR  REPEAT COUNT  DOWNTIME
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond      dtls           -               0        0          203.0.113.109    12346              203.0.113.109   12346             silver       challenge  TXCHTOBD     NOERR         2             2019-05-22T05:53:47+0000
vbond      dtls           -               0        0          203.0.113.56     12346              203.0.113.56    12346             silver       challenge  TXCHTOBD     NOERR         0             2019-05-21T09:50:41+0000
```
BDSGVERFL - Board ID signature failure

This indicates that the vEdge chassis-num/unique-id/serial number was rejected by the vBond. When this happens, verify the vEdge information shown in the show control local-properties command output and compare it with the show orchestrator valid-vedges output on the vBond.

If the entry for the vEdge does not exist, make sure that you have:
- Added the vEdge to the Smart Account.
- Uploaded the file correctly to vManage, and clicked Send to Controllers under Configuration > Certificates.

If the entry exists, check for duplicate entries in the valid-vEdge table and contact the Cisco Technical Assistance Center (TAC) for further troubleshooting.
Stuck in "connect" state: routing problem

If there is a routing problem in the network, the control connection is not established. Make sure that a valid route with the correct NH/TLOC exists in the RIB.

Examples include:
- A more specific route to the vBond in the RIB that points to a NH/TLOC not used to establish the control connection.
- A TLOC IP leaked between upstream service providers, which causes incorrect routing.

Enter these commands to verify:
```
show ip route
show ip routes vpn 0 <prefix/mask>
ping <vBond IP>
```
Look at the distance value and the protocol of the IP prefix.

The vEdge tries to establish control connections without success, or the connections to the controllers flap constantly. Verify with the show control connections and/or show sdwan control connections-history commands.
```
vedge1# show control connections
PEER TYPE  PEER PROT  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIV PORT  PEER PUBLIC IP  PEER PUB PORT  LOCAL COLOR   PROXY  STATE    UPTIME  CONTROLLER GROUP ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond      dtls       0.0.0.0         0        0          192.168.20.102   12346           192.168.20.102  12346          biz-internet  -      connect          0
```
Socket error (LISFD)

If there is a duplicate IP in the network, the control connection is not established and you see the LISFD - Listener Socket FD Error message. Other causes can also produce this error, such as packet corruption, a RESET, a TLS versus DTLS port mismatch between the vEdge and the controllers, firewall ports not open, and so on.

The most common cause is a duplicate transport IP. Check connectivity and make sure the address is unique.
```
PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  LOCAL COLOR  STATE  LOCAL ERROR  REMOTE ERROR  REPEAT COUNT  DOWNTIME
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond      dtls           -               0        0          203.0.113.21     12346              203.0.113.21    12346             default      up     LISFD        NOERR         0             2019-04-30T15:46:25+0000
```
Peer timeout problem (VM_TMO)

The peer timeout condition is triggered when the vEdge is unable to reach the controller in question. In this example, it captures a vManage Timeout msg (peer VM_TMO). Others include the vBond, vSmart and/or vEdge peer timeouts (VB_TMO, VP_TMO, VS_TMO).

As part of troubleshooting, make sure that you have connectivity to the controllers. Use the Internet Control Message Protocol (ICMP) ping and/or traceroute commands toward the IP addresses in question. There can be cases with a lot of dropped traffic (a high loss rate); run a quick ping and make sure it is clean.
```
PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  LOCAL COLOR  STATE      LOCAL ERROR  REMOTE ERROR  REPEAT COUNT  DOWNTIME
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vmanage    tls            10.0.1.3        3        0          10.0.2.42        23456              203.0.113.124   23456             default      tear_down  VM_TMO       NOERR         21            2019-04-30T15:59:24+0000
```
Also check the show control connections-history detail command output for the TX/RX control statistics and look for any significant difference between the counters. Note the difference between the RX and TX hello packet counts in this output.
```
----------------------------------------------------------------------------------------
LOCAL-COLOR- biz-internet  SYSTEM-IP- 192.168.30.103  PEER-PERSONALITY- vsmart
----------------------------------------------------------------------------------------
site-id               1
domain-id             1
protocol              dtls
private-ip            192.168.20.103
private-port          12346
public-ip             192.168.20.103
public-port           12346
UUID/chassis-number   4fc4bf2c-f170-46ac-b217-16fb150fef1d
state                 tear_down  [Local Err: ERR_DISABLE_TLOC]  [Remote Err: NO_ERROR]
downtime              2019-06-01T14:52:49+0200
repeat count          5
previous downtime     2019-06-01T14:43:11+0200

Tx Statistics-
--------------
hello                 597
connects              0
registers             0
register-replies      0
challenge             0
challenge-response    1
challenge-ack         0
teardown              1
teardown-all          0
vmanage-to-peer       0
register-to-vmanage   0

Rx Statistics-
--------------
hello                 553
connects              0
registers             0
register-replies      0
challenge             1
challenge-response    0
challenge-ack         1
teardown              0
vmanage-to-peer       0
register-to-vmanage   0
```
Serial number not present (CRTREJSER, BIDNTVRFD)

If the serial number for a given device is not present on the controllers, the control connection fails.

This can be verified with the show controllers [ valid-vsmarts | valid-vedges ] output and is fixed most of the time from vManage: navigate to Configuration > Certificates and click Send to Controllers or Send to vBond. On the vBond, check show orchestrator valid-vedges / show orchestrator valid-vsmarts.

In the vBond logs, you see these ERR_BID_NOT_VERIFIED messages:
```
messages:local7 info: Dec 21 01:13:31 vBond-1 VBOND[1677]: %Viptela-vBond-1-vbond_0-6-INFO-1400002: Notification: 12/21/2018 1:13:31 vbond-reject-vedge-connection severity-level:major host-name:"vBond-1" system-ip:10.0.1.11 uuid:"11OG301234567" organization-name:"Example_Orgname" sp-organization-name:"Example_Orgname"" reason:"ERR_BID_NOT_VERIFIED"
```
When you troubleshoot this kind of failure, make sure the correct serial number and device model are configured and provisioned on the PnP portal (software.cisco.com) and on vManage.

To check the chassis number and certificate serial number, use this command on a vEdge router:
```
vEdge1# show control local-properties | include "chassis-num|serial-num"
chassis-num/unique-id        11OG528180107
serial-num                   1001247E
```
On routers that run Cisco IOS XE SD-WAN software, enter this command:
```
cEdge1#show sdwan control local-properties | include chassis-num|serial-num
chassis-num/unique-id        C1111-4PLTEEA-FGL223911LK
serial-num                   016E9999
```
Or this command:
```
Router#show crypto pki certificates CISCO_IDEVID_SUDI | s ^Certificate
Certificate
  Status: Available
  Certificate Serial Number (hex): 016E9999
  Certificate Usage: General Purpose
  Issuer:
    o=Cisco
    cn=High Assurance SUDI CA
  Subject:
    Name: C1111-4PLTEEA
    Serial Number: PID:C1111-4PLTEEA SN:FGL223911LK
    cn=C1111-4PLTEEA
    ou=ACT-2 Lite SUDI
    o=Cisco
    serialNumber=PID:C1111-4PLTEEA SN:FGL223911LK
  Validity Date:
    start date: 15:33:46 UTC Sep 27 2018
    end   date: 20:58:26 UTC Aug 9 2099
  Associated Trustpoints: CISCO_IDEVID_SUDI
```
Problems related to a vEdge/vSmart

This is how the error appears for a vEdge/vSmart in the show control connections-history command output:
```
PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  LOCAL COLOR   STATE           LOCAL ERROR  REMOTE ERROR  REPEAT COUNT  DOWNTIME
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond      dtls           0.0.0.0         0        0          192.168.0.231    12346              192.168.0.231   12346             biz-internet  challenge_resp  RXTRDWN      BIDNTVRFD     0             2019-06-01T16:40:16+0200
```
On the vBond, in the show orchestrator connections-history command output:
```
INSTANCE  PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  REMOTE COLOR  STATE      LOCAL/REMOTE ERROR  REPEAT COUNT  DOWNTIME
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0         unknown    dtls           -               0        0          ::               0                  192.168.10.234  12346             default       tear_down  BIDNTVRFD/NOERR     1             2019-06-01T18:44:34+0200
```
In addition, the device serial number is not in the valid vEdge list on the vBond (the command returns nothing):
```
vbond1# show orchestrator valid-vedges | i 11OG528180107
```
Problems related to controllers

If the serial file is mismatched between the controllers, the local error on the vBond is serial number not present (SERNTPRES), while the vSmarts/vManage report a certificate serial error (CRTREJSER).

On the vBond:
```
INSTANCE  PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  REMOTE COLOR  STATE      LOCAL/REMOTE ERROR  REPEAT COUNT  DOWNTIME
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0         unknown    dtls           -               0        0          ::               0                  192.168.0.229   12346             default       tear_down  SERNTPRES/NOERR     2             2019-06-01T19:04:51+0200

vbond1# show orchestrator valid-vsmarts
SERIAL NUMBER  ORG
-----------------------
0A             SAMPLE - ORGNAME
0B             SAMPLE - ORGNAME
0C             SAMPLE - ORGNAME
0D             SAMPLE - ORGNAME
```
On the affected vSmart/vManage:
```
INSTANCE  PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  REMOTE COLOR  STATE      LOCAL ERROR  REMOTE ERROR  REPEAT COUNT  DOWNTIME
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0         vbond      dtls           0.0.0.0         0        0          192.168.0.231    12346              192.168.0.231   12346             default       tear_down  CRTREJSER    NOERR         9             2019-06-01T19:06:32+0200

vsmart# show control local-properties| i serial-num
serial-num                   0F
```
In addition, you see ORPTMO messages for vEdges on the affected vSmart:
```
INSTANCE  PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  REMOTE COLOR  STATE      LOCAL ERROR  REMOTE ERROR  REPEAT COUNT  DOWNTIME
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0         unknown    tls            -               0        0          ::               0                  192.168.10.238  54850             default       tear_down  ORPTMO       NOERR         0             2019-06-01T19:18:16+0200
0         unknown    tls            -               0        0          ::               0                  192.168.10.238  54850             default       tear_down  ORPTMO       NOERR         0             2019-06-01T19:18:16+0200
0         unknown    tls            -               0        0          ::               0                  198.51.100.100  55374             default       tear_down  ORPTMO       NOERR         0             2019-06-01T19:18:05+0200
0         unknown    tls            -               0        0          ::               0                  198.51.100.100  59076             default       tear_down  ORPTMO       NOERR         0             2019-06-01T19:18:03+0200
0         unknown    tls            -               0        0          ::               0                  192.168.10.240  53478             default       tear_down  ORPTMO       NOERR         0             2019-06-01T19:18:02+0200
```
On a vEdge affected by that vSmart, the "SERNTPRES" error is seen in the show control connections-history output:
```
PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  LOCAL COLOR   STATE      LOCAL ERROR  REMOTE ERROR  REPEAT COUNT  DOWNTIME
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart     tls            10.10.10.229    1        1          192.168.0.229    23456              192.168.0.229   23456             biz-internet  tear_down  SERNTPRES    NOERR         29            2019-06-01T19:18:51+0200
vsmart     tls            10.10.10.229    1        1          192.168.0.229    23456              192.168.0.229   23456             mpls          tear_down  SERNTPRES    NOERR         29            2019-06-01T19:18:32+0200
```
Chassis-Num/Unique-Id error

Another instance of the same "CRTREJSER/NOERR" error can be seen if the wrong product ID (model) was used on the PnP portal. For example:
```
vbond# show orchestrator valid-vedges | include ASR1002
ASR1002-HX-DNA-JAE21050110  014EE30A  valid  Cisco SVC  N1
```
However, the actual device model is different (note that there is no "DNA" suffix in the name):
```
ASR1k#show sdwan control local-properties | include chassis-num
chassis-num/unique-id        ASR1002-HX-JAE21050110
```
Organization mismatch (CTORGNMIS)

The organization name is a key component in bringing up control connections. For a given overlay, the organization name must match on all controllers and vEdges for control connections to be established.

If it does not, the "Certificate Org. name mismatch" error appears as shown here:
```
PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  LOCAL COLOR   STATE      LOCAL ERROR  REMOTE ERROR  REPEAT COUNT  DOWNTIME
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond      dtls           -               0        0          203.0.113.197    12346              203.0.113.197   12346             biz-internet  tear_down  CTORGNMMIS   NOERR         14            2019-04-08T00:26:19+0000
vbond      dtls           -               0        0          198.51.100.137   12346              198.51.100.137  12346             biz-internet  tear_down  CTORGNMMIS   NOERR         13            2019-04-08T00:26:04+0000
```
vEdge/vSmart certificate revoked/invalid (VSCRTREV/CRTVERFL)

If the certificate is revoked on the controllers, or the vEdge serial number is invalidated, the vSmart or vEdge certificate revoked message is shown respectively.

Here is example output of the vSmart certificate revoked message, seen on the vSmart whose certificate was revoked:
```
INSTANCE  PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  REMOTE COLOR  STATE  LOCAL ERROR  REMOTE ERROR  REPEAT COUNT  DOWNTIME
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0         vbond      dtls           0.0.0.0         0        0          192.168.0.231    12346              192.168.0.231   12346             default       up     RXTRDWN      VSCRTREV      0             2019-06-01T18:13:22+0200
1         vbond      dtls           0.0.0.0         0        0          192.168.0.231    12346              192.168.0.231   12346             default       up     RXTRDWN      VSCRTREV      0             2019-06-01T18:13:22+0200
```
Similarly, this is how another vSmart in the same overlay sees the vSmart with the revoked certificate:
```
INSTANCE  PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  REMOTE COLOR  STATE      LOCAL ERROR  REMOTE ERROR  REPEAT COUNT  DOWNTIME
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0         vsmart     tls            10.10.10.229    1        1          192.168.0.229    23456              192.168.0.229   23456             default       tear_down  VSCRTREV     NOERR         0             2019-06-01T18:13:24+0200
```
And this is how the vBond sees the problem:
```
INSTANCE  PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  REMOTE COLOR  STATE      LOCAL/REMOTE ERROR  REPEAT COUNT  DOWNTIME
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0         vsmart     dtls           10.10.10.229    1        1          192.168.0.229    12346              192.168.0.229   12346             default       tear_down  VSCRTREV/NOERR      0             2019-06-01T18:13:14+0200
```
A certificate verification failure occurs when a certificate cannot be verified against the installed root certificate:
1. Check the time with the show clock command. It must at least fall within the validity range of the vBond certificate (check it with the show orchestrator local-properties command).
2. It can be caused by a corrupted root certificate on the vEdge.

In that case, the show control connections-history command on the vEdge router shows output similar to this:
```
PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  LOCAL COLOR  STATE      LOCAL ERROR  REMOTE ERROR  REPEAT COUNT  DOWNTIME
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vbond      dtls           -               0        0          203.0.113.82     12346              203.0.113.82    12346             default      tear_down  CRTVERFL     NOERR         32            2018-11-16T23:58:22+0000
vbond      dtls           -               0        0          203.0.113.81     12346              203.0.113.81    12346             default      tear_down  CRTVERFL     NOERR         31            2018-11-16T23:58:03+0000
```
In this case, the vEdge cannot verify the controller certificate. To resolve it, reinstall the root certificate chain. When the Symantec Certificate Authority is used, the root certificate chain can be copied from the read-only file system:
```
vEdge1# vshell
vEdge1:~$ cp /rootfs.ro/usr/share/viptela/root-ca-sha1-sha2.crt /home/admin/
vEdge1:~$ exit
exit
vEdge1# request root-cert-chain install /home/admin/root-ca-sha1-sha2.crt
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/root-ca-sha1-sha2.crt via VPN 0
Installing the new root certificate chain
Successfully installed the root certificate chain
```
vEdge template not attached in vManage

If the device has no template attached on vManage, the NOVMCFG - No Config in vManage for device message is shown when the device comes up.
```
PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  LOCAL COLOR  STATE  LOCAL ERROR  REMOTE ERROR  REPEAT COUNT  DOWNTIME
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vmanage    dtls           10.0.1.1        1        0          10.0.2.80        12546              203.0.113.128   12546             default      up     RXTRDWN      NOVMCFG       35            2019-02-26T12:23:52+0000
```
Transient conditions (DISCVBD, SYSIPCHNG)

Here are some transient conditions in which control connections flap. They include:
- The System-IP on the vEdge was changed.
- A teardown message toward the vBond (control connections to the vBond are temporary).
```
PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  LOCAL COLOR  STATE      LOCAL ERROR  REMOTE ERROR  REPEAT COUNT  DOWNTIME
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vmanage    dtls           10.0.0.1        1        0          198.51.100.92    12646              198.51.100.92   12646             default      tear_down  SYSIPCHNG    NOERR         0             2018-11-02T16:58:00+0000
```
DNS failure

When no connection attempts appear in the show control connection-history command output, follow these steps to check for a DNS resolution failure for the vBond:
- Ping the vBond DNS name.
```
ping vbond-dns-name.cisco.com
ping vbond-dns-name.cisco.com: Temporary failure in name resolution
```
- Ping Google DNS (8.8.8.8) from the source interface to verify Internet reachability.
```
ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
```
- Take an Embedded Packet Capture of the DNS traffic on port 53 to check the DNS traffic sent and received.
```
monitor capture mycap interface <interface that forms control>
monitor capture mycap match ipv4 <source IP> <vBond IP>
```
Reference document: Embedded Packet Capture.

Start the monitor capture, let it run for a few minutes, then stop the capture. Examine the packet capture to see whether the DNS queries are sent and whether replies are received.
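Every scenario above is identified first by the error column of show control connections-history (or show orchestrator connections-history on the vBond). The following added Python helper (not part of the Cisco document) parses the three row layouts shown in this document and maps each code to the scenario described above; the hint texts are a constructed summary of those sections, and the sample rows are constructed after the outputs shown.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Error code -> scenario covered in this document (summary written for this example).
ERROR_HINTS: Dict[str, str] = {
    "DCONFAIL": "DTLS connection failure: firewall/DTLS ports, next hop, default gateway, dropped large packets",
    "DISTLOC": "TLOC disabled: after clear control connections, a color change or a system-ip change",
    "TXCHTOBD": "challenge to Board ID failed: flapping link, retried automatically",
    "RDSIGFBD": "read signature from Board ID failed: flapping link, retried automatically",
    "BDSGVERFL": "Board ID signature rejected by vBond: compare local-properties with valid-vedges",
    "LISFD": "listener socket error: most often a duplicate transport IP, or TLS/DTLS port mismatch",
    "VM_TMO": "vManage peer timeout: check reachability and loss, compare hello TX/RX counters",
    "CRTREJSER": "certificate serial rejected: serial missing on controllers or wrong PID on the PnP portal",
    "SERNTPRES": "serial number not present on vBond: check valid-vedges / valid-vsmarts",
    "BIDNTVRFD": "Board ID not verified: serial not in the valid vEdge list; Send to Controllers",
    "CTORGNMMIS": "organization-name mismatch: must match on all controllers and vEdges",
    "VSCRTREV": "vSmart certificate revoked on the controllers",
    "CRTVERFL": "certificate verification failed: check clock vs. validity, reinstall the root-cert-chain",
    "NOVMCFG": "no template attached to this device in vManage",
    "SYSIPCHNG": "transient: system-ip changed on the vEdge",
    "DISCVBD": "transient: vBond connection torn down",
    "ORPTMO": "seen on a vSmart for vEdges while the controller serial files are mismatched",
    "RXTRDWN": "peer sent a teardown: the REMOTE ERROR column carries the reason",
    "NOERR": "no error",
}

DOWNTIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}$")

@dataclass
class HistoryRow:
    peer_type: str
    state: str
    local_error: str
    remote_error: str
    repeat_count: int
    downtime: str

def parse_history_row(line: str) -> Optional[HistoryRow]:
    """Parse one data row; header, separator and blank lines return None."""
    tokens = line.split()
    if len(tokens) < 8 or not DOWNTIME_RE.match(tokens[-1]):
        return None
    # Columns are read from the right because layouts differ: controllers prepend an
    # INSTANCE column, and the vBond prints LOCAL/REMOTE errors as one token.
    peer_type = tokens[1] if tokens[0].isdigit() else tokens[0]
    if "/" in tokens[-3]:
        local_error, remote_error = tokens[-3].split("/", 1)
        state = tokens[-4]
    else:
        local_error, remote_error = tokens[-4], tokens[-3]
        state = tokens[-5]
    return HistoryRow(peer_type, state, local_error, remote_error, int(tokens[-2]), tokens[-1])

def triage(output: str) -> List[Tuple[str, str, str]]:
    """Return (peer_type, decisive error code, hint) for each data row in the output."""
    findings = []
    for row in filter(None, map(parse_history_row, output.splitlines())):
        # RXTRDWN only says the peer tore the session down; the remote code says why.
        code = row.remote_error if row.local_error == "RXTRDWN" and row.remote_error != "NOERR" else row.local_error
        hint = ERROR_HINTS.get(code) or ("peer timeout: check reachability and loss" if code.endswith("_TMO") else "unknown code")
        findings.append((row.peer_type, code, hint))
    return findings

# Constructed rows in the three layouts shown in this document (vEdge, vBond, vEdge).
SAMPLE = """\
------------------------------------------------
vbond dtls - 0 0 203.0.113.21 12346 203.0.113.21 12346 default up LISFD NOERR 0 2019-04-30T15:46:25+0000
vbond dtls 0.0.0.0 0 0 192.168.0.231 12346 192.168.0.231 12346 biz-internet challenge_resp RXTRDWN BIDNTVRFD 0 2019-06-01T16:40:16+0200
0 unknown dtls - 0 0 :: 0 192.168.0.229 12346 default tear_down SERNTPRES/NOERR 2 2019-06-01T19:04:51+0200
vmanage dtls 10.0.1.1 1 0 10.0.2.80 12546 203.0.113.128 12546 default up RXTRDWN NOVMCFG 35 2019-02-26T12:23:52+0000
"""
```

Feeding the pasted output of the command to triage() gives one line per historical peer with the code that actually explains the teardown, so the RXTRDWN rows above resolve to BIDNTVRFD and NOVMCFG rather than to the generic teardown code.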
Related Information

Revision | Publish Date | Comments
---|---|---
4.0 | 18-Jan-2023 | Recertification
3.0 | 17-Oct-2022 | Added the Prerequisites, "DNS failure" and "Related Information" sections
2.0 | 29-Apr-2022 | Added the "BDSGVERFL - Board ID signature failure" section, updated IP addresses, and edited for machine translation
1.0 | 13-Jun-2019 | Initial release