排除SD-WAN動態按需隧道故障
簡介
本文檔介紹在配置或檢查與SD-WAN動態按需隧道相關問題時可以使用的故障排除命令。
必備條件
採用元件
本檔案是根據以下組態參考、軟體和硬體版本撰寫的:
- vManage 20.9.3版
- 邊緣路由器ISR4K版本17.9.3
- 所有裝置都配置為根據官方文檔建立動態按需隧道
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
註:有關動態按需隧道配置,請參閱本文檔。
背景資訊
Cisco SD-WAN支援任意兩個Cisco SD-WAN分支裝置之間的動態按需隧道。僅當兩台裝置之間存在流量最佳化頻寬使用和裝置效能時,才會觸發這些隧道的設定。
工作案例
使用的拓撲
在正常運行方案中,按需隧道觸發條件包括:
- 無法建立分支之間的BFD會話,在show sdwan bfd sessions中甚至顯示為關閉
- 在終端之間傳送相關流量時,可能會觸發BFD會話
- 必須設定和確認基本動態按需隧道配置
觸發程式隨選通道啟用
- 最初,分支之間的BFD會話未啟動,只有從分支到集線器的會話處於啟動狀態,並且按需系統狀態在分支和OMP表中都顯示為非活動狀態,從集線器的備份路由設定為C、I、R,而從Spoke 2的路由設定為I、U、IA
Spoke 1#show sdwan bfd sessions
SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX
SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.10.10.100 100 up blue blue 10.10.10.1 10.100.100.1 12366 ipsec 7 1000 2:13:14:35 6
Spoke 1#show sdwan system on-demand remote-system
SITE-ID SYSTEM-IP ON-DEMAND STATUS IDLE-TIMEOUT-EXPIRY(sec)
---------------------------------------------------------------------------
2 10.10.10.2 yes inactive -
Spoke 1#show sdwan omp routes vpn 10 10.2.2.2/32
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
BR-R -> border-router reoriginated
TGW-R -> transport-gateway reoriginated
AFFINITY
PATH ATTRIBUTE GROUP
TENANT VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE NUMBER REGION ID REGION PATH
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 10 10.2.2.2/32 192.168.0.1 61 1005 C,I,R installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 62 1003 I,U,IA installed 10.10.10.2 default ipsec - None None -
192.168.0.1 64 1005 C,R installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 65 1003 I,U,IA installed 10.10.10.2 private1 ipsec - None None -
192.168.0.1 67 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 68 1003 I,U,IA installed 10.10.10.2 private2 ipsec - None None -
192.168.0.2 71 1005 C,R installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 72 1003 U,IA installed 10.10.10.2 default ipsec - None None -
192.168.0.2 74 1005 C,R installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 75 1003 U,IA installed 10.10.10.2 private1 ipsec - None None -
192.168.0.2 77 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 78 1003 U,IA installed 10.10.10.2 private2 ipsec - None None -
Spoke 2#show sdwan bfd sessions
SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX
SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.10.10.100 100 up blue blue 10.10.10.2 10.100.100.1 12366 ipsec 7 1000 0:11:10:01 1
Spoke 2#show sdwan system on-demand remote-system
SITE-ID SYSTEM-IP ON-DEMAND STATUS IDLE-TIMEOUT-EXPIRY(sec)
---------------------------------------------------------------------------
1 10.10.10.1 yes inactive -
- 要觸發按需隧道啟用,需要關注流量。在本示例中,使用ICMP流量,在傳送流量後,按需遠端系統的狀態從兩端的「非活動」狀態更改為「活動」狀態,並且OMP表中的目標字首從「中心」的C、I、R狀態更改為「分支2」的C、I、R狀態
Spoke 1#ping vrf 10 10.2.2.2 re 20
Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20), round-trip min/avg/max = 1/3/31 ms
Spoke 1#show sdwan system on-demand remote-system
SITE-ID SYSTEM-IP ON-DEMAND STATUS IDLE-TIMEOUT-EXPIRY(sec)
---------------------------------------------------------------------------
2 10.10.10.2 yes active 56
Spoke 1#show sdwan bfd sessions
SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX
SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.10.10.100 100 up blue blue 10.10.10.1 10.100.100.1 12366 ipsec 7 1000 0:11:14:51 1
10.10.10.2 2 up default default 10.10.10.1 10.12.12.2 12366 ipsec 7 1000 0:00:00:53 1----> BFD session established due of interest traffic and on-demand configuration
10.10.10.2 2 up blue blue 10.10.10.1 10.12.12.2 12366 ipsec 7 1000 0:00:00:52 1
Spoke 1#show sdwan omp routes vpn 10 10.2.2.2/32
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
BR-R -> border-router reoriginated
TGW-R -> transport-gateway reoriginated
AFFINITY
PATH ATTRIBUTE GROUP
TENANT VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE NUMBER REGION ID REGION PATH
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 10 10.2.2.2/32 192.168.0.1 61 1005 R installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 62 1003 C,I,R installed 10.10.10.2 default ipsec - None None -
192.168.0.1 64 1005 R installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 65 1003 C,I,R installed 10.10.10.2 private1 ipsec - None None -
192.168.0.1 67 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 68 1003 C,I,R installed 10.10.10.2 private2 ipsec - None None -
192.168.0.2 71 1005 R installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 72 1003 C,R installed 10.10.10.2 default ipsec - None None -
192.168.0.2 74 1005 R installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 75 1003 C,R installed 10.10.10.2 private1 ipsec - None None -
192.168.0.2 77 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 78 1003 C,R installed 10.10.10.2 private2 ipsec - None None -
Spoke 2#show sdwan system on-demand remote-system
SITE-ID SYSTEM-IP ON-DEMAND STATUS IDLE-TIMEOUT-EXPIRY(sec)
---------------------------------------------------------------------------
1 10.10.10.1 yes active 53
Spoke 2#show sdwan bfd sessions
SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX
SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.10.10.100 100 up blue blue 10.10.10.2 10.100.100.1 12366 ipsec 7 1000 0:11:14:56 1
10.10.10.1 2 up default default 10.10.10.2 10.11.11.1 12366 ipsec 7 1000 0:00:00:53 1----> BFD session established due of interest traffic and on-demand configuration
10.10.10.1 2 up blue blue 10.10.10.2 10.11.11.1 12366 ipsec 7 1000 0:00:00:52
- 在網輻間停止流量和空閒超時到期後,網輻間的BFD會話消失,按需狀態返回非活動狀態,路由從OMP表中的集線器返回到C、I、R備份路由狀態
Spoke 1#show sdwan bfd sessions
SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX
SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.10.10.100 100 up blue blue 10.10.10.1 10.100.100.1 12366 ipsec 7 1000 0:11:19:11 1
Spoke 1#show sdwan system on-demand remote-system
SITE-ID SYSTEM-IP ON-DEMAND STATUS IDLE-TIMEOUT-EXPIRY(sec)
---------------------------------------------------------------------------
2 10.10.10.2 yes inactive -
Spoke 2#show sdwan bfd sessions
SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX
SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.10.10.100 100 up blue blue 10.10.10.2 10.100.100.1 12366 ipsec 7 1000 0:11:19:11 1
Spoke 2#show sdwan system on-demand remote-system
SITE-ID SYSTEM-IP ON-DEMAND STATUS IDLE-TIMEOUT-EXPIRY(sec)
---------------------------------------------------------------------------
1 10.10.10.1 yes inactive -
常見問題場景
使用的拓撲
方案1:分支認為透過集線器的備份路徑無效且無法解析
症狀
- 無法訪問Spoke 2中的目標字首,可以看到來自集線器的備份路徑,但會將其視為無效/已解除安裝
Spoke 1#show sdwan omp routes vpn 10 10.2.2.2/32
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
BR-R -> border-router reoriginated
TGW-R -> transport-gateway reoriginated
AFFINITY
PATH ATTRIBUTE GROUP
TENANT VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE NUMBER REGION ID REGION PATH
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 10 10.2.2.2/32 192.168.0.1 61 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 62 1003 U,IA installed 10.10.10.2 default ipsec - None None -
192.168.0.1 64 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 65 1003 U,IA installed 10.10.10.2 private1ipsec - None None -
192.168.0.1 67 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 68 1003 U,IA installed 10.10.10.2 private2ipsec - None None -
192.168.0.2 71 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 72 1003 U,IA installed 10.10.10.2 default ipsec - None None -
192.168.0.2 74 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 75 1003 U,IA installed 10.10.10.2 private1ipsec - None None -
192.168.0.2 77 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 78 1003 U,IA installed 10.10.10.2 private2ipsec - None None -
疑難排解
- 檢查是否已建立指向分支的集線器BFD會話
Hub#show sdwan bfd sessions
SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX
SYSTEM IP SITE ID STATE COLOR COLOR. SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.10.10.2 2 up blue blue 10.10.10.100 10.12.12.2 12366 ipsec 7 1000 1:23:58:15 2
10.10.10.1 1 up default default 10.10.10.100 10.11.11.1 12366 ipsec 7 1000 1:23:59:12 6 - 檢查按需隧道策略,以確認所有站點都已根據其角色(中心或分支)包括在正確的站點清單中
- 使用命令show sdwan system on-demand確認分支中是否啟用了按需功能並且處於活動狀態
Spoke 1#show sdwan system on-demand
SITE-ID SYSTEM-IP ON-DEMAND STATUS IDLE-TIMEOUT-CFG(min)
-------------------------------------------------------------------------
1 10.10.10.1 yes active 10
Spoke 2#show sdwan system on-demand
SITE-ID SYSTEM-IP ON-DEMAND STATUS IDLE-TIMEOUT-CFG(min)
-------------------------------------------------------------------------
2 10.10.10.2 yes active 10 - 確認是否在中心站點中啟用流量工程服務(服務TE)。有用的命令可以是show sdwan run | 包括TE
hub#show sdwan run | inc TE
!
解決方案
- 在這種情況下,中心站點中未啟用服務TE。若要修正,請在集線器端進行設定:
hub#config-trans
hub(config)# sdwan
hub(config-vrf-global)# service TE vrf global
hub(config-vrf-global)# commit
- 檢查Spoke 1 OMP表中是否已更改,現在對於來自中心10.10.10.100的條目(生成利息流量之前),此路由為C、I、R,而對於來自Spoke 2 10.10.10.2的條目,此路由為C、I、R(生成利息流量時)。此外,使用命令show sdwan system on-demand remote-system <remote system ip>,檢查分支1和分支2之間的BFD會話,以及按需隧道是否已啟用(如果適用):
Before interest traffic
Spoke 1#show sdwan omp routes vpn 10 10.2.2.2/32
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
BR-R -> border-router reoriginated
TGW-R -> transport-gateway reoriginated
AFFINITY
PATH ATTRIBUTE GROUP
TENANT VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE NUMBER REGION ID REGION PATH
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 10 10.2.2.2/32 192.168.0.1 61 1005 C,I,R installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 62 1003 I,U,IA installed 10.10.10.2 default ipsec - None None -
192.168.0.1 64 1005 C,R installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 65 1003 I,U,IA installed 10.10.10.2 private1 ipsec - None None -
192.168.0.1 67 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 68 1003 I,U,IA installed 10.10.10.2 private2 ipsec - None None -
192.168.0.2 71 1005 C,R installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 72 1003 U,IA installed 10.10.10.2 default ipsec - None None -
192.168.0.2 74 1005 C,R installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 75 1003 U,IA installed 10.10.10.2 private1 ipsec - None None -
192.168.0.2 77 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 78 1003 U,IA installed 10.10.10.2 private2 ipsec - None None -
While interest traffic
Spoke 1#show sdwan omp routes vpn 10 10.2.2.2/32
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
BR-R -> border-router reoriginated
TGW-R -> transport-gateway reoriginated
AFFINITY
PATH ATTRIBUTE GROUP
TENANT VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE NUMBER REGION ID REGION PATH
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 10 10.2.2.2/32 192.168.0.1 61 1005 R installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 62 1003 C,I,R installed 10.10.10.2 default ipsec - None None -
192.168.0.1 64 1005 R installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 65 1003 C,I,R installed 10.10.10.2 private1 ipsec - None None -
192.168.0.1 67 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 68 1003 C,I,R installed 10.10.10.2 private2 ipsec - None None -
192.168.0.2 71 1005 R installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 72 1003 C,R installed 10.10.10.2 default ipsec - None None -
192.168.0.2 74 1005 R installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 75 1003 C,R installed 10.10.10.2 private1 ipsec - None None -
192.168.0.2 77 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 78 1003 C,R installed 10.10.10.2 private2 ipsec - None None -
Spoke 1#show sdwan bfd sessions
SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX
SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.10.10.100 100 up blue blue 10.10.10.1 10.100.100.1 12366 ipsec 7 1000 1:23:58:15 2
10.10.10.2 2 up default default 10.10.10.1 10.12.12.2 12366 ipsec 7 1000 0:00:01:50 2----> BFD session established due of on-demand tunnel configuration.
10.10.10.2 2 up blue blue 10.10.10.1 10.12.12.2 12366 ipsec 7 1000 0:00:01:52 2
Spoke 1#show sdwan system on-demand remote-system system-ip 10.10.10.2
SITE-ID SYSTEM-IP ON-DEMAND STATUS IDLE-TIMEOUT-EXPIRY(sec)
---------------------------------------------------------------------------
2 10.10.10.2 yes active 41 ------>on-demand tunnel established to spoke 2 10.10.10.2 due of interest traffic
方案2:分支之間的BFD會話保持開啟
症狀
- 在這種情況下,使用命令show sdwan system on-demand remote-system將遠端Spoke 2終端列於按需遠端終端中,且其狀態為「no on-demand」,即使不傳送任何興趣資料流,並且直接從Spoke 2獲取目標字首,Spoke 1和Spoke 2之間的BFD會話也會保持打開狀態
Spoke 1#show sdwan system on-demand remote-system
SITE-ID SYSTEM-IP ON-DEMAND STATUS IDLE-TIMEOUT-EXPIRY(sec)
---------------------------------------------------------------------------
2 10.10.10.2 no - -
Spoke 1#show sdwan bfd sessions
SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX
SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.10.10.100 100 up blue blue 10.10.10.1 10.100.100.1 12366 ipsec 7 1000 1:23:58:15 3
10.10.10.2 2 up default default 10.10.10.1 10.12.12.2 12366 ipsec 7 1000 0:00:18:53 4
10.10.10.2 2 up blue blue 10.10.10.1 10.12.12.2 12366 ipsec 7 1000 0:00:18:52 3
Spoke 1#show sdwan omp route vpn 10 10.2.2.2/32
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
BR-R -> border-router reoriginated
TGW-R -> transport-gateway reoriginated
AFFINITY
PATH ATTRIBUTE GROUP
TENANT VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE NUMBER REGION ID REGION PATH
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 10 10.2.2.2/32 192.168.0.1 73 1005 R installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 74 1003 C,I,R installed 10.10.10.2 default ipsec - None None -
192.168.0.1 76 1005 R installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 77 1003 C,I,R installed 10.10.10.2 private1 ipsec - None None -
192.168.0.1 79 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 80 1003 C,I,R installed 10.10.10.2 private2 ipsec - None None -
192.168.0.2 89 1005 R installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 90 1003 C,R installed 10.10.10.2 default ipsec - None None -
192.168.0.2 92 1005 R installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 93 1003 C,R installed 10.10.10.2 private1 ipsec - None None -
192.168.0.2 95 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 96 1003 C,R installed 10.10.10.2 private2 ipsec - None None -
疑難排解
- 檢查按需隧道策略,以確認所有站點都已根據其角色(中心或分支)包括在正確的站點清單中
viptela-policy:policy control-policy ondemand sequence 1 match route site-list Spokes prefix-list _AnyIpv4PrefixList ! action accept set tloc-action backup tloc-list hub ! ! ! default-action accept ! lists site-list Spokes site-id 1-2 ! tloc-list hub tloc 10.10.10.100 color blue encap ipsec tloc 10.10.10.100 color default encap ipsec tloc 10.10.10.100 color private1 encap ipsec tloc 10.10.10.100 color private2 encap ipsec ! prefix-list _AnyIpv4PrefixList ip-prefix 0.0.0.0/0 le 32 ! ! ! apply-policy site-list Spokes control-policy ondemand out ! ! - 使用show sdwan run命令檢查按需是否啟用 | inc在分支中按需提供和TE在集線器中透過命令show sdwan run啟用 | 包括TE
Spoke 1#show sdwan run | inc on-demand
on-demand enable
on-demand idle-timeout 10
Spoke 2#show sdwan run | inc on-demand
Spoke 2#
Hub#show sdwan run | inc TE
service TE vrf global
解決方案
- 在這種情況下,在Spoke 2中未啟用隨選功能。若要修正,請在Spoke 2端進行設定
Spoke 2#config-trans
Spoke 2(config)# system
Spoke 2(config-vrf-global)# on-demand enable
Spoke 2(config-vrf-global)# on-demand idle-timeout 10
Spoke 2(config-vrf-global)# commit
- 檢查Spoke 1 now Spoke 2中是否顯示為on-demand yes,並且OMP表已更改,並且現在對於來自中心10.10.10.100(生成興趣流量之前)而不是直接來自Spoke 2的條目,此路由為C、I、R
Spoke 1#show sdwan system on-demand remote-system
SITE-ID SYSTEM-IP ON-DEMAND STATUS IDLE-TIMEOUT-EXPIRY(sec)
---------------------------------------------------------------------------
2 10.10.10.2 yes inactive -
Spoke 1#show sdwan omp routes vpn 10 10.2.2.2/32
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
BR-R -> border-router reoriginated
TGW-R -> transport-gateway reoriginated
AFFINITY
PATH ATTRIBUTE GROUP
TENANT VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE NUMBER REGION ID REGION PATH
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 10 10.2.2.2/32 192.168.0.1 61 1005 C,I,R installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 62 1003 I,U,IA installed 10.10.10.2 default ipsec - None None -
192.168.0.1 64 1005 C,R installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 65 1003 I,U,IA installed 10.10.10.2 private1 ipsec - None None -
192.168.0.1 67 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 68 1003 I,U,IA installed 10.10.10.2 private2 ipsec - None None -
192.168.0.2 71 1005 C,R installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 72 1003 U,IA installed 10.10.10.2 default ipsec - None None -
192.168.0.2 74 1005 C,R installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 75 1003 U,IA installed 10.10.10.2 private1 ipsec - None None -
192.168.0.2 77 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 78 1003 U,IA installed 10.10.10.2 private2 ipsec - None None -
- 生成利息流量時,來自Spoke 2 10.10.10.2條目的流量將獲得C、I、R。此外,使用命令show sdwan system on-demand remote-system <remote system ip>,檢查Spoke 1和Spoke 2之間的BFD會話是否已啟用,並檢查按需隧道是否已啟用
Spoke 1#show sdwan omp routes vpn 10 10.2.2.2/32
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
BR-R -> border-router reoriginated
TGW-R -> transport-gateway reoriginated
AFFINITY
PATH ATTRIBUTE GROUP
TENANT VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE NUMBER REGION ID REGION PATH
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 10 10.2.2.2/32 192.168.0.1 61 1005 R installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 62 1003 C,I,R installed 10.10.10.2 default ipsec - None None -
192.168.0.1 64 1005 R installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 65 1003 C,I,R installed 10.10.10.2 private1 ipsec - None None -
192.168.0.1 67 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 68 1003 C,I,R installed 10.10.10.2 private2 ipsec - None None -
192.168.0.2 71 1005 R installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 72 1003 C,R installed 10.10.10.2 default ipsec - None None -
192.168.0.2 74 1005 R installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 75 1003 C,R installed 10.10.10.2 private1 ipsec - None None -
192.168.0.2 77 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 78 1003 C,R installed 10.10.10.2 private2 ipsec - None None -
Spoke 1#show sdwan bfd sessions
SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX
SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.10.10.100 100 up blue blue 10.10.10.1 10.100.100.1 12366 ipsec 7 1000 2:04:34:11 2
10.10.10.2 2 up default default 10.10.10.1 10.12.12.2 12366 ipsec 7 1000 0:00:02:10 2----> BFD session established due of on-demand tunnel configuration.
10.10.10.2 2 up blue blue 10.10.10.1 10.12.12.2 12366 ipsec 7 1000 0:00:02:08 2
Spoke 1#show sdwan system on-demand remote-system system-ip 10.10.10.2
SITE-ID SYSTEM-IP ON-DEMAND STATUS IDLE-TIMEOUT-EXPIRY(sec)
---------------------------------------------------------------------------
2 10.10.10.2 yes active 41 ------>on-demand tunnel established to Spoke 2 10.10.10.2 due of interest traffic
方案3:網輻中沒有租用或安裝任何備用路由
症狀
- 在這種情況下,在OMP表中沒有源自Spoke 2的字首10.2.2.2/32的備份路由,只看到按需非活動條目。已確認分支中的按需配置和集線器中的TE
Spoke 1#show sdwan omp route vpn 10 10.2.2.2/32
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
BR-R -> border-router reoriginated
TGW-R -> transport-gateway reoriginated
AFFINITY
PATH ATTRIBUTE GROUP
TENANT VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE NUMBER REGION ID REGION PATH
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 10 10.2.2.2/32 192.168.0.1 108 1003 U,IA installed 10.10.10.2 default ipsec - None None -
192.168.0.1 113 1003 U,IA installed 10.10.10.2 private1 ipsec - None None -
192.168.0.1 141 1003 U,IA installed 10.10.10.2 private2 ipsec - None None -
192.168.0.2 112 1003 U,IA installed 10.10.10.2 default ipsec - None None -
192.168.0.2 117 1003 U,IA installed 10.10.10.2 private1 ipsec - None None -
192.168.0.2 144 1003 U,IA installed 10.10.10.2 private2 ipsec - None None -
Spoke 1#show sdwan run | inc on-demand
on-demand enable
on-demand idle-timeout 10
Spoke 2#show sdwan run | inc on-demand
on-demand enable
on-demand idle-timeout 10
Hub#show sdwan run | inc TE
service TE vrf global
疑難排解
- 檢查按需集中策略,並確認所有分支是否都包含在正確的站點清單中
viptela-policy:policy
control-policy ondemand
sequence 1
match route
site-list Spokes
prefix-list _AnyIpv4PrefixList
!
action accept
set
tloc-action backup
tloc-list hub
!
!
!
default-action accept
!
lists
site-list Spokes
site-id 1
!
tloc-list hub
tloc 10.10.10.100 color blue encap ipsec
tloc 10.10.10.100 color default encap ipsec
tloc 10.10.10.100 color private1 encap ipsec
tloc 10.10.10.100 color private2 encap ipsec
!
prefix-list _AnyIpv4PrefixList
ip-prefix 0.0.0.0/0 le 32
!
!
!
apply-policy
site-list Spokes
control-policy ondemand out
!
解決方案
- 請注意,策略中的站點清單分支中缺少Spoke 2站點ID 2。將其包含在站點清單中後,備份路徑將正確安裝,當傳送關注流量時,會啟動按需隧道和分支之間的BFD會話。
Spokes site list from policy before
lists
site-list Spokes
site-id 1
!
Spokes site list from policy after
lists
site-list Spokes
site-id 1-2
!
Spoke 1#show sdwan omp routes vpn 10 10.2.2.2/32
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
BR-R -> border-router reoriginated
TGW-R -> transport-gateway reoriginated
AFFINITY
PATH ATTRIBUTE GROUP
TENANT VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE NUMBER REGION ID REGION PATH
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 10 10.2.2.2/32 192.168.0.1 61 1005 C,I,R installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 62 1003 I,U,IA installed 10.10.10.2 default ipsec - None None -
192.168.0.1 64 1005 C,R installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 65 1003 I,U,IA installed 10.10.10.2 private1 ipsec - None None -
192.168.0.1 67 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.1 68 1003 I,U,IA installed 10.10.10.2 private2 ipsec - None None -
192.168.0.2 71 1005 C,R installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 72 1003 U,IA installed 10.10.10.2 default ipsec - None None -
192.168.0.2 74 1005 C,R installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 75 1003 U,IA installed 10.10.10.2 private1 ipsec - None None -
192.168.0.2 77 1005 Inv,U installed 10.10.10.100 blue ipsec - None None -
192.168.0.2 78 1003 U,IA installed 10.10.10.2 private2 ipsec - None None -
Spoke 1#show sdwan bfd sessions
SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX
SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.10.10.100 100 up blue blue 10.10.10.1 10.100.100.1 12366 ipsec 7 1000 2:07:01:43 6
10.10.10.2 2 up default default 10.10.10.1 10.12.12.2 12366 ipsec 7 1000 0:00:00:56 2----> BFD session established due of on-demand tunnel configuration.
10.10.10.2 2 up blue blue 10.10.10.1 10.12.12.2 12366 ipsec 7 1000 0:00:00:56 2
Spoke 1#show sdwan system on-demand remote-system system-ip 10.10.10.2
SITE-ID SYSTEM-IP ON-DEMAND STATUS IDLE-TIMEOUT-EXPIRY(sec)
---------------------------------------------------------------------------
2 10.10.10.2 yes active 56 ------>on-demand tunnel established to Spoke 2 10.10.10.2 due of interest traffic
有用的命令
- show sdwan system on-demand
- show sdwan system on-demand remote-system
- show sdwan system on-demand remote-system system-ip <system ip>
- show sdwan run | 包括按需提供
- show sdwan run | 包括TE
- show sdwan ompo routes vpn <vpn number>
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
1.0 |
05-Oct-2023 |
初始版本 |
意見