Operations
Access the Software Upgrade Workflow
Feature Name |
Release Information |
Description |
---|---|---|
Software Upgrade Workflow |
Cisco IOS XE Catalyst SD-WAN Release 17.8.1a Cisco vManage Release 20.8.1 Cisco SD-WAN Release 20.8.1 |
You can now upgrade software images on edge devices using the Workflows menu in Cisco SD-WAN Manager. |
Schedule the Software Upgrade Workflow |
Cisco IOS XE Catalyst SD-WAN Release 17.9.1a Cisco vManage Release 20.9.1 Cisco SD-WAN Release 20.9.1 |
Upgrade the software of Cisco edge devices using a scheduler which helps in scheduling the upgrade process at your convenience. |
Software Upgrade Workflow Support for Additional Platforms |
Cisco vManage Release 20.9.1 |
Added support for Cisco Enterprise NFV Infrastructure Software (NFVIS) and Cisco Catalyst Cellular Gateways. |
Software Upgrade Scheduling Support for Additional Platforms |
Cisco vManage Release 20.10.1 |
Added support for software upgrade scheduling for Cisco Catalyst Cellular Gateways. |
Before You Begin
To check if there is an in-progress software upgrade workflow:
From the Cisco SD-WAN Manager toolbar, click the Task-list icon. Cisco SD-WAN Manager displays a list of all running tasks along with the total number of successes and failures.
Access the Software Upgrade Workflow
-
In the Cisco SD-WAN Manager menu, click .
Note
In the Cisco vManage Release 20.8.1, the Workflow Library is titled Launch Workflows.
-
Start a new software upgrade workflow:
.OR
Alternatively, resume an in-progress software upgrade workflow:
. -
Follow the on-screen instructions to start a new software upgrade workflow.
Note
Click Exit to exit from an in-progress software upgrade workflow. You can resume the in-progress workflow at your convenience.
![]() Note |
In a multi-node cluster setup, if the control connection switches to a different node during a device upgrade from Cisco SD-WAN Manager, the upgrade may be impacted due to NetConf session timeout. The device then establishes control connection to a different node. You need to re-trigger the upgrade activity. |
Verify the Status of the Software Upgrade Workflow
To check the software upgrade workflow status:
-
From the Cisco SD-WAN Manager toolbar, click the Task-list icon.
Cisco SD-WAN Manager displays a list of all running tasks along with the total number of successes and failures.
-
Click the + icon to view the details of a task.
Cisco SD-WAN Manager opens a pane displaying the status of the task and details of the device on which the task was performed.
ACL Log
Use the ACL Log screen to view logs for access lists (ACLs) configured on a router. Routers collect ACL logs every 10 minutes.
Set ACL Log Filters
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Click the Filter.
-
In the VPN field, choose the entity, for which you are collecting ACL logs, from the drop-down list. You can choose only one VPN.
-
Click Search to search for logs that match the filter criteria.
Cisco SD-WAN Manager displays a log of activities in table format.
Application Performance and Site Monitoring
![]() Note |
To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product. |
Feature Name |
Release Information |
Description |
---|---|---|
Application Performance and Site Monitoring |
Cisco IOS XE Catalyst SD-WAN Release 17.10.1a Cisco vManage Release 20.10.1 |
You can monitor and optimize the application health and performance on all sites or a single site using Cisco SD-WAN Manager. |
Overview of Application Performance and Site Monitoring
The Application Health window displays the following:
-
All applications running in all sites: table view and heat map view.
-
All applications running at a specific site: table view and heat map view.
-
Single application running in all sites: table view and heat map view.
-
Single application running at a specific site: aggregated line chart and per path table view.
Applications Health Metrics
The applications health is calculated as follows:
Health |
QoE |
---|---|
Good |
QoE >= 8 |
Fair |
QoE 5~8 |
Poor |
QoE < 5 |
View Application Health in Table View
The Application Health window displays the following in table view:
-
All applications for all sites: A selected list of applications that are enabled using the performance monitoring feature or the CLI add-on template from all the sites.
-
All applications for a single site: A selected list of applications that are enabled using the performance monitoring feature or the CLI add-on template from a single site.
-
All the sites of a single application: All the sites of a selected application that is enabled using the performance monitoring feature or the CLI add-on template, sorted by the status in the health column.
In the table, the Health column shows the application health. Place the cursor over the icon in the column to display Good, Fair, or Poor health status. The health of the application is measured by QoE.
Click the application name to view further application specific details. For a single application on all sites, click a specific Site ID to navigate to single site monitoring.
Click the toggle button to switch to application heatmap view.
View Application Health in Heatmap View
The Application Health window displays the following in heatmap view:
-
All applications for all sites: A list of all applications health for different time selections.
-
All applications for a single site: A selected list of applications that are enabled using the performance monitoring feature or the CLI add-on template from a single site.
-
All the sites of a single application: A list of sites and health of each site at different time intervals for a single application.
In the heatmap view, the grid of colored squares displays the application health as Good, Fair, or Poor. You can hover over a square or click it to display the additional details of an application at a specific time and click View details to view specific application details. Click the time interval drop-down list to change the time interval.
Click the Toggle button to switch to the application table view.
Configure Application Performance and Site Monitoring Using Cisco Catalyst SD-WAN Manager
You can enable application performance and site monitoring using Cisco SD-WAN Manager by configuring Performance Monitoring under System Profile in a configuration group. Configure the parameters in Application Performance Monitoring tab to enable monitoring. For more information see, Performance Monitoring Feature Configuration.
The application performance and site monitoring feature needs NBAR to be enabled on all LAN interfaces for application recognition.
If Application-Aware Routing (AAR) policy is configured then NBAR is automatically enabled. If AAR policy is not configured, then NBAR must be enabled on all LAN interfaces using a CLI add-on template. Use the ip nbar protocol-discovery configuration to enable NBAR on all LAN interfaces.
All Sites and Single Site View
All Applications All Sites View
The default setting for the applications window is the all sites view. You can view information for all sites by clicking the All Sites button on the top of the page, and clicking the radio button next to All Sites.
The all sites view displays information for all applications of all sites for the last one hour.
In the table, the Health column shows the application health. Place the cursor over the icon in the column to display Good, Fair, or Poor health status. The health of the application is measured by Quality of Experience (QoE).
Click the toggle button to switch to the application heatmap view.
In the heatmap view, the grid of colored squares displays the application health as Good, Fair, or Poor. You can hover over a square or click it to display additional details of an application at a specific time and click View details to view specific application details. Click the time interval drop-down list to change the time interval.
All Applications Single Site View
You can also view the health of all the applications on a single site. To enter single site view, click the All Sites button on the top of the page, and click the radio button next to Single Site to select the site of interest.
Single Application All Site View
For a single application on all sites, click a specific Site ID to navigate to single site monitoring. Click the application name to view further application specific details.
Single Application Single Site View
For a single application on a single site, a line graph shows the application health over a period of time. Select the time from the drop-down list to select 1, 3, 6, 12, or 24 hours. The table displays a list of paths that has processed application traffic over a time period. Select individual paths and view the individual QoE lines on the line graph. At a time five paths can be selected, and five line charts are displayed. You can also drag the top handles to focus on a particular point in time. When you change the time, the table automatically refreshes to show the health information for that time interval.
Change the Device Rollback Timer
By default, when you attach a Cisco IOS XE Catalyst SD-WAN device to a configuration template, if the router is unable to successfully start after 5 minutes, it returns to, or rolls back to, the previous configuration. For a configuration that you have created from the CLI, you can change the device's rollback timer:
-
From the Cisco SD-WAN Manager menu, choose .
-
Click Device Templates, and choose a device template.
Note
In Cisco vManage Release 20.7.x and earlier releases, Device Templates is titled Device.
-
Click …, and click Change Device Values.
The right pane displays the device's configuration, and the Config Preview tab is selected.
-
In the left pane, click the name of a device.
-
Click Configure Device Rollback Timer. The Configure Device Rollback Time pop up page is displayed.
-
From the Devices drop-down list, select a device.
-
To enable the rollback timer, in the Set Rollback slider drag the slider to the left to enable the rollback timer. When you do this, the slider changes in color from gray to green.
-
To disable the rollback timer, click Enable Rollback slider. When you disable the timer, the Password field dialog box appears. Enter the password that you used to log in to Cisco SD-WAN Manager.
-
In the Device Rollback Time slider, drag the slider to the desired value. The default time is 5 minutes. You can configure a time from 6 to 15 minutes.
-
To exclude a device from the rollback timer setting, click Add Exception and select the devices to exclude.
-
The table of the Configure Device Rollback Time dialog box lists all the devices to which you are attaching the template and their rollback time. To delete a configured rollback time, click the Trash icon of the device name.
-
Click Save.
-
Click Configure Devices to push the configuration to the devices. The Status column displays whether the configuration was successfully pushed. Click (+) to display details of the push operation.
Run Site-to-Site Speed Test
Before You Begin
Ensure that Data Stream is enabled under in Cisco SD-WAN Manager.
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.1 and earlier: From the Cisco SD-WAN Manager menu, choose .
-
To choose a device, click the device name in the Hostname column.
-
Click Troubleshooting in the left pane.
-
In the Connectivity area, click Speed Test.
-
Specify the following:
-
Source Circuit: From the drop-down list, choose the color of the tunnel interface on the local device.
-
Destination Device: From the drop-down list, choose the remote device by its device name and system IP address.
-
Destination Circuit: From the drop-down list, choose the color of the tunnel interface on the remote device.
-
-
Click Start Test.
The speed test sends a single packet from the source to the destination and receives the acknowledgment from the destination.
The right pane shows the results of the speed test—circuit speed, download speed, and upload speed between the source and destination. The download speed shows the speed from the destination to the source, and the upload speed shows the speed from the source to the destination in Mbps. The configured downstream and upstream bandwidths for the circuit are also displayed.
When a speed test completes, the test results are added to the table in the lower part of the right pane.
From Cisco vManage Release 20.10.1, the Speed Test option is also accessible as follows:
-
On the … adjacent to the device name and choose Speed Test.
page, click -
On the … adjacent to the application name and choose Speed Test.
page, click -
On the Site Topology page, click a device name, and then click Speed Test in the right navigation pane.
Cluster Management
![]() Note |
To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product. |
Feature Name |
Release Information |
Description |
---|---|---|
Cisco SD-WAN Manager Persona-based Cluster Configuration |
Cisco IOS XE Catalyst SD-WAN Release 17.6.1a Cisco SD-WAN Release 20.6.1 Cisco vManage Release 20.6.1 |
You can add Cisco SD-WAN Manager servers to a cluster by identifying servers based on personas. A persona defines what services run on a server. |
A Cisco SD-WAN Manager cluster consists of at least three Cisco SD-WAN Manager servers. These servers manage the Cisco Catalyst SD-WAN edge devices in a network. Cisco SD-WAN Manager servers in a cluster perform specific functions based on the services that are running on them. In this way, a cluster distributes the workload among Cisco SD-WAN Manager servers while sharing information between these servers. For scaling recommendations, see Server Recommendations for your release in Cisco Catalyst SD-WAN Controller Compatibility Matrix and Server Recommendations.
Use the Cisco SD-WAN Manager cluster and perform related tasks.
window to create aFrom Cisco vManage Release 20.6.1, each Cisco SD-WAN Manager server has a persona. The persona is determined when the Cisco SD-WAN Manager server first boots up after Cisco SD-WAN Manager is installed and defines which services run on the server. The persona of a server lasts for the lifetime of the server and cannot be changed. A server must have a persona before it can be added to a cluster. For more information on personas, see Cisco Catalyst SD-WAN Manager Persona and Storage Device.
The role that a server has in a cluster depends on its persona. A Cisco SD-WAN Manager server can have any of the following personas:
-
Compute+Data: Includes all services that are required for Cisco SD-WAN Manager, including services that are used for the application, statistics, configuration, messaging, and coordination
-
Compute: Includes services that are used for the application, configuration, messaging, and coordination
-
Data: Includes services that are used for the application and statistics
Collect Device Statistics
Enable or disable the collection of statistics for devices in the overlay network. By default, the collection of statistics is enabled for all the devices in the overlay network.
-
From the Cisco SD-WAN Manager menu, choose .
-
To modify the settings for collecting device statistics, click Statistics Setting, and click Edit.
Tip
To view the configured settings, click View.
By default, for every group of statistics (such as Aggregated DPI and AppHosting), collection of statistics is enabled for all devices.
-
To enable the collection of a group of statistics for all devices, click Enable All for the particular group.
-
To disable the collection of a group of statistics for all devices, click Disable All for the particular group.
-
To enable the collection of a group of statistics for all devices only for consumption by Cisco SD-WAN Analytics, click vAnalytics only for the particular group.
-
To enable or disable the collection of a group of statistics for specific devices in the overlay network, click Custom for the particular group.
In the Select Devices dialog box, depending on whether statistics collection is enabled or disabled for a device, the device is listed among Enabled Devices or Disabled Devices respectively.
-
To enable statistics collection for one or more devices, choose the devices from Disabled Devices and move them to Enabled Devices.
Tip
To choose all Disabled Devices, click Select All.
-
To disable statistics collection for one or more devices, choose the devices from Enabled Devices and move them to Disabled Devices.
Tip
To choose all Enabled Devices, click Select All.
-
To save your selections, click Done.
To discard your selections, click Cancel.
-
-
To apply the modified settings, click Save.
To discard your changes, click Cancel.
To revert to the default settings, click Restore Factory Default.
Configure the Time Interval to Collect Device Statistics
-
From the Cisco SD-WAN Manager menu, choose .
-
To modify the time interval at which device statistics are collected, find Statistics Configuration and click Edit.
Tip
To view the configured time interval, click View.
-
Enter the desired Collection Interval in minutes.
-
Default value: 30 minutes
-
Minimum value: 5 minutes
-
Maximum value: 180 minutes
-
-
To apply the modified settings, click Save.
To discard your changes, click Cancel.
To revert to the default settings, click Restore Factory Default.
Create a Custom Banner
To create a custom banner that is displayed after you log in to the Cisco SD-WAN Manager:
-
From Banner, click Edit.
-
In Enable Banner, click Enabled.
-
In Banner Info, enter the text string for the login banner or click Select a File to download a file that contains the text string.
-
Click Save.
Create Customized VNF Image
Before you begin
-
Create a custom VM package along with image properties and bootstrap files (if needed) into a TAR archive file.
-
Tokenize custom variables and apply system variables that are passed with the bootstrap configuration files.
Ensure that the following custom packaging requirements are met:
-
Root disk image for a VNF–qcow2
-
Day-0 configuration files–system and tokenized custom variables
-
VM configuration–CPU, memory, disk, NICs
-
HA mode–If a VNF supports HA, specify Day-0 primary and secondary files, NICs for a HA link.
-
Additional Storage–If more storage is required, specify predefined disks (qcow2), storage volumes (NFVIS layer)
Procedure
Step 1 |
From the Cisco SD-WAN Manager menu, choose . |
|||||||||||||||||||||||||||
Step 2 |
Click Add Custom VNF Package. |
|||||||||||||||||||||||||||
Step 3 |
Configure the VNF with the following VNF package properties and click Save.
|
|||||||||||||||||||||||||||
Step 4 |
To package a VM qcow2 image, click File Upload, and browse to choose a qcow2 image file. |
|||||||||||||||||||||||||||
Step 5 |
To choose a bootstrap configuration file for VNF, if any, click Day 0 Configuration and click File Upload to browse and choose the file.
|
|||||||||||||||||||||||||||
Step 6 |
To add a Day-0 configuration, click Add, and then click Save. The Day-0 configuration appears in the Day 0 Config File table. You can tokenize the bootstrap configuration variables with system and custom variables. To tokenize variables of a Day-0 configuration file, click View Configuration File next to the desired Day-0 configuration file. In the Day 0 configuration file dialog box, perform the following tasks:
|
|||||||||||||||||||||||||||
Step 7 |
To upload extra VM images, expand Advance Options, click Upload Image, and then browse to choose an extra qcow2 image file. Choose the root disk, Ephemeral disk 1, or Ephemeral disk 2, and click Add. The newly added VM image appears in the Upload Image table.
|
|||||||||||||||||||||||||||
Step 8 |
To add the storage information, expand Add Storage, and click Add volume. Provide the following storage information and click Add. The added storage details appear in the Add Storage table.
|
|||||||||||||||||||||||||||
Step 9 |
To add VNF image properties, expand Image Properties and enter the following image information.
|
|||||||||||||||||||||||||||
Step 10 |
To add VM resource requirements, expand Resource Requirements and enter the following information.
|
|||||||||||||||||||||||||||
Step 11 |
To add day-0 configuration drive options, expand Day 0 Configuration Drive options and enter the following information.
|
Customize the Monitor Overview Dashboard
Feature Name |
Release Information |
Description |
---|---|---|
Customizable Monitor Overview Dashboard in Cisco SD-WAN Manager |
Cisco vManage Release 20.9.1 |
You can customize the Monitor Overview dashboard. You can specify which dashlets to view and sort them based on your personal preferences. |
Time Filter in Monitor Overview and Monitor Security Dashboards in Cisco SD-WAN Manager |
Cisco vManage Release 20.10.1 |
You can filter the data on the Monitor Overview and Monitor Security dashboards for a specified time range. |
View Sites in Global Topology View |
Cisco vManage Release 20.11.1 |
You can view all sites or a single site in the global topology view for geographical regions worldwide by clicking the inverted-drop-shaped icon on the Monitor Overview dashboard. |
View Top Alarms |
Cisco vManage Release 20.11.1 | You can view alarm details for a single site on the Monitor Overview dashboard. Click View Details to open the window and view the alarm details. |
View WAN Edge Management |
Cisco vManage Release 20.11.1 |
You can view the WAN Edge Management dashlet on the Monitor Overview dashboard. |
Security Dashboard Enhancements |
Cisco IOS XE Catalyst SD-WAN Release 17.11.1a Cisco vManage Release 20.11.1 |
This feature enhances the security dashboard in Cisco SD-WAN Manager. The security dashboard introduces a Actions drop-down list that enables you to edit the security dashboard, reset the security dashboard, and view the SecureX ribbon in the security dashboard. Additionally, you can access the Cisco Talos portal from Cisco SD-WAN Manager. A hyperlink of the Cisco Talos portal is added to the security dashboard. |
Global Network View with Network-Wide Path Insight Integration |
Cisco Catalyst SD-WAN Manager Release 20.12.1 |
Network-Wide Path Insight is now integrated with the global network view. This feature also introduces enhancements to the geomap view by providing real-time monitoring of the health of each site. Global Topology View is now called as Global Network View in Cisco Catalyst SD-WAN Manager. |
Security Dashboard Enhancements |
Cisco Catalyst SD-WAN Manager Release 20.12.1 |
This feature enhances the security dashboard to provide greater flexibility while troubleshooting security threats down to a device level in Cisco Catalyst SD-WAN. |
Add a Dashlet
-
From the Cisco SD-WAN Manager menu, choose .
-
From the Actions drop-down list, choose Edit Dashboard.
-
Click Add Dashlet.
Note
The Add Dashlet option is available only if additional dashlets are available to be added. It is not available on the default dashboard.
-
Choose the dashlets that you want to add.
-
Click Add.
-
Click Save.
You can customize the following dashlets:
-
Transport Health
-
Site BFD Connectivity
-
Transport Interface Distribution
-
WAN Edge Inventory
-
Application-Aware Routing
Delete a Dashlet
-
From the Cisco SD-WAN Manager menu, choose .
-
From the Actions drop-down list, choose Edit Dashboard.
-
Click the Delete icon adjacent to the corresponding dashlet name.
-
To confirm the deletion of the dashlet, click Yes.
-
Click Save.
Rearrange Dashlets
-
From the Cisco SD-WAN Manager menu, choose .
-
From the Actions drop-down list, choose Edit Dashboard.
-
Drag and drop the dashlets according to your requirements.
-
Click Save.
Filter the Dashboard Data
Minimum release: Cisco vManage Release 20.10.1
You can view the data on the Monitor Overview and Monitor Security dashboards based on a specified time range. A time filter option is available on these dashboards. On the Monitor Overview dashboard, the time filter option is applicable to the following dashlets:
-
Site Health
-
Tunnel Health
-
WAN Edge Health
-
Application Health
-
Transport Health
-
Top Alarms
-
Top Applications
This feature is available in both single-tenant and multitenant deployments. In multitenant deployments, this feature is available only in the tenant dashboard.
Time filter values: 1 hour, 3 hours, 6 hours, 12 hours, 24 hours, 7 days.
Only in the Transport Health dashlet, the data is available up to 7 days. In the Site Health, Tunnel Health, WAN Edge Health, Application Health, and Top Applications dashlets, the data is available up to 24 hours.
Default: 24 hours
To filter the data, do the following:
-
From the Cisco SD-WAN Manager menu, choose or .
-
From the time filter drop-down list, choose a value.
The dashlets display the data based on the chosen time.
You also can apply the time filter at the dashlet level. To do this, click View Details in the corresponding dashlet, and choose a time filter value in the right navigation pane. The time filter value applied at the dashboard level, and not at the dashlet level, is preserved after closing the navigation pane.
Restore Default Settings
-
From the Cisco SD-WAN Manager menu, choose .
-
From the Actions drop-down list, choose Reset to Default View.
-
Click Apply.
Decommission a Cloud Router
Decommissioning a cloud router (such as a Cisco Cloud Services Router 1000V) removes the device's serial number from Cisco SD-WAN Manager and generates a new token for the device. To do so:
-
From the Cisco SD-WAN Manager menu, choose .
-
Click WAN Edge List, and select a cloud router.
-
Click …, and click Decommission WAN Edge.
-
To confirm the decommissioning of the router, click OK.
Delete a Software Image from the Repository
To delete a software image from the Cisco SD-WAN Manager software repository:
Procedure
Step 1 |
From the Cisco SD-WAN Manager menu, choose . |
Step 2 |
For the desired software image, click ... and choose Delete. |
If a software image is being downloaded to a router, you cannot delete the image until the download process completes.
Determine the Status of Network Sites
A site is a particular physical location within the Cisco Catalyst SD-WAN overlay network, such as a branch office, a data center, or a campus. Each site is identified by a unique integer, called a site ID. Each device at a site is identified by the same site ID.
To determine the status of network sites:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Locate the Site BFD Connectivity dashlet, which displays the state of data connections of a site. When a site has multiple edge devices, this dashlet displays the state of the entire site and not for individual devices. The Site BFD Connectivity dashlet displays three states:
-
Full WAN Connectivity: Total number of sites where all BFD sessions on all devices are in the up state.
-
Partial WAN Connectivity: Total number of sites where a TLOC or a tunnel is in the down state. These sites still have limited data plane connectivity.
-
No WAN Connectivity: Total number of sites where all BFD sessions on all devices are in the down state. These sites have no data plane connectivity.
-
-
For the desired row, click ... and choose Device Dashboard, SSH Terminal, or Real Time. You will be redirected to the appropriate window based on your selection.
Enable Reverse Proxy
Feature Name | Release Information | Description |
---|---|---|
Support for Reverse Proxy with Cisco IOS XE Catalyst SD-WAN devices and Cisco Catalyst SD-WAN Multitenancy |
Cisco IOS XE Release 17.6.1a Cisco SD-WAN Release 20.6.1 Cisco vManage Release 20.6.1 |
With this feature, you can deploy a reverse proxy in your overlay network between Cisco IOS XE Catalyst SD-WAN devices and Cisco SD-WAN Manager and Cisco SD-WAN Controllers. Also, this feature enables you to deploy a reverse proxy in both single-tenant and multitenant deployments that include Cisco vEdge devices or Cisco IOS XE Catalyst SD-WAN devices. In a multitenant deployment, the Service Provider manages reverse proxy and the associated configuration. |
In a standard overlay network, Cisco Catalyst SD-WAN edge devices initiate direct connections to the Cisco SD-WAN Controllers (Cisco SD-WAN Manager and Cisco SD-WAN Controllers) and exchange control plane information over these connections. The WAN edge devices are typically located in branch sites and connect to the Cisco SD-WAN Controllers over the internet. As a result, Cisco SD-WAN Manager and Cisco SD-WAN Controllers are also connected directly to the internet.
For security, or other reasons, you may not want the Cisco SD-WAN Controllers to have direct internet connections. In such a scenario, you can deploy a reverse proxy between the Cisco SD-WAN Controllers and the WAN edge devices. The reverse proxy acts as an intermediary to pass control traffic between the Cisco SD-WAN Controllers and the WAN edge devices. Instead of communicating directly with Cisco SD-WAN Manager and the Cisco SD-WAN Controllers, the WAN edge devices communicate with the reverse proxy, and the reverse proxy relays the traffic to and from Cisco SD-WAN Manager and Cisco SD-WAN Controllers.
The following figure illustrates a reverse proxy deployed between a WAN edge device and Cisco SD-WAN Manager and the Cisco SD-WAN Controllers.
![](/c/dam/en/us/td/i/500001-600000/520001-530000/520001-521000/520582.jpg)
You can deploy a reverse proxy in both single-tenant and multi-tenant Cisco Catalyst SD-WAN deployments.
Restrictions for Enabling Reverse Proxy Support
-
In a multitenant Cisco Catalyst SD-WAN overlay network, you can deploy a reverse proxy device with only a three-node Cisco SD-WAN Manager cluster. Deployment of the reverse proxy is only supported with a TLS-based control plane for Cisco SD-WAN Manager and Cisco SD-WAN Controllers.
-
You cannot deploy a reverse proxy with a Cisco vEdge 5000 router.
-
You cannot deploy a reverse proxy with IPv6 control connections.
Provision Certificates on the Reverse Proxy
Before exchanging traffic, the reverse proxy and the WAN edge devices must authenticate each other.
On the reverse proxy you must provision a certificate that is signed by the CA that has signed the certificate of the Cisco SD-WAN Controllers. This certificate is used by the reverse proxy to verify the WAN edge devices.
To generate a Certificate Signing Request (CSR) for the reverse proxy and have it signed by Cisco, do as follows:
-
Run the following command on the reverse proxy:
proxy$ openssl req -new -days 365 -newkey rsa:2048 -nodes -keyout Proxy.key -out Proxy.csr
When prompted, enter values as suggested in the following table:
Property Description Country Name (2 letter code) Any country code.
Example: US
State or Province Name Any state or province.
Example: CA
Locality Name Any locality.
Example: San Jose
Organization Name Use either "vIPtela Inc" or "Viptela LLC".
Starting from Cisco IOS XE Catalyst SD-WAN Release 17.10.1a, you can use "Cisco Systems" string as the Organization Name for enterprise certificates.
Example: Viptela LLC
Organizational Unit Name Use the “organization” name configured on the overlay.
Example: cisco-sdwan-12345
Common Name Host name ending with “.viptela.com”.
Example: proxy.viptela.com
Email Address Use any valid email address.
Example: someone@example.com
-
Get the CSR signed by Cisco.
-
If you use Symantec/Digicert as the CA for the Cisco SD-WAN Controllers, open a case with Cisco TAC to sign the CSR.
-
If you use Cisco Public Key Infrastructure (PKI) as the CA for the Cisco SD-WAN Controllers, submit the CSR on the Cisco Network Plug and Play (PnP) application and retrieve the signed certificate.
-
Enable Reverse Proxy
-
From the Cisco SD-WAN Manager menu, choose .
-
For the Reverse Proxy setting, click Edit.
-
For Enable Reverse Proxy, click Enabled.
-
Click Save.
Configure Reverse Proxy Settings on Cisco SD-WAN Controllers
-
From the Cisco SD-WAN Manager menu, choose .
-
Click Controllers.
-
For the desired Cisco SD-WAN Manager instance or Cisco SD-WAN Controller, click … and click Add Reverse Proxy.
The Add Reverse Proxy dialog box appears.
-
To map a private IP address and port number to a proxy IP address and port number, do as follows:
-
Click Add Reverse Proxy.
-
Enter the following details:
Private IP The private IP address is the IP address of the transport interface in VPN 0. Private Port This is the port used to establish the connections that handle control and traffic in the overlay network. The default port number is 12346. Proxy IP Proxy IP address to which private IP address must be mapped. Proxy Port Proxy port to which the private port must be mapped. -
If the Cisco SD-WAN Manager instance or Cisco SD-WAN Controller has multiple cores, repeat Step 4 a and Step 4 b for each core.
-
-
To delete a private IP address-port number to proxy IP address-port number mapping, find the mapping and click the trash icon.
-
To save the reverse proxy settings, click Add.
To discard the settings, click Cancel.
-
In the Security feature template attached to the Cisco SD-WAN Manager instance or Cisco SD-WAN Controller, choose TLS as the transport protocol.
After you configure reverse proxy settings on a Cisco SD-WAN Manager instance or a Cisco SD-WAN Controller, WAN edge devices in the overlay network are provisioned with a certificate for authentication with the reverse proxy.
-
When a reverse proxy is deployed, Cisco Catalyst SD-WAN Validator shares the details of the reverse proxy with the WAN edge devices.
-
On learning about the reverse proxy, a WAN edge device initiates the installation of a signed certificate from Cisco SD-WAN Manager.
-
After the certificate is installed, the WAN edge device uses the certificate for authentication with the reverse proxy and connects to the reverse proxy.
Disable Reverse Proxy
![]() Note |
Before you disable reverse proxy, delete any private IP address-port number to proxy IP address-port number mappings that you have configured for Cisco SD-WAN Manager instances and Cisco SD-WAN Controller. See Configure Reverse Proxy Settings on Cisco Catalyst SD-WAN Controllers for information about deleting the mappings. |
-
From the Cisco SD-WAN Manager menu, choose .
-
For the Reverse Proxy setting, click Edit.
-
For Enable Reverse Proxy, click Disabled.
-
Click Save.
Monitor Private and Proxy IP Addresses of Cisco SD-WAN Controllers and WAN Edge Devices
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Click on the hostname of a Cisco SD-WAN Manager instance, Cisco SD-WAN Controller, or a WAN edge device.
-
In the left pane, click Real Time.
-
From the Device Options drop-down list, choose Control Connections.
In the table that appears, the entries in the Private IP and Private Port columns are the private IP address and port number of the transport interface in VPN 0. The entries in the Public IP and Public Port columns are the proxy IP address and port number.
Monitor Reverse Proxy Using CLI
Example: Monitor Private and Proxy IP Address and Port Numbers of WAN Edge Devices on Cisco SD-WAN ControllersThe following is a sample output from the execution of the show control connections command on a Cisco SD-WAN Controller. In the command output, for a WAN edge device, the entries in the PEER PRIVATE IP and PEER PRIV PORT columns are the configured TLOC IP address and port number of the WAN edge interface. The entries in the PEER PUBLIC IP and PEER PUB PORT columns are the corresponding IP address and port number of the reverse proxy interface. The same command can also be executed on a Cisco SD-WAN Manager instance to obtain a similar output.
vsmart1# show control connections
PEER PEER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB
INDEX TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT ORGANIZATION REMOTE COLOR STATE UPTIME
-------------------------------------------------------------------------------------------------------------------------------------------------
0 vbond dtls 172.16.1.2 0 0 10.1.1.2 12346 10.1.1.2 12346 EXAMPLE-ORG default up 53:08:18:50
0 vmanage tls 172.16.1.6 1 0 10.2.100.6 45689 10.2.100.6 45689 EXAMPLE-ORG default up 53:08:18:32
1 vedge tls 1.1.100.1 100 1 10.3.1.2 57853 10.2.100.1 53624 EXAMPLE-ORG biz-internet up 53:08:18:44
1 vedge tls 1.1.101.1 101 1 10.4.1.2 55411 10.2.100.1 53622 EXAMPLE-ORG biz-internet up 53:08:18:48
1 vbond dtls 172.16.1.2 0 0 10.1.1.2 12346 10.1.1.2 12346 EXAMPLE-ORG default up 53:08:18:51
vsmart1#
Example: View Mapping of SD-WAN Controller Private IP Address and Port Number to Proxy IP Address and Port Number on Cisco Catalyst SD-WAN ValidatorThe following is a sample output from the execution of the show orchestrator reverse-proxy-mapping command on a Cisco SD-WAN Validator. In the command output, the entries in the PROXY IP and PROXY PORT columns are the proxy IP address and port number. The entries in the PRIVATE IP and PRIVATE PORT columns are the private IP address and port number of the transport interface in VPN 0.
vbond# show orchestrator reverse-proxy-mapping
PRIVATE PROXY
UUID PRIVATE IP PORT PROXY IP PORT
-----------------------------------------------------------------------------
14c35ae4-69e3-41c5-a62f-725c839d25df 10.2.100.4 23456 10.2.1.10 23458
14c35ae4-69e3-41c5-a62f-725c839d25df 10.2.100.4 23556 10.2.1.10 23558
6c63e80a-8175-47de-a455-53a127ee70bd 10.2.100.6 23456 10.2.1.10 23457
6c63e80a-8175-47de-a455-53a127ee70bd 10.2.100.6 23556 10.2.1.10 23557
6c63e80a-8175-47de-a455-53a127ee70bd 10.2.100.6 23656 10.2.1.10 23657
6c63e80a-8175-47de-a455-53a127ee70bd 10.2.100.6 23756 10.2.1.10 23757
6c63e80a-8175-47de-a455-53a127ee70bd 10.2.100.6 23856 10.2.1.10 23857
6c63e80a-8175-47de-a455-53a127ee70bd 10.2.100.6 23956 10.2.1.10 23957
6c63e80a-8175-47de-a455-53a127ee70bd 10.2.100.6 24056 10.2.1.10 24057
6c63e80a-8175-47de-a455-53a127ee70bd 10.2.100.6 24156 10.2.1.10 24157
vbond#
Example: View Mapping of SD-WAN Controller Private IP Address and Port Number to Proxy IP Address and Port Number on a WAN
Edge DeviceThe following is a sample output from the execution of the show sdwan control connections command on a Cisco IOS XE Catalyst SD-WAN device. In the command output, check the entry in the PROXY column for a Cisco SD-WAN Manager instance or a Cisco SD-WAN Controller. If the entry is Yes, the entries in the PEER PUBLIC IP and PEER PUBLIC PORT are the proxy IP address and port number.
Device# show sdwan control connections
PEER PEER CONTROLLER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT ORGANIZATION LOCAL COLOR PROXY STATE UPTIME ID
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart tls 172.16.1.4 1 1 10.2.100.4 23558 10.2.1.10 23558 EXAMPLE-ORG biz-internet Yes up 52:08:44:25 0
vbond dtls 0.0.0.0 0 0 10.1.1.2 12346 10.1.1.2 12346 EXAMPLE-ORG biz-internet - up 52:08:50:47 0
vmanage tls 172.16.1.6 1 0 10.2.100.6 23957 10.2.1.10 23957 EXAMPLE-ORG biz-internet Yes up 66:03:04:50 0
Device#
On a Cisco vEdge device, you can obtain a similar output by executing the command show control connections .
Example: View Signed Certificate Installed on a WAN Edge Device for Authentication with Reverse ProxyThe following is a sample output from the execution of the show sdwan certificate reverse-proxy command on a Cisco IOS XE Catalyst SD-WAN device.
Device# show sdwan certificate reverse-proxy
Reverse proxy certificate
------------------
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, CN = 6c63e80a-8175-47de-a455-53a127ee70bd, O = Viptela
Validity
Not Before: Jun 2 19:31:08 2021 GMT
Not After : May 27 19:31:08 2051 GMT
Subject: C = US, ST = California, CN = C8K-9AE4A5A8-4EB0-E6C1-1761-6E54E4985F78, O = ViptelaClient
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:e2:45:49:53:3a:56:d4:b8:70:59:90:01:fb:b1:
44:e3:73:17:97:a3:e9:b7:55:44:d4:2d:dd:13:4a:
a8:ef:78:14:9d:bd:b5:69:de:c9:31:29:bd:8e:57:
09:f2:02:f8:3d:1d:1e:cb:a3:2e:94:c7:2e:61:ea:
e9:94:3b:28:8d:f7:06:12:56:f3:24:56:8c:4a:e7:
01:b1:2b:1b:cd:85:4f:8d:34:78:78:a1:26:17:2b:
a5:1b:2a:b6:dd:50:51:f8:2b:13:93:cd:a6:fd:f8:
71:95:c4:db:fc:a7:83:05:23:68:61:15:05:cc:aa:
60:af:09:ef:3e:ce:70:4d:dd:50:84:3c:9a:57:ce:
cb:15:84:3e:cd:b2:b6:30:ab:86:68:17:94:fa:9c:
1a:ab:28:96:68:8c:ef:c8:f7:00:8a:7a:01:ca:58:
84:b0:87:af:9a:f6:13:0f:aa:42:db:8b:cc:6e:ba:
c8:c1:48:d2:f4:d8:08:b1:b5:15:ca:36:80:98:47:
32:3a:df:54:35:fe:75:32:23:9f:b5:ed:65:41:99:
50:b9:0f:7a:a2:10:59:12:d8:3e:45:78:cb:dc:2a:
95:f2:72:02:1a:a6:75:06:87:52:4d:01:17:f2:62:
8c:40:ad:29:e4:75:17:04:65:a9:b9:6a:dd:30:95:
34:9b
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
99:40:af:23:bb:cf:7d:59:e9:a5:83:78:37:02:76:83:79:02:
b3:5c:56:e8:c3:aa:fc:78:ef:07:23:f8:14:19:9c:a4:5d:88:
07:4d:6e:b8:0d:b5:af:fa:5c:f9:55:d0:60:94:d9:24:99:5e:
33:06:83:03:c3:73:c1:38:48:45:ba:6a:35:e6:e1:51:0e:92:
c3:a2:4a:a2:e1:2b:da:cd:0c:c3:17:ef:35:52:e1:6a:23:20:
af:99:95:a2:cb:99:a7:94:03:f3:78:99:bc:76:a3:0f:de:04:
7d:35:e1:dc:4d:47:79:f4:c8:4c:19:df:80:4c:4f:15:ab:f1:
61:a2:78:7a:2b:6e:98:f6:7b:8f:d6:55:44:16:79:e3:cd:51:
0e:27:fc:e6:4c:ff:bb:8f:2d:b0:ee:ed:98:63:e9:c9:cf:5f:
d7:b1:dd:7b:19:32:22:94:77:d5:bc:51:85:65:f3:e0:93:c7:
3c:79:fc:34:c7:9f:40:dc:b1:fc:6c:e5:3d:af:2d:77:b7:c3:
88:b3:89:7c:a6:1f:56:35:3b:35:66:0c:c8:05:b5:28:0b:98:
19:c7:b0:8e:dc:b7:3f:9d:c1:bb:69:f0:7d:20:95:b5:d1:f0:
06:35:b7:c4:64:ba:c4:95:31:4a:97:03:0f:04:54:6d:cb:50:
2f:31:02:59
Device#
On a Cisco vEdge device, you can obtain a similar output by executing the command show certificate reverse-proxy .
Enterprise Certificates
In Cisco IOS XE SD-WAN Release 16.11.1 and Cisco SD-WAN Release 19.1, enterprise certificates were introduced. Enterprise certificates replace the controller certificates authorization used previously.
![]() Note |
When using enterprise certificates for Cisco SD-WAN Controllers, ensure that you use root certificates with an RSA key that is at least 2048 bit. |
![]() Note |
For purposes of certificate management, the term controller is used to collectively refer to Cisco SD-WAN Manager, the Cisco Catalyst SD-WAN Controller, and the Cisco Catalyst SD-WAN Validator. |
![]() Note |
For more information about enterprise certificates, see the Cisco Catalyst SD-WAN Controller Certificates and Authorized Serial Number File Prescriptive Deployment Guide. |
Use the Certificates page to manage certificates and authenticate WAN edge and controller devices in the overlay network.
Two components of the Cisco Catalyst SD-WAN solution provide device authentication:
-
Signed certificates are used to authenticate devices in the overlay network. Once authenticated, devices can establish secure sessions between each other. It is from Cisco SD-WAN Manager that you generate these certificates and install them on the controller devices—Cisco SD-WAN Manager, Cisco SD-WAN Validators, and Cisco SD-WAN Controllers.
-
The WAN edge authorized serial number file contains the serial numbers of all valid vEdge and WAN routers in your network. You receive this file from Cisco Catalyst SD-WAN, mark each router as valid or invalid, and then from Cisco SD-WAN Manager, send the file to the controller devices in the network.
Install the certificates and the WAN edge authorized serial number file on the controller devices to allow the Cisco Catalyst SD-WAN overlay network components to validate and authenticate each other and thus to allow the overlay network to become operational.
Generate Admin-Tech Files
Feature Name |
Release Information |
Description |
---|---|---|
Admin-Tech Enhancements |
Cisco IOS XE Catalyst SD-WAN Release 17.2.1r |
This feature enhances the admin-tech file to include show tech-support memory , show policy-firewall stats platform , and show sdwan confd-log netconf-trace commands in the admin-tech logs. The admin-tech tar file includes memory, platform, and operation details. |
Generate System Status Information for a Cisco SD-WAN Manager Cluster Using Admin Tech |
Cisco IOS XE Catalyst SD-WAN Release 17.6.1a Cisco vManage Release 20.6.1 |
You can collect system status information for a Cisco SD-WAN Manager cluster. Prior to this feature, Cisco Catalyst SD-WAN was only able to generate an admin-tech file for a single device. |
View Generated Admin-Tech Files at Any Time |
Cisco IOS XE Catalyst SD-WAN Release 17.6.1a Cisco vManage Release 20.6.1 |
You can view a list of generated admin-tech files and determine which files to copy from your device to Cisco SD-WAN Manager. You can then download the selected admin-tech files to your local device, or delete the downloaded admin-tech files from Cisco SD-WAN Manager, the device, or both. |
Additional Diagnostics Information Added to Admin-Tech File |
Cisco IOS XE Catalyst SD-WAN Release 17.7.1a Cisco vManage Release 20.7.1 |
You can access additional diagnostics information collected from the application server, the configuration database, the statistics database, and other internal services. |
Upload an Admin-Tech File to a TAC Case |
Cisco IOS XE Catalyst SD-WAN Release 17.7.1a Cisco vManage Release 20.7.1 |
You can upload an admin-tech file to a TAC case from Cisco SD-WAN Manager. |
Perform the following steps to generate admin-tech file.
-
From the Cisco SD-WAN Manager menu, choose .
-
Click Generate Admin Tech for vManage to generate an admin-tech file for all the nodes in a Cisco SD-WAN Manager cluster.
-
For a single device, click . . . for the desired device and choose Generate Admin Tech.
-
In the Generate admin-tech File window, limit the contents of the admin-tech tar file if desired:
-
The Include Logs check box is checked by default. Uncheck this check box to omit any log files from the compressed tar file.
Note
The log files are stored in the /var/log/directory on the local device.
-
Check the Include Cores check box to include any core files.
Note
The core files are stored in the /var/crash directory on the local device.
-
Check the Include Tech check box to include any files related to device processes (daemons), memory details and operations.
-
-
Click Generate.
Cisco SD-WAN Manager creates the admin-tech file.
The file name has the format date-time-admin-tech.tar.gz.
![]() Note |
Starting from Cisco vManage Release 20.7.1, the admin-tech file includes additional diagnostics information collected from the application server, the configuration database, the statistics database, and other internal services. |
For more information on admin tech and technical support commands, see request admin-tech and show tech-support.
View Admin-Tech Files
You can perform any of the following operations after the admin-tech file is generated:
-
View the list of the generated admin-tech files.
-
Copy the selected admin-tech files from your device to Cisco SD-WAN Manager.
-
Download the selected admin-tech files to your local device.
-
Delete the selected admin-tech files from Cisco SD-WAN Manager, the device, or both.
-
From the Cisco SD-WAN Manager menu, choose .
-
For the desired device, click . . . and choose View Admin Tech List.
A tar file appears that contains the admin-tech contents of the device that you selected earlier. This file has a name similar to ip-address-hostname-20210602-032523-admin-tech.tar.gz, where the numeric fields are the date and the time.
You can view the list of the generated admin-tech files and decide which files that you want to copy to Cisco SD-WAN Manager.
-
Click the Copy icon to copy the admin-tech file from the device to Cisco SD-WAN Manager.
A hint appears letting you know that the file is being copied from the device to Cisco SD-WAN Manager.
-
After the file is copied from the device to Cisco SD-WAN Manager, you can click the Download icon to download the file to your local device.
You can view the admin-tech file size after the file is copied to Cisco SD-WAN Manager.
-
After the admin-tech file is successfully copied to Cisco SD-WAN Manager, you can click the Delete icon and choose which files to delete from Cisco SD-WAN Manager, the device, or both.
For more information on admin tech and technical support commands, see request admin-tech and show tech-support.
Upload an Admin-Tech File to a TAC Case
From Cisco vManage Release 20.7.1, Cisco IOS XE Catalyst SD-WAN Release 17.7.1a, and Cisco SD-WAN Release 20.7.1, you can upload an admin-tech file directly from Cisco SD-WAN Manager when opening a TAC case.
Before You Begin
Ensure that you have generated admin-tech files from Cisco SD-WAN Manager.
Upload an Admin-Tech File to a TAC Case
Perform the following steps to upload an admin-tech file to a TAC case:
-
From the Cisco SD-WAN Manager menu, choose .
-
After you generate Admin-Tech files, click Show Admin Tech List.
The List of Admin-techs window is displayed.
-
From the list of Admin-tech files, select the admin-tech file and click Upload.
-
In the SR Number and Token fields, enter the details.
-
Choose the VPN from the VPN options. The options are VPN 0 and VPN 512.
-
Click Upload.
The selected admin-tech file is uploaded to the relevant service request.
How to Load a Custom Cisco SD-WAN Manager Application Server Logo
To change the Cisco SD-WAN Manager web application server logo and load a new custom logo, use the request nms application-server update-logo command.
The logo image is located in the upper left corner of all Cisco SD-WAN Manager web application server screens. You can load two files, a larger version, which is displayed on wider browser screens, and a smaller version, which is displayed when the screen size narrows. Both files must be PNG files located on the local device, and both must be 1 MB or smaller in size. For best resolution, it is recommended that the image for the large logo be 180 x 33 pixels, and for the small logo 30 x 33 pixels.
Log In to the Cisco Catalyst SD-WAN Manager Web Application Server
The Cisco SD-WAN Manager runs as a web application server through which you log in to a running Cisco SD-WAN Manager.
In an overlay network with a single Cisco SD-WAN Manager, to log in to the server, use HTTPS, and specify the IP address of the server. Enter a URL in the format https://ip-address:8443, where 8443 is the port number used by Cisco SD-WAN Manager. On the login page, enter a valid username and password, and then click Log In. You have five chances to enter the correct password. After the fifth incorrect attempt, you are locked out of the device, and you must wait for 15 minutes before attempting to log in again.
In an overlay network that has a cluster of Cisco SD-WAN Managers, the cluster allows you to log in to one of the Cisco SD-WAN Managers that is operating in the role of a web application server. Use HTTPS, specifying the IP address of one of the Cisco SD-WAN Managers, in the format https://ip-address:8443. The cluster software load-balances login sessions among the individual Cisco SD-WAN Managers that are acting as web application servers. You cannot control which of the individual Cisco SD-WAN Managers you log in to.
With a Cisco SD-WAN Manager cluster, if you enter invalid login credentials, it might take some time for you to see an invalid login error message, and the amount of time increases as the size of the cluster increases. This delay happens because each Cisco SD-WAN Manager attempts sequentially to validate the credentials. If none of the Cisco SD-WAN Manager servers validate you, only then do you see an invalid login error message.
To determine which Cisco SD-WAN Manager you are logged in to, look in the Cisco SD-WAN Manager toolbar, which is located at the top of the screen. To view more information about this particular Cisco SD-WAN Manager server, enter the name of the server in the Search filter of the .
Cisco vManage Release 20.6.x and earlier: To determine which Cisco SD-WAN Manager you are logged in to, look in the Cisco SD-WAN Manager toolbar, which is located at the top of the screen. To view more information about this particular Cisco SD-WAN Manager server, enter the name of the server in the Search filter of the .
Information about Monitoring Multicloud Services using Cisco vManage
Feature Name | Release Information | Release Information |
---|---|---|
Cisco SD-WAN Manager Support for Monitoring Multicloud Services |
Cisco IOS XE Catalyst SD-WAN Release 17.6.1a Cisco vManage Release 20.6.1 |
You now have four new views on the Cisco SD-WAN Manager UI that enable you to monitor your multicloud network. |
Monitoring MultiCloud Services for Real Time Data in Cisco SD-WAN Manager |
Cisco IOS XE Catalyst SD-WAN Release 17.10.1a Cisco vManage Release 20.10.1 |
This feature provides enhancements to monitoring dashboard for all the Cloud and Interconnect connections. This feature also gives you the flexibility to specify which dashlets to view and sort them based on your preferences. |
This feature enables you to monitor Cisco SD-WAN connectivity to different cloud resources using the Cisco vManage UI. This feature introduces the following views in the UI using which you can visually monitor the approximate geographical locations of Edge devices, cloud types, and information about cloud sites and accounts for different cloud providers:
By default, the Monitor Overview dashboard displays all the available dashlets that help you monitor the different components and services of a Cisco SD-WAN overlay network. The customizable dashboard feature enables you to do the following:
-
Add dashlets
-
Delete dashlets
-
Rearrange dashlets
-
Restore default settings
![]() Note |
Starting from Cisco vManage Release 20.10.1, the Multicloud dashlets on the Monitor Overview dashboard are displayed as soon as the Cloud or Interconnect provider accounts are associated with Cisco vManage. |
Geographical View
The geographical view shows the approximate geographic locations of the Cisco Catalyst 8000V instances in multicloud deployments. The approximate locations are based on the publicly available information from the cloud and interconnect types. The locations are provided for the Google Cloud, AWS, and Azure cloud platforms as well as software-defined cloud interconnects.
To view the geographical locations of multicloud Cisco Catalyst 8000V instances:
-
From the Cisco vManage menu, choose
. -
On the map, click a Cisco Catalyst 8000V instance to see the cloud or interconnect type, site-id, and system-ip of that instance.
Cloud and Interconnect Dashboard
The cloud and interconnect dashboard displays a separate panel for each cloud instance and software-defined cloud interconnect. A pie chart shows the sites that are connected to the cloud or the software-defined cloud interconnect and their reachability. The sites are Cisco Catalyst SD-WAN devices of a particular site-id that have a BFD session to the cloud or interconnect Cisco Catalyst 8000V. Each cloud or interconnect panel also displays the following information:
-
Number of Cisco Catalyst SD-WAN edge devices
-
Registered multicloud accounts
-
Gateways
-
Tags
-
Host VPCs
-
Tunnels
-
VPN connections
To view information on the cloud and interconnect dashboard:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
To view information about the Cisco Catalyst SD-WAN edge devices, click the number of WAN Edges to see information about the Cisco Catalyst SD-WAN edge devices. The window that is displayed shows the health (aggregate of the CPU, memory, and hardware state), BFD status, configuration status, reachability, hostname, system IP, chassis number, cloud or interconnect gateway name, device model and version of the device.
-
From Devices window allows you to choose the fields to be displayed from the available options.
, when you click on the non-zero number of Cloud or Interconnect Edge devices, the page opens. The Filter criteria on the left pane of the -
To view the cloud or software-defined cloud interconnect gateway name, region, account name, health, and description of the all the gateways that are specific to a cloud type, click on the non-zero number of Cloud or Interconnect Gateways.
-
To view the details of Cloud or Interconnect Edge devices, click on the non-zero number of Cloud or Interconnect Edge.
-
To view the Connected Sites health, BFD status and site ID, click on the non-zero number of Connected Sites.
-
Cloud Gateway Summary View
![]() Note |
Geographical locations and traffic statistics are not available when the solution is branch connect-AWS. |
The cloud gateway summary view displays the following information:
-
Cloud type
-
Account name
-
Region
-
Cloud gateway devices
-
Associated branch devices—branch devices that have a BFD session set up with the cloud gateway devices.
-
Associated VPCs and vNETs—VPCs and vNETs that are mapped to a VPN that belongs to the same region as the cloud gateway.
-
Traffic statistics—tunnel statistics from the cloud gateway devices to the workload VPCs. When a device is selected, you can choose to view the following traffic statistics and also for the time duration listed:
-
Kbps
-
Packets
-
Octets
-
Errors
-
Drops
-
Pps
If no device is selected, an aggregation of statistics of all the devices in the cloud gateway is displayed.
-
To go to the cloud gateway summary view:
-
From the Cisco SD-WAN Manager menu, choose .
-
Choose Cloud.
-
In the cloud gateway summary table, click the cloud gateway name for which you want to view the details. You can also view details about the connected sites on this page.
Interconnect Gateway Summary View
The interconnect gateway summary view displays the following information:
-
Cisco Catalyst SD-WAN edge device type
-
Account name
-
Region
-
Interconnect gateway devices
-
Associated branch devices
-
Interconnect connectivity
To go to the interconnect gateway summary view:
-
From the Cisco SD-WAN Manager menu, choose .
-
Choose Interconnect.
-
Click the interconnect gateway name for which you want to view the details.
Manage Data Collection for Cisco Catalyst SD-WAN Telemetry
Feature Name |
Release Information |
Description |
---|---|---|
Manage Data Collection for Cisco Catalyst SD-WAN Telemetry |
Cisco IOS XE Catalyst SD-WAN Release 17.6.1a Cisco SD-WAN Release 20.6.1 Cisco vManage Release 20.6.1 |
This feature allows you to disable data collection for Cisco Catalyst SD-WAN telemetry using Cisco SD-WAN Manager. Data collection for telemetry is enabled by default. |
From Cisco vManage Release 20.6.1, Cisco SD-WAN Manager has a new option to enable or disable data collection for Cisco Catalyst SD-WAN telemetry from . Before this release, the Data Collection section only had the option to enable or disable data collection, and not data collection for Cisco Catalyst SD-WAN telemetry. The two options are described below:
Data Collection: This option is used to establish a connection to Cisco Catalyst SD-WAN Data Collection Service (DCS) hosted on the cloud. The connection from Cisco SD-WAN Manager to DCS is used to collect required data from the controllers and the network, for different features such as Cisco SD-WAN Analytics and Cisco Catalyst SD-WAN telemetry.
SD-WAN Telemetry Data Collection: This option is used to enable or disable telemetry data collection from the controllers and the network. It is enabled by default when Data Collection is enabled for Cisco Catalyst SD-WAN. For Cisco-provided cloud-hosted controllers, this option is enabled at the time of provisioning the controllers. For an on-premises controller, establishing the connection to Cisco Catalyst SD-WAN Data Collection Service (DCS) through the Data Collection setting is a mandatory prerequisite for enabling Cisco Catalyst SD-WAN telemetry.
Manage Service Groups
Feature Name |
Release Information |
Description |
---|---|---|
Support for Cisco VM Image Upload in qcow2 Format |
Cisco IOS XE Catalyst SD-WAN Release 17.7.1a Cisco vManage Release 20.7.1 |
You can now upload a virtual machine image to Cisco SD-WAN Manager in qcow2 format. Earlier, you could upload only a prepackaged image file in tar.gz format. |
Create Service Chain in a Service Group
Feature Name |
Release Information |
Feature Description |
---|---|---|
Monitor Service Chain Health |
Cisco IOS XE Catalyst SD-WAN Release 16.12.1b |
This feature lets you configure periodic checks on the service chain data path and reports the overall status. To enable service chain health monitoring, NFVIS version 3.12.1 or later should be installed on all CSP devices in a cluster. |
Procedure
From the Cisco SD-WAN Manager menu, choose |
Create Custom Service Chain
-
By including extra VNFs or add other VNF types.
-
By creating new VNF sequence that isn’t part of the predefined service chains.
Procedure
Step 1 |
Create a service group and service chains within the service group. See Create Service Chain in a Service Group. |
Step 2 |
In the Add Service Chain dialog box, enter the service chain name, description, bandwidth, input VLAN handoff, output VLAN handoff, monitoring health information of a service chain, and service chain configuration. Click Add. For the service chain configuration, choose Create Custom from the drop-down. An empty service chain in the design view window is available. |
Step 3 |
To add a VNF such as a router, load balancer, firewall, and others, click a VNF icon and drag the icon to its proper location within the service group box. After adding all required VNFs and forming the VNF service chain, configure each of the VNFs. Click a VNF in the service group box. The Configure VNF dialog box appears. Enter the following parameters: |
![]() Note |
You can customize a VNF sequence with only up to four VNFs in a service chain. |
Manage Software Repository
Feature Name |
Release Information |
Description |
---|---|---|
Software Upgrade Using a Remote Server |
Cisco IOS XE Catalyst SD-WAN Release 17.7.1a Cisco vManage Release 20.7.1 |
This feature enables you to register a remote server with Cisco SD-WAN Manager, and add locations of software images on the remote server to the Cisco SD-WAN Manager software repository. When you upgrade device or controller software, the device or controller can download the new software image from the remote server. |
Register Remote Server
Register a remote server with Cisco SD-WAN Manager so that you can add locations of software images on the remote server to the Cisco SD-WAN Manager software repository and upgrade device or controller software using these software images. In multitenant Cisco Catalyst SD-WAN deployment, only the provider can register a remote server and perform software upgrade using images on the remote server.
-
From the Cisco SD-WAN Manager menu, choose .
-
Click Add Remote Server.
-
In the Add Remote Server slide-in page, configure the following:
Server Info -
Server Name: Enter a name for the server.
-
Server IP or DNS Name: Enter the IP address or the DNS name of the server.
-
Protocol: Choose HTTP or FTP.
-
Port: Enter the access port number.
Credentials -
User ID: Enter the user ID required to access the server. The username can contain only the following characters: a-z, 0-9, ., _, and -.
-
Password: Enter the password required to access the server. The password can contain only the following characters: a-z, A-Z, 0-9, _, *, ., +, =, %, and -.
Note
Special characters such as /, ?, :, @, and SPACE, which are used in URLs and are needed for proper parsing of fields so files can be fetched properly with the relevant protocol, are not supported in the username and the password. The use of the valid characters is supported starting from Cisco vManage Release 20.9.1.
Image Info -
Image Location Prefix: Enter the folder path where the uploaded images must be stored
-
VPN: Enter the VPN ID, either the transport VPN, management VPN, or service VPN
-
-
Click Add to add the remote server.
Manage Remote Server
-
From the Cisco SD-WAN Manager menu, choose .
-
For the desired remote server, click …
-
To view the remote server settings, click View Details.
-
To edit the remote server settings, click Edit. Edit any of the following settings as necessary and click Save.
Note
You cannot edit the remote server settings if you have added locations of any software images on the remote server to the Cisco SD-WAN Manager software repository. If you wish to edit the remote server settings, remove the software image entries from the software repository and then edit the settings.
Server Info -
Server Name: Enter a name for the server.
-
Server IP or DNS Name: Enter the IP address or the DNS name of the server.
-
Protocol: Choose HTTP or FTP.
-
Port: Enter the access port number.
Credentials -
User ID: Enter the user ID required to access the server. The username can contain only the following characters: a-z, 0-9, ., _, and -.
-
Password: Enter the password required to access the server. The password can contain only the following characters: a-z, A-Z, 0-9, _, *, ., +, =, %, and -.
Note
Special characters such as /, ?, :, @, and SPACE, which are used in URLs and are needed for proper parsing of fields so files can be fetched properly with the relevant protocol, are not supported in the username and the password. The use of the valid characters is supported starting from Cisco vManage Release 20.9.1.
Image Info -
Image Location Prefix: Enter the folder path where the uploaded images must be stored.
-
VPN: Enter the VPN ID, either the transport VPN, management VPN, or service VPN.
-
-
To delete the remote server, click Remove. Confirm that you wish to remove the remote server in the dialog box.
Note
Before deleting a remote server, remove any entries for software images on the remote server that you have added to the Cisco SD-WAN Manager software repository.
Add Software Images to Repository
Before you begin
Before you can upgrade the software on an edge device, Cisco Catalyst SD-WAN Controller, or Cisco SD-WAN Manager to a new software version, you need to add the software image to the Cisco SD-WAN Manager software repository. The repository allows you to store software images on the local Cisco SD-WAN Manager server and on a remote file server.
The Cisco SD-WAN Manager software repository allows you to store images in three ways:
-
On the local Cisco SD-WAN Manager server, to be downloaded over a control plane connection—Here, the software images are stored on the local Cisco SD-WAN Manager server, and they are downloaded to the Cisco Catalyst SD-WAN devices over a control plane connection. The receiving device generally throttles the amount of data traffic it can receive over a control plane connection, so for large files, the Cisco SD-WAN Manager server might not be able to monitor the software installation on the device even though it is proceeding correctly.
-
On the local Cisco SD-WAN Manager server, to be downloaded over an out-of-band connection—Here, the software images are stored on the local Cisco SD-WAN Manager server, and they are downloaded to the Cisco Catalyst SD-WAN devices over an out-of-band management connection. For this method to work, you specify the IP address of the out-of-band management interface when you copy the images to the software repository. This method is recommended when the software image files are large, because it bypasses any throttling that the device might perform and so the Cisco SD-WAN Manager server is able to monitor the software installation.
-
On a remote server—Here, the software images remain on a remote file server that is reachable through an FTP or HTTP URL. As part of the software upgrade process, the Cisco SD-WAN Manager server sends this URL to the Cisco Catalyst SD-WAN device, which then establishes a connection to the file server over which to download the software images.
Procedure
Step 1 |
From the Cisco SD-WAN Manager menu, choose . |
Step 2 |
Click Add New Software. |
Step 3 |
Choose the location to store the software image: |
View Software Images
From the Cisco SD-WAN Manager menu, choose .
The Software Repository window displays the images avaialable in the repository.
The Software Version column lists the version of the software image, and the Controller Version column lists the version of Cisco SD-WAN Control Components that is equivalent to the software version. The Cisco SD-WAN Control Components version is the minimum supported version. The software image can operate with the listed Cisco SD-WAN Control Components version or with a higher version.
The Software Location column indicates where the software images are stored, either in the repository on the Cisco SD-WAN Manager server, or in a repository in a remote location.
The Available Files column lists the names of the software image files.
The Updated On column shows when the software image was added to the repository.
The ... option for a desired software version provides the option to delete the software image from the repository.
In Cisco vManage Release 20.6.1 and earlier releases, when two or more software images have the same software version but are uploaded with different filenames, the images are listed in a single row. The Available Files column lists the different filenames. This listing scheme is disadvantageous when deleting software images as the delete operation removes all the software images corresponding to a software version.
From Cisco vManage Release 20.7.1, when two or more software images have the same software version but are uploaded with different filenames, each software image is listed in a separate row. This enables you to choose and delete specific software images.
Upload VNF Images
Procedure
Step 1 |
From the Cisco SD-WAN Manager menu, choose . |
||||
Step 2 |
To add a prepackaged VNF image, click Virtual Images, and then click Upload Virtual Image. |
||||
Step 3 |
Choose the location to store the virtual image.
|
View the Status of Network Devices
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Locate the WAN edge router that you want to view the status for. You can either scroll through the list of devices in the device table or enter a keyword in the search bar.
-
Click the relevant WAN edge router under the Hostname column. The System Status screen opens by default.
View VNF Images
Procedure
Step 1 |
From the Cisco SD-WAN Manager menu, choose . |
Step 2 |
Click Virtual Images. |
Step 3 |
To filter the search results, use the filter option in the search bar. The Software Version column provides the version of the software image. The Software Location column indicates where the software images are stored. Software images can be stored either in the repository on the Cisco SD-WAN Manager server or in a repository in a remote location. The Version Type Name column provides the type of firewall. The Available Files column lists the names of the VNF image files. The Update On column displays when the software image was added to the repository. |
Step 4 |
For the desired VNF image, click ... and choose Show Info. |
Delete VNF Images
Procedure
Step 1 |
From the Cisco SD-WAN Manager menu, choose . |
Step 2 |
Click Virtual Images. The images in the repository are displayed in a table. |
Step 3 |
For the desired image, click ... and choose Delete. |
![]() Note |
If you're downloading a VNF image to a device, you can’t delete the VNF image until the download process completes. |
![]() Note |
If the VNF image is referenced by a service chain, it can’t be deleted. |
Software Upgrade
Use the Software Upgrade window to download new software images and to upgrade the software image running on a Cisco Catalyst SD-WAN device.
From a centralized Cisco SD-WAN Manager, you can upgrade the software on Cisco Catalyst SD-WAN devices in the overlay network and reboot them with the new software. You can do this for a single device or for multiple devices simultaneously.
When you upgrade a group of Cisco Catalyst SD-WAN Validator, Cisco Catalyst SD-WAN Controllers, and Cisco IOS XE Catalyst SD-WAN devices or Cisco vEdge devices in either a standalone or Cisco SD-WAN Manager cluster deployment, the software upgrade and reboot is performed first on the Cisco Catalyst SD-WAN Validator, next on the Cisco Catalyst SD-WAN Controller, and finally on the Cisco IOS XE Catalyst SD-WAN devices or Cisco vEdge devices. Up to 40 Cisco IOS XE Catalyst SD-WAN devices or Cisco vEdge devices can be upgraded and rebooted in parallel, depending on CPU resources.
Introduced in the Cisco vManage Release 20.8.1, the software upgrade workflow feature simplifies the software upgrade process for the Cisco Catalyst SD-WAN edge devices through a guided workflow and displays the various device and software upgrade statuses. For more information on creating a Software Upgrade Workflow, see Software Upgrade Workflow.
![]() Note |
|
Monitor Cflowd and SAIE Flows for Cisco IOS XE Catalyst SD-WAN Devices
Feature Name |
Release Information |
Description |
---|---|---|
Flexible NetFlow Support for IPv6 and Cache Size Modification |
Cisco IOS XE Catalyst SD-WAN Release 17.4.1a Cisco vManage Release 20.4.1 |
Configure Cflowd traffic flow monitoring on Cisco IOS XE Catalyst SD-WAN devices. |
Log Packets Dropped by Implicit ACL |
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a Cisco vManage Release 20.5.1 |
To enable logging of dropped packets, check the Implicit ACL Logging check box and to configure how often the packet flows are logged, enter the value in the Log Frequency field. |
Flexible NetFlow Enhancement |
Cisco IOS XE Catalyst SD-WAN Release 17.6.1a Cisco vManage Release 20.6.1 |
Configure Cflowd traffic flow monitoring to collect ToS, sampler ID, and remarked DSCP values in netflow records. |
Flexible NetFlow for VPN0 Interface |
Cisco IOS XE Catalyst SD-WAN Release 17.7.1a Cisco vManage Release 20.7.1 |
Configure this feature using the CLI template and also add-on CLI template. |
Flexible NetFlow Export Spreading |
Cisco IOS XE Catalyst SD-WAN Release 17.9.1a Cisco Catalyst SD-WAN Control Components Release 20.9.x Cisco vManage Release 20.9.1 |
This feature enables export spreading to prevent export storms that occur when a burst of packets are sent to external collector. The export of the previous interval is spread during the current interval to prevent export storms. When NetFlow packets are sent over a low-bandwidth circuit, the export spreading functionality is enabled to avoid packet drops. |
Flexible NetFlow Export of BFD Metrics |
Cisco IOS XE Catalyst SD-WAN Release 17.10.1a Cisco Catalyst SD-WAN Control Components Release 20.10.1 |
With this feature, you can export Bidirectional Forwarding Detection (BFD) metrics to an external collector for generating BFD metrics of loss, latency, and jitter. This feature provides enhanced monitoring and faster collection of network state data. |
Real-Time Device Options for Monitoring Cflowd and SAIE Flows |
Cisco IOS XE Catalyst SD-WAN Release 17.10.1a Cisco vManage Release 20.10.1 |
With this feature, you can apply filters for monitoring specific Cflowd and SD-WAN Application Intelligence Engine (SAIE) applications or application families running within a VPN on the selected Cisco IOS XE Catalyst SD-WAN device. This feature was already available on Cisco vEdge devices and is being extended to Cisco IOS XE Catalyst SD-WAN devices in this release. |
Minimum releases: Cisco IOS XE Catalyst SD-WAN Release 17.10.1a and Cisco vManage Release 20.10.1
For more information on monitoring Cflowd traffic flows, see Traffic Flow Monitoring with Cflowd.
-
From the Cisco SD-WAN Manager menu, choose .
-
Click … adjacent to the Cisco IOS XE Catalyst SD-WAN device name and choose Real Time.
-
From the Device Options drop-down list, choose one of the following options:
-
cFlowd Flows/DPI
-
cFlowd ipv6 Flows/DPI
-
-
Click Show Filters.
You can search for Cflowd flow records based on the selected filters.
Note
The filters are displayed only if you selected one of the Cflowd flows with the DPI device options.
Table 23. Filters for Cflowd with DPI Device Options Field
Description
VPN ID
Enter the VPN ID.
Source IP
Enter the source IPv4 or IPv6 address.
Destination IP
Enter the destination IPv4 or IPv6 address.
Application
Enter the name of the application for which you are configuring Cflowd and SAIE monitoring.
Application Family
Enter the name of the application family for which you are configuring Cflowd and SAIE monitoring.
-
Click Search or Reset All to reset all the search filters.
Monitor Cloud OnRamp Colocation Clusters
Feature Name |
Release Information |
Description |
---|---|---|
Network Assurance –VNFs: Stop/Start/Restart |
Cisco IOS XE Catalyst SD-WAN Release 17.3.1a Cisco vManage Release 20.3.1 |
You can now stop, start, or restart VNFs on Cisco CSP devices from the Colocation Cluster tab. |
Procedure
Step 1 |
From the Cisco SD-WAN Manager menu, choose . Cisco vManage Release 20.6.1 and earlier: From the Cisco SD-WAN Manager menu, choose . |
||
Step 2 |
To monitor clusters, click Colocation Cluster. Cisco vManage Release 20.6.1 and earlier: Click Colocation Clusters. All clusters with relevant information are displayed in a tabular format. Click a cluster name. You can monitor cluster by clicking Config. View and Port Level View.
|
||
Step 3 |
Click Services. Here, you can view the following:
|
||
Step 4 |
Click Network Functions. Here, you can view the following:
|
Monitor Network Performance
Use the Network screens to monitor the health of data tunnels and the availability of network devices and circuits.
Screen Elements
-
Title bar—Includes the title of the screen.
-
Health—Displays latency, loss, and jitter performance.
-
Availability—Displays downtime information for the Cisco Catalyst SD-WAN edge devices and circuits.
![](/c/dam/en/us/td/i/300001-400000/360001-370000/368001-369000/368698.jpg)
Display Network Availability
To display downtime for Cisco Catalyst SD-WAN edge devices and circuit at each site:
-
Select an edge device or circuit view to see the respective downtime.
-
Adjust length of time: Day, Week, Month, or Custom Period.
-
Select Aggregated Downtime by Sites.
-
Click on individual data elements to see downtime information for a specific site.
-
Click a Cisco Catalyst SD-WAN edge device or circuit to display details about that downtime event.
Display Network Health
Use the Network Health screen to monitor the performance of tunnels over time in your overlay network over time.
The tunnel statistics may be displayed in one of three views: by edge device, by tunnel, or by carrier.
To display performance through Cisco Catalyst SD-WAN edge device view:
-
Click vEdge.
-
Select an individual color to filter the view.
-
Select a Cisco vEdge device to display latency, loss, and jitter on all the tunnels on that device.
To display graphs for latency, loss, and jitter on each tunnel in your overlay network:
-
Click Tunnel. Select an individual carrier, color, or both to filter the view.
-
Hover over a point on a line to open a hover box with details for that point in time.
-
Click a local Cisco Catalyst SD-WAN device to display average latency, loss, or jitter on all the tunnels on that device.
-
Click a remote Cisco Catalyst SD-WAN device to display latency, loss, or jitter on the tunnels between two Cisco Catalyst SD-WAN devices.
To display performance by carrier on a geographical map of the overlay network:
-
Click Carrier. Circles on the map represent each carrier. The legend to the right indicates the color of each carrier.
-
Select Latency, Loss, or Jitter to change the data displayed.
-
Click on individual data elements to select specific carriers to view.
-
Hover over a carrier's circle to display a hover box with details for that location.
-
Click a circle on the map to display loss, latency, or jitter of all the tunnels terminating on that location.
-
Click a carrier on the graph to see performance by individual edge devices on that carrier.
Onboard Cisco Catalyst 8000V Edge Software Hosted by a Cloud Service, Using PAYG Licensing
To onboard a Cisco Catalyst 8000V platform hosted by a cloud service, using pay as you go (PAYG) licensing, perform these steps.
You can also use Cisco Cloud onRamp for Multi-Cloud to onboard a Cisco Catalyst 8000V platform using PAYG licensing. For information to integrate public cloud infrastructure into the Cisco Catalyst SD-WAN fabric, see Cloud OnRamp Configuration Guide, Cisco IOS XE Release 17.x.
![]() Note |
This procedure is applicable to Cisco Catalyst 8000V hosted by Amazon Web Services (AWS). |
-
From the Cisco SD-WAN Manager menu, choose , and click Add PAYG WAN Edges.
-
In the Add PAYG WAN Edges dialog box, enter the number of PAYG devices to onboard into Cisco Catalyst SD-WAN, select the Validate check box, and click Add.
The Task View page opens, showing the progress as Cisco SD-WAN Manager creates logical devices.
Note
Validating causes Cisco SD-WAN Manager to publish the list of devices to the Cisco Catalyst SD-WAN Validator and Cisco Catalyst SD-WAN Controller controllers in the network.
-
After the Task View page shows the logical devices have been created successfully, choose to view the new logical devices on the Devices page.
Note
The Chassis Number column shows the unique identifier for each logical device.
-
For the logical devices that you have created, click … and choose Generate Bootstrap Configuration.
-
(Optional) Attach a device template to the logical devices that you have created.
-
In the Generate Bootstrap Configuration dialog box, click Cloud-Init and then click OK.
The Generate Bootstrap Configuration dialog box shows the content of the bootstrap configuration, which includes the UUID of the logical device, and includes the configuration details provided by the device template if you have attached one.
Note
The UUID corresponds to the identifier in the Chassis Number column in the Devices table.
-
There are different methods for loading the bootstrap configuration onto a C8000V instance on a cloud service. The method you use depends on the cloud service. We recommend to click Download in the Generate Bootstrap Configuration dialog box to save a copy of the bootstrap configuration.
-
In the cloud services portal, create a PAYG instance of the Cisco Catalyst 8000V. When configuring the instance, use the bootstrap configuration that you created in Cisco SD-WAN Manager. The details of how to load the Cisco Catalyst SD-WAN bootstrap configuration onto the instance are specific to the cloud services provider.
Note
On AWS, the workflow for bringing up an instance includes a user data step that enables loading the bootstrap configuration.
-
On the cloud service platform, start the Cisco Catalyst 8000V instance using the bootstrap configuration from an earlier step.
When the Cisco Catalyst 8000V instance boots up, it joins the Cisco Catalyst SD-WAN overlay automatically. In Cisco SD-WAN Manager, on the Devices page, this Cisco Catalyst 8000V instance shows a green medal icon in the State column and In Sync in the Device Status column.
Note
On the Devices page, for logical devices that have not joined the Cisco Catalyst SD-WAN overlay, the State column shows a dotted-circle icon.
Reboot a Device
Use the Device Reboot screen to reboot one or more Cisco Catalyst SD-WAN devices.
Reboot Devices
-
From the Cisco SD-WAN Manager menu, choose .
-
Click WAN Edge, Controller, or vManage depending on the device type that you want to reboot..
-
Check the check boxes next to the device or devices that you want to reboot.
-
Click Reboot.
View Active Devices
To view a list of devices on which the reboot operation was performed:
-
From the Cisco SD-WAN Manager toolbar, click the Tasks icon. Cisco SD-WAN Manager displays a list of all running tasks along with the total number of successes and failures.
-
Click a row to see details of a task. Cisco SD-WAN Manager opens a pane displaying the status of the task and details of the device on which the task was performed.
Reload a Security Application
The Reload Services option in the window lets you to recover a security application from an inoperative state. Ensure that you use this service as an initial recovery option. See Determine Security Applications in Inoperative State.
Ensure that a security application has already been installed on the device that you choose to reload services for. To reload one or more security applications:
-
From the Cisco SD-WAN Manager menu, choose .
-
Under WAN Edge, check the check box for the Cisco Catalyst SD-WAN device you want to choose.
-
Click Reload Services.
The Reload Container dialog box appears.
-
If the security application version is correct, check the check box against the version of the security application.
-
Click Reload.
The security application stops, is uninstalled, reinstalled, and restarted.
Reset a Security Application
The Reset Services option in the window enables you to recover a security application from an inoperative state.
Use the Reset Services option when the virtual network configuration of a security application changes, such as, the virtual port group configuration on a device.
-
Ensure that a security application is already been installed on the device that you choose to reset services for.
-
Ensure that the chosen security application is in a running state.
To reset one or more security applications:
-
Click WAN Edge and check against a Cisco Catalyst SD-WAN device to reload the security application.
-
Click Reset Services.
The Reset Container dialog box opens.
-
If the security application version is correct, check the check box against the version of the device.
-
Click Reset.
The security application is stopped, and then restarted.
Determine Security Applications in Inoperative State
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device by clicking its name in the Hostname column.
-
In the left pane, click Real Time.
The real time device information appears in the right pane.
-
From the Device Options drop-down list, choose App Hosting Details.
A table appears with the device-specific application hosting information. In the table, if the state of the device is ACTIVATED, DEPLOYED, or STOPPED, perform a reload or reset operation on the security application.
If the state of the device is RUNNING, the security application is in an operative state.
-
From the Device Options drop-down list, choose Security App Dataplane Global.
A table appears with the device-specific application data plane information. In the table, if the SN Health of the device is yellow or red, perform a reload or reset operation on the security application.
If the SN Health of the device is green, the security application is in an operative state.
Rediscover Network
Use the Rediscover Network window to locate new devices in the overlay network and synchronize them with Cisco SD-WAN Manager.
-
From the Cisco SD-WAN Manager menu, choose .
-
Choose a device or devices by checking the check box next to the device model. To find the device you are looking for scroll through the device table. Alternatively, choose a device group from the Device Groups drop-down list to see devices that belong to a specific device group.
-
To confirm resynchronization of the device data, click Rediscover.
-
In the Rediscover Network dialog box, click Rediscover.
Replace a Cisco IOS XE Catalyst SD-WAN Device
You might replace a Cisco IOS XE Catalyst SD-WAN device if the device has failed completely or when a component of the device, such as one of the power supplies, has failed.
In general terms, to replace one Cisco IOS XE Catalyst SD-WAN device with another, copy the configuration from the device that you are removing to the new device and then add the new device into the network.
A. Copy the configuration from the device that you are replacing
-
From the Cisco SD-WAN Manager menu, choose .
-
In the list of devices, locate the device to be replaced. In the row of the device, click … and choose Running Configuration.
Note
If Cisco SD-WAN Manager cannot reach the device, skip to step 4 for instructions on logging in to the device directly to copy the configuration information.
-
Copy the text of the configuration and paste it into a text editor.
The configuration information is useful especially if you choose the manual deployment method for onboarding the new replacement device.
-
If the device is not reachable by Cisco SD-WAN Manager, log in to the device directly and use the following commands on the device to display the configuration information. Copy the configuration information from the output.
-
Display the running configuration and save the output to a text file.
show running-config | redirect bootflash:sdwan/ios.cli
-
Display the SD-WAN running configuration and save the output to a text file.
show sdwan running-config | redirect bootflash:sdwan/sdwan.cli
-
B. Remove the device from the overlay network
-
From the Cisco SD-WAN Manager menu, choose .
-
In the list of devices, locate the device to be replaced. In the row of the device, in the Validate column, click Invalid, then OK.
Note
This step causes any control connections to the device to be lost.
-
Click Send to Controllers.
-
From the Cisco SD-WAN Manager menu, choose .
-
In the list of devices, locate the device to be replaced. In the row of the device, click … and choose Delete WAN Edge.
C. Add the replacement device to the Cisco SD-WAN Manager inventory
-
Obtain the chassis number and serial number of the replacement device.
Note
You can use the show sdwan certificate serial command on the device to display this information.
-
Add the new device to the inventory using one of the methods described in the Cisco Catalyst SD-WAN Getting Started Guide.
Note
The methods for adding a new device to the inventory are relevant to onboarding devices in general. They are not unique to replacing a device.
D. Apply a device template to the new device, using the same device template that was applied to the device that is being replaced
-
From the Cisco SD-WAN Manager menu, choose .
-
In the row for the template that was used for the device being replaced, click … and choose Export CSV. The CSV file shows the parameters for each device to which the template is attached.
-
Review the exported CSV file.
-
If the new device is identical to the device being replaced, you do not need to update any of the parameters in the CSV file.
-
If the new device is not identical to the device being replaced, then optionally, you can update parameter values in the CSV file to match the new device, as required. For example, if the replacement device uses a different interface numbering, as compared with the device being replaced, you can update the parameter that specifies interface numbering.
-
-
To attach the template to the replacement device, do the following:
-
From the Cisco SD-WAN Manager menu, choose .
-
Click Device Templates.
Note
In Cisco vManage Release 20.7.x and earlier releases, Device Templates is called Device.
-
In the row for the template that was used for the device being replaced, click … and choose Attach Devices.
-
In the Attach Devices window, move the replacement device to the Selected Devices pane and click Attach.
-
Optionally, you can update parameters in the template before applying it to the device, using one of the following methods:
-
In the row of the replacement device, click … and choose Edit Device Template. Edit any parameters, as needed.
-
Upload the CSV file that you downloaded and edited to update the parameters for the replacement device. To upload the CSV file, click Upload (up arrow button) and navigate to the CSV file.
-
-
E. Onboard the new device
Use one of the following methods to onboard the new device.
![]() Note |
The methods for onboarding a new device to the inventory are relevant to onboarding devices in general. They are not unique to replacing a device. |
-
Plug and Play (PnP)
For information, see the Plug and Play Onboarding Workflow section of the Cisco Catalyst SD-WAN Getting Started Guide, and see the Cisco Catalyst SD-WAN: WAN Edge Onboarding guide.
-
Bootstrap
For information, see the Non-PnP Onboarding section of the Cisco Catalyst SD-WAN Getting Started Guide, and see the bootstrap deployment section of the Cisco Catalyst SD-WAN: WAN Edge Onboarding guide.
-
Manual deployment
Note
To configure the new device, you can use the configuration files that you saved earlier in part A.
Note
The manual deployment method requires installing a root certificate authority (CA) for the new device.
For information, see the Cisco Catalyst SD-WAN: WAN Edge Onboarding guide.
For information about installing a root CA, see the Enterprise Certificates section of the Cisco Catalyst SD-WAN Getting Started Guide.
Restore Cisco SD-WAN Manager
This article describes how to restore the vManage NMS in case the server on which the vManage NMS virtual machine (VM) is running fails. This article provides procedures for restoring a vManage NMS using two different VMware interfaces, vSphere Client and vSphere Web Client.
![]() Caution |
When you restore vManage, any vManage certificates are reset to their original state. Any changes to the certificates are lost as a result of restoring vManage; and you would have to reconfigure any certificates that you had customized earlier. |
The vManage NMS database is the repository for the overlay network device configurations, events, alarms, and monitoring information. The vManage NMS database is stored on a separate virtual hard disk on the vManage NMS server; specifically, it is stored on hard disk 2. Hard disk 1 contains the Viptela operating system software.
We recommend that you set up periodic crash-consistent backups of the vManage NMS database. (In a crash-consistent backup, all the VM's data are captured at exactly the same time.) Then, if the vManage NMS server fails, you simply create a new vManage NMS instance and attach the vManage NMS database backup to that instance.
The procedures in this article each encompass both of the following scenarios:
-
If you have a backup of the vManage NMS database, you create a new vManage NMS and attach the disk that contains your backup database.
-
If you do not have a backup of the vManage database, you create a new vManage NMS and create a new virtual hard disk for the database.
Restore vManage NMS Using vSphere Client
-
Create a vManage VM instance. See Launch vSphere Client and Create a vManage VM Instance, in Create a vManage VM Instance .
-
In the left navigation bar of the vSphere Client screen, select the vManage VM instance you just created, and click Edit virtual machine settings. -
Click Add to add a new virtual disk, and click OK.
- If you have a backup of the vManage NMS database, complete the following steps:
-
In the Select a disk screen, select Use an existing virtual disk, and click Next. -
Click Browse. -
Navigate to the location of your backup database, and click OK. -
In the Select Existing Disk screen, click Next.
-
- If you do not have an existing vManage NMS database, you must create a new virtual disk for the vManage database:
-
In the Select a Disk screen, select Create a new virtual disk and click Next.
-
Enter a disk capacity for the vManage database of 100 GB, and click Next.
-
-
In the Advanced Options screen, select IDE for the virtual device node, and click Next. -
Click Finish. -
To verify that the new disk has been created, in the vManage Virtual Machine Properties screen, select the Hardware tab. Hard disk 2—the virtual disk that stores the vManage database—is shown in the hardware list. -
In the left navigation bar of the vSphere Client, select the vManage VM instance you just created, and click Power on the virtual machine. -
Select the Console tab to connect to the vManage console. The vManage console is displayed. -
At the vManage login prompt, log in with the default username, which is admin, and the default password, which is admin. The system prompts you to select the storage device to use.
-
Select the appropriate storage device.
- In response to the question
:Would you like to format x?
-
If you attached an existing disk with a backup of the vManage database, type n. -
If you created a new virtual disk for the vManage database, type y.
-
-
Configure the vManage NMS. See vManage NMS Initial Configuration .
-
Generate a certificate for the new vManage NMS. See Generate vManage Certificate .
-
Add the serial number of the new vManage NMS to all the vBond orchestrators in the overlay network, as described later in this article.
Restore vManage NMS Using vSphere Web Client
-
Create a vManage VM instance. See Launch vSphere Client and Create a vManage VM Instance, in Create a vManage VM Instance .
-
Log in to the vSphere Web Client.
-
Select the VM instance for your vManage NMS. -
Click the Manage tab, and click Edit. The Edit Settings screen is displayed with the Virtual Hardware tab selected.
- If you have a backup of the vManage NMS database, attach it to the new vManage VM. If you do not have a backup database, skip
to step 6 and create a new virtual disk for the database.
-
In the New device field at the bottom of the screen, click Select. A pop-up menu opens. -
From the pop-up menu, select Existing Hard Disk. The Select File window is displayed.
-
In the Select File window, under Datastores, navigate to and select the appropriate .vmdk file, and click OK.
-
- If you do not have an existing vManage NMS database, create a new virtual disk for the vManage NMS database:
-
In the New device field at the bottom of the screen, click Select. A pop-up menu opens.
-
From the pop-up menu, select New Hard Disk. -
In the New Hard Disk field, enter a size for the new virtual disk of 100 GB. -
Click OK.
-
-
From the New Hard Disk section, under Virtual Device Node, select IDE 1, and click OK.
![](/c/dam/en/us/td/i/300001-400000/360001-370000/368001-369000/368982.jpg)
-
From the vSphere Web Client Navigator, select the datacenter that is hosting the VM and then select Open Console from the menu. The vManage console is displayed.
-
At the vManage login prompt, log in with the default username, which is admin, and the default password, which is admin. The system prompts you to select the storage device to use.
-
Select the appropriate storage device:
- In response to the question
:Would you like to format x?
-
If you attached an existing disk with a backup of the vManage database, type n. -
If you created a new virtual disk for the vManage database, type yto reformat the disk.
-
-
Configure the vManage NMS. See vManage NMS Initial Configuration .
-
Generate a certificate for the new vManage NMS. See Generate vManage Certificate .
-
Add the serial number of the new vManage NMS to all the vBond orchestrators in the overlay network, as described below.
Add vManage NMS Serial Number to vBond Orchestrators
When you generate a certificate for a new vManage NMS with a new database, the serial number from the certificate is automatically sent to the vBond orchestrators. However, when you create a new vManage NMS and attach an existing database, you must manually send the new serial number to each vBond orchestrator to overwrite the serial number of the previous vManage NMS.
If you have the management IP address for the vBond orchestrator, you can use vManage NMS to send the serial number to each vBond orchestrator. Otherwise, you must use the CLI.
If you have the management IP address for the vBond orchestrator:
-
From the Cisco vManage menu, choose
. -
Click Controllers.
-
Choose the desired Cisco vBond orchestrator.
-
For the desired Cisco vBond orchestrator, click ... and choose Edit.
-
Enter the management IP address, username, and password for the vBond orchestrator.
-
Click Save.
-
From the Cisco vManage menu, choose
. -
In the Certificates window, click Controllers.
-
Click Send to vBond to send the new Cisco vManage certificate to the Cisco vBond orchestrator.
If you do not have the management IP address for the vBond orchestrator:
-
Find the serial number for the new vManage NMS:
-
From the Cisco vManage menu, choose
. -
In the Certificates window, click Controllers.
-
Choose the Cisco vManage instance and make a note of the serial number that is displayed in the Certificate Serial column.
-
-
From the Cisco vManage menu, choose
. -
Choose the desired Cisco vBond orchestrator instance in the left pane, and enter the user name and password to log in to it.
-
Enter the following command to send the certificate serial number for the new Cisco vManage instance to the Cisco vBond orchestrator, where number is the serial number that you noted in Step 1:
request vsmart add serial-num number
Restrict Network Access for a Device
Feature Name |
Release Information |
Description |
---|---|---|
Geofencing |
Cisco IOS XE Catalyst SD-WAN Release 17.6.1a Cisco vManage Release 20.6.1 |
If the location of the device goes beyond its geographical boundary, you can restrict network access to the device using Cisco SD-WAN Manager operational commands. For more information, see the Cisco Catalyst SD-WAN Monitor and Maintain Configuration Guide. |
Added Support for Configuring Geofencing Using a Cisco System Feature Template |
Cisco IOS XE Catalyst SD-WAN Release 17.7.1a Cisco vManage Release 20.7.1 |
You can configure the geographical boundary of a device using a Cisco System feature template. |
Added Support for LTE Advanced NIM Modules |
Cisco IOS XE Catalyst SD-WAN Release 17.8.1a |
Added support for Long-Term Evolution (LTE) Advanced Network Interface Modules (NIMs) for Cisco ISR 4000 routers. |
Make Your Device Invalid
You can make your device invalid should your device go beyond its target location.
-
From the Cisco Catalyst SD-WAN menu, choose .
-
For the desired device, click … and choose Make Device Invalid.
-
Confirm that you want to make the device invalid and click OK.
Bring Your Device Back to Valid State
-
From the Cisco Catalyst SD-WAN menu, choose .
-
Choose the invalid device and look for the Validate column.
-
Click Valid.
-
Click Send to Controllers to complete the action.
Stop Data Traffic
You can stop data traffic to your device should your device exceed its target location.
-
From the Cisco Catalyst SD-WAN menu, choose .
-
For the desired device, click … and choose Stop Traffic.
-
Confirm that you want to stop data traffic to your device and click OK.
Perform a Factory Reset
If your device is outside its target boundary, you may need to perform a factory reset of your device.
![]() Note |
The Factory Reset operational command is supported only for Cisco ISR 1000 series and Catalyst 8K devices. |
For more information on geofencing, see the Cisco IOS XE Catalyst SD-WAN Systems and Interfaces Configuration Guide.
-
From the Cisco Catalyst SD-WAN menu, choose .
-
For the desired device, click … and choose Factory Reset.
-
Choose one of the following options:
-
Retain License: Wipes all the device settings and partitions except for licenses. Retain License is a sub option to the factory-reset option.
-
Full Wipe factory-reset: Wipes all the device settings and partitions.
Note
After a full-wipe operation, the device can only be booted up using a USB or TFTP.
-
-
Click Reset.
Run a Report
Feature Name |
Release Information |
Description |
---|---|---|
Reports |
Cisco vManage Release 20.10.1 Cisco IOS XE Catalyst SD-WAN Release 17.10.1a |
You can schedule a report, download it as a PDF document, and receive it as an email. The Reports menu has been added to Cisco SD-WAN Manager. |
Before You Begin
Ensure that the email settings are configured in Cisco SD-WAN Manager for scheduling reports. This step is required only if you want to schedule the report to be emailed.
Configure Email Settings
-
From the Cisco SD-WAN Manager menu, choose .
-
Click Edit adjacent to the Alarm Notifications option.
-
Click Enabled.
-
Check the Email Settings check box.
-
Choose the security level for sending the email notifications. The security level can be None, SSL, or TLS.
-
In the SMTP Server field, enter the name or the IP address of the SMTP server to receive the email notifications.
-
In the SMTP Port field, enter the SMTP port number. For no security, the default port is 25; for SSL it is 465; and for TLS it is 587.
-
In the From address field, enter the full email address to include as the sender in email notifications.
-
In the Reply to address field, enter the full email address to include in the Reply-To field of the email. This address can be a no-reply address, such as noreply@cisco.com.
-
Check the Use SMTP Authentication check box to enable SMTP authentication to the SMTP server.
Enter the username and password to use for SMTP authentication. The default user email suffix is appended to the username. The password that you type is hidden.
-
Click Save.
Run a Report
-
From the Cisco SD-WAN Manager menu, choose Reports.
-
Click Report Templates.
Note
In the Executive Summary Report section, click the header to view a sample report. Use the scroll bar to review the entire report. The following data is presented:-
Data metrics and summaries
-
Graphical representation of the data (including heat maps, pie charts, and bar charts)
-
-
In the Executive Summary Report section, click Create Report to configure parameters to build a report.
Field
Description
Enter Report Name
Enter a name for the report
Site
Click Edit adjacent to this field, and choose the sites for which you want to generate the report.
Time Frame
Choose the time range for which you want to generate the report.
Values: 7 Days, 30 days
Default: 30 days
Email Report
Check this check box if you want to schedule the report to be emailed.
Enter Email
Enter up to a maximum of five email addresses. Schedule
Click one of the schedule options.
Values: Run Now, Run Later (One-Time), Run Recurring
-
If you click Run Later (One-Time), enter the Start Date and Start Time.
-
If you click Run Recurring, choose the frequency from the Repeats drop-down list, and enter the Start Date and Start Time.
-
-
Click Create Report.
Run a Traceroute
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.1 and earlier: From the Cisco SD-WAN Manager menu, choose .
-
To choose a device, click the device name in the Hostname column.
-
Click Troubleshooting in the left pane.
-
In the Connectivity area, click Trace Route.
-
In the Destination IP field, enter the IP address of the corresponding device in the network.
-
From the VPN drop-down list, choose a VPN to use to reach the device.
-
From the Source/Interface for VPN drop-down list, choose the interface to use to send the traceroute probe packets.
-
Click Advanced Options.
-
In the Size field, enter the size of the traceroute probe packets, in bytes.
-
Click Start to trigger a traceroute to the requested destination.
The lower part of the right pane displays the following information:
-
Raw output of the path the traceroute probe packets take to reach the destination.
-
Graphical depiction of the path the traceroute probe packets take to reach the destination.
From Cisco vManage Release 20.10.1, the Trace Route option can be accessed using one of these methods:
-
Choose … adjacent to the device name, and choose Trace Route.
, click -
In the Site Topology page, click a device or tunnel name, and then click Trace Route in the right navigation pane.
Security Monitoring
Feature Name |
Release Information |
Description |
---|---|---|
Enhanced Security Monitoring on Cisco Catalyst SD-WAN |
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a Cisco vManage Release 20.5.1 |
You can view traffic, CPU, memory usage, health and reachability of UTD. |
View Traffic, CPU, and Memory Usage
-
From the Cisco SD-WAN Manager page, select the device.
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager page, select the device.
-
Under Security Monitoring in the left pane, select one of the UTD features Intrusion Prevention, URL Filtering, and so on.
-
By default, the traffic counter graph is displayed.
You can also customize the time range to see traffic usage for specific time ranges such as Real Time, 1h, 3h or even specify a Custom time range. By default, a time range of 24h is displayed. The time range cannot be more than 365 days.
-
To view CPU or memory usage, do the following:
-
To view CPU usage, click UTD Stats: CPU Usage.
-
To view memory usage, click UTD Stats: Memory Usage.
-
View the Health and Reachability of UTD
-
From the Cisco SD-WAN Manager page, select the device.
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager page, select the device.
-
Under Security Monitoring in the left pane, select one of the UTD features such as Intrusion Prevention, URL Filtering, and so on.
-
For all features, the health of UTD is displayed as one of the following:
-
Down: For example: UTD is not configured.
-
Green: UTD is healthy.
-
Yellow: For example: High memory usage.
-
Red: For example: One or more Snort instances are down.
If you configured UTD on the device and the status is not green, contact Cisco TAC for assistance.
-
-
Depending on the UTD feature that you choose, the following additional information is displayed:
UTD Feature
Status
Intrusion Prevention
Package Version
IPS Last Updated
Reason for last update status
URL Filtering
Cloud Reachability
Advanced Malware Protection
AMP Cloud Reachability Status
TG Cloud Reachability Status
Umbrella DNS Redirect
Umbrella Registered VPNs
DNSCrypt
SSH Terminal
Use the SSH Terminal screen to establish an SSH session to a router. From an SSH session, you can issue CLI commands on a router.
Establish an SSH Session to a Device
To establish an SSH session to a device:
-
From the Cisco SD-WAN Manager menu, choose .
-
Select the device on which you wish to collect statistics:
-
Select the device group to which the device belongs.
-
If needed, sort the device list by its status, hostname, system IP, site ID, or device type.
-
Click the device to select it.
-
-
Enter the username and password to log in to the device.
You can now issue CLI commands to monitor or configure the device.
Upgrade Cisco Catalyst SD-WAN Manager Cluster
Feature Name |
Release Information |
Description |
---|---|---|
Cisco SD-WAN Manager Cluster Upgrade |
Cisco IOS XE Catalyst SD-WAN Release 17.3.1a Cisco vManage Release 20.3.1 |
This feature outlines the upgrade procedure for Cisco vManage servers in a cluster to Cisco vManage Release 20.3.1. To upgrade Cisco vManage nodes in a Cluster, use the screen. |
This section describes how to upgrade Cisco SD-WAN Manager in a cluster.
You can upgrade directly from Cisco vManage 20.3.1 or later releases to Cisco vManage Release 20.6.1. To upgrade from earlier releases, first upgrade to Cisco vManage 20.4.2 or Cisco vManage Release 20.5.1.
If you are upgrading a Cisco SD-WAN Manager cluster deployment from Cisco vManage Release 20.3.1 or later to Cisco vManage Release 20.5.1 or later, you must do it through the CLI.
Before You Begin
Before you upgrade Cisco SD-WAN Manager nodes to Cisco vManage Release 20.6.1 or later releases, verify the following:
-
Ensure that the internal user account vmanage-admin is not locked for any server that you are upgrading.
You can check the status of this admin account by pushing a template to the devices that are connected to the server. The push fails if the account is locked. In such a scenario, you can unlock the account by using the request aaa unlock-user vmanage-admin command.
-
Ensure that PKI keys have been exchanged between the servers that you are upgrading.
To do so, ensure that the control connections are in the UP state on the servers and restart the application server.
-
Ensure that the out-of-band IP address of each server is reachable.
-
Ensure that the Cisco SD-WAN Manager UI is accessible on all servers in the cluster.
-
Ensure that DCA is running on all nodes in the cluster.
To do so, use the request nms data-collection-agent status command and ensure that the status value shows running for each node.
To start DCA, if needed, use the request nms data-collection-agent start command.
![]() Note |
If these prerequisites are not met or if another error occurs during the upgrade, the activation of the image fails and a file named upgrade-context.json is created in the /opt/data/extra-packages/image-version folder on each node in the cluster. You can provide this file to your Cisco representative for assistance with resolving the issue. |
If you are upgrading to Cisco vManage Release 20.6.1 or later releases from a six-node Cisco SD-WAN Manager cluster deployment in which not all services are running on all nodes, contact your Cisco support representative before performing the upgrade.
-
Take snapshots of all the Cisco SD-WAN Manager servers. Take a backup of the configuration database and save it in a location outside of the Cisco SD-WAN Manager server using the following command:
request nms configuration-db backup path path_and_filename
-
Ensure that Cisco vManage Release 18.3 or later is installed.
-
For upgrades from Cisco vManage Release 20.3.1 or later, copy the current image to each Cisco SD-WAN Manager server in the cluster and install the image on each Cisco SD-WAN Manager server by using the following command. Do not activate the image at this time.
request software install path
-
For upgrades from Cisco vManage Release 20.3.1 or later, activate the current image on each Cisco SD-WAN Manager server using the following command. All servers reboot simultaneously.
request software activate version
-
You must upgrade the configuration database when upgrading from one of the following:
-
Cisco SD-WAN Manager Release 18.4.x or 19.2.x to Cisco SD-WAN Manager 20.3.x or 20.4.x
-
Cisco SD-WAN Manager Release 20.3.x or 20.4.x to Cisco SD-WAN Manager Release 20.5.x or 20.6.x
-
Any Cisco SD-WAN Manager release to Cisco vManage Release 20.10.1 or later
Note
-
Starting from Cisco vManage Release 20.1.1, before upgrading the configuration database, ensure that you verify the database size. We recommend that the database size is less than or equal to 5 GB. To verify the database size, use the following diagnostic command:
request nms configuration-db diagnostics
-
When you upgrade the configuration database, ensure that you have activated the current image on each Cisco SD-WAN Manager server in the cluster as described in the previous step. In addition, ensure that all services except the application server and configuration-db services are running on these servers by entering the request nms all status command on each server.
To upgrade the configuration database, do the following:
-
To determine which node to upgrade, enter the request nms configuration-db status command on each node. In the output look for the following:
Enabled: true Status: not running
Note
After activating a new image on a Cisco SD-WAN Manager host server, the server reboots. After the reboot, for approximately 30 minutes, the output of the request nms configuration-db status command shows Enabled: false even on a node that has the configuration database enabled, while NMS services are being migrated to a containerized form.
-
On the node to upgrade, as determined in the previous step, enter the following:
request nms configuration-db upgrade
Note
-
Enter this command on one node only.
-
Do not enter this command if you are upgrading from Cisco vManage Release 20.5.x to Cisco vManage Release 20.6.1 or later.
-
-
-
Enter your login credentials, if prompted. Login credentials are prompted in releases earlier than Cisco vManage Release 20.3.1 if all the Cisco SD-WAN Manager servers establish control connection with each other. After a successful upgrade, all the configuration database services are UP across the cluster, and the application server is started.
You can check the database upgrade logs at the following location: vmanage-server:/var/log/nms/neo4j-upgrade.log.
For information about how to upgrade Cisco SD-WAN Manager clusters by using the Cisco SD-WAN Manager GUI, see the Upgrade the Software Image on a Device section in Cisco Catalyst SD-WAN Monitor and Maintain Configuration Guide.
View Application Health Dashlet
Minimum supported release: Cisco vManage Release 20.10.1
You can view a summary of the health of all applications on the Application Health dashlet on Monitor Overview dashboard.
You can view the usage of applications across all sites in a graphical format. The graph indicates whether the application performance is Good, Fair, or Poor based on the application Quality of Experience (QoE).
Starting from Cisco Catalyst SD-WAN Manager Release 20.12.1, a bar graph displays the application bandwidth usage information and changes in bandwidth from the last time period for each application. You can filter the applications based on the health status using the drop-down list for Good Performing Applications, Fair Performing Applications, and Poor Performing Applications.
Click View Details to open the Monitor > Applications window.
View Admin-Tech Files
You can perform any of the following operations after the admin-tech file is generated:
-
View the list of the generated admin-tech files.
-
Copy the selected admin-tech files from your device to Cisco SD-WAN Manager.
-
Download the selected admin-tech files to your local device.
-
Delete the selected admin-tech files from Cisco SD-WAN Manager, the device, or both.
-
From the Cisco SD-WAN Manager menu, choose .
-
For the desired device, click . . . and choose View Admin Tech List.
A tar file appears that contains the admin-tech contents of the device that you selected earlier. This file has a name similar to ip-address-hostname-20210602-032523-admin-tech.tar.gz, where the numeric fields are the date and the time.
You can view the list of the generated admin-tech files and decide which files that you want to copy to Cisco SD-WAN Manager.
-
Click the Copy icon to copy the admin-tech file from the device to Cisco SD-WAN Manager.
A hint appears letting you know that the file is being copied from the device to Cisco SD-WAN Manager.
-
After the file is copied from the device to Cisco SD-WAN Manager, you can click the Download icon to download the file to your local device.
You can view the admin-tech file size after the file is copied to Cisco SD-WAN Manager.
-
After the admin-tech file is successfully copied to Cisco SD-WAN Manager, you can click the Delete icon and choose which files to delete from Cisco SD-WAN Manager, the device, or both.
For more information on admin tech and technical support commands, see request admin-tech and show tech-support.
View Device Interfaces
To view information about interfaces on a device:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device by clicking its name in the Hostname column.
-
Click Interface in the left pane. The right pane displays interface information for the device.
The upper part of the right pane contains:
-
Chart Options bar—Located directly under the device name, this bar includes:
-
Chart Options drop-down—Click Chart Options to choose how the data should be displayed.
-
IPv4 & IPv6 drop-down—Click IPv4 & IPv6 to choose the type of interfaces to view. The information is displayed in graphical format. By default, the graph is Combined, showing interfaces on which both IPv4 and IPv6 addresses are configured. To view IPv4 and IPv6 interfaces in separate graphs, select the Separated toggle button.
-
Time periods—Click either Real Time, a predefined time period, or a custom time period for which to view the data.
-
-
Interface information in graphical format.
-
Interface graph legend—Choose an interface to display information for just that interface.
The lower part of the right pane contains:
-
Filter criteria.
-
Interface table, which lists information about all interfaces. By default, the first six interfaces are displayed. The graphical display in the upper part of the right pane plots information for the selected interfaces.
-
Check the check box to the left to select and deselect interfaces. You can select and view information for a maximum of 30 interfaces at a time.
-
To rearrange the columns, drag the column title to the desired position.
-
For cellular interfaces, click the interface name to view a detailed information about the cellular interface.
-
To view interface status and interface statistics, see show interface and show interface statistics.
View Device Status in the Overlay Network
You have the following options to view the status of a device in the overlay network.
Use the Dashboard Screen
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
For releases before Cisco vManage Release 20.6.1, click the upward or downward arrow next to WAN Edge.
For Cisco vManage Release 20.6.1 and later, click the number representing the number of WAN Edge devices.
-
To know the status of the WAN edge device, see the Reachability column in the dialog box that opens.
Use the Geography Screen
-
From the Cisco SD-WAN Manager menu, choose .
-
Click Filter and choose WAN Edge under Types.
-
Click the router icon to check its status.
Use the Network Screen
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Locate the WAN edge router that you want to view the status for. You can either scroll through the list of devices in the device table or enter a keyword in the search bar.
-
Click the relevant WAN edge router under the Hostname column. The System Status screen opens by default.
View the Geographic Location of Your Devices
Use the Geography window in Cisco SD-WAN Manager to view information about the Cisco Catalyst SD-WAN devices and links in the overlay network. The Geography window provides a map displaying the geographic location of the devices in the overlay network.
![]() Note |
The browser on which you are running Cisco SD-WAN Manager must have internet access. If you do not have internet access, ensure that the browser has access to "*.openstreetmaps.org." |
To view the geographic location of the devices in the overlay network:
-
From the VPN Group list, choose a VPN group.
-
From the VPN Segment list, choose a VPN segment.
-
Set filters.
Set Map Filters
To select the devices and links you want to display on the map:
-
From the Cisco SD-WAN Manager menu, choose .
-
Click Filter.
-
From the options that display, choose the device group. By default, the group All is selected and displays all devices in the overlay network. The group No Groups displays devices that are not part of a device group. If all devices are in a group, the No Groups option is not displayed.
-
Choose the devices you want to view. By default, the map displays all device types including edge devices, Cisco SD-WAN Validator, Cisco SD-WAN Controller, and Cisco SD-WAN Manager.
-
Choose the state of control and data links. By default, the map displays all control and data connections.
-
Close the Filter box by moving the cursor outside the box.
The map dynamically updates to display your selections.
View Device Information
To view basic information for a device, hover over the device icon. A pop-up box displays the system IP, hostname, site ID, device type, and device status.
To view detailed information for a device, double-click the device icon. Click Device Dashboard, Device Details, SSH Terminal, Site Topology, or Links to view more details for the device.
Note the following about links:
-
A thin blue line displays an active control connection between two devices.
-
A bold blue line displays multiple active connections between devices.
-
A dotted red line displays a control connection that is down.
-
A bold dotted red line displays multiple control connections that are down.
-
A thin green line displays an active data connection between two devices.
-
A bold green line displays multiple active data connections.
-
A dotted red line displays a data connection that is down.
-
A bold dotted red line displays multiple data connections that are down.
-
A thick gray line displays an active consolidated control and data connection between two devices.
If you hover over the line, a hover box tells you if the connection is up or down.
Configure and View Geographic Coordinates for a Device
To configure the geographic coordinates for a device, use the System Feature template under .
If the Cisco Catalyst SD-WAN device is not attached to a configuration template, you can configure the latitude and longitude directly on the device:
-
From the Cisco SD-WAN Manager menu, choose .
-
Choose a device from the left pane. The SSH Terminal window opens in the right pane.
-
Enter the username and password to log in to the device.
-
Use the show system status
command to determine whether the device is attached to a configuration template:
In the output, check the values in theDevice# show system status... Personality: vedge Model name: vedge-cloud Services: None vManaged: false Commit pending: false Configuration template: None
vManaged
andConfiguration template
output fields. If thevManaged
field is false, the device is not attached to a configuration template, and theConfiguration template
field value isNone
. For such a device, you can configure the GPS coordinates directly from the CLI. If thevManaged
field istrue
, the Cisco SD-WAN Manager server has downloaded the device configuration, and theConfiguration template
field value displays the name of the configuration template. For such a device, you cannot configure the GPS coordinates directly from the CLI. If you attempt to do so, thevalidate
orcommit
commands fails with the following message:Aborted: 'system is-vmanaged': This device is being managed by the vManage. Configuration through the CLI is not allowed.
-
Enter configuration mode:
For Cisco vEdge devices:
Device# config Device(config)#
For Cisco IOS XE Catalyst SD-WAN devices:
Device# configure-transaction Device(config)#
-
Configure the latitude and longitude for the device. Device(config)# system gps-location latitude degrees.minutes.seconds Device(config-system)# gps-location longitude degrees.minutes.seconds
-
Save the configuration. Device(config-system)# commit Device(config-system)#
View Network Site Topology
Feature Name |
Release Information |
Description |
---|---|---|
Site Topology Visualization in Cisco SD-WAN Manager |
Cisco IOS XE Catalyst SD-WAN Release 17.8.1a Cisco vManage Release 20.8.1 |
You can now view the topology diagram of a site in Cisco SD-WAN Manager. |
Site Topology Visualization in Cisco SD-WAN Manager (Phase II) |
Cisco IOS XE Catalyst SD-WAN Release 17.9.1a Cisco vManage Release 20.9.1 |
You can view information about the health of devices and tunnels in the topology. |
You have the following options to view the topology of a site.
Use the Devices Window
-
From the Cisco SD-WAN Manager menu, choose .
-
Find the corresponding Cisco IOS XE Catalyst SD-WAN device in the table and click the value in the Site ID column adjacent to this device name.
Alternatively, click the device name in the Hostname column, and then click the Site ID value in the device dashboard.
Cisco SD-WAN Manager displays the topology of the site.
Use the Geography Window
-
From the Cisco SD-WAN Manager menu, choose .
-
Click the corresponding Cisco IOS XE Catalyst SD-WAN device in the map.
-
Click the Site ID value.
Cisco SD-WAN Manager displays the topology of the site.
View Network-Wide Path Insight
Feature Name |
Release Information |
Description |
---|---|---|
Network-Wide Path Insight in Cisco SD-WAN Manager |
Cisco IOS XE Catalyst SD-WAN Release 17.4.1a Cisco vManage Release 20.4.1 |
This feature lets you view network-wide path tracing information using Cisco SD-WAN Manager. |
Network-Wide Path Insight in Cisco SD-WAN Manager Enhancements |
Cisco IOS XE Catalyst SD-WAN Release 17.6.1a Cisco vManage Release 20.6.1 |
You can configure network-wide path insight options to include additional filters and parameters for traces and DNS domain discovery, and view new displays for application flows, trace views, and app trends. |
Network-Wide Path Insight in Cisco SD-WAN Manager Enhancements |
Cisco IOS XE Catalyst SD-WAN Release 17.9.1a Cisco vManage Release 20.9.1 |
This feature provides enhancements to the Network-Wide Path Insight feature to include the collection and display of insight information, trace-level insight information, path insight information, and detailed application trace information. |
Network-Wide Path Insight in Cisco SD-WAN Manager Enhancements |
Cisco IOS XE Catalyst SD-WAN Release 17.12.1a Cisco Catalyst SD-WAN Manager Release 20.12.1 |
This feature provides enhancements to the Network-Wide Path Insight feature to include support for multiple VPNs for traces, the ability to generate synthetic traffic for traces, options for grouping trace information, support for auto-on tasks, new information on insight displays, and expanded insight summaries. |
Information About Network-Wide Path Insight
Network-wide path insight provides on-demand end-to-end application-tracing serviceability in the Cisco Catalyst SD-WAN network. You can obtain and view detailed information at the packet level, application level, domain level, flow level, and network level. This information provides comprehensive insights into the operations of your network and can assist with performance analysis, planning, and troubleshooting.
Supported Devices
This feature is supported on Cisco IOS XE Catalyst SD-WAN devices.
Overview
With the Network-Wide Path Insight feature, Cisco SD-WAN Manager lets you initiate application tracing and displays the trace results collected from multiple devices in a consolidated view.
Benefits of Network-Wide Path Insight
-
End-to-end bidirectional network path visibility for applications over Cisco Catalyst SD-WAN fabric
-
Real-time network performance measurement and visibility for applications
-
Feature execution insight on Cisco Catalyst SD-WAN device. Example: QoS, SD-WAN Policy, SAIE flow, and SD-WAN overlay tunneling
Note
In Cisco vManage Release 20.7.x and earlier releases, the SD-WAN Application Intelligence Engine (SAIE) flow is called the deep packet inspection (DPI) flow.
-
Validation of application policies
Use Cases for Network-Wide Path Insight
-
Verification of network and policy design when deploying a new site, VPN, or application
-
Daily monitoring of network, application, and policy operations
-
Collection of information for diagnosing operational issues
Restrictions for Network-Wide Path Insight
-
Support for this feature on Cisco vEdge devices is limited to interoperation with Cisco IOS XE Catalyst SD-WAN devices.
-
Only UDP and TCP can be traced using the Network-Wide Path Insight feature.
-
This feature is not supported on VPN 0 or the transport VPN.
-
This feature is not supported when extranet VPNs or service chain policies are configured in your Cisco Catalyst SD-WAN deployment.
-
Not all packet traces are captured per flow. The system takes samples for the most typical packets automatically.
-
Flow records do not display the complete history of flow path and hop information for releases before Cisco vManage Release 20.6.1.
-
Mixed application and default policies are not supported for releases before Cisco vManage Release 20.6.1.
-
You can monitor a maximum of two traces per device, and 10 concurrent active traces per Cisco SD-WAN Manager tenant.
-
The following table shows the number of active flows that can be monitored, and the supported number of completed flows. Tracing stops when the monitoring limit is reached.
Release
Number of Supported Active Flows
Number of Supported Number of Completed
Releases before Cisco vManage Release 20.6.1
50 to 100 per device, depending on the Cisco IOS XE Catalyst SD-WAN device
1,000
Cisco vManage Release 20.6.1 through Cisco vManage Release 20.8.x
50 to 100 per device, depending on the Cisco IOS XE Catalyst SD-WAN device
10,000
Cisco vManage Release 20.9.1 and later releases 50 to 100 per device, depending on the Cisco IOS XE Catalyst SD-WAN device
60,000
-
In releases before Cisco vManage Release 20.6.1, flow trace does not show the complete network path if the following optimizations are enabled:
-
UTD
-
TCP
-
SSL
-
DRE
-
-
In the Application Stats graphs that are available in the tab, you cannot choose a WAN color for Cisco ASR 1000 Series Routers and Cisco Catalyst 8500 Series Edge Platforms.
Prerequisites for Network-Wide Path Insight
Ensure that the Data Stream option is enabled in Cisco SD-WAN Manager. To enable this option, follow these steps:
-
From the Cisco SD-WAN Manager menu, choose .
-
For the Data Stream option, click View.
-
Click Edit and choose Enable.
-
Click Save.
![]() Note |
If you try to set up a trace path when Data Stream is not enabled, you are prompted to enable it. |
View Network-Wide Path Insight for Releases Before Cisco vManage Release 20.6.1
This section describes how to perform network-wide path insight tracing in releases before Cisco vManage Release 20.6.1. To start a trace, follow these steps:
-
From the Cisco SD-WAN Manager menu, choose .
-
In the Policy area, choose Site ID(*) from the drop-down list. Ensure that you only choose a site that you have access to.
-
In the VPN(*) field, choose a VPN ID from the drop-down list. Only VPNs associated with the chosen site are listed.
-
(Optional) Enter the Source/ Destination IP Addresses.
-
(Optional) Choose the Application from the drop-down list.
-
(Optional) Specify the required Trace Duration in minutes. The default trace duration is 60 minutes and the maximum duration supported is 1440 minutes.
-
(Optional) Choose Device and Source Interface from the drop-down list.
-
(Optional) Choose Protocol from the drop-down list. TCP and UDP protocols are supported. The All option indicates both UDP and TCP protocols.
-
(Optional) Choose DSCP from the drop-down list.
-
Click Start to initiate a path trace. A dialog box displays the Trace ID, Start time of the trace, and all the details such as their IP addresses and trace status of the started devices.
Note
To stop an ongoing trace before the timer expired, click Stop. You can also stop a trace from the Trace section.
View Network-Wide Path Insight for Cisco vManage Release 20.6.1 and Later Releases
This section describes how to perform network-wide path insight tracing from Cisco vManage Release 20.6.1.
Tracing provides detailed information about application issues and can discover domains and applications that run in domains. You can configure a variety of options to specify the tracing that you need and view detailed information about trace flows.
To start a trace, follow these steps:
-
From the Cisco SD-WAN Manager menu, choose .
From Cisco Catalyst SD-WAN Manager Release 20.12.1, you can also start a trace by choosing Create a Trace from the page.
Note
In Cisco vManage Release 20.6.x and earlier releases, Monitor menu.
is part of the
-
Perform one of the following actions:
-
From Cisco vManage Release 20.6.1 through Cisco vManage 20.11.x:
-
(Optional) In the Trace area, check the Enable DNS Domain Discovery check box to enable DNS domain discovery for network-wide path insight.
-
Click New Trace.
-
-
From Cisco Catalyst SD-WAN Manager Release 20.12.1:
-
Click New Trace.
-
(Optional) In the Trace area, check the Enable DNS Domain Discovery check box to enable DNS domain discovery for network-wide path insight, or continue to Step 3.
-
Note
When Enable DNS Domain Discovery is enabled, DNS snooping is used to discover DNS domains and the apps that are running in the discovered domains. You can then monitor the domains under the Application option to obtain information about health, trends, and metrics. When this option is disabled, the trace monitors the application flows based on the criteria and filters that you specify.
Enabling this option provides deep insight information for DNS domains, especially in Cisco Catalyst SD-WAN Cloud OnRamp for SaaS and Direct Internet Access (DIA) deployments. You can check the discovered domains for information about DNS domain queries that are running, and then start a trace to probe the traffic in these domains.
-
-
(Optional) In the Trace Name field, enter a name for the trace.
If you do not enter a name, the system assigns the name trace_ID, where ID is the system-generated identifier of the trace.
-
In the Trace Duration field, enter the number of minutes for which the trace lasts.
The minimum value is 1. The maximum value is 1440 (24 hours). The default value is 60.
-
In the Filters area, perform these actions:
-
In the Site ID field, enter the ID of the Cisco Catalyst SD-WAN network site in which to perform the trace.
-
From the VPN drop-down list, choose the service VPN for the trace to monitor. From Cisco Catalyst SD-WAN Manager Release 20.12.1, you can choose up to 64 VPNs.
-
(Optional. This option is applicable only if DNS domain discovery is disabled.) In the Source Address/Prefix field, enter the source IPv4 or IPv6 IP address and the prefix of flows for the trace to monitor. If you leave this field blank, the trace monitors flows with any source address or prefix.
-
(Optional. This option is applicable only if DNS domain discovery is disabled.) In the Destination Address/Prefix field, enter the destination IPv4 or IPv6 IP address and prefix of flows for the trace to monitor. If you leave this field blank, the trace monitors flows with any destination address or prefix.
-
(Optional. This option is applicable only if DNS domain discovery is enabled.) In the Client Address/Prefix field, enter the source IPv4 or IPv6 IP address or prefix of flows for the trace to monitor. If you leave this field blank, the trace monitors flows with any source address or prefix.
-
(Optional. The Application option applies only if DNS domain discovery is disabled.) Click one of the following options, then click the field under the option and use the check boxes that appear to choose the applications or application groups for the trace to monitor:
-
Application: Choose this option to designate specific applications for the trace to monitor.
-
Application Group: Choose this option to designate specific application groups for the trace to monitor. The trace then monitors all the applications that an application group includes.
For example, if you choose the application group ms-cloud-group, all the applications that this group includes are monitored. These applications are ms-office-365, ms-services, ms-teams, and more.
If you do not choose an option, the trace monitors all the applications.
To remove an application or application group from this field, click X adjacent to the corresponding application or application group name.
-
-
-
(Optional) If DNS domain discovery is not enabled, click the Expand icon to expand the Advanced Filters area and perform the following actions, as needed, to configure specific items for the trace to monitor.
-
From the Device drop-down list, choose one or more devices for the trace to monitor by checking the check box for each device.
If you do not choose a device, the trace monitors all devices for the site that you specified in Step 5.
-
From the Source Interface drop-down list, choose the source interface of traffic for the trace to monitor.
If you do not choose a source interface, the trace monitors traffic from all source interfaces in the VPN that you specified in Step 5.
-
In the Source Port field, enter the source port number of traffic that the trace should monitor. The trace monitors traffic that flows from this port number.
If you do not choose a source port, the trace monitors traffic for all source ports.
-
In the Destination Port field, enter the destination port number of traffic for the trace to monitor. The trace monitors traffic that flows to this port number.
If you do not choose a destination port, the trace monitors traffic for all destination ports.
-
From the Protocol drop-down list, choose the traffic protocol type for the trace to monitor.
If you do not choose a protocol, the trace monitors traffic for all supported protocols.
-
From the DSCP drop-down list, choose the DSCP type for the trace to monitor. The DEFAULT selection indicates DSCP0.
If you do not choose a DSCP type, the trace monitors traffic for all DSCP types.
-
-
(Optional) Click the Expand icon to expand the Monitor Settings area and perform these actions:
-
(From Cisco vManage Release 20.9.1) Click QoS Insight to have the trace include application, VPN, interface, and queue-level throughput and drop-rate metrics for all traffic.
This option is enabled by default.
-
Click ART Visibility to have the trace include the application response time (ART) metrics for TCP traffic. These metrics include client network delay (CND) and server network delay (SND) information.
This option is enabled by default.
-
Click App Visibility to have the trace use the SD-WAN Application Intelligence Engine (SAIE) flow to discover applications and application groups.
Note
In Cisco vManage Release 20.7.x and earlier releases, the SAIE flow is called the deep packet inspection (DPI) flow.
If you chose applications or application groups in Step 5, this option is enabled automatically.
If DPI is not enabled, we recommend that you enable App Visibility to ensure that flows are mapped to the correct applications. Enabling this option authorizes Network-Wide Path Insight to enable DPI in the first hop router of the trace for the duration of the trace.
-
Click DIA Visibility to enable the viewing of downstream information from direct internet access flows, beginning with the first flow.
This option is enabled by default if DNS domain discovery is enabled.
This option does not affect the applications that are transported over a Cisco Catalyst SD-WAN tunnel.
If you do not enable this option, the device discovers direct internet access traffic automatically, but it can take some time for this discovery to begin.
-
Click Hub WAN Visibility (or WAN Visibility for releases from Cisco Catalyst SD-WAN Manager Release 20.12.1.) when starting a trace to have the trace includes flows that are initiated in the WAN to LAN direction.
By default, a trace monitors flows that are initiated in the LAN to WAN direction.
For releases before Cisco Catalyst SD-WAN Manager Release 20.12.1, if DNS domain discovery is enabled, this option is enabled by default and cannot be disabled. For releases from Cisco Catalyst SD-WAN Manager Release 20.12.1, this option is disabled by default in all cases and can be enabled as needed.
~~Note
Because traffic typically flows from a spoke to a hub, we recommend that you start a trace from a spoke site.
-
Click Sampling to enable sampling when tracing, which causes the trace to capture flows at the specified interval.
In the Sampling Interval field that appears, enter the time interval, in seconds, between samples. For example, if you enter 100, one flow will be traced every 100 seconds even if there are multiple other flows.
The minimum sampling interval value is 1 second. The maximum value is 86400 seconds (24 hours). The default value is 60.
The sampling options can help extend the monitoring period of a trace by increasing the time that it takes it to reach the maximum number of flows in a trace.
-
-
(Optional) From Cisco Catalyst SD-WAN Manager Release 20.12.1, click the Expand icon and perform the following actions in the Synthetic Traffic area to enable synthetic traffic.
Synthetic traffic helps verify network design. When a new site is onboarded or an existing site configuration is changed, it is important to validate whether applications work as designed and as intended. Enabling synthetic traffic generates sample user traffic that you can evaluate with other network-wide path insight features to check whether applications are working as expected.
Synthetic traffic starts when the trace starts and stops when the trace stops. After the trace stops, you can see the information about synthetic traffic flows in the Completed Flows tab, and filter information on that tab to see information that only relates to synthetic traffic.
-
In the URL field, enter the URL to which a router should send synthetic traffic, for example, https://www.cisco.com.
-
In the VPN field, choose a service VPN on which to start synthetic traffic. The VPNs that are available are based on the VPNs that you chose in the Filters area.
-
In the DNS Server field, enter the IP address of the DNS server for translating the URL.
We recommend that you enter the IP address of your organization’s DNS server so that that the synthetic traffic flows to the same destination as the actual user traffic.
-
From the DSCP drop-down list, choose the DSCP to use for the synthetic traffic.
-
In the Interval field, enter how often, in minutes, the synthetic traffic is sent to the URL during the duration of the trace. For example, if you enter an interval of 2, synthetic traffic is sent every 2 minutes. The minimum values is 1.
-
(Optional) Click the plus sign icon and repeat these steps to add another synthetic traffic instance.
-
Click Save.
-
-
(Optional) From Cisco Catalyst SD-WAN Manager Release 20.12.1, click the Expand icon to expand the Grouping Fields area and configure the following options.
By default, information on the App Performance Insight tab on the Insight Summary display is grouped by application. Additional options area let you group information into smaller groups so that you can refine the display of information to meet your needs.
-
Check the Client Prefix check box to additionally group information by client prefix.
-
Check the Server Prefix check box to additionally group information by server prefix.
-
Check the Source SGT check box to additionally group information by source security group tag (SGT).
-
-
Click Start to initiate the trace.
The Start Trace window displays information about the trace, including the trace ID, the start time of the trace, and related details such as the IP addresses and trace status of the started devices.
-
Close the Start Trace window.
The trace is displayed in the list of traces in the
window.Note
In Cisco vManage Release 20.6.x and earlier releases, the list of traces is available in the
page.
Create Auto-On Task
![]() Note |
The auto-on task feature is available from Cisco Catalyst SD-WAN Manager Release 20.12.1. |
An auto-on task monitors your network for events that you choose and automatically runs a trace if an event is detected.
An auto-on task monitors the network for a period that you specify. Each trace that a task runs lasts for 5 minutes. To avoid congestion from multiple traces running simultaneously, for each site that is monitored, there is a ½ hour interval after a trace starts before the next one begins.
Options for traces that an auto-on task generates are preconfigured and cannot be changed.
An auto-on task is useful if you have identified or suspect a potential or intermittent issue in your network. For example, if you have identified intermittent SLA violations, instead of manually monitoring the network and manually starting a trace when you see an SLA violation, you can create a task that automatically starts traces when SLA violations are detected.
-
From the Cisco SD-WAN Manager menu, choose .
-
Click New Auto-on Task.
-
In the Task Name field, enter a name for the task.
-
From the Select Event drop-down list, choose either or both of the following events that, when detected, start a trace:
-
QoS Congestion: Congestion on the nondefault QoS queue of an interface.
-
SLA Violation: Traffic outside of the parameters that are defined by a service level agreement (SLA), for example, traffic latency exceeding predefined criteria.
-
-
(Optional) From the Select Site drop-down list, choose the name of one or more Cisco Catalyst SD-WAN network sites in which to perform the trace.
If you do not choose a network site, the task monitors all the sites.
-
In the Select Duration field, enter the number of hours the task lasts for.
The task monitors your network for the selected events during this duration.
Enter a number from 1 through 168.
-
Click Start.
The task appears in the table of auto-on tasks. This table provides the following information and options for each task and each trace that the task starts:
-
Task name: Task trace name. This field also includes the Insight Summary link, which lets you see more information about the traces that the task started. See Insight Summary.
-
Task ID: System-generated identifier of the task or trace.
-
Event(s): The event or events that you configured to start a trace, or the events that triggered a trace.
-
Site(s): The name of each site that the task monitors, or the name of the site in which a trace ran.
-
State: Active means that the task is live or a trace is running. Finished means that the task or trace has completed.
-
Start Time: Date and time at which you started the task or that a trace started.
-
Duration: Number of hours that a task or trace is live or ran.
-
Stop Time: Date and time at which the task or trace ended.
-
Actions:
-
Click Delete to remove a task or trace from the table.
-
Click Stop to stop an active task. Note that a stopped task cannot be restarted.
-
-
Trace
The path trace instances appear with unique trace IDs in the Trace History area (in releases before Cisco vManage Release 20.6.1) or in the Trace area (in Cisco vManage Release 20.6.1 and later releases). Information about each instance is also displayed, including its state and the actions that you can perform.
From Cisco Catalyst SD-WAN Manager Release 20.12.1, the Trace area includes the following tabs:
-
All Trace: Provides information about the traces that you start manually.
-
Auto-On Task: Provides information about the traces that are generated by an auto-on task.
You can perform the following actions in the Trace History area or Trace area:
-
In releases before Cisco vManage Release 20.6.1:
-
To stop an active trace, click Stop. If you have specified the trace duration, the trace stops automatically when the timer expires.
-
To navigate to the Flow Path and Metrics section, click Detail.
-
-
From Cisco vManage Release 20.6.1:
Action
Procedure
Tab (from Cisco Catalyst SD-WAN Manager Release 20.12.1)
Stop a trace that is in progress.
Click Stop in the Action column for the trace, and then click Confirm in the Stop Trace dialog box.
All Trace and Auto-On Task
Delete a trace that is completed.
Click Delete in the Action column for the trace, and then click Confirm in the Delete Trace dialog box.
All Trace and Auto-On Task
Display trace-level insight summary information (from Cisco vManage Release 20.9.1).
See Insight Summary.
All Trace and Auto-On Task
Display detailed information about the flows in a trace in the Insight area.
Click Insight Summary for the trace in the Trace Name column.
All Trace
View the filters and settings for a trace.
Click the name of the trace in the Trace Name column.
All Trace
View information about the source of a trace.
Click the corresponding value in the Src Site column.
All Trace
View information about the applications or application groups that a trace monitors.
Click the corresponding value in the Application/App Group column.
All Trace
View the status of a trace and error messages, if any, that have been generated.
Click the corresponding value in the Trace State column.
All Trace
View statistics for a task (from Cisco Catalyst SD-WAN Manager Release 20.12.1).
Click the name of the corresponding task.
Auto-On Task
View the filters and settings for a trace in a task (from Cisco Catalyst SD-WAN Manager Release 20.12.1).
Expand the task that you want, and then click the name of the trace in the Trace Name column.
Auto-On Task
Flow Path and Metrics
This section applies to releases before Cisco vManage Release 20.6.1.
In the Flow Path and Metrics section, view bidirectional flow path table with hop-by-hop metrics. You can expand any trace instance in the log to view the following details:
Column |
Description |
---|---|
Last Update Time |
The flow path instances in running state are refreshed every 10 seconds and the time of the update is displayed. |
Flow ID |
Flow IDs differentiate two identical flow path instances occurring at different times. |
State |
This state helps you visualize potential issues with the flow. Only SLA state of the flow is supported. |
Direction |
Directions could be upstream or downstream. The direction in which the first packet flow is identified is considered as upstream. |
Local Color, Remote Color |
Local edge (source) and the remote edge (destination) colors indicate different WAN interfaces. |
Local Drop(%), Remote Drop(%), WAN Drop(%) |
Packet drop is measured at local and remote edge routers. The packet drop is also measured on the complete WAN network. |
Jitter(ms), Latency(ms) |
Jitter and latency metrics of the flow. These metrics help with evaluating the application performance in real time. |
Total Packets, Total Bytes |
For each direction of the flow, total number of packets and total byte count are displayed. |
Insight
This section is applicable to Cisco vManage Release 20.6.1 and later.
Click View Insight in the Actions column in the list of traces to display detailed information about the flows in the corresponding trace. This detailed information appears in the Insight area. The following information is displayed in this area:
-
The DNS Domains tab is available only when DNS domain discovery is enabled and displays information about each domain that the trace discovers. You can expand any row in the list to display detailed information about the application.
From Cisco vManage Release 20.9.1, click Discovered Domains to display information for every domain that the trace discovered but that are not yet traced. Click Monitored Domains to display information only for domains that the trace monitored.
Note
In Cisco vManage Release 20.6.1 through Cisco vManage Release 20.8.x, the DNS Domains tab is called the Applications tab.
-
(From Cisco vManage Release 20.9.1) The Applications tab displays information about applications that were traced. You can expand any row in this list to display bidirectional path information with hop-by-hop metrics for each application.
-
The Active Flows tab displays information about the flows that are in the Running state. You can expand a flow instance to display bidirectional flow path information with hop-by-hop metrics.
-
The Completed Flows tab shows information about the flows that are in the Stopped state. You can expand a flow instance to display bidirectional flow path information with hop-by-hop metrics.
-
In the DNS Domains tab, start or stop flow monitoring of the applications in the selected domain for an active trace. Starting flow monitoring also deploys an HTTP probe (through Cisco vManage Release 20.8.x) or an HTTPS probe (from Cisco vManage Release 20.9.1) for the domain on the WAN. A dialog box indicates that monitoring has started. Monitoring information is displayed in the Active Flows and Completed Flows tabs.
-
In Cisco vManage Release 20.6.1 through Cisco vManage Release 20.8.x, click Start Flow Monitor and Stop Flow Monitor, as needed, to start or stop monitoring for the selected domains.
-
From Cisco vManage Release 20.9.1, to start flow monitoring, click Discovered Domains, check the corresponding check box for one or more domains to start monitoring, and click Start Flow Monitor. In the confirmation dialog box that appears, click Confirm. You can change the domain selections in this dialog box before you click Confirm.
From Cisco vManage Release 20.9.1, to stop flow monitoring, click Monitored Domains, check the check box for each domain for which you want to stop monitoring, and click Stop Flow Monitor. In the confirmation dialog box that appears, click Confirm.
-
-
Use the Search option to find specific flow instances.
From Cisco vManage 20.6.1, you also can cut and paste the following keywords to search for flows that include corresponding the events:
-
Local Drop
-
WAN Loss
-
TCP Reset
-
NAT Translation
-
DPI First Packet Unclassified
-
SLA Violation
-
QoS Congestion
-
WAN Color Inconsistency
-
Flow Asymmetry
-
Policy Bypass
-
Server No Response
-
AppQoE Diverted
-
UTD Diverted
-
-
For completed flows, use the Filter option to display only flow instances that meet specified criteria.
-
For completed flows, you can limit the display to flows that occurred within a specified period.
In releases through Cisco vManage Release 20.8.x, you can choose a period of 1, 10, or 30 minutes, or 1, 2, or 5 hours. You also can click Custom and enter a date and time range.
From Cisco vManage Release 20.9.1, you can drag the ends of the time bar to designate the start and end dates and times for a certain period.
The following tables describe the information that appears for each application and each instance in a flow, and, if DNS domain discovery is enabled, for each domain.
![]() Note |
The DNS domains tab (called Applications tab in Cisco vManage Release 20.6.1 through Cisco Manage 20.8.x) is available only when DNS Domain Discovery is enabled for a trace. |
Column |
Description |
---|---|
Check box |
Check the check box for the domains for which you want monitoring to be enabled or disabled and click Start Flow Monitor or Stop Flow Monitor. |
Domain |
Name of the domain that the trace discovered. |
Update Time |
Date and time at which the information was last refreshed. Instances are refreshed every 30 seconds by default. |
Application |
Name of the application that the trace discovered in the domain. |
Application Group or App Group |
Name of the application group that the trace discovered in the domain. |
VPN Id |
Available from Cisco Catalyst SD-WAN Manager Release 20.12.1. Identifier of the VPN in which the application flow was traced. |
DNS Server |
Destination of DNS packets sent from clients. |
DNS Redirect |
DNS resolver to which a device redirects DNS traffic if a resolver is configured by a centralized policy or by Cisco Umbrella. |
Resolved IP |
DNS-resolved IP address for the application. |
DNS Transport |
Transport type used by the domain. |
DNS Egress |
Egress interface and type used by the domain. |
TTL (sec) |
DNS time to live, in seconds. |
Request |
Number of DNS packets sent. |
Monitor State |
Status of flow monitoring for the domain. |
Column |
Description |
---|---|
Columns Displayed in Cisco vManage Release 20.9.1 through Cisco vManage Release 20.11.x |
|
Last Update Time |
Date and time at which the information was last refreshed. Instances are refreshed every 10 seconds by default. |
App Name |
Name of the application. |
App Group |
Application group to which the application belongs. |
Upstream Flow Count |
Number of upstream flows that were counted for the application. |
Downstream Flow Count |
Number of downstream flows that were counted for the application. |
Upstream Bytes (K) |
Number of KBs in the upstream traffic of this application. |
Downstream Bytes (K) |
Number of KBs in the downstream traffic of this application. |
Columns Displayed From Cisco Catalyst SD-WAN Manager Release 20.12.1 |
|
Last Update Time |
Date and time at which the information was last refreshed. Instances are refreshed every 10 seconds by default. |
App Name |
Name of the application. |
App Group |
Application group to which the application belongs. |
VPN Id |
Identifier of the VPN in which the application flow was traced. |
Total Bytes (K) |
Number of KBs in the upstream and downstream flows of this application. |
Total packets |
Number of packets in the upstream and downstream flows of this application. |
KBPS |
Number of KBs per second in the upstream and downstream flows of this application during the past minute. |
PPS |
Number of packets per second in the upstream and downstream flows of this application during the past minute. |
Total Flows |
Number of flows that were counted for the application. |
Active Flows |
Flows that had activity during the past 1 minute. |
Flow Setup Rate |
Average number of new flows per second during the past 1 minute. |
Flow Live Time (ms) Max/Min/Avg |
Maximum, minimum, and average number of milliseconds of detectable flow activity during the duration of the trace. |
Sampled Flows |
Number of flows that were sampled in the upstream or downstream traffic of this application. Click the up arrow icon next to the column name to display information for upstream traffic. Click the down arrow icon to display information for downstream traffic. |
Sampled Bytes (K) |
Number of KBs in the upstream or downstream traffic of this application. Click the up arrow icon next to the column name to display information for upstream traffic. Click the down arrow icon to display information for downstream traffic. |
Column |
Description |
||
---|---|---|---|
Last Update Time or Start - Update Time |
In releases through Cisco vManage 17.8.x: Date and time at which the information was last refreshed. In releases from Cisco vManage 20.9.1: Date and time at which the flow started, and date and time at which the information was last refreshed. Instances are refreshed every 10 seconds by default. |
||
Flow ID |
System-assigned identifier of the flow. |
||
Readout |
Information that the flow contains (error, warning, or information). Click an icon to display detailed information about the flow in a dialog box (in releases before Cisco vManage Release 20.9.1) or a slide-in pane (in releases from Cisco vManage Release 20.9.1). If the flow identifies an application issue, you can use this information to assist with a root-cause analysis. The dialog box or slide-in pane includes the following information:
|
||
VPN Id |
From Cisco Catalyst SD-WAN Manager Release 20.12.1, identifier of the VPN in which the application flow was traced. |
||
Source IP |
Source IP address of the traffic that the trace monitors. |
||
Source Port or Src Port |
Source port of the traffic that the trace monitors. |
||
Destination IP |
Destination IP address of the traffic that the trace monitors. |
||
Destination Port or Dest Port |
Destination port of the traffic that the trace monitors. |
||
Protocol |
Protocol of the traffic that the trace monitors. |
||
DSCP Upstream/Downstream |
DSCP type that the trace monitors for upstream traffic and downstream traffic. |
||
Application |
Application that the flow monitors. |
||
Application Group |
Application group that the flow monitors. |
||
Domain |
Domain that the flow belongs to. Click a domain name to display the protocol from which the domain was recognized.
|
||
ART CND (ms)/SND (ms) |
Application response time, in milliseconds, for client network delay (CND) and server network delay (SND). |
||
Security Group Tag |
From Cisco Catalyst SD-WAN Manager Release 20.12.1, security group tag that is assigned to the flow. |
Column |
Description |
---|---|
Egress Interface |
Egress interface type used by the domain. |
Local Edge, Remote Edge |
Names of the local edge (source) and the remote edge (destination) of the flow. |
Local Color |
Color of the local edge (source) of the flow, which indicates the egress WAN interface. |
Remote Color |
Color of the remote edge (destination) of the flow, which indicates the ingress WAN interface. |
App CND (ms)/App SND (ms) |
Application response time, in milliseconds, for client network delay (CND) and server network delay (SND). |
HTTP Probe Response Time (ms) |
Response time, in milliseconds, of an HTTP probe ping from the device to the application server. |
HTTP Probe Loss (%) |
Packet loss percentage of an HTTP probe ping from the device to the application server. |
Path Score |
Path score of an HTTP probe ping from the device to the application server. |
Column |
Description |
---|---|
Direction |
Direction of the application flow (upstream or downstream). The first packet that the flow identifies is shown as a flow in the upstream direction. |
HopIndex |
Hop index number for each direction of the application. |
Local Edge |
Name of the local edge device (source) of the application. |
Remote Edge |
Name of the remote edge device (destination) of the application. |
Local Color |
Color of the local edge device (source) of the application, which indicates the egress WAN interface. |
Remote Color |
Color of the remote edge device (destination) of the application, which indicates the ingress WAN interface. |
Local Drop (%), WAN Drop (%), Remote Drop (%) or Local Drop (%), WAN Loss (%), Remote Drop (%) |
Packet drop, as measured in the local and remote edge routers. Packet drop is also measured in the complete WAN network. |
Jitter (ms), Latency (ms) |
Jitter and latency metrics of the application during the past minute. These values help with evaluating the application performance in real time. |
ART CND (ms)/SND (ms) |
Application response time, in milliseconds, for client network delay (CND) and server network delay (SND) during the past minute. |
Total Packets, Total Bytes, or Sampled Total Packets and Sampled Total Bytes |
For each direction of the application flow, the total number of packets and the total byte count of packets. |
Column |
Description |
---|---|
Direction |
Direction of the flow (upstream or downstream). The first packet that the flow identifies is considered to flow in the upstream direction. |
HopIndex |
Hop index number for each direction of the flow. |
Local Edge |
Name of the local edge (source) of the flow. |
Remote Edge |
Name of the remote edge (destination) of the flow. |
Local Color |
Color of the local edge (source) of the flow, which indicates the egress WAN interface. |
Remote Color |
Color of the remote edge (destination) of the flow, which indicates the ingress WAN interface. |
Local Drop (%), WAN Drop (%), Remote Drop (%) or Local Drop (%), WAN Loss (%), Remote Drop (%) |
Packet drop, as measured in the local and remote edge routers. The packet drop is also measured in the complete WAN network. |
Jitter (ms), Latency (ms) |
Jitter and latency metrics of the flow. These values help with evaluating the application performance in real time. |
ART CND (ms)/SND (ms) |
Application response time, in milliseconds, for client network delay (CND) and server network delay (SND). |
Total Packets, Total Bytes |
For each direction of the flow, the total number of packets and the total byte count of packets. |
Queue Id |
Identifier of the QoS queue for the flow. |
QDepthLimit/Max/Min/Avg |
Limit, maximum, minimum, and average values of the QoS queue depth for the flow. |
Insight Summary
Minimum release: Cisco vManage Release 20.9.1.
An insight summary provides trace-level insight information for application traffic and flows. This information appears in a slide-in pane. The following table describes how to display the various insight summaries that are available.
Insight Summary Information |
Procedure |
---|---|
For Manually Generated Traces |
|
Insight summary for a single manually generated trace |
In the All Trace tab, click Insight Summary in the Trace Name column for the trace that you want. |
Consolidated insight summary for selected manually generated traces (from Cisco Catalyst SD-WAN Manager Release 20.12.1) |
In the All Trace tab, check the check box for each trace that you want, and then click Insight Summary above the Trace Name column. |
For Auto-On Task Traces (from Cisco Catalyst SD-WAN Manager Release 20.12.1) |
|
Insight summary for a single trace generated by an auto-on task |
In the Auto-On Task tab, expand a task and click Insight Summary next to the trace that you want. |
Consolidated insight summary for all the traces generated by an auto-on task |
In the Auto-On Task tab, click Insight Summary next to the name of the task. |
-
Overview tab: Displays the following information.
From Cisco Catalyst SD-WAN Manager Release 20.12.1, click Sampled Flow Insight to see the Applications graph, Events graph, and Hotspot Issues. Information for all the VPNs that the trace detects is selected by default. You can remove a VPN by unchecking it in the corresponding drop-down list, and add a VPN by choosing it in the corresponding drop-down list.
The information in this Sampled Flow Insight area is based on sampled data, which comes from a subset of the total number of flows that were monitored. The number of flows that are sampled is determined by an internal algorithm. For example, if the trace monitors 1,000 flows, this tab might show information for only 10 of those flows.
-
Applications graph: Displays the number of flows that the trace detects in each application in the monitored traffic. Hover your cursor over the data points in the graph to display the percentage of total flows that the corresponding application flow represents.
From Cisco Catalyst SD-WAN Manager Release 20.12.1, check the Application check box to display information for all flows that include application traffic. Check the DNS check box to display information for all the flows with DNS resolution.
-
Events graph: Displays the events that the trace detects in the monitored traffic and the number of application flows that each event affects. Hover your cursor over the data points in the graph to display the percentage of total application flows that the corresponding event affected.
From Cisco Catalyst SD-WAN Manager Release 20.12.1, check one or more severity check boxes (Critical, Warning, and Informational) to display information for events that have the corresponding severity level.
-
Hotspot Issues: For each event, provides information about each application flow that was affected, including the traffic path in which the event occurred and the duration of the event.
This information is displayed for each event that appears in the Events field. By default, all the events that the trace detects appear in this field. You can remove an event by clicking X next to its name and add an event by choosing the event from the Events drop-down list.
From Cisco Catalyst SD-WAN Manager Release 20.12.1, when viewing the Overview tab for a single trace, click Application Stats to see the following graphs. These graphs provide information for the top 10 applications with the most flows. Hover your cursor over the data points in a graph to display more detailed information for the corresponding item.
-
Applications (top 10) - Total Flows: Total number of application flows for the duration of the trace. The selected color is for the egress WAN interface on which flows were initialized.
-
Applications (top 10) - Total Bytes: Overall application bidirectional bandwidth for the duration of the trace. Upstream and downstream flow bandwidths are counted on the egress WAN on which flows were initialized.
-
Applications (top 10) – Flow Setup Rate: New incoming flows per second, calculated at 1-minute intervals.
-
Applications (top 10) – Active Flow: Number of active flows, calculated at 1-minute intervals.
-
Applications (top 10) – Bandwidth: Number of KB per second, calculated at 1-minute intervals.
-
Applications (top 10) – Flow Live Time: Overall lifetime of application flows, based on the flows completed within the monitor interval and calculated at 1-minute intervals.
The Applications (top 10) - Total Flows and Applications (top 10) - Total Bytes graphs provide information for each item that is selected in the VPN, Device, and WAN Color fields. All the items that the trace detects are selected by default.
The other graphs provide information only when only one item is selected in the VPN, Device, and WAN Color fields.
You can remove an item from these fields by unchecking it in the corresponding drop-down list, and add an item by choosing the item from the corresponding drop-down list.
Note
You can view detailed information about an event in the Event Insight tab.
-
-
App Performance Insight tab (not available for consolidated insight summaries): Displays the following performance information for the selected items.
From Cisco Catalyst SD-WAN Manager Release 20.12.11, the Score graph appears when you expand Hop Metrics. The other graphs appear when you expand Detailed Metrics under the expanded Hop Metrics.
-
Score graph: Provides an evaluation of application performance.
-
Loss graph: Provides information about packet loss.
-
Delay graph: Provides information about delays in the traffic flows.
-
Jitter graph: Provides information about the inconsistencies in latency in traffic flows.
-
CND/SND graph: Provides information about client network delay (CND) and server network delay (SND).
-
Applications Path & Performance Sankey chart: Provides a snapshot of bandwidth used and loss information at a particular time. You can choose the time by clicking a dot on a timeline in a metrics graph.
The graphs display information for each application that appears in the Application field and the hop that is displayed in the Hop field. From Cisco Catalyst SD-WAN Manager Release 20.12.1, the Application field appears when you expand Group Fields. The Sankey chart displays information for each application that appears in the Application field and for all the hops, regardless of the hop that is displayed in the Application field.
The five applications with the most hotspot issues appear in the Application field by default. You can remove an application by clicking the X next to its name, and add an application by choosing the application from the Application drop-down list. You can choose a hop from the Hop drop-down list.
From Cisco Catalyst SD-WAN Manager Release 20.12.1, information for all the VPNs that the trace detects are selected by default. You can remove a VPN by unchecking it in the corresponding drop-down list, and add a VPN by choosing the item from the corresponding drop-down list.
From Cisco Catalyst SD-WAN Manager Release 20.12.1, you can arrange the information that displays into groups, according to the items that you choose in the Group Fields area. The fields that are displayed depend on the Grouping Fields options that you chose when you started the trace. You can remove a grouping item by clicking X next to its name, and add an item by choosing it from the corresponding drop-down list.
Click Upstream to display information for upstream traffic in the graphs and chart. Click Downstream to display information for downstream traffic in the graphs and chart.
Hover your cursor over a data point in a graph to display more detailed information. Click a data point in a graph to update the Sankey chart for that data point. Hover your cursor over a data point in the Sankey chart to display more detailed information.
-
-
Event Insight tab (not available for consolidated insight summaries): Displays the following information about application flows that were affected during each minute of the duration of an event. You can use this information to assist with a root-cause analysis.
-
Flows graph: Provides information about the number of flows at a particular time.
-
Applications Path & Event Sankey chart: Provides detailed information about the effect of designated events at a particular time. Hover your cursor over a data point to see more information.
The graph displays information for each application that appears in the Application field and the hop that is displayed in the Hop field. From Cisco Catalyst SD-WAN Manager Release 20.12.1, the Application field appears when you expand Group Fields. The Sankey chart displays information for each application that appears in the Application field, for all the hops regardless of the hop that is displayed in the Hop field, and for the events that are displayed in the Events field.
The five applications with the most hotspot issues appear in the Application field by default. You can remove an application by clicking X next to its name, and add an application by choosing the application from the Application drop-down list. You can choose a hop from the Hop drop-down list.
Hotspot events that the trace detects appear in the Events field by default. You can remove an event by clicking X next to its name and add an event by choosing the event from the Application drop-down list.
From Cisco Catalyst SD-WAN Manager Release 20.12.1, information for all the VPNs that the trace detects is selected by default. You can remove a VPN by unchecking it in the corresponding drop-down list, and add a VPN by choosing the item from the corresponding drop-down list.
From Cisco Catalyst SD-WAN Manager Release 20.12.1, you can use the fields in the Group Fields area to group the information that displays by the selected items. The fields that are displayed depend on the Grouping Fields options that you chose when you started the trace. You can remove a grouping item by clicking X next to its name, and add an item by choosing it from a drop-down list.
Click Upstream to display information for upstream traffic in the graph and chart. Click Downstream to display information for downstream traffic in the graph and chart.
Hover your cursor over a data point to display detailed information about the events that affect the flow at that point. Click a data point to update the Sankey chart for that data point. Hover your cursor over a data point in the Sankey chart to display more detailed information.
-
-
QoS Insight tab (not available for consolidated insight summaries): Displays network-wide information about which application traffic entered which QoS queues on the devices that the trace detects. This information includes all the hops for the traffic.
To display information on this tab, enable the QoS Insight option when you start the trace.
-
QoS Drop Rate graph: Provides information about the packet or byte drop rates for the selected devices over the period of the trace.
-
QoS - Applications Distribution Sankey chart: Provides detailed information about the traffic spectrum and QoS processing at a particular time. The chart illustrates forwarded or dropped traffic that occurs in a flow that goes from an application to a VPN to a physical interface to a queue.
To provide complete information about bandwidth consumers that cause dropped packets, this tab displays information for all the applications on a device, regardless of the applications that you choose by using the Application filter when you start a trace. It also displays information for VPN0 and all the service VPNs, regardless of the service VPNs that you choose by using the VPN filter when you start the trace.
The graph and chart display information for each device that appears in the Devices field.
The chart displays information for each item that appears in the Applications, VPNs, Interfaces, Queues, and Forward/Drop fields. All the items that the trace detects are displayed in these fields by default, except items with a packet per second (PPS) rate of less than 0.05. You can remove an item by clicking the X next to its name, and add an item by choosing the item from a corresponding drop-down list.
Click Packet to display packet drop rate information in the graph and packets per second (PPS) information in the Sankey chart. Click Byte to display byte drop rate information in the graph and kilobits per second (Kbps) information in the Sankey chart.
Hover your cursor over a data point in the graph to display more detailed information. Click a data point in the graph to update the Sankey chart for that data point. Hover your cursor over a data point in the Sankey chart to display more detailed information.
-
Trace Views
In releases before Cisco vManage Release 20.6.1, you can view the trace flow from three sections—Geography View, Feature View (Upstream), and Feature View (Downstream).
From Cisco vManage Release 20.6.1, you can view the trace flow information from these tabs in the Insight - Advanced Views area after expanding a flow in the Insight area—Domain Trend, Flow Trend, Upstream Feature, Downstream Feature, and Geography.
![]() Note |
In Cisco vManage Release 20.6.1 through Cisco vManage 20.8.x, Domain Trend is called App Trend. |
The Domain Trend tab is available from Cisco vManage Release 20.6.1. It was called App Trend in In Cisco vManage Release 20.6.1 through Cisco vManage 20.8.x. This tab appears only when DNS discovery is enabled and displays trends for metrics and events in an application flow. Hover your cursor over the data points in the tab to see detailed information.
The client network delay (CND) and server network delay (SND) information that appears on this tab are measured by the applications' TCP traffic. DNS request frequency shows how often a SaaS application is visited. HTTP probe response time and loss rate are measured by probes that are sent by a router to the SaaS application server to detect a reachable direct internet access (DIA) network path and help evaluate the benefit of deploying a DIA traffic policy.
From the Chart Metrics drop-down list, you can choose the metric types for which you want to view information. From the Devices drop-down list, you can choose specific devices for which you want to view data. By default, trend information appears for all metric types and all devices.
You can limit the display to trends that occurred within a specified time, or those that occurred within a specified period. You can choose a period of 1, 10, or 30 minutes, or 1, 2, or 5 hours. You also can click Custom and enter a date and time range, or click Real Time to display information as it is collected.
The Flow Trend tab is available from Cisco vManage Release 20.6.1. This tab displays trends for metrics and events in a trace flow. Hover your cursor over data points to see detailed information.
From the Chart Metrics drop-down list, you can choose specific metric types for viewing information. From the Flow Direction drop-down list, you can choose the traffic flow direction for viewing data. By default, trend information appears for latency, jitter, WAN loss, and average queue depth, and for all the flow directions.
Use the Navigate to Event drop-down list to choose information about a specific event.
You can limit the display to trends that occurred within a specified time, or those that occurred within a specified period. You can choose a period of 1, 10, or 30 minutes, or 1, 2, or 5 hours. You also can click Custom and enter a date and time range, or click Real Time to display information as it is collected.
In the Geography View section for releases before Cisco vManage Release 20.6.1 or the Geography tab in releases beginning with Cisco vManage Release 20.6.1, you can view the end-to-end trace flow and metrics plotted on the map for a selected trace. The topology graph displays the geographic information about the devices included in the flow.
-
The geography view supports "Automatic Network Path Discovery," where you input only the Site and VPN to trace the complete bidirectional, end-to-end real-traffic network flow path.
-
Each node in the topology is connected with two lines. One line represents upstream direction and the other represents downstream direction.
-
Issues (example: SLA violation) detected in the flow metric are shown in different colored lines.
In the Feature View section for releases before Cisco vManage Release 20.6.1 or the Upstream Feature and Downstream Feature tabs in releases beginning with Cisco vManage Release 20.6.1, view the upstream and downstream feature trace with associated policy details.
To view the upstream and downstream details of the flow, expand a flow record in the flow path and metrics table.
-
The feature view provides a list of ingress and egress features that are applied to the flow, and the execution result of each feature.
-
Typical ingress features include: SD-WAN ACL, NBAR, SD-WAN data policy, SD-WAN app-route policy, SD-WAN forwarding, and so on.
-
Typical egress features include: NBAR, IPsec, SDWAN QoS Output, QoS, Transmit report, and so on.
-
-
For releases before Cisco vManage Release 20.6.1, in the Ingress or Egress view, click a policy to view detailed configuration in a pop-up window and validate policy behavior. For releases beginning with Cisco vManage Release 20.6.1, click View Policy to view this information and validate behavior for the corresponding policy. (View Policy does not apply to policies that are configured by using a CLI template.)
![]() Note |
The downstream feature view shows similar information but organized from a downstream direction. |
Troubleshooting Network-Wide Path Insight
Problem
No information is displayed when you view the results of a trace.
Solution
Check the following:
-
Data stream collection might not be operating properly. To resolve this issue, choose Disabled, then click Save. Click Data stream again, click Enabled, choose System for the IP address type, then click Save.
, click -
You may have enabled DNS domain discovery for the trace, and the monitored traffic may not be from DNS domains. To resolve this issue, choose Enable DNS Domain Discovery check box in the Trace area, and run the trace again.
, uncheck the
Problem
The location of devices does not appear in the Geography View section for releases before Cisco vManage Release 20.6.1 or the Geography tab in Cisco vManage Release 20.6.1.
Solution
Ensure that GPS is configured for the device.
Monitor Performance of Cloud OnRamp for SaaS
View Application Performance
In vManage NMS, select the
screen. The Cloud OnRamp for SaaS Dashboard displays the performance of each cloud application in a separate pane.Each application pane displays the number of Cisco IOS XE Catalyst SD-WAN devices accessing the application and the quality of the connection:
-
The bottom status bar displays green for devices experiencing good quality.
-
The middle status bar displays yellow for devices experiencing average quality.
-
The top status bar displays red for devices experiencing bad quality.
The number to the right of each status bar indicates how many devices are experiencing that quality of connection.
View Application Details
-
In vManage NMS, choose the
screen. The Cloud OnRamp for SaaS Dashboard displays each cloud application in a separate pane. -
Click in an application's pane. vManage NMS displays a list of sites accessing the application.
-
Click a graph icon in the vQoE Score column to display vQoE history for that site:
-
Click a predefined or custom time period for which to display data.
-
Hover over a point on the chart to display vQoE details for that point in time.
-
View ARP Table Entries
The Address Resolution Protocol (ARP) is used to resolve network layer addresses, such as IPv4 addresses) into link layer addresses (such as Ethernet, or MAC, addresses). The mappings between network and physical addresses are stored in an ARP table.
To view the entries in the ARP table:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device from the list of devices that displays.
-
Click Real Time in the left pane.
-
From the Device Options drop-down list in the right pane, choose ARP.
CLI equivalent: show arp
View BFD Session Information
Bidirectional Forwarding Detection (BFD) sessions between routers start automatically when the devices come up in the network. BFD which runs on secure IPsec connections between the routers, is used to detect connection failures between the routers.
To view BFD information for a router:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device from the list of devices that displays.
-
Click Real Time in the left pane.
-
From the Device Options drop-down list, choose one of the following commands as relevant:
-
BFD Sessions (to view real-time BFD sessions)
-
BFD History (to view BFD session history)
-
View BGP Information
You can configure the Border Gateway Protocol (BGP) on routers to enable routing on the service side (site-local side) of the device, thus providing reachability to networks at the devices' local sites.
To view BGP information on a router:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device from the list of devices that displays.
-
Click Real Time in the left pane.
-
From the Device Options drop-down list, choose one of the following commands as relevant:
Option
Description
BGP Summary (show bgp summary View BGP connection status.
BGP Neigbors (show bgp neighbor ) View BGP neighbors.
BGP Routes (show bgp routes ) View routes learned by BGP.
View Cflowd Information
Feature Name |
Release Information |
Description |
---|---|---|
Flexible NetFlow Support for IPv6 and Cache Size Modification |
Cisco IOS XE Catalyst SD-WAN Release 17.4.1a Cisco vManage Release 20.4.1 |
Configure Cflowd traffic flow monitoring on Cisco IOS XE Catalyst SD-WAN devices. |
Log Packets Dropped by Implicit ACL |
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a Cisco vManage Release 20.5.1 |
To enable logging of dropped packets, check the Implicit ACL Logging check box and to configure how often the packet flows are logged, enter the value in the Log Frequency field. |
Flexible NetFlow Enhancement |
Cisco IOS XE Catalyst SD-WAN Release 17.6.1a Cisco vManage Release 20.6.1 |
Configure Cflowd traffic flow monitoring to collect ToS, sampler ID, and remarked DSCP values in netflow records. |
Flexible NetFlow for VPN0 Interface |
Cisco IOS XE Catalyst SD-WAN Release 17.7.1a Cisco vManage Release 20.7.1 |
Configure this feature using the CLI template and also add-on CLI template. |
Flexible NetFlow Export Spreading |
Cisco IOS XE Catalyst SD-WAN Release 17.9.1a Cisco Catalyst SD-WAN Control Components Release 20.9.x Cisco vManage Release 20.9.1 |
This feature enables export spreading to prevent export storms that occur when a burst of packets are sent to external collector. The export of the previous interval is spread during the current interval to prevent export storms. When NetFlow packets are sent over a low-bandwidth circuit, the export spreading functionality is enabled to avoid packet drops. |
Flexible NetFlow Export of BFD Metrics |
Cisco IOS XE Catalyst SD-WAN Release 17.10.1a Cisco Catalyst SD-WAN Control Components Release 20.10.1 |
With this feature, you can export Bidirectional Forwarding Detection (BFD) metrics to an external collector for generating BFD metrics of loss, latency, and jitter. This feature provides enhanced monitoring and faster collection of network state data. |
Real-Time Device Options for Monitoring Cflowd and SAIE Flows |
Cisco IOS XE Catalyst SD-WAN Release 17.10.1a Cisco vManage Release 20.10.1 |
With this feature, you can apply filters for monitoring specific Cflowd and SD-WAN Application Intelligence Engine (SAIE) applications or application families running within a VPN on the selected Cisco IOS XE Catalyst SD-WAN device. This feature was already available on Cisco vEdge devices and is being extended to Cisco IOS XE Catalyst SD-WAN devices in this release. |
Cflowd monitors traffic flowing through routers in the overlay network and exports flow information to a collector, where it can be processed by an IPFIX analyzer. For a traffic flow, Cflowd periodically sends template reports to a flow collector. These reports contain information about the flow and data extracted from the IP headers of the packets in the flow.
To configure Cflowd in a router, use centralized data policy to define a Cflowd template that specifies the location of a Cflowd collector and timers that control the flow collection.
To view Cflowd flow information for a router:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device from the list of devices displayed.
-
Click Real Time in the left pane.
-
From the Device Options drop-down list, choose one of the following commands or options, as relevant:
Option
Description
Cflowd Template (show app cflowd template ) View the Cflowd template.
Device option is displayed on Cisco vEdge devices.
Cflowd Collector (show app cflowd collector ) View Cflowd Collector information.
Device option is displayed on Cisco vEdge devices.
Cflowd Flows (show app cflowd flows , show app cflowd flow-count ) View Cflowd flows.
Device option is displayed on Cisco vEdge devices.
Cflowd Statistics (show app cflowd statistics )
View Cflowd statistics.
Device option is displayed on Cisco vEdge devices.
cFlowd Flows/DPI (show cflowd flows )
View Cflowd traffic flow information and SAIE flow information.
From Cisco IOS XE Catalyst SD-WAN Release 17.10.1a and Cisco vManage Release 20.10.1, the cFlowd Flows/DPI field is added for applying filters for monitoring specific SAIE applications or application families running within a VPN on the selected Cisco IOS XE Catalyst SD-WAN device.
Device option is displayed on Cisco IOS XE Catalyst SD-WAN devices.
cFlowd ipv6 Flows/DPI (show cflowd flows )
View Cflowd IPv6 traffic flow information and SAIE flows.
From Cisco IOS XE Catalyst SD-WAN Release 17.10.1a and Cisco vManage Release 20.10.1, the cFlowd ipv6 Flows/DPI field is added for applying filters for monitoring specific SAIE applications or application families running within a VPN on the selected Cisco IOS XE Catalyst SD-WAN device.
Device option is displayed on Cisco IOS XE Catalyst SD-WAN devices.
View Device Templates
View a Template
-
From the Cisco SD-WAN Manager menu, choose .
-
Click Device Templates or Feature Templates, and select a template you wish to view.
Note
In Cisco vManage Release 20.7.x and earlier releases, Device Templates is titled Device, and Feature Templates is titled Feature.
-
Click …, and then click View.
View Device Templates Attached to a Feature Template
-
From the Cisco SD-WAN Manager menu, choose .
-
Click Feature Templates, and select a template you wish to view.
Note
In Cisco vManage Release 20.7.x and earlier releases, Feature Templates is titled Feature.
-
Click …, and click Show Attached Device Templates.
Device Templates dailog box opens, displaying the names of the device templates to which the feature template is attached.
View Devices Attached to a Device Template
For a device template that you created from feature templates:
-
From the Cisco SD-WAN Manager menu, choose .
-
Click Device Templates, and select a template you wish to view.
Note
In Cisco vManage Release 20.7.x and earlier releases, Device Templates is titled Device.
-
Click …, and click Attach Devices.
-
From Attach Devices, click Attached Devices.
For a device template that you created from a CLI template:
-
From the Cisco SD-WAN Manager menu, choose .
-
Click Device Templates, and select a template you wish to view.
Note
In Cisco vManage Release 20.7.x and earlier releases, Device Templates is titled Device.
-
Click …, and then click Show Attached Devices.
View and Monitor Cellular Interfaces
This topic describes how to monitor the status of cellular interfaces in Cisco Catalyst SD-WAN devices.
Monitor Cellular Interfaces
You can verify signal strength and service availability using either Cisco SD-WAN Manager or the LED on the router. You can view the last-seen error message for cellular interfaces from Cisco SD-WAN Manager.
Verify Signal Strength
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
From the Device Groups drop-down list, choose a group that the device belongs to.
-
Choose a device by clicking its name in the Hostname column.
-
Click Real Time in the left pane.
-
From the Device Options drop-down list in the right pane, choose Cellular Radio.
The values for the different cellular signals are displayed. If signal strength is poor, or there is no signal, see Troubleshoot Common Cellular Interface Issues.
CLI equivalent: show cellular status
Verify Radio Signal Strength Using the Router LED
To check signal strength and service availability of a cellular connection from the router, look at the WWAN Signal Strength LED. This LED is typically on the front of the routers, and is labeled with a wireless icon.
The following table explains the LED color and associated status:
Color |
Signal Strength |
State |
Description |
---|---|---|---|
Off |
— |
— |
LTE interface disabled (that is, admin status is down) or not configured |
Green |
Excellent |
Solid |
LTE interface enabled and in dormant mode (no data being received or transmitted) |
Blinking |
LTE interface enabled and in active mode (data being received and transmitted) |
||
Yellow |
Good |
Solid |
LTE interface enabled and in dormant mode (no data being received or transmitted) |
Blinking |
LTE interface enabled and in active mode (data being received and transmitted) |
||
Orange |
Poor |
Solid |
LTE interface enabled and in dormant mode (no data being received or transmitted) |
Blinking |
LTE interface enabled and in active mode (data are being received and transmitted) |
||
Red |
Critical Issue |
Solid |
LTE interface enabled but faulty; issues include no connectivity with the base transceiver station (BTS) and no signal |
View Error Messages for Cellular Interfaces
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device by clicking its name in the Hostname column.
-
Click Real Time in the left pane.
-
From the Device Options drop-down list in the right pane, choose Cellular Status.
The output displayed includes a column for Last Seen Error
CLI equivalent: show cellular status
View a Signed Certificate
Signed certificates are used to authenticate Cisco SD-WAN devices in the overlay network. To view the contents of a signed certificate using Cisco SD-WAN Manager:
-
From the Cisco SD-WAN Manager menu, choose .
-
Click Controllers.
-
For the desired device, click ... and choose View Certificate to view the installed certificate.
View Cisco Umbrella Information
To view Cisco Umbrella information on a device, perform the following steps:
-
From the Cisco SD-WAN Manager menu, choose .
-
Choose a device from the list of devices that is displayed.
-
Click Real Time in the left pane.
-
Click Device Options, and choose the following.
Device Option |
Command |
Description |
---|---|---|
Umbrella Device Registration |
show umbrella deviceid |
Displays Cisco Umbrella registration status for Cisco IOS XE Catalyst SD-WAN devices. |
View Cisco Catalyst SD-WAN Validator Information
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device from the list of devices that is displayed.
-
Click Real Time in the left pane.
-
From the Device Options drop-down list, choose one of the following commands:
Device Option |
CLI Command |
Description |
---|---|---|
Orchestrator Reverse Proxy Mapping |
show orchestrator reverse-proxy-mapping |
Displays the proxy IP addresses and port numbers that are configured for use by reverse proxy. |
Orchestrator Statistics |
show orchestrator statistics |
Displays statistics about the packets that a Cisco Catalyst SD-WAN Validator has transmitted and received in the process of establishing and maintaining secure DTLS connections to a Cisco IOS XE Catalyst SD-WAN devices in the overlay network. |
Orchestrator Valid vManage ID |
show orchestrator valid-vmanage-id |
Lists the chassis numbers of the valid Cisco SD-WAN Manager instance in the overlay network. |
View Cloud Express Information
To view Cloud Express information on a device, perform the following steps:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device from the list of devices that is displayed.
-
Click Real Time in the left pane.
-
From the Device Options drop-down list, choose one of the following commands:
Device Option |
Command |
Description |
---|---|---|
Cloud Express Applications |
show sdwan cloudexpress applications |
Displays the best path that Cloud onRamp for SaaS has selected for each configured SaaS application on Cisco IOS XE Catalyst SD-WAN devices. |
Cloud Express Gateway Exits |
|
Displays the Quality of Experience (QoE) measurements received from gateway sites, for Cloud onRamp for SaaS on Cisco IOS XE Catalyst SD-WAN devices. |
Cloud Express Local Exits |
|
Displays the list of applications enabled for Cloud onRamp for SaaS probing on Cisco IOS XE Catalyst SD-WAN devices, and the interfaces on which the probing occurs. |
View Control Connections
To view all control connections for a device:
-
From the Cisco SD-WAN Manager menu, choose .
-
Choose a device to view its control connections.
If you select a controller device—a Cisco Catalyst SD-WAN Validator, Cisco SD-WAN Manager, or a Cisco Catalyst SD-WAN Controller, the Control Connections screen opens by default.
-
If you choose an edge device, the System Status screen displays by default. To view control connections for the device, click Control Connections in the left pane. The right pane displays information about all control connections that the device has with other controller devices in the network.
The upper area of the right pane contains the following elements:
-
Expected and actual number of connections.
-
Control connection data in graphical format. If the device has multiple interfaces, Cisco SD-WAN Manager displays a graphical topology of all control connections for each color.
The lower area of the right pane contains the following elements:
-
Search bar—Includes the Search Options drop-down, for a Contains or Match.
-
Control connections data in tabular format. By default, the first six control connections are selected. The graphical display in the upper part of the right pane plots information for the selected control connections.
View Data Policies
A centralized data policy is configured and applied on Cisco SD-WAN Controllers, and is then carried in OMP updates to the edge devices in the site-list that the policy is applied to. Centralized data policy examines fields in the headers of data packets, looking at the source and destination addresses and ports, and the protocol and DSCP values, and for matching packets, it modifies the next hop in a variety of ways or applies a policer to the packets. The policy match operation and any resultant actions are performed on the router as it transmits or receives data traffic.
Localized data policy, also called access lists (ACLs), is configured directly on a local router and affects data traffic being transmitted between the routers on the Cisco Catalyst SD-WAN overlay network.
To view ACL information on a router, do the following:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device from the list of devices that appears.
-
Click Real Time in the left pane.
-
Click Device Options, and choose one of the following commands:
Command |
Description |
---|---|
show policy access-list-names |
View names of configured ACLs |
show policy access-list-associations |
View Interfaces to which ACLs are applied |
show policy access-list-associations |
View count of packets affected by ACLs |
View Cisco Catalyst SD-WAN Controller Policy
To view policy information from Cisco Catalyst SD-WAN Controller on a device, perform the following steps:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device from the list of devices that appears.
-
Click Real Time in the left pane.
-
Click Device Options, and choose one of the following commands:
Device Option |
Command |
Description |
---|---|---|
Policy from vSmart |
show sdwan policy from-vsmart |
Displays a centralized data policy, an application-aware policy, or a cflowd policy that a Cisco Catalyst SD-WAN Controller has pushed to the Edge devices. |
View Devices Connected to Cisco Catalyst SD-WAN Manager
-
From the Cisco SD-WAN Manager menu, choose .
-
Under Service Configuration, click the hostname of the desired Cisco SD-WAN Manager server. The vManage Details screen appears.
-
Or alternatively:
Under Service Configuration, for the desired Cisco SD-WAN Manager instance, click ... and choose Device Connected.
View Device Information
You can view basic or detailed information for a device in the overlay network.
To view basic information:
-
From the Cisco SD-WAN Manager menu, choose .
-
Hover over the device icon.
A pop-up box displays the system IP address, hostname, site ID, device type, and device status. To view more information for a device, double-click the device icon to open the View More Details pop-up box. Click Device Dashboard, Device Details, SSH Terminal, or Links to get further details for the device.
To view detailed information:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Locate the WAN edge router to view the status. You can either scroll through the list of devices in the device table or enter a keyword in the search bar.
-
Click the relevant device under the Hostname column. The right pane displays System Status by default. To view more detailed information for the device, choose one of the categories from the left pane.
![]() Note |
Starting from Cisco vManage Release 20.9.2, the page displays the devices that are newly added or synced to Cisco SD-WAN Manager using the options available on the page. |
View Device Health in Table View
Minimum supported release: Cisco vManage Release 20.10.1
You can view details about the device health for the last one hour in the table view by default in the Monitor Device window.
The table displays:
-
Device model
-
Site ID
-
System IP address
-
Device health
-
Device reachability
-
Memory utilization
-
CPU load
You can also view the health of all the devices on a single site by clicking All Sites and selecting the site ID to enter the single site view.
Devices Health Metrics
The devices health is calculated as follows:
Health State |
Reachability |
Control Plane |
Data Plane |
Resources |
Evaluation Logic |
---|---|---|---|---|---|
Good |
Device reachable |
All control connections up |
All BFD tunnels up |
CPU usage < 75% Memory usage < 75% |
All attributes met |
Fair |
Device reachable |
> = 1 control connections up |
> = 1 BFD tunnels up |
CPU usage > 75% Memory usage > 75% |
Any attributes met |
Poor |
Device not reachable |
No control connections up |
No BFD tunnels up |
CPU usage > 90% Memory usage > 90% |
Any attributes met |
For a single device record the health is calculated as follows:
Health |
QoE |
---|---|
Good |
10 |
Fair |
5 |
Poor |
0 |
The average health metric of devices is calculated as follows:
Health |
QoE |
---|---|
Good |
QoE >= 6.67 |
Fair |
3.34 <= QoE < 6.67 |
Poor |
0 < QoE < 3.34 |
View Device Health in Heatmap View
Minimum supported release: Cisco vManage Release 20.10.1
In the heatmap view, the grid of colored squares displays the device health as Good, Fair, or Poor. You can hover over a square or click it to display additional details of a device at a specific time. Click the time interval drop-down list to change the time selection and filter the data for a specific interval.
You can view the health of all the devices on a single site by clicking All Sites and selecting the site ID to enter the single site view.
View DHCP Server and Interface Information
When you configure a tunnel interface on a device, several services are enabled by default on that interface, including DHCP. The device can act as a DHCP server for the service-side network to which it is connected, assigning IP addresses to hosts in the service-side network. It can also act as a DHCP helper, forwarding requests for IP addresses from devices in the service-side network to a DHCP server that is in a different subnet on the service side of the device.
To view DHCP server and interface information:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose the device by clicking its name in the Hostname column.
-
Click Real Time in the left pane.
-
From the Device Options drop-down list in the right pane. choose one of the following to view specific DHCP server and interface information:
Device Option |
Command |
Description |
---|---|---|
DHCP Servers |
show dhcp server |
View information about the DHCP server functionality that is enabled on the device |
DHCP Interfaces |
show dhcp interface |
View information about the interfaces on which DHCP is enabled on an edge device or a Cisco SD-WAN Controller |
View SAIE Flows
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.1 and earlier: From the Cisco SD-WAN Manager menu, choose .
Starting from Cisco vManage Release 20.6.1, to view the detailed SD-WAN Application Intelligence Engine (SAIE) flow information such as source IP address, destination IP address, and port details, you need to add the devices to the on-demand troubleshooting list. Add the device to the on-demand troubleshooting list from .
Note
-
In Cisco vManage Release 20.6.1 and earlier releases, On Demand Troubleshooting is part of the Monitor menu.
-
In Cisco vManage Release 20.7.1 and earlier releases, the SAIE flow is called the deep packet inspection (DPI) flow.
-
Ensure that no Cisco or third-party APIs that instruct on-demand troubleshooting to stop are called. These APIs prevent on-demand troubleshooting from compiling information.
To enhance the application visibility, the data collection process on the device generates aggregated application statistics usage data, which in turn reduces the size of the statistics data files that are processed by default on the management plane. This enhancement allows Cisco SD-WAN Manager to collect SAIE data efficiently and reduce the processing time of the management plane.
-
-
Under Applications in the left pane, click SAIE Applications. The right pane displays SAIE flow information for the device.
Note
-
When displaying the SAIE flow usage, peak usage is shown to be higher from one time interval than for another for the same time period. This situation occurs because the data is not yet available from the statistics database to display in Cisco SD-WAN Manager. Cisco SD-WAN Manager displays only available data and then plots that data in the appropriate axis.
-
In Cisco vManage Release 20.7.1 and earlier releases, SAIE Applications is called DPI Applications.
-
The upper part of the right pane contains:
-
Filter option: Click the Filter option to view a drop-down menu to choose the desired VPN and Local TLOC. Click Search. Click a predefined or custom time period for which to view the data.
Note
Filtering Local TLOC : Dia is supported only for Cisco vEdge devices.
-
SAIE flow information in graphical format.
-
SAIE flow graph legend—Select an application family to display information for just that flow. Click the Total Network Traffic check box to display flow information as a proportion of total network traffic.
The lower part of the right pane contains:
-
Filter criteria.
-
SAIE flow information table that lists all application families sorted by usage. By default, the top six application families are selected. The graphical display in the upper part of the right pane plots the flow and usage of the selected application families.
-
Click the check box on the left to select or deselect application families. You can choose to view information for a maximum of six application families at one time.
-
Click an application family to view applications within the family.
-
Click an application to view the source IP addresses of the devices accessing the application. The Traffic per TLOC pie chart next to the graph displays traffic distribution per TLOC (color).
-
To re-arrange the columns, drag the column title to the desired position.
-
View Interface MTU Information
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device by clicking its name in the Hostname column.
-
Click Real Time in the left pane.
-
From the Device Options drop-down list in the right pane, choose Interface Detail.
View Interfaces in Management VPN or VPN 512
VPN 512 is commonly used for out-of-band management traffic. To display information about the interfaces in VPN 512 on a router:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Locate the device that you want to view the status for. You can either scroll through the list of devices in the device table or enter a keyword in the search bar.
-
Choose the device by clicking its name in the Hostname column.
-
In the left pane, click Real Time.
-
From the Device Options drop-down list in the right pane, choose Interface Detail.
-
In the Select Filter dialog box, click Show Filters if you want to use filters. Otherwise click Do Not Filter.
-
In the Search bar, enter 512, which is the management VPN.
CLI equivalent: show interface vpn 512.
View License Information
To view license information on a device, perform the following steps:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device from the list of devices that is displayed.
-
Click Real Time in the left pane.
-
Click Device Options, and choose one of the following commands:
Device Option |
Command |
Description |
---|---|---|
Smart License <info> |
show licenses |
Display the licenses for the software packages used by Cisco Catalyst SD-WAN. |
View Logging Information
To view logging information on a device, perform the following steps:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device from the list of devices that is displayed.
-
Click Real Time in the left pane.
-
Click Device Options and choose the following command:
Device Option |
Command |
Description |
---|---|---|
Logging |
show logging |
Displays the settings for logging syslog messages. |
View Log of Certificate Activities
To view the status of certificate-related activities, use the Cisco SD-WAN Manager window.
-
From the Cisco SD-WAN Manager toolbar, click the tasks icon. Cisco SD-WAN Manager displays a list of all running tasks along with the total number of successes and failures.
-
Click a row to see details of a task. Cisco SD-WAN Manager opens a status window displaying the status of the task and details of the device on which the task was performed.
View Log of Configuration Template Activities
To view a log of activities related to creation of configuration templates and the status of attaching configuration templates to devices:
-
From the Cisco SD-WAN Manager menu, choose .
-
Choose WAN Edge List or Controllers, and choose a device.
-
For the desired device, click ... and choose Template Log.
View Loss Percentage, Latency, Jitter, and Octet Information for Tunnels
View the loss percentage, latency, jitter, and octets for tunnels in a single chart option in Cisco SD-WAN Manager.
Feature Name |
Release Information |
Description |
---|---|---|
View Loss Percentage, Latency, Jitter, and Octet Information for Tunnels |
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a Cisco SD-WAN Release 20.5.1 Cisco vManage Release 20.5.1 |
You can view the loss percentage, latency, jitter, and octet information for tunnels in a single chart option in Cisco SD-WAN Manager. |
View Loss Percentage, Latency, Jitter, and Octets for Tunnels
You can choose the Real Time option or other time frames to view tunnel information in the graph.
To view loss percentage, latency, jitter, and octets in Cisco SD-WAN Manager:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device.
-
In the left pane, click Tunnel under the WAN area. The right pane displays information about all tunnel connections.
-
In the right pane, click Chart Options to choose the format in which you want to view the information. Click Loss Percentage/Latency/Jitter/Octets for troubleshooting tunnel information.
The upper part of the right pane contains the following elements:
-
Data for each tunnel is graphed based on time.
-
Legend for the graph—Choose a tunnel to view information for just that tunnel. Lines and data points for each tunnel are uniquely colored.
The lower part of the right pane contains the following elements:
-
Search bar—Includes the Search Options filter to filter the table based on a Contains or a Match criteria.
-
Tunnel Table—Lists the jitter, latency, loss percentage, and other data about all the tunnel end points. By default, the first six tunnels are selected. The graphical display in the upper part of the right pane plots information for the selected tunnels.
-
Click the column drop-down lists to enable or disable all of the descriptions.
-
Check the check box to the left to select and deselect tunnels. You can choose and view information for a maximum of six tunnels at one time.
-
View Multicast Information
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device from the list of devices that displays.
-
Click Real Time in the left pane.
-
From the Device Options drop-down list, choose one of the following commands as relevant:
Device Option |
Command |
Description |
---|---|---|
Multicast Topology |
show multicast topology |
View topology information about the Multicast Domain |
OMP Multicast Advertised Autodiscover or OMP Multicast Received Autodiscover |
show omp multicast multicast-auto-discover |
View peers that support Multicast |
Multicast Tunnels |
show multicast tunnel |
View information about IPsec tunnels between Multicast peers |
Multicast RPF |
show multicast rpf |
View Multicast reverse-path forwarding information |
Multicast Replicator |
show multicast replicator |
View Multicast replicators |
OMP Multicast Advertised Routes or OMP Multicast Received Routes |
show omp multicast-routes |
View Multicast routes that OMP has learned from PIM join messages |
View NMS Server Status
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a Cisco SD-WAN Manager device from the list of devices that is displayed.
-
Click Real Time in the left pane.
-
From the Device Options drop-down list, choose NMS Server Running.
Device Option |
Command |
Description |
---|---|---|
NMS Server Running |
show nms-server running |
Displays whether a Cisco SD-WAN Manager NMS server is operational. This device option is available from Cisco vManage Release 20.6.1. |
View Device Configuration
-
From the Cisco SD-WAN Manager menu, choose .
-
Click WAN Edge List or Controllers.
-
To view the running configuration, for the desired device, click … and choose Running Configuration.
To view the local configuration, for the desired device, click … and choose Local Configuration.
View Routing Information
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device from the list of devices that appears.
-
Click Real Time in the left pane.
-
Click Device Options, and choose one of the following commands as relevant:
Device Options |
Command |
Description |
---|---|---|
IP Routes |
show ip routes show ipv6 routes |
Displays information about the IP route table entries. Displays the IPv6 entries in the local route table. |
IP FIB |
show ip fib show ipv6 fib |
Displays information about forwarding table entries. Display the IPv6 entries in the local forwarding table. |
IP MFIB Summary |
show ip mfib summary |
Displays information about a summary of active entries in the multicast FIB. |
IP MFIB OIL |
show ip mfib oil |
Displays information about outgoing Interfaces from the multicast FIB. |
IP MFIB Statistics |
show ip mfib stats |
Displays information about statistics for active entries in the multicast FIB. |
OMP Peers |
show omp peers |
Displays OMP peers and their peering sessions. |
OMP Summary |
show omp summary |
Displays information about the OMP sessions running between Cisco SD-WAN Controller and the routers. |
OMP Received Routes or OMP Advertised Routes |
show omp routes show sdwan omp routes |
Displays OMP routes. From Cisco vManage Release 20.11.1, you can download OMP route details in JSON or CSV formats for Cisco IOS XE Catalyst SD-WAN devices. |
OMP Received TLOCs or OMP Advertised TLOCs |
show omp tlocs |
Displays OMP TLOCs. |
OSPF Interfaces |
show ospf interface |
Displays information about the Interfaces running OSPF. |
OSPF Neighbors |
show ospf neighbor |
Displays information about the OSPF neighbors. |
OSPF Routes |
show ospf routes |
Displays routes learned from OSPF. |
OSPF Database Summary |
show ospf database-summary |
Displays a summary of the OSPF link-state database entries. |
OSPF Database |
show ospf database |
Displays information about the OSPF link-state database entries. |
OSPF External Database |
Not applicable |
Display OSPF external routes. External routes are OSPF routes that are not within the OSPF AS (domain). |
OSPF Processes |
show ospf process |
Display the OSPF processes. |
PIM Interfaces |
show pim interface |
Displays information about interfaces running PIM. |
PIM Neighbors |
show pim neighbor |
Displays information about PIM neighbors. |
PIM Statistics |
show pim statistics |
Displays information about PIM-related statistics. |
Interface Detail |
show ipv6 interface |
Displays information about IPv6 interfaces on Cisco Cisco IOS XE Catalyst SD-WAN devices. From Cisco vManage Release 20.6.1, this device option is available on all Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices. |
View Services Running on Cisco Catalyst SD-WAN Manager
-
From the Cisco SD-WAN Manager menu, choose .
-
Under Service Configuration, click the hostname of the desired Cisco SD-WAN Manager server. The screen displays the process IDs of all the Cisco SD-WAN Manager services that are enabled on Cisco SD-WAN Manager.
View SFP Information
To view SFP information on a router, perform the following steps:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device from the list of devices that is displayed.
-
Click Real Time in the left pane.
-
Click Device Options, and choose one of the following commands:
Device Option |
Command |
Description |
---|---|---|
SFP Detail |
show interface sfp detail |
Displays detailed SFP status and digital diagnostic information. |
SFP Diagnostic |
show interface sfp detail |
Displays SFP digital diagnostic information. |
SFP Measurement Value |
show interface sfp detail |
Displays SFP measurement data. |
SFP Measurement Alarm |
show interface sfp detail |
Displays SFP alarm information for the measurements. |
View Site Health Dashlet
Minimum supported release: Cisco vManage Release 20.10.1
You can view the overall health across all sites in the Site Health dashlet on the Monitor Overview dashboard.
The Site Health dashlet displays the health, which is calculated by the average Quality of Experience (QoE) across all sites. The site health depends on the health metrics of devices, tunnels, and applications at that site.
Starting from Cisco Catalyst SD-WAN Manager Release 20.12.1, a bar graph displays the bandwidth usage information for each site, and changes in bandwidth from the last time period. You can filter the view based on health status using the drop-down list for Good Performing Sites, Fair Performing Sites, and Poor Performing Sites.
Click View Details to open the site table view window.
View Site Health in Table View
Minimum supported release: Cisco vManage Release 20.10.1
In the sites table view you can view the site health, tunnel health, device health, application health, and application usage.
The sites table view displays all the sites by default and the overall health scores for sites, devices, tunnels, and applications. The table also displays the application usage data for the last one hour.
Site Health Metrics
The average health metric of sites is calculated as follows:
Health |
Condition |
---|---|
Good |
All applications, WAN edge devices, and tunnels are in good state. |
Fair |
Any one application, WAN edge device, or tunnel in fair state. |
Poor |
Any one application, WAN edge device, or tunnel in poor state. |
View Site Health in Heatmap View
Minimum supported release: Cisco vManage Release 20.10.1
In the heatmap view, the grid of colored squares displays the site health as Good, Fair, or Poor. You can hover over a square or click to display additional details of a site at a specific time. The data shown here in the aggregated dats for the last three hours. Click the time interval drop-down list to change the time selection and filter the data for a specific interval.
View the Software Versions Installed on a Device
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device by clicking its name in the Hostname column.
-
Click Real Time in the left pane.
-
From the Device Options drop-down list in the right pane, choose Software Versions.
View and Open TAC Cases
Feature Name |
Release Information |
Description |
---|---|---|
Access TAC Cases from Cisco SD-WAN Manager |
Cisco IOS XE Catalyst SD-WAN Release 17.9.1a Cisco vManage Release 20.9.1 Cisco SD-WAN Release 20.9.1 |
This feature allows you to access Support Case Manager (SCM) wizard using Cisco SD-WAN Manager. You can create, view, or edit the support cases directly from Cisco SD-WAN Manager without having to go to a different Case Manager portal. |
SCM Integration Improvements |
Cisco IOS XE Catalyst SD-WAN Release 17.11.1a Cisco vManage Release 20.11.1 |
This feature introduces various enhancements to the Settings page in Cisco SD-WAN Manager and the Support Case Manager (SCM) wizard. |
Supported Devices
This feature is supported on both Cisco Catalyst SD-WAN and Cisco IOS XE Catalyst SD-WAN devices.
Overview
For any Cisco SD-WAN Manager troubleshooting issues, you raise a support case in the SCM portal. In Cisco SD-WAN Manager, there is a provision to upload an Admin-Tech File to a specific Service Request (SR) on the SCM server by providing the SR number and the token details.
Starting from Cisco vManage Release 20.9.1, you can access SCM portal from Cisco SD-WAN Manager. In the SCM portal, you can create, view, or upload an admin-tech file. For more information on Admin-tech files, see Admin-Tech File.
Prerequisites to Access TAC Cases
-
You need active Cisco single sign-on (SSO) login credentials to access the SCM Wizard and the cloud server.
View TAC Cases
Perform the following steps to view TAC cases from Cisco SD-WAN Manager.
-
From the Cisco SD-WAN Manager menu, choose .
-
Login to the SCM portal using Cisco SSO login.
The TAC Support Cases portal displays a list of cases.
Open a TAC Case
Perform the following steps to open a TAC Case from Cisco SD-WAN Manager.
-
From the Cisco SD-WAN Manager menu, choose .
-
In the TAC Support Cases page, click Open a Case.
-
Enter all the other relevant case details.
-
Click Create.
The TAC Support Cases portal now displays the updated list of cases.
For more information about using SCM portal, refer Cisco TAC Connect.
View Template Log and Device Bringup
View Log of Template Activities
A log of template activities contains information that relates to creating, editing, and deleting configuration templates, and the status of attaching configuration templates to devices. This information can be useful for troubleshooting.
To view a log of template activities:
-
From the Cisco SD-WAN Manager menu, choose .
-
Click WAN Edge List or Controllers, and select the device.
-
Click …, and click Template Log.
View Status of Device Bringup
You can view the status of the operations involved in bringing a router or controller up in the overlay network. This information can help you monitor these operations.
To view the status of a device bringup:
-
From the Cisco SD-WAN Manager menu, choose .
-
Click WAN Edge List or Controllers, and select the device.
-
Click …, and click Device Bring Up.
View the Status of a Cisco Catalyst SD-WAN Validator
You have the following options to view the status of a Cisco Catalyst SD-WAN Validator.
Use the Dashboard Screen
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.1 and earlier: From the Cisco SD-WAN Manager menu, choose .
-
For releases before Cisco vManage Release 20.6.1, click the upward or downward arrow next to Cisco vBond.
For Cisco vManage Release 20.6.1 and later, click the number representing the number of Cisco SD-WAN Validator orchestrators in your overlay network.
-
To know the status of the Cisco Catalyst SD-WAN Validator, see the Reachability column in the dialog box that opens.
Use the Geography Screen
-
From the Cisco SD-WAN Manager menu, choose .
-
Click Filter and choose vBond under Types.
-
Click the Cisco SD-WAN Validator icon to check its status.
Use the Network Screen
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.1 and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Locate the Cisco Catalyst SD-WAN Validator that you want to view the status for. You can either scroll through the list of devices in the device table or enter vBond as the keyword in the search bar.
-
Click the relevant Cisco Catalyst SD-WAN Validator under the Hostname column. The Control Connections screen opens by default and displays information about all control connections that the device has with other controller devices in the network.
View Device Status in the Overlay Network
You have the following options to view the status of a device in the overlay network.
Use the Dashboard Screen
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
For releases before Cisco vManage Release 20.6.1, click the upward or downward arrow next to WAN Edge.
For Cisco vManage Release 20.6.1 and later, click the number representing the number of WAN Edge devices.
-
To know the status of the WAN edge device, see the Reachability column in the dialog box that opens.
Use the Geography Screen
-
From the Cisco SD-WAN Manager menu, choose .
-
Click Filter and choose WAN Edge under Types.
-
Click the router icon to check its status.
Use the Network Screen
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Locate the WAN edge router that you want to view the status for. You can either scroll through the list of devices in the device table or enter a keyword in the search bar.
-
Click the relevant WAN edge router under the Hostname column. The System Status screen opens by default.
View Top Applications Pane
The Top Applications pane in the Cisco SD-WAN Manager page displays the SD-WAN Application Intelligence Engine (SAIE) flow information for traffic transiting WAN Edge routers in the overlay network.
![]() Note |
In Cisco vManage Release 20.7.1 and earlier releases, the SAIE flow is called the deep packet inspection (DPI) flow. |
To list top applications by VPN, select a VPN from the drop-down list. To select a time period for which to display data, click the Time drop-down list.
To list top applications in a sidebar:
-
Click View Details to open the Top Applications sidebar. It displays a more detailed view of the same information.
-
In SAIE Application, from the VPN drop-down list, select the desired VPN, and then click Search.
Note
In Cisco vManage Release 20.7.1 and earlier releases, SAIE Application is called DPI Application.
-
Click Chart to list the applications.
-
Click Details to display more information about the applications.
-
-
Click SSL Proxy, from the View by Policy Actions drop-down list, select the policy action. All Policy Action, Encrypted, Un-Encrypted, Decrypted view are supported. From the VPN drop-down list, select the desired VPN, and then click Search. The Hour option displays statistics for the selected hour duration.
-
Click Chart to list the SSL applications.
-
Click Details to display more information about the SSL applications.
-
-
Click X to close the window and return to the page.
![]() Note |
In Cisco vManage Release 20.6.1 and earlier releases, Cisco SD-WAN Manager has the following behavior: |
-
The Top Applications pane is part of the page.
-
A filter icon instead of a drop-down list lists the VPN options and indicates the time period for which to display data.
-
An expand icon instead of the View Details button opens the Top Applications pop-up window.
![]() Note |
Flow DPI data is collected by Cisco SD-WAN Manager on schedule but processed on user requests. Flow DPI based reports are available after data is processed. |
View the Status of a Cisco Catalyst SD-WAN Controller
You have the following options to view the status of a Cisco Catalyst SD-WAN Controller.
Use the Dashboard Screen
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.1 and earlier: From the Cisco SD-WAN Manager menu, choose .
-
For releases before Cisco vManage Release 20.6.1, click the upward or downward arrow next to Cisco vSmart.
For Cisco vManage Release 20.6.1 and later, click the number representing the number of Cisco SD-WAN Controller in your overlay network.
-
To know the status of the Cisco Catalyst SD-WAN Controller, see the Reachability column in the dialog box that opens.
Use the Geography Screen
-
From the Cisco SD-WAN Manager menu, choose .
-
Click Filter and choose vSmart under Types.
-
Click the Cisco SD-WAN Controller icon to check its status.
Use the Network Screen
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.1 and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Locate the Cisco Catalyst SD-WAN Controller that you want to view the status for. You can either scroll through the list of devices in the device table or enter vBond as the keyword in the search bar.
-
Click the relevant Cisco Catalyst SD-WAN Controller instance under the Hostname column. The Control Connections screen opens by default and displays information about all control connections that the device has with other controller devices in the network.
View Tunnel Connections
To view details about the top 100 data plane tunnels between Cisco Catalyst SD-WAN devices with the lowest average latency, do the following:
-
From the Cisco SD-WAN Manager menu, choose .
The Tunnels table lists the following information about all tunnel end points:
-
Health
-
State
-
Quality of Experience (QoE) score. The QoE score rates the quality of experience of an application that a network can deliver for a period of time.
-
Local IP and remote IP
-
Average latency, loss, and jitter data
The health of a tunnel is defined based on the following criteria:
-
Good: If the QOE score is between 8 and 10, and the tunnel status is 1/1.
-
Fair: If the QOE score is between 5 and 7, and the tunnel status is 1/1.
-
Poor: If the QOE score is between 1 and 4, or the tunnel status is 0/1.
-
![]() Note |
The tunnel information is available in Cisco SD-WAN Manager as a separate menu starting from Cisco vManage Release 20.7.1. |
To view tunnel connections of a specific device, do the following:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device from the list of devices that is displayed.
-
In the left pane, click TLOC under the WAN area. The right pane displays information about all tunnel connections.
-
(Optional) Click the Chart Options drop-down list to choose the type of data to view.
You can also choose a predefined time period or a custom time period to sort the data. -
(Optional) In the lower part of the right pane, use the filter option in the search bar to customize the table fields you want to view.
The tunnel table lists average latency, loss, and jitter data about all tunnel end points. By default, the first six tunnels are selected. The graphical display in the upper part of the right pane plots information for the selected tunnels.
-
(Optional) Click the check box to the left to select and deselect tunnels. You can select and view information for a maximum of 30 tunnels at one time.
-
(Optional) Click Application Usage to the right to view the SD-WAN Application Intelligence Engine (SAIE) flow information for that TLOC.
Note
-
Beginning with Cisco vManage Release 20.8.1, the Application Usage column and the Application Usage links are removed from the window. After you have configured on-demand troubleshooting for a device, you can view SAIE usage data based on the selected filters or based on application families sorted by usage.
-
In Cisco vManage Release 20.7.x and earlier releases, the SAIE flow is called the deep packet inspection (DPI) flow.
For more information on configuring on-demand troubleshooting, see On-Demand Troubleshooting. For more information on viewing SAIE flows, see View SAIE Flows.
-
View Tunnel Health in Table View
Minimum supported release: Cisco vManage Release 20.10.1
In the Monitor Tunnels window the table shows information about the health of tunnels created in the last hour, displaying a maximum of 10,000 tunnels.
The tunnel information includes the following:
-
Tunnel health
-
State
-
Quality of Experience (QoE)
-
Average latency
-
Average loss
-
Average jitter
-
Local IP address
-
Remote IP address
You can also view the tunnel health on a single site by clicking All Sites and selecting the site ID to enter the single site view.
Tunnel Health Metrics
The average health metric of tunnels is calculated as follows:
Health |
QoE |
Status |
Evaluation Logic |
---|---|---|---|
Good |
QoE >= 8 |
UP |
All attributes met |
Fair |
5 <= QoE < 8 |
UP |
All attributes met |
Poor |
0 < QoE< 5 |
DOWN |
Any attributes met |
View Tunnel Health in Heatmap View
Minimum supported release: Cisco vManage Release 20.10.1
In the heatmap view, a grid of colored squares displays the tunnel health as Good, Fair, or Poor. You can hover over a square or click to display additional details of a tunnel at a specific time. Click the time interval drop-down list to change the time selection and filter the data for a specific interval.
You can view the tunnel health on a single site by clicking All Sites and selecting the site ID to enter the single site view.
View Tunnel Health Dashlet
Minimum supported release: Cisco vManage Release 20.10.1
You can view details about the tunnel health on Monitor Overview dashboard.
The Tunnel Health dashlet lists the following information about all tunnel end points:
-
Health
-
Average latency, loss, and jitter data
You can view the tunnel health across all sites in a graphical format. You can also filter the tunnel information based on the health status using the drop-down list for Good Tunnels, Fair Tunnels, and Poor Tunnels, and Latency, Loss, and Jitter.
Starting from Cisco Catalyst SD-WAN Manager Release 20.12.1, a bar graph displays current status of the tunnel and the change in status from the last time period.
Click View Details to open the Monitor > Tunnels window to view the tunnel health in table view.
View Tunnel Loss Statistics
View Data Plane Tunnel Loss Statistics
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device from the list of devices that displays.
-
Click Real Time in the left pane.
-
From the Device Options drop-down list, choose Tunnel Statistics.
View Traffic Loss for Application-Aware Routing
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Scroll down to the Application-Aware Routing pane.
You can also use the show app-route statistics command to view traffic loss for application-aware routing.
View WAN Interfaces
Transport interfaces in VPN 0 connect to a WAN network of some kind, such as the Internet, Metro Ethernet network, or an MPLS network.
You can view information about WAN interfaces on a device using one of the following options:
Real Time Pane
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Locate the device that you want to view the status for. You can either scroll through the list of devices in the device table or enter a keyword in the search bar.
-
Choose the device by clicking its name in the Hostname column.
-
In the window that opens, choose Real Time in the left pane.
-
From the Device Options drop-down in the right pane, choose Control WAN Interface Information.
Note
Starting from Cisco Catalyst SD-WAN Manager Release 20.12.1, a new field Bind Interface is introduced to display mapping relationship between the loopback interfaces and the physical interfaces.
Interface Pane
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
From the Device Groups drop-down list, choose the device group to which the device belongs.
-
Choose the device by clicking its name in the Hostname column.
-
In the left pane, choose Interface.
View WAN Edge Health Dashlet
Minimum supported release: Cisco vManage Release 20.10.1
You can view the state for each WAN edge device and the number of WAN edge devices in that state in the WAN Edge Health dashlet on Monitor Overview dashboard.
You can view the state for each WAN edge device and the number of WAN edge devices in that state in the WAN Edge Health dashlet on Monitor Overview dashboard.
Starting from Cisco Catalyst SD-WAN Manager Release 20.12.1, a bar chart displays the CPU utilization of WAN edge devices at a site, and the changes in CPU utilization from the last time period.
You can filter the WAN Edge Health dashlet view based on the health status using the drop-down list for Good Devices, Fair Devices, and Poor Devices and also for CPU Load and Memory Load.
Click View Details to open the Monitor > Devices window to view the device health in table view.
View VRRP Information
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device.
-
Click Real Time from the left pane.
-
Click Device Options, and choose VRRP Information.
View Device Interfaces
To view information about interfaces on a device:
-
From the Cisco SD-WAN Manager menu, choose .
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose .
-
Choose a device by clicking its name in the Hostname column.
-
Click Interface in the left pane. The right pane displays interface information for the device.
The upper part of the right pane contains:
-
Chart Options bar—Located directly under the device name, this bar includes:
-
Chart Options drop-down—Click Chart Options to choose how the data should be displayed.
-
IPv4 & IPv6 drop-down—Click IPv4 & IPv6 to choose the type of interfaces to view. The information is displayed in graphical format. By default, the graph is Combined, showing interfaces on which both IPv4 and IPv6 addresses are configured. To view IPv4 and IPv6 interfaces in separate graphs, select the Separated toggle button.
-
Time periods—Click either Real Time, a predefined time period, or a custom time period for which to view the data.
-
-
Interface information in graphical format.
-
Interface graph legend—Choose an interface to display information for just that interface.
The lower part of the right pane contains:
-
Filter criteria.
-
Interface table, which lists information about all interfaces. By default, the first six interfaces are displayed. The graphical display in the upper part of the right pane plots information for the selected interfaces.
-
Check the check box to the left to select and deselect interfaces. You can select and view information for a maximum of 30 interfaces at a time.
-
To rearrange the columns, drag the column title to the desired position.
-
For cellular interfaces, click the interface name to view a detailed information about the cellular interface.
-
To view interface status and interface statistics, see show interface and show interface statistics.