Troubleshoot SD-WAN – Part 1

Hi there,

While deploying Cisco SD-WAN, you might face control connection errors related to certificates. Here are some tips to help you troubleshoot:


Missing Serial Number

Issue the show control connections-history command. In the Local Error column of the output, the values BIDNTVRFD, CRTREJSER, and SERNTPRES indicate a missing serial number.

  • BIDNTVRFD indicates a missing serial number for vBond orchestrators.
  • CRTREJSER indicates a missing serial number for vEdge routers and vSmart controllers.
  • SERNTPRES on a vBond orchestrator indicates a serial number mismatch between vSmart controllers.

To resolve the problem, send the device's serial number to the controllers:

  • In vManage NMS, select the Configuration > Certificates screen.
  • In the vEdge List tab, select the device whose serial number is missing.
  • Click Send to Controllers.

Revoked Certificate

Issue the show control connections-history command. In the Local Error column of the output, the value VECRTREV indicates a revoked certificate on a vEdge router. The value VSCRTREV indicates a revoked certificate on a remote vSmart controller. If a certificate is revoked on a local vSmart controller, the value VSCRTREV displays in the Remote Error column.

A certificate verification failure occurs when the certificate cannot be verified against the installed root certificate. You should check that the time is at least within the vBond's certificate validity range.
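The codes from the two sections above can be triaged from saved command output. The script below is an added example, not Cisco tooling or part of the original post. It assumes each data row is whitespace-separated and ends with the Local Error, Remote Error, repeat count and downtime fields, and the sample rows are constructed.

```python
# Added example, not Cisco tooling. Assumption: each data row is
# whitespace-separated and ends with LOCAL ERROR, REMOTE ERROR,
# REPEAT COUNT, DOWNTIME, so the error codes are fields -4 and -3.
PEER_TYPES = {"vbond", "vsmart", "vmanage", "vedge"}
SERIAL_CODES = {"BIDNTVRFD", "CRTREJSER", "SERNTPRES"}  # fixed by Send to Controllers

# Meaning depends on the column: VSCRTREV points at the remote vSmart
# in Local Error and at the local vSmart in Remote Error.
LOCAL = {
    "BIDNTVRFD": "serial number missing for a vBond orchestrator",
    "CRTREJSER": "serial number missing for a vEdge router or vSmart controller",
    "SERNTPRES": "serial number mismatch between vSmart controllers (on a vBond)",
    "VECRTREV": "certificate revoked on a vEdge router",
    "VSCRTREV": "certificate revoked on the remote vSmart controller",
}
REMOTE = {"VSCRTREV": "certificate revoked on the local vSmart controller"}


def triage(output):
    """Return (peer_type, column, code, meaning, resend_serial) per finding."""
    findings = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in PEER_TYPES:
            continue  # header, ruler or blank line
        for column, code, table in (("local", fields[-4], LOCAL),
                                    ("remote", fields[-3], REMOTE)):
            if code in table:
                findings.append((fields[0], column, code, table[code],
                                 code in SERIAL_CODES))
    return findings


# Constructed sample rows (documentation addresses, made-up timestamps).
SAMPLE = """\
PEER TYPE  PROTOCOL  SYSTEM IP ... STATE  LOCAL ERROR  REMOTE ERROR  REPEAT COUNT  DOWNTIME
vbond   dtls 0.0.0.0  0   0 192.0.2.10 12346 192.0.2.10 12346 default tear_down CRTREJSER NOERR    4 2024-01-01T10:00:00+0000
vsmart  dtls 10.0.0.3 100 1 192.0.2.20 12346 192.0.2.20 12346 default tear_down VSCRTREV  NOERR    2 2024-01-01T10:05:00+0000
vsmart  dtls 10.0.0.4 100 1 192.0.2.21 12346 192.0.2.21 12346 default tear_down RXTRDWN   VSCRTREV 1 2024-01-01T10:06:00+0000
vmanage dtls 10.0.0.5 100 1 192.0.2.22 12346 192.0.2.22 12346 default up        NOERR     NOERR    0 2024-01-01T10:07:00+0000
"""

if __name__ == "__main__":
    for peer, column, code, meaning, resend in triage(SAMPLE):
        fix = " -> Send to Controllers from vManage" if resend else ""
        print(f"{peer:8} {column:6} {code:10} {meaning}{fix}")
```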


Organization-name Mismatch

For a given overlay, the Organization-Name has to match across all the controllers and Edge routers so that control connections can come up. If it does not, you will see Certificate Org. name mismatch in the “show control connections” output.


I hope you enjoyed this post, leave your comments below and I'll see you on the next one.
