SD-WAN

  • 1.  SD-Branch labbing issues

    Posted Mar 13, 2024 10:04 AM

    Hi all, first of all, let me introduce myself since this is my first post on these forums.

    25 years of experience in networking, 17 years at HPE, worked with Cisco, ProCurve, Aruba CX and more; recently started deep-diving into Aruba SD-Branch and wireless, which is totally new for me.

    I'm having an issue, and I can't really find out what the actual problem is. I've followed Mitchell's great video here, Aruba SD-Branch from scratch - Part 4 - SDWAN, but I just can't get it to work.


    To give some backstory to this:

    2x 9004LTE in a branch group

    2x VPNC in a VPNC group

    All of these have a WAN port connected to an internal VLAN that hits my OPNsense box, with a rule allowing them only internet access, no cross-VLAN access. All is fine and dandy and everything connects to Central fine.

    However, after following the video guide above, I get to the point where I'm going to redistribute the routes in the overlay, but that doesn't happen. Upon further investigation I see that the Control Connections are all up, but the tunnels do not come up; they stay perpetually in a "bring up" state.

    Upon looking at AI Insight, it tells me "Gateway tunnels failed to get established" and "Tunnel is down because uplink has been disabled \ deleted".

    Since all WAN links are up, WAN VLANs are up and System IPs are UP, I'm not sure what would be "disabled \ deleted".

    I'm probably an idiot, but I really can't figure out what I have done wrong here. Has anyone seen this before, or have any good ideas on how to troubleshoot it?



    ------------------------------
    EirikZakariassen
    ACSA + ACNSA + a plethora of others
    ------------------------------



  • 2.  RE: SD-Branch labbing issues

    Posted Mar 14, 2024 09:49 AM

    Hey Eirik,

    Just went through a few months of setting this up ourselves from scratch. Where are your VPNCs located? Are they in a public cloud or in your own DC? Also, do you have UDP 4500 and UDP 500 allowed inbound to the VPNCs? I am sure you do, just double checking. There is also a possibility that the uplinks may not be in there right, as it gets a bit finicky.

    Here is a GREAT step-by-step verified deployment guide that lets you bring things up and gives you a good base to then jump off of and adjust for your needs. And don't worry, the initial setup can be daunting, but once you get it going everything is super customizable and rapidly deployable.

    https://www.arubanetworks.com/techdocs/VSG/docs/080-sd-branch-deploy/esp-sd-branch-deploy-010-introduction/




  • 3.  RE: SD-Branch labbing issues

    Posted Mar 15, 2024 09:25 AM

    Hi!

    My setup is pretty rudimentary, which is why I think it isn't working. As mentioned, I'm emulating the devices being connected via the internet using a private VLAN. On the VPNC side you can specify "private \ public IP", but on the branch gateway you cannot, and I believe that is the issue, since my branch gateway is going out to the internet and then trying to get back in, instead of going directly.

    See the attached drawing.



    ------------------------------
    EirikZakariassen
    ACSA + ACNSA + a plethora of others
    ------------------------------



  • 4.  RE: SD-Branch labbing issues

    Posted Mar 18, 2024 10:18 AM

    What is your public IP address showing up as on the overview for the Gateways in Central? Are they showing what you created, or the external IPs of the OPNsense?




  • 5.  RE: SD-Branch labbing issues

    Posted Mar 25, 2024 11:54 AM

    The VPNC defaults to showing the OPNsense public one, but I have tried overriding it with the internal IP to no avail. And since the 9004 doesn't allow overriding the public IP, that makes it harder...

    Trying to get more IPv4 addresses from my ISP; I miss my old one that gave me 8 and a /56 too...

    Curious if I can form an SD-WAN tunnel with IPv6 only? If so, I have a full /56 tunnel network already that I use for testing in my Kubernetes setup...



    ------------------------------
    EirikZakariassen
    ACSA + ACNSA + a plethora of others
    ------------------------------



  • 6.  RE: SD-Branch labbing issues

    Posted Mar 26, 2024 06:30 AM

    Finally progress!

    I moved the VPNCs to another subnet (VLAN 2001, 172.16.2.0/24) and kept the 9004s on the original one (VLAN 2000, 172.16.1.0/24), and now the tunnels come up!



    ------------------------------
    EirikZakariassen
    ACSA + ACNSA + a plethora of others
    ------------------------------