SD-WAN

  • 1.  VPNC Route Advertisement Issue

    Posted Oct 04, 2024 05:25 AM

    I have a setup with two VPNCs in a cluster.  The branch 9004 is forming an Internet and LTE tunnel to VPNC2 and the MPLS tunnel to VPNC1.  This is done by the Orchestrator.  The issue is that only VPNC2 is advertising routes from the data center over the Internet and LTE tunnels.  VPNC1 is not advertising any routes except local IP addresses to the VPNC.  In Dynamic Path Selection, I am trying to prefer the MPLS tunnel for traffic to the data center, but since VPNC1 is not advertising the routes, all traffic is flowing over the Internet tunnel.  How do I get VPNC1 to advertise routes via the MPLS tunnel so the preferred traffic pathing works?

    Topology:

    VPNC1:

    OAP Status
    Admin State:         UP
    Oper State:          UP
    Master:              127.0.0.1:24400
    Channel:             CONNECTED
    Serial:              CNP4KLB023
    MAC:                 28:de:65:a5:d4:b3
    Site ID:             28:de:65:a5:d4:b3
    Tunnel If:           tsgw
    Graceful-restart-timer : 86400 seconds
    Channel UP since:    Wed 2024-10-02 23:02:01 IST
    Channel Down count:  11
    Learnt Routes:       5
    Advertised Routes:   2
    Tunnels:             2
    Keepalive sent:      59818
    Keepalive received:  66010
    Keepalive pending:   0
    PCM Gen ID IPv4:     1726627298787033
    Peak Routes IPv4:      5 at Wed 2024-09-18 09:59:50 IST
    Peak Tunnels:          2 at Wed 2024-10-02 11:08:28 IST

     

    VPNC2:

    OAP Status
    Admin State:         UP
    Oper State:          UP
    Master:              127.0.0.1:24400
    Channel:             CONNECTED
    Serial:              CNP4KLB04N
    MAC:                 28:de:65:a5:db:1b
    Site ID:             28:de:65:a5:db:1b
    Tunnel If:           tsgw
    Graceful-restart-timer : 86400 seconds
    Channel UP since:    Wed 2024-10-02 23:02:04 IST
    Channel Down count:  13
    Learnt Routes:       5
    Advertised Routes:   16
    Tunnels:             9
    Keepalive sent:      59856
    Keepalive received:  66657
    Keepalive pending:   0
    PCM Gen ID IPv4:     1726627298772384
    Peak Routes IPv4:      5 at Wed 2024-09-18 09:59:50 IST
    Peak Tunnels:          10 at Wed 2024-10-02 11:08:28 IST

    The route tables on the VPNCs are exactly the same, with both supposed to redistribute overlay, connected and static.  

    Route table on the branch gateway:

    COMMAND=show ip route 
     
    Codes: C - Connected, O - OSPF, IA - OSPF Inter Area, E1 - OSPF External Type 1, R - RIP
           E2 - OSPF External Type 2, N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2
           B I - BGP Interior, B E - BGP Exterior, S - Static
           U - BGW Peer Uplink, M - Management, Ru - Route Usable, * - Candidate Default
           V - RAPNG VPN/Branch, I - Crypto-Cfgset, N - Not Redistributed, Bc - Cloud Overlay Protocol
    
    S*    0.0.0.0/0  [50/10] via 10.68.152.181
                     [50/10] via 192.168.1.1
    Bc    172.31.0.0/23  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                         [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    Bc    192.168.0.0/16  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                          [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    I     10.10.0.2/32  [70/10] ipsec map data-vpnc-28:de:65:a5:d4:b3-mpls_mpls
    Bc    10.254.76.19/32  [90/10] ipsec map data-vpnc-28:de:65:a5:d4:b3-mpls_mpls
    Bc    10.254.76.3/32  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                          [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    Bc    172.29.5.0/24  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                         [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    Bc    10.133.0.0/16  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                         [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    C     10.10.1.3/32 is directly connected, VLAN4000 
    Bc    172.31.33.0/24  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                          [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    C     192.168.1.0/24 is directly connected, VLAN4094 
    Bc    192.168.5.0/24  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                          [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    Bc    172.33.250.0/24  [90/10] ipsec map data-vpnc-28:de:65:a5:d4:b3-mpls_mpls
    Bc    10.0.0.0/8  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                      [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    I     10.254.76.1/32  [70/10] ipsec map data-vpnc-28:de:65:a5:d4:b3-mpls_mpls
    Bc    172.16.250.0/24  [90/10] ipsec map data-vpnc-28:de:65:a5:d4:b3-mpls_mpls
    I     10.10.0.1/32  [70/10] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                        [70/10] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    Bc    10.254.76.8/29  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                          [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    S     192.168.214.38/32  [50/10] via 10.68.152.181
    C     172.33.85.1/32 is directly connected, VLAN1 
    S     192.168.208.38/32  [50/10] via 10.68.152.181
    C     10.133.85.0/29 is directly connected, VLAN4093 
    C     172.33.85.0/24 is directly connected, VLAN1 
    Bc    10.254.76.11/32  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                           [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    Bc    172.16.0.0/12  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                         [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    C     172.16.85.0/24 is directly connected, VLAN2 
    I     185.50.100.11/32  [70/10] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                            [70/10] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    Bc    10.254.76.16/29  [90/10] ipsec map data-vpnc-28:de:65:a5:d4:b3-mpls_mpls
    Bc    10.254.76.0/29  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                          [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    Bc    172.33.5.0/24  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                         [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    Bc    172.33.1.0/24  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                         [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    Bc    172.33.2.0/24  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                         [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    
    Bc    172.33.3.0/24  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                         [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
    C     10.68.152.180/30 is directly connected, Loopback 
    
    === Troubleshooting session completed ===
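
An added example, not part of the original post and not Aruba tooling: a small Python parser for the branch gateway's `show ip route` output quoted above, listing which Cloud Overlay (`Bc`) prefixes have no next hop over the MPLS tunnel. The excerpt is copied from the post; the function names, the reading of the bracket pair as `[distance/cost]`, and the rule that the uplink is the suffix after the last `-` in the ipsec map name are assumptions.

```python
import re
from collections import defaultdict

# Excerpt copied from the "show ip route" output in the post above.
SAMPLE = """\
Bc    172.31.0.0/23  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                     [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
I     10.10.0.2/32  [70/10] ipsec map data-vpnc-28:de:65:a5:d4:b3-mpls_mpls
Bc    172.33.250.0/24  [90/10] ipsec map data-vpnc-28:de:65:a5:d4:b3-mpls_mpls
Bc    10.0.0.0/8  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-lte_lte
                  [90/20] ipsec map data-vpnc-28:de:65:a5:d4:b3-boyle_inet_inet
C     172.16.85.0/24 is directly connected, VLAN2
"""

# "<code> <prefix> <rest>" starts a route; indented lines carry extra next hops.
ROUTE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+(.*)$")
# Assumption: the bracket pair is [distance/cost].
HOP = re.compile(r"\[(\d+)/(\d+)\] ipsec map (\S+)")


def overlay_paths(text):
    """Map each Bc (Cloud Overlay Protocol) prefix to a list of (uplink, cost)."""
    routes, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE.match(line)
        if m:
            code, prefix, line = m.groups()
            current = prefix if code == "Bc" else None  # ignore C, S, I entries
        if current is None:
            continue
        for _dist, cost, ipsec_map in HOP.findall(line):
            # Assumption: uplink name is the suffix after the last "-".
            routes[current].append((ipsec_map.rsplit("-", 1)[1], int(cost)))
    return dict(routes)


def missing_on(routes, uplink_tag="mpls"):
    """Overlay prefixes with no next hop on an uplink whose name contains uplink_tag."""
    return sorted(p for p, hops in routes.items()
                  if not any(uplink_tag in uplink for uplink, _ in hops))


if __name__ == "__main__":
    for prefix in missing_on(overlay_paths(SAMPLE)):
        print("no MPLS path:", prefix)
```
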


  • 2.  RE: VPNC Route Advertisement Issue

    Posted 7 days ago
    Edited by Oliver Wehrli 7 days ago

    In case this is still an issue that needs a bit more data:

    • How do VPNC1 and VPNC2 learn these routes in the first place?
    • What does the routing table look like on both VPNCs?
    • Have you configured Overlay Route redistribution identically on both VPNCs?

    It's worth mentioning that there is a detailed TechNote on how ORO propagates routes and what the prerequisites/logic is: https://www.arubanetworks.com/techdocs/central/sd-branch-ref-docs/sd-branch-orchestrator.pdf



    ------------------------------
    I work for Aruba. Any opinions expressed here are solely my own and do not represent that of Hewlett Packard Enterprise or Aruba.
    ------------------------------