Like some of the other articles I’ve written, this serves mostly as a documentation page to myself. The last time I had to manually install a certificate on a vEdge cloud router was six months ago, so it’s something you easily forget. This guide was written for vEdge Cloud 18.3.3.
Installing a vEdge Cloud router
It’s fairly easy to install the vEdge Cloud router. There are images available for VMs in all the major clouds. In my experience, Azure provides an image, but also has a two templates you can run which help with the setup. You can choose a 3-nic VM or a 4-nic VM and running the template assists with setting up the VMs in the right subnets. If you run the standard image, you will end up with a 2-nic variant by default. These templates use outdated versions though, so be aware as you might miss some features that can assist in troubleshooting.
Connecting to the v-manage
As every other vedge that might not automaticallly connect, make sure there is an IP address under the interface tied to VPN 0. Also check for a name-server and an IP route. Under system, make sure the device has an device ID, site id and vbond address.
Setting up the certificate
You need to copy the certificate of the vmange to the vedge and install it there.
Getting the vManage cert
In the v-manage, go to Configuration > Certificates > Controllers. Under the v-manage options, you can view the certificate. Copy this certificate.
Installing the Cert on the vEdge
SSH into the vEdge Cloud router and open the shell:
Paste the certificate of the vmanage into a file. Get into the VI editor, press i to insert and then paste with keyboard shortcuts or your mouse. To get out, press ESC (escape key) and type
:wq followed by a carriage return.
vEdge:~$ vi ca.crt # paste into vi and go out # then check the contents of the file to make sure it is there vEdge:~$ cat ca.crt vEdge:~$ exit
Install the certificate in the vEdge. The location is dependent on the user you used to SSH into the device, so put the right user in between the slashes.
vEdge# request root-cert-chain install home/<username>/ca.crt
Verify the install of the certificate with:
vEdge# show control local-properties
vEdge# show certificate root-ca-cert
Root-ca OK, Certificate-status not-installed
What this comes down to, is that the vEdge does not have the list of CA certificates to verify the vbond certificate against. The easiest way to fix this is to copy this list from the vbond. SSH into the vbond.
vbond# vshell vbond:~$ cat /usr/share/viptela/root-ca.crt
Copy these lines (for me 628) to a file on the vEdge. Make sure that the lines do not have extra spaces at the end of each.
vEdge# vshell vEdge:~$ vi root-ca.crt # paste into vi and go out # then check the contents of the file to make sure it is there vEdge:~$ cat root-ca.crt vEdge:~$ exit vEdge# request certificate install
Now your output should look something like this:
vEdge# show control local-properties personality vedge sp-organization-name <org name> organization-name <org name> certificate-status Installed root-ca-chain-status Installed certificate-validity Valid certificate-not-valid-before Jun 02 11:55:56 2020 GMT certificate-not-valid-after May 31 11:55:56 2030 GMT dns-name <vbond address> site-id <site id> domain-id 1 protocol dtls tls-port 0 system-ip <system ip> chassis-num/unique-id <chassis id> serial-num <certificate serial number> token Invalid keygen-interval 1:00:00:00 retry-interval 0:00:00:17 no-activity-exp-interval 0:00:00:12 dns-cache-ttl 0:00:02:00 port-hopped TRUE time-since-last-port-hop 0:01:31:58 embargo-check success number-vbond-peers 0 number-active-wan-interfaces 1
Connect vEdge to vbond
From here on out, it should be an automatic process. However, if it doesn’t, OR if you want to utilize an exising chassis-id located in your vmanage that is not yet in use:
vEdge# request vedge-cloud activate Value for 'chassis-number' (<Chassis number/uuid of the device>): Value for 'token' (<Serial number of the device>):
The chassis ID can be found under Configuration > Devices and then selecting the right device. The Token ID can be located under the extra options > Generate Bootstrap Configuration. Select Cloud-Init and locate the Token-ID.
It can help to perfom some debugging on why a vEdge does not connect. You can run the following commands on both the vEdge as well as on the vbond.
debug vdaemon misc high show log tail -f /var/log/tmplog/vdebug
The debug will point you in the right direction in terms of what issue might be the cause of your connecting issues to the vbond, vmanage and vsmart.
To disable debug:
no debug vdaemon misc