Appendix: Troubleshooting SD-Branch Issues
• PnP Server Troubleshooting Commands
• Generic PnP Service CLI Command
• Device Registration Fails Due to Incorrect CPE Day -1 Configuration
• Service Chain Deployment Stays in the 'Provisioning' State Indefinitely
• Troubleshooting On-boarding
PnP Server Troubleshooting Commands
List of Devices in Contact with the PnP Server
To view the list of CPEs in contact with the PnP server, run the following command:
admin@ncs-sm-vbranch> show pnp list
SERIAL       IP ADDRESS     CONFIGURED  ADDED  SYNCED  LAST CONTACT
-------------------------------------------------------------------------------
FTX1738AJME  173.36.207.85  true        true   true    2017-10-24 23:44:44
FTX1738AJMG  173.36.207.81  true        true   true    2017-10-24 23:43:50
FTX1740ALBX  173.36.207.80  true        true   true    2017-10-24 23:44:21
SSI184904LG  173.36.207.82  true        true   true    2017-10-24 23:43:56
SSI185104LT  173.36.207.84  true        true   true    2016-10-24 23:43:57
[ok][2016-10-24 23:45:49]
Note
The Last Contact column displays the last date and time when the PnP server was in contact with the CPE. If the CPE has not been in recent contact with the PnP server, then it might be due to a potential issue with connectivity or reachability between the PnP server and the CPE.
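The Last Contact check described in the note can be run against saved CLI output. The Python below is an added example, not part of the original Cisco document: it parses show pnp list text and flags devices whose last contact is older than a threshold or whose CONFIGURED, ADDED or SYNCED flag is false. The serials, addresses, function names and the 10-minute threshold are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of "show pnp list"; the serials and
# addresses are made up for this example.
SAMPLE = """\
SERIAL       IP ADDRESS  CONFIGURED  ADDED  SYNCED  LAST CONTACT
-----------------------------------------------------------------
EXAMPLE0001  192.0.2.10  true        true   true    2017-10-25 14:24:07
EXAMPLE0002  192.0.2.11  false       false  false   2017-10-25 14:21:16
EXAMPLE0003  192.0.2.12  true        true   true    2017-10-25 09:02:40
[ok][2017-10-25 14:24:20]
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
ROW = re.compile(
    r"^(\S+)\s+([0-9.]+)\s+(true|false)\s+(true|false)\s+(true|false)\s+(" + TS + r")$"
)
OK_LINE = re.compile(r"^\[ok\]\[(" + TS + r")\]$")
FMT = "%Y-%m-%d %H:%M:%S"


def parse_pnp_list(text):
    """Return (rows, taken_at): one dict per device row and the [ok] timestamp."""
    rows, taken_at = [], None
    for raw in text.splitlines():
        line = raw.strip()
        row = ROW.match(line)
        if row:
            serial, ip, configured, added, synced, last = row.groups()
            rows.append({
                "serial": serial,
                "ip": ip,
                "configured": configured == "true",
                "added": added == "true",
                "synced": synced == "true",
                "last_contact": datetime.strptime(last, FMT),
            })
            continue
        ok = OK_LINE.match(line)
        if ok:
            # The CLI stamps each command with the time it completed.
            taken_at = datetime.strptime(ok.group(1), FMT)
    return rows, taken_at


def triage_pnp_list(text, max_age=timedelta(minutes=10)):
    """Map serial -> list of issues; devices with no issue are omitted.

    max_age is an assumed threshold, not a value from the Cisco document.
    """
    rows, taken_at = parse_pnp_list(text)
    if taken_at is None:
        raise ValueError("no [ok][timestamp] line; cannot judge contact age")
    findings = {}
    for row in rows:
        issues = []
        if taken_at - row["last_contact"] > max_age:
            issues.append("stale-contact")
        issues += ["not-" + flag
                   for flag in ("configured", "added", "synced")
                   if not row[flag]]
        if issues:
            findings[row["serial"]] = issues
    return findings


if __name__ == "__main__":
    for serial, issues in triage_pnp_list(SAMPLE).items():
        print(serial, ", ".join(issues))
```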
SD-Branch CPE in Contact with the PnP Server (without a service)
The output below shows the NSO CLI output when no service is provisioned.
admin@ncs-sm-vbranch> show branch-infra:branch-infra branch-cpe
%No entries found
[ok][2016-10-24 23:45:49]
SD-Branch CPE in Contact with the PnP Server (With a Service)
The SD-Branch service provisioning may take up to several minutes from the point when the service is instantiated to the point when the SD-Branch service comes up, end-to-end.
To view the status of the SD-Branch service, run the following command:
admin@ncs-sm-vbranch> show branch-infra:branch-infra-status branch-cpe amXqvXDO9zW2IZleho2cOBrD plan component state status
NAME                         STATE         STATUS
-------------------------------------------------
self                         init          reached
                             ready         reached
amXqvXDO9zW2IZleho2cOBrD     init          reached
                             pnp-callhome  reached
                             ready         reached
[ok][2017-10-25 14:20:40]
SD-Branch CPE in Contact with the PnP Server (Detailed)
To view the details of the SD-Branch service, run the following command:
vmsnso@ncs> show branch-infra:branch-infra-status branch-cpe amXqvXDO9zW2IZleho2cOBrD plan component
plan component self
 type self
 state init
  status reached
  when 2017-10-25T14:15:20
  message ""
 state ready
  status reached
  when 2017-10-25T14:16:57
  message ""
 real-name amXqvXDO9zW2IZleho2cOBrD
plan component amXqvXDO9zW2IZleho2cOBrD
 type branch-cpe
 state init
  status reached
  when 2017-10-25T14:15:20
  message ""
 state pnp-callhome
  status reached
  when 2017-10-25T14:16:22
  message ""
 state ready
  status reached
  when 2017-10-25T14:16:57
  message Ready
 real-name amXqvXDO9zW2IZleho2cOBrD
provider CiscoSystems
device amXqvXDO9zW2IZleho2cOBrD_ENCS
[ok][2017-10-25 14:23:10]
View CPE Details
To view the details of CPEs for a service, run the following commands:
vmsnso@ncs> show pnp list
SERIAL       IP ADDRESS    CONFIGURED  ADDED  SYNCED  LAST CONTACT
---------------------------------------------------------------------------
FGL21388017  10.85.189.20  true        true   true    2017-10-25 14:24:07
FGL2138801A  10.85.189.23  false       false  false   2017-10-25 14:21:16
FGL2138801E  10.85.189.24  false       false  false   2017-10-25 14:21:40
[ok][2017-10-25 14:24:20]
vmsnso@ncs> configure
Entering configuration mode private
[ok][2017-10-25 14:24:31]
[edit]
vmsnso@ncs% show branch-infra:branch-infra branch-cpe serial FGL21388017
branch-cpe amXqvXDO9zW2IZleho2cOBrD {
    provider CiscoSystems;
    type ENCS;
    serial FGL21388017;
    var VBRANCH_DEVICE_TYPE {
        val ENCS;
    }
    var contact {
        val Customer;
    }
    var email {
        val [email protected];
    }
    var phone {
        val null;
    }
}
[ok][2017-10-25 14:24:34]
[edit]
vmsnso@ncs% exit
[ok][2017-10-25 14:24:53]
Sample Service Deployment
The Cisco MSX SD-Branch service provisioning may take up to several minutes from the point when the service is instantiated to the point when the SD-Branch service comes up, end-to-end.
The output below shows a sample of the Cisco MSX SD-Branch service progress in the NSO CLI until the time when the service is ready for use.
vmsnso@ncs> show branch-infra:branch-infra-status branch-cpe amXqvXDO9zW2IZleho2cOBrD plan component state status
NAME                         STATE         STATUS
-------------------------------------------------
self                         init          reached
                             ready         reached
amXqvXDO9zW2IZleho2cOBrD     init          reached
                             pnp-callhome  reached
                             ready         reached
[ok][2017-10-25 14:24:57]
vmsnso@ncs>
System message at 2017-10-25 14:28:09...
Commit performed by vmsnso via ssh using netconf
vmsnso@ncs> show branch-infra:branch-infra-status branch-cpe amXqvXDO9zW2IZleho2cOBrD plan component state status
NAME                         STATE         STATUS
--------------------------------------------------------
self                         init          reached
                             ready         not-reached
amXqvXDO9zW2IZleho2cOBrD     init          reached
                             pnp-callhome  reached
                             ready         reached
ASAv10_vBranch-ASAv-1.0      init          reached
                             ready         not-reached
ISRv-small_vBranch-ISRv-1.0  init          reached
                             ready         not-reached
[ok][2017-10-25 14:28:30]
vmsnso@ncs> show branch-infra:branch-infra-status branch-cpe amXqvXDO9zW2IZleho2cOBrD plan component state status
NAME                         STATE         STATUS
--------------------------------------------------------
self                         init          reached
                             ready         not-reached
amXqvXDO9zW2IZleho2cOBrD     init          reached
                             pnp-callhome  reached
                             ready         reached
ASAv10_vBranch-ASAv-1.0      init          reached
                             ready         reached
ISRv-small_vBranch-ISRv-1.0  init          reached
                             ready         not-reached
[ok][2017-10-25 14:30:50]
vmsnso@ncs>
System message at 2017-10-25 14:31:13...
Commit performed by vmsnso via ssh using netconf.
vmsnso@ncs> show branch-infra:branch-infra-status branch-cpe amXqvXDO9zW2IZleho2cOBrD plan component state status
NAME                                                             STATE         STATUS
--------------------------------------------------------------------------------------------
self                                                             init          reached
                                                                 ready         not-reached
amXqvXDO9zW2IZleho2cOBrD                                         init          reached
                                                                 pnp-callhome  reached
                                                                 ready         reached
ASAv10_vBranch-ASAv-1.0                                          init          reached
                                                                 ready         reached
ISRv-small_vBranch-ISRv-1.0                                      init          reached
                                                                 ready         reached
service-net                                                      init          reached
                                                                 ready         reached
asalan_amXqvXDO9zW2IZleho2cOBrD                                  init          reached
                                                                 vm-deployed   reached
                                                                 vm-alive      not-reached
                                                                 ready         not-reached
asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-interfaces  init          not-reached
                                                                 ready         not-reached
asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-ntp         init          not-reached
                                                                 ready         not-reached
asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-ospf        init          not-reached
                                                                 ready         not-reached
asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-syslog      init          not-reached
                                                                 ready         not-reached
isrlan_amXqvXDO9zW2IZleho2cOBrD                                  init          reached
                                                                 vm-deployed   reached
                                                                 vm-alive      not-reached
                                                                 ready         not-reached
isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-base            init          not-reached
                                                                 ready         not-reached
isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-lan             init          not-reached
                                                                 ready         not-reached
isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-qos             init          not-reached
                                                                 ready         not-reached
isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-wan             init          not-reached
                                                                 ready         not-reached
isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-with-security   init          not-reached
                                                                 ready         not-reached
[ok][2017-10-25 14:31:59]
vmsnso@ncs> show branch-infra:branch-infra-status branch-cpe amXqvXDO9zW2IZleho2cOBrD plan component state status
NAME                                                             STATE         STATUS
--------------------------------------------------------------------------------------------
self                                                             init          reached
                                                                 ready         not-reached
amXqvXDO9zW2IZleho2cOBrD                                         init          reached
                                                                 pnp-callhome  reached
                                                                 ready         reached
ASAv10_vBranch-ASAv-1.0                                          init          reached
                                                                 ready         reached
ISRv-small_vBranch-ISRv-1.0                                      init          reached
                                                                 ready         reached
service-net                                                      init          reached
                                                                 ready         reached
asalan_amXqvXDO9zW2IZleho2cOBrD                                  init          reached
                                                                 vm-deployed   reached
                                                                 vm-alive      reached
                                                                 ready         reached
asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-interfaces  init          reached
                                                                 ready         reached
asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-ntp         init          reached
                                                                 ready         reached
asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-ospf        init          reached
                                                                 ready         reached
asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-syslog      init          reached
                                                                 ready         reached
isrlan_amXqvXDO9zW2IZleho2cOBrD                                  init          reached
                                                                 vm-deployed   reached
                                                                 vm-alive      not-reached
                                                                 ready         not-reached
isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-base            init          not-reached
                                                                 ready         not-reached
isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-lan             init          not-reached
                                                                 ready         not-reached
isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-qos             init          not-reached
                                                                 ready         not-reached
isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-wan             init          not-reached
                                                                 ready         not-reached
isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-with-security   init          not-reached
                                                                 ready         not-reached
[ok][2017-10-25 14:33:45]
vmsnso@ncs> show branch-infra:branch-infra-status branch-cpe amXqvXDO9zW2IZleho2cOBrD plan component state status
NAME                                                             STATE         STATUS
----------------------------------------------------------------------------------------
self                                                             init          reached
                                                                 ready         reached
amXqvXDO9zW2IZleho2cOBrD                                         init          reached
                                                                 pnp-callhome  reached
                                                                 ready         reached
ASAv10_vBranch-ASAv-1.0                                          init          reached
                                                                 ready         reached
ISRv-small_vBranch-ISRv-1.0                                      init          reached
                                                                 ready         reached
service-net                                                      init          reached
                                                                 ready         reached
asalan_amXqvXDO9zW2IZleho2cOBrD                                  init          reached
                                                                 vm-deployed   reached
                                                                 vm-alive      reached
                                                                 ready         reached
asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-interfaces  init          reached
                                                                 ready         reached
asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-ntp         init          reached
                                                                 ready         reached
asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-ospf        init          reached
                                                                 ready         reached
asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-syslog      init          reached
                                                                 ready         reached
isrlan_amXqvXDO9zW2IZleho2cOBrD                                  init          reached
                                                                 vm-deployed   reached
                                                                 vm-alive      reached
                                                                 ready         reached
isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-base            init          reached
                                                                 ready         reached
isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-lan             init          reached
                                                                 ready         reached
isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-qos             init          reached
                                                                 ready         reached
isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-wan             init          reached
                                                                 ready         reached
isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-with-security   init          reached
                                                                 ready         reached
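To see which component is holding up a deployment that is still in progress, the plan table can be reduced to the first state each component has not reached. The Python below is an added example, not part of the original Cisco document; the CPE name cpe-example and the function names are assumptions, and the sample text is constructed in the layout shown above.

```python
# Constructed sample in the layout of "... plan component state status".
SAMPLE = """\
NAME                                         STATE         STATUS
--------------------------------------------------------------------------
self                                         init          reached
                                             ready         not-reached
cpe-example                                  init          reached
                                             pnp-callhome  reached
                                             ready         reached
asalan_cpe-example                           init          reached
                                             vm-deployed   reached
                                             vm-alive      not-reached
                                             ready         not-reached
asalan_cpe-example_vbranch-mpls-sec-asa-ntp  init          not-reached
                                             ready         not-reached
[ok][2017-10-25 14:31:59]
"""

# The page shows reached and not-reached; NSO plans can also report failed.
STATUSES = {"reached", "not-reached", "failed"}


def parse_plan(text):
    """Return {component: [(state, status), ...]} in table order."""
    plan, current = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[-1] not in STATUSES:
            continue                      # header, rule, prompt or [ok] line
        if len(parts) == 3:               # NAME STATE STATUS opens a component
            current = parts[0]
            plan.setdefault(current, [])
        elif len(parts) != 2 or current is None:
            continue                      # not a continuation row we understand
        plan[current].append((parts[-2], parts[-1]))
    return plan


def blockers(text):
    """Map each unfinished component to the first (state, status) not reached."""
    result = {}
    for name, states in parse_plan(text).items():
        for state, status in states:
            if status != "reached":
                result[name] = (state, status)
                break
    return result


def summarize(text):
    """Split unfinished components into those under way and those not started.

    A component whose first unreached state is init has not started; one that
    is past init shows where the deployment is currently waiting.
    """
    in_progress, not_started = {}, []
    for name, (state, _status) in blockers(text).items():
        if state == "init":
            not_started.append(name)
        else:
            in_progress[name] = state
    return in_progress, not_started


if __name__ == "__main__":
    waiting, pending = summarize(SAMPLE)
    for name, state in waiting.items():
        print(f"waiting at {state}: {name}")
    print("not started:", ", ".join(pending))
```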
Debugging Service Component Details
To view the details of the device configuration, run the following commands:
vmsnso@ncs> configure
Entering configuration mode private
[ok][2017-10-25 14:39:31]
[edit]
vmsnso@ncs% show branch-infra:branch-infra branch-cpe amXqvXDO9zW2IZleho2cOBrD
provider CiscoSystems;
type ENCS;
serial FGL21388017;
var BGP_LOCAL_AS {
    val 200;
}
var BGP_NEIGHBOR_ADDRESS {
    val 192.168.253.1;
}
var BGP_REMOTE_AS {
    val 300;
}
var PLATFORM_LAN_DATA_ADDRESS {
    val 10.1.11.1;
}
var PLATFORM_LAN_DATA_MASK {
    val 255.255.255.0;
}
var PLATFORM_LAN_DATA_NETWORK {
    val 10.1.11.0;
}
var PLATFORM_LAN_DATA_VLAN {
    val 901;
}
var PLATFORM_LAN_VOICE_ADDRESS {
    val 10.1.12.1;
}
var PLATFORM_LAN_VOICE_MASK {
    val 255.255.255.0;
}
var PLATFORM_LAN_VOICE_NETWORK {
    val 10.1.12.0;
}
var PLATFORM_LAN_VOICE_VLAN {
    val 902;
}
var PLATFORM_WAN_ADDRESS {
    val 192.168.253.2;
}
var PLATFORM_WAN_MASK {
    val 255.255.255.0;
}
var PLATFORM_WAN_VLAN {
    val 801;
}
var VBRANCH_DEVICE_TYPE {
    val ENCS;
}
var contact {
    val customer;
}
var email {
    val [email protected];
}
var phone {
    val null;
}
network service-net;
vnfd vBranch-ASAv-1.0 {
    vdu ASAv10;
}
vnfd vBranch-ISRv-1.0 {
    vdu ISRv-small;
}
vnf asalan {
    var zmisc {
        val zmisc;
    }
    deployment ASA;
    vnfd vBranch-ASAv-1.0;
    vdu ASAv10;
    network service-net 1;
    network wan-net 2;
    config vbranch-mpls-sec-asa-interfaces;
    config vbranch-mpls-sec-asa-ntp;
    config vbranch-mpls-sec-asa-ospf;
    config vbranch-mpls-sec-asa-syslog;
}
vnf isrlan {
    var zmisc {
        val zmisc;
    }
    deployment ISR-Security;
    vnfd vBranch-ISRv-1.0;
    vdu ISRv-small;
    network GE0-1-SRIOV-1 2;
    network lan-net 1;
    network service-net 3;
    config vbranch-mpls-isr-base;
    config vbranch-mpls-isr-lan;
    config vbranch-mpls-isr-qos;
    config vbranch-mpls-isr-wan;
    config vbranch-mpls-isr-with-security;
}
[ok][2017-10-25 14:40:27]
[edit]
vmsnso@ncs%
Generic PnP Service CLI Command
PnP Server to IP Device
To configure the PnP server to the IP Device, run the following command:
show run | s pnp
Router#show run | s pnp
pnp profile zero-touch
 transport https ipv4 203.35.248.89 port 443 remotecert ncs
PnP Server configured with HTTPS and SSL
To configure the PnP server with HTTPS and SSL, run the following command:
admin@ncs-sm-vbranch> show configuration pnp server
port 443;
use-ssl true;
[ok][2016-05-31 19:33:28]
PnP commands to reset the CPE
To configure the PnP commands to reset the CPE, run the following command:
request pnp reset clean serial xxxxxx
request pnp delete serial xxxxxx
If the day-1-config file needs changing on the CPE, use the following commands to create a new file and overwrite the existing one:
tclsh
puts [open "flash:day--1-config" w+] {
aaa new-model
aaa authentication login default none
interface GigabitEthernet0
.....
pnp profile zero-touch
transport https ipv4 x.x.x.x port 443 remotecert ncs
}
tclquit
Viewing Device Information Through PnP-State
To view the device information through the PnP state, run the following command:
admin@ncs-sm-vbranch> show pnp-state device FTX1738AJME
pnp-state device FTX1738AJME
 udi PID:ISR4451-X/K9,VID:V02,SN:FTX1738AJME
 device-info 15.5(3)S2
 ip-address 173.36.207.81
 mgmt-ip 10.254.0.1
 port 22
 name FTX1738AJME
 username user-site2
 password cisco223
 sec-password priv-cisco222
 snmp-community-ro cisco
 salt ABCD
 remote-node ""
 wan-interface GigabitEthernet0/0/1
 lan-interface GigabitEthernet0/0/0
 configured true
 request config
 added false
 synced false
 is-netsim false
 need-clean false
 pending-exec ""
 last-contact 2016-05-31 19:29:18
 last-clean 0
 reload-upon-delete false
[ok][2016-05-31 19:29:23]
Device Registration Fails Due to Incorrect CPE Day -1 Configuration
Problem
When you place an order for a service, the service comprises devices for sites. These devices must be registered with the Cisco MSX portal.
If the device fails to register with the PnP server, you need to verify that the Day -1 configuration on the CPE allows it to call home to the PnP server.
Solution
Step 1 Log in to the device and verify which PnP server the device is connected to.
Step 2 Run the show run | s pnp command to list the PnP server that this device is currently talking to, and examine the output:
Router#show run | s pnp
pnp profile zero-touch
 transport https ipv4 <IP address> port 443 remotecert ncs
Step 3 To change the IP address of the PnP server, switch to the configuration mode.
Router#config terminal
Router(config)#
Step 4 Enter the text that you received as output in Step 2, replacing the IP address with the new one.
Router(config)#pnp profile zero-touch
transport https ipv4 <IP address> port 443 remotecert ncs
Step 5 Exit from the Router(config-pnp-init) mode and from the Router(config) mode.
Step 6 Copy the configuration into flash configuration, by running the following command:
Router#copy running-config flash:day--1-config
Destination filename [day--1-config]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
4609 bytes copied in 0.876 secs (5261 bytes/sec)
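The Day -1 profile examined in Steps 1 to 4 can be checked from saved show run | s pnp output. The Python below is an added example, not part of the original Cisco document: it reports a profile that does not use HTTPS, has no remotecert setting, or points at a server or port other than the expected one. The addresses are documentation-range placeholders, the function names are assumptions, and only the transport ... ipv4 ... port ... remotecert ... form shown on this page is recognised.

```python
import ipaddress
import re

# Constructed samples in the format shown in Step 2; 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges, not real PnP servers.
GOOD = """\
Router#show run | s pnp
pnp profile zero-touch
 transport https ipv4 192.0.2.89 port 443 remotecert ncs
"""
BAD = """\
Router#show run | s pnp
pnp profile zero-touch
 transport http ipv4 198.51.100.7 port 80
"""

PROFILE = re.compile(r"^pnp profile (\S+)$")
TRANSPORT = re.compile(
    r"^transport (?P<scheme>https?) ipv4 (?P<ip>\S+) port (?P<port>\d+)"
    r"(?: remotecert (?P<remotecert>\S+))?$"
)


def parse_pnp_profiles(text):
    """Return {profile name: transport fields, or None if no transport line}."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())      # drop indentation and repeated spaces
        match = PROFILE.match(line)
        if match:
            current = match.group(1)
            profiles[current] = None
            continue
        match = TRANSPORT.match(line)
        if match and current is not None:
            profiles[current] = match.groupdict()
    return profiles


def check_day_minus_1(text, expected_server, expected_port=443):
    """List reasons the CPE may fail to call home to the expected PnP server."""
    expected = ipaddress.ip_address(expected_server)
    profiles = parse_pnp_profiles(text)
    if not profiles:
        return ["no pnp profile configured"]
    problems = []
    for name, transport in profiles.items():
        if transport is None:
            problems.append(f"{name}: no recognised transport line")
            continue
        try:
            server = ipaddress.ip_address(transport["ip"])
        except ValueError:
            problems.append(f"{name}: {transport['ip']} is not an IPv4 address")
            continue
        if transport["scheme"] != "https":
            problems.append(f"{name}: transport is {transport['scheme']}, not https")
        if server != expected:
            problems.append(f"{name}: server {server} is not {expected}")
        if int(transport["port"]) != expected_port:
            problems.append(f"{name}: port {transport['port']} is not {expected_port}")
        if transport["remotecert"] is None:
            problems.append(f"{name}: remotecert missing")
    return problems


if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_day_minus_1(sample, "192.0.2.89") or "ok")
```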
Service Chain Deployment Stays in the 'Provisioning' State Indefinitely
Problem
After deleting a device, if you perform a device deployment, the service chain deployment continues to be in the 'Provisioning' state indefinitely. This may be because the subnet associated with the deleted device was not removed.
Solution
Step 1 Delete the device configuration manually.
Step 2 Go to the Cisco MSX portal and manually delete the associated subnet.
Troubleshooting On-boarding
The table below lists the different troubleshooting errors and their solutions.
Table 1: Troubleshooting Errors and their Solutions
Issue: Deployment stuck with “pnp-callhome reached ... Waiting for CPE Ready” in NSO
On-boarding Type: Single IP; 2 Public IP Behind NAT; Open Network Policy
Comment/Symptoms: Device PnP configuration is not correct.
Resolution: Set the correct FQDN and certificate

Issue: Deployment stuck with “pnp-callhome reached ... Waiting for CPE Ready” in NSO
On-boarding Type: Single IP; 2 Public IP / Behind NAT
Comment/Symptoms: Check the PnP logs on the device for a “Not allow change admin password using the PnP after day0” error. Device does not show in the PnP list in NSO.
Resolution: Click the recycle button if the error exists while restarting the PnP agent on the device. Check iPnP log for indications; if token issues are identified, possibly restart ipnp

Issue: Deployment stuck with “pnp-callhome reached ... Waiting for CPE Ready” in NSO
On-boarding Type: Single IP; 2 Public IP / Behind NAT
Comment/Symptoms: Check notifications on the device for Failure around secure-overlay or connect to a device and check secure tunnel status “show secure-overlay”
Resolution:
1. Review if csr hub IP (remote-interface-ip-addr) is correct, and reachable from device.
2. Review that remote-system-ip-addr exists on Cisco MSX and pingable.
3. SSH to device overlay ip on port 830, security groups might be blocked

Issue: Deployment stuck with "booting VNF ..."
On-boarding Type: Single IP
Comment/Symptoms: Check to see if device is reachable on public IP. If not, try to reach NFVIS either through the VNF (since now it has public IP) or through another management interface (usually through a jump host on the same network)
Resolution: Check if the tunnel is up on the device, or if the traffic is going through, try to test for intermittent connectivity that might require mtu/mss change. Check if day0 of single IP VNF allows NAT/PAT
Sample Catalog to Show ENCS-Secure Device Entry
....
<branch-cpe>
  <name>ENCS-Secure</name>
  <physical>false</physical>
  <read-timeout>90</read-timeout>
  <write-timeout>90</write-timeout>
  <enable-commit-queue>false</enable-commit-queue>
  <branch-cpe-template>pnp-map-vCPE</branch-cpe-template>
  <nfvis-tenant>admin</nfvis-tenant>
  <day0>
    <files>nfvis_day0.cfg</files>
    <files>nfvis_day0_del_secure_overlay.cfg</files>
    <files>nfvis_day0_del_intmgtsubnet.cfg</files>
    <files>nfvis_day0_intmgtsubnet.cfg</files>
    <files>nfvis_day0_vbranch_secure_overlay.cfg</files>
    <cfg-common-ref>base-vcpe</cfg-common-ref>
  </day0>
  <cpe-onboarding>
    <device-type>netconf</device-type>
    <port>830</port>
  </cpe-onboarding>
  <network>
    <name>GE0-0-SRIOV-1</name>
  </network>
  <network>
    <name>GE0-0-SRIOV-2</name>
  </network>
  <network>
    <name>GE0-1-SRIOV-1</name>
  </network>
  <network>
    <name>GE0-1-SRIOV-2</name>
  </network>
  <network>
    <name>LAN-SRIOV-1</name>
  </network>
  <network>
    <name>LAN-SRIOV-2</name>
  </network>
  <network>
    <name>LAN-SRIOV-3</name>
  </network>
  <network>
    <name>LAN-SRIOV-4</name>
  </network>
  <network>
    <name>LAN-SRIOV-5</name>
  </network>
  <network>
    <name>LAN-SRIOV-6</name>
  </network>
  <network>
    <name>int-mgmt-net</name>
  </network>
  <network>
    <name>lan-net</name>
  </network>
  <network>
    <name>wan-net</name>
  </network>
  <supported-interfaces>
    <name>GE0-0</name>
  </supported-interfaces>
  <supported-interfaces>
    <name>GE0-1</name>
  </supported-interfaces>
  <supported-interfaces>
    <name>int-LAN</name>
  </supported-interfaces>
</branch-cpe>
...
Day-0s for the ENCS-Secure to Create the Tunnel
<config xmlns="http://tail-f.com/ns/config/1.0">
  <secure-overlays xmlns="http://www.cisco.com/nfvis/secure-overlay">
    <secure-overlay>
      <name>mgmtvpn</name>
      <local-system-ip-addr>${MGMT_IP_ADDRESS}</local-system-ip-addr>
      <remote-interface-ip-addr>${MGMT_HUB_IP}</remote-interface-ip-addr>
      <remote-system-ip-addr>${MGMTHUB_OVERLAY_IP_ADDR}</remote-system-ip-addr>
      <local-bridge>${SOURCE-BRIDGE}</local-bridge>
      <remote-system-ip-subnet>${MGMTHUB_OVERLAY_NET}</remote-system-ip-subnet>
      <local-system-ip-subnet>${MGMT_NET}</local-system-ip-subnet>
      <remote-id>${REMOTE_ID}</remote-id>
      <psk>
        <local-psk>${LOCAL_PRESHARED_KEY}</local-psk>
        <remote-psk>${REMOTE_PRESHARED_KEY}</remote-psk>
      </psk>
    </secure-overlay>
  </secure-overlays>
</config>
Configuration for Single IP ISRv Deployment
<config xmlns="http://tail-f.com/ns/config/1.0">
  <catalog xmlns="http://cisco.com/ns/branch-infra-common">
    <name>vBranch</name>
    <deployment>
      <name>ISR-Single-IP</name>
      <bootup-time>600</bootup-time>
      <recovery-wait-time>0</recovery-wait-time>
      <single-ip-mode/>
      <var>
        <name>ngio</name>
        <val>enable</val>
      </var>
      <vnfd>
        <name>vBranch-ISRv-SIP</name>
        <vdu>
          <name>ISRv-small</name>
        </vdu>
      </vnfd>
      <polling-frequency>15</polling-frequency>
      <vnf-port>2022</vnf-port>
      <port-start-range>22022</port-start-range>
      <port-end-range>22024</port-end-range>
      <vnf-authgroup>isr_authgroup</vnf-authgroup>
      <config>
        <name>example-vrf</name>
        <cfg-template>example-vrf</cfg-template>
      </config>
      <day0-url xmlns="http://cisco.com/ns/branchinfra-nfvo">
        <dstFile>iosxe_config.txt</dstFile>
        <url>{{ ISRV_SIP_DAY0_IOSXE_URL }}</url>
        <var>
          <name>NSO_LOGIN_PASSWORD</name>
          <encrypted-val>$8$tCaCX0UyNYokiYYaenikSNOwHazQqGJahRJtrrJLCKg=</encrypted-val>
        </var>
        <var>
          <name>NSO_LOGIN_PORT</name>
          <val>2022</val>
        </var>
        <var>
          <name>PLATFORM_WAN_INTERFACE</name>
          <val>3</val>
        </var>
        <var>
          <name>SP_ENABLESECRET_VR</name>
          <encrypted-val>$8$tCaCX0UyNYokiYYaenikSNOwHazQqGJahRJtrrJLCKg=</encrypted-val>
        </var>
        <var>
          <name>SP_LICENSE_BANDWIDTH</name>
          <val>500</val>
        </var>
        <var>
          <name>SP_LICENSE_PROXY_IP</name>
          <val>12.1.1.11</val>
        </var>
        <var>
          <name>SP_LICENSE_PROXY_PORT</name>
          <val>8080</val>
        </var>
        <var>
          <name>SP_LICENSE_TOKEN</name>
          <val>ZTVhMmIyZmYtNzg0Mi00NmFhLWE1NjAtMjRkZmE4YTc5MThjLTE1MDgzODk2%0AOTg1MTl8MTNUdnFIcTJMbXF5dS9yMTlZekRJd1FhdFFaMTUzUDN2RU1WTTB3%0AOCtQdz0%3D%0A</val>
        </var>
      </day0-url>
      <day0-url xmlns="http://cisco.com/ns/branchinfra-nfvo">
        <dstFile>ovf-env.xml</dstFile>
        <url>{{ ISRV_SIP_DAY0_OVF_URL }}</url>
        <var>
          <name>SSH_PASSWORD</name>
          <encrypted-val>$8$tCaCX0UyNYokiYYaenikSNOwHazQqGJahRJtrrJLCKg=</encrypted-val>
        </var>
        <var>
          <name>SSH_USERNAME</name>
          <val>cisco</val>
        </var>
        <var>
          <name>TECH_PACKAGE</name>
          <val>ax</val>
        </var>
      </day0-url>
    </deployment>
  </catalog>
</config>
Sample Template for Single IP ISRv
{
  "allowedValues": [
    {
      "VBRANCH_DEVICE_TYPE": "ENCS",
      "tag": "site-var"
    }
  ],
  "childElements": [
    {
      "allowedValues": [],
      "config": [
        {
          "name": "example-vrf"
        }
      ],
      "deployment": "ISR-Single-IP",
      "description": "ISRSIP",
      "flavor": "vBranch-ISRv-SIP",
      "image": "ISRv-small",
      "inputType": "slider",
      "label": "cv",
      "mandatory": true,
      "name": "isrlan",
      "nics": [
        {
          "id": "1",
          "name": "wan-net",
          "network": "wan-net"
        }
      ],
      "parentName": "vBranch Single IP",
      "propertyName": "ISRSIP",
      "section": "vBranch Single IP",
      "supported": true,
      "type": "branch",
      "value": "ISRSIP",
      "vbranchOptions": {
        "billableSize": "125"
      }
    }
  ],
  "columns": [],
  "flavors": [
    {
      "name": "vBranch-ISRv-SIP",
      "vdus": [
        {
          "name": "ISRv-small"
        }
      ]
    }
  ],
  "images": [
    {
      "name": "ISRv"
    }
  ],
  "inputMetadata": [],
  "name": "vBranch Single IP With Config",
  "networks": [],
  "section": "branch-templates",
  "sizes": [
    {
      "description": "For 1-10 employees",
      "id": "small",
      "name": "Small Branch",
      "offerIcon": "S",
      "opExPrice": "N/A",
      "recommended": true,
      "supportedServerIds": [
        "dev1"
      ]
    },
    {
      "description": "For 10-100 employees",
      "id": "medium",
      "name": "Medium Branch",
      "offerIcon": "M",
      "opExPrice": "N/A",
      "supportedServerIds": [
        "dev2"
      ]
    },
    {
      "description": "For 100-1000 employees",
      "id": "large",
      "name": "Large Branch",
      "offerIcon": "L",
      "opExPrice": "N/A",
      "supportedServerIds": [
        "dev3"
      ]
    }
  ],
  "supported": true,
  "type": "branch",
  "vbranchOptions": {
    "iconUrl": "services/vbranch/customizations/images/template-icons/retail.svg",
    "notes": "A example of a single ip template for vBranch",
    "opExPrice": "N/A",
    "serviceIds": "internetAccess",
    "topologyId": "vBranch_Single_IP-topology"
  }
}
Sample for Single IP ISRv Day-0
interface GigabitEthernet1
 ip nat inside
 no shut
!
interface GigabitEthernet2
 ip address ${HOST_WAN_IP} ${HOST_WAN_IP_MASK}
 ip nat outside
 no shut
!
!--- This allows PAT to be used for regular Internet traffic.
ip nat inside source static udp ${INT_MGMT_SUBNET_GW} 4500 interface GigabitEthernet2 4500
!--- This permits IPSec traffic destined for the GigabitEthernet2
!--- interface to be sent to the inside IP address INT_MGMT_SUBNET_GW
ip nat inside source static udp ${INT_MGMT_SUBNET_GW} 500 interface GigabitEthernet2 500
ip nat inside source list NAT interface GigabitEthernet2 overload
!--- This allows UDP traffic for the INT_MGMT_SUBNET_GW interface to be
!--- statically mapped to the inside IP address INT_MGMT_SUBNET_GW.
!--- This is required for the Internet Security Association
!--- and Key Management Protocol (ISAKMP) negotiation to be
!--- initiated.
ip route 0.0.0.0 0.0.0.0 ${HOST_WAN_GATEWAY}
ip route ${MGMTHUB_OVERLAY_NET_IP} ${MGMTHUB_OVERLAY_NET_MASK} ${INT_MGMT_SUBNET_GW}
ip access-list standard NAT
 permit ${INT_MGMT_SUBNET_IP} ${INT_MGMT_SUBNET_INVERSE_MASK}