Author Archives: ACR 2014

WIP | Cisco WLC and AP’s

Work in progress

Dashboard: (screenshot)

EIGRP Metric Calculator

# EIGRP composite metric with the default K values (K1 = K3 = 1):
# bw is the minimum bandwidth in kbps, delay is the cumulative delay in
# microseconds (divided by 10 to get tens of microseconds).
bw = 200000
delay = 2900
K1 = 1
K3 = 1
met = 256 * (int(K1 * 10**7 / bw) + K3 * delay // 10)
print(met)   # 87040
!
# Interactive version: input() returns a string, so convert to int before
# using the values (the original read the delay into 'dly' but used 'delay'
# in the formula, so the prompt value was never used).
bw = int(input("Bandwidth: "))
delay = int(input("Delay: "))
met = 256 * (int(K1 * 10**7 / bw) + K3 * delay // 10)
print(met)
!

DMVPN Configuration

Template Configuration:
## R1
int g1/0
ip address 122.1.1.1 255.255.255.0
no shut
duplex full
exit

## R2
int g1/0
ip address 122.1.1.2 255.255.255.0
no shut
duplex full
exit

## R3
int g1/0
ip address 122.1.1.3 255.255.255.0
no shut
duplex full
exit

conf t
int range f1/1 - 3
shutdown
no shutdown
exit

HUB:
interface tunnel 0
! IP address
ip address 10.0.0.1 255.255.255.0

! Bandwidth – Will be part of routing metrics
bandwidth 1000

! Ensures longer packets are fragmented before they are encrypted
ip mtu 1400

! The following line must match on all nodes that want to use this mGRE tunnel:
ip nhrp authentication donttell

! Note that the next line is required only on the hub
ip nhrp map multicast dynamic
! Note: multicast is replicated to the NBMA addresses the hub learned from the spokes' unicast NHRP registrations

! The following line must match on all nodes that want to use this mGRE tunnel:
ip nhrp network-id 99
ip nhrp holdtime 300

! Turns off split horizon on the mGRE tunnel interface; otherwise, EIGRP will not advertise routes learned via the mGRE interface back out that same interface.
no ip split-horizon eigrp 1

!
tunnel source g1/0
tunnel mode gre multipoint
tunnel key 100000

SPOKES:
SPOKE 1
int tunnel 0
ip address 10.0.0.2 255.255.255.0
!
ip nhrp authentication donttell

! Definition of the NHRP server at the hub (10.0.0.1), which is permanently mapped to the static public address of the hub (122.1.1.1). Left: private/VPN address, right: public/NBMA address.
ip nhrp map 10.0.0.1 122.1.1.1

! Sends multicast packets to the hub router, and enables the use of a dynamic routing protocol between the spoke and the hub.
ip nhrp map multicast 122.1.1.1

! The following line must match on all nodes that want to use this mGRE tunnel:
ip nhrp network-id 99
ip nhrp holdtime 300

! Configures the hub router as the NHRP next-hop server (the command is "nhs", not "nbs")
ip nhrp nhs 10.0.0.1
ip tcp adjust-mss 1360
delay 1000
tunnel source g1/0
tunnel destination 122.1.1.1
tunnel key 100000

SPOKE 2
int tunnel 0
ip address 10.0.0.3 255.255.255.0
ip nhrp authentication donttell
ip nhrp network-id 99
ip nhrp map 10.0.0.1 122.1.1.1
ip nhrp map multicast 122.1.1.1
ip nhrp nhs 10.0.0.1
tunnel source g1/0
tunnel destination 122.1.1.1
tunnel key 100000

Configuring Dynamic routing protocol:
! Configure on all Hub and spokes
router eigrp 1
network 10.0.0.0
network 192.168.0.0
no auto-summary
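The comments in the templates above say that the NHRP authentication string, network-id and tunnel key must match on every node, and that each spoke must map and point its NHS at the hub. A one-character slip (the "nbs"/"nhs" kind) leaves a spoke silently unregistered, so it is worth checking the stanzas mechanically before pushing them. The following Python checker is an added example, not code from the original post: it parses the tunnel-interface stanza out of IOS-style text and reports the mismatches. The sample configs are constructed here and deliberately contain two errors (SPOKE1 uses the misspelled "ip nhrp nbs", SPOKE2 has a wrong network-id); it only checks what is visible inside the tunnel stanza, so the hub's own NBMA address is not cross-checked against the physical interface.

```python
import re

# Parameters the templates' comments say must match on every node of the
# mGRE cloud: label -> regex capturing the configured value.
MUST_MATCH = {
    "ip nhrp authentication": r"^ip nhrp authentication (\S+)$",
    "ip nhrp network-id": r"^ip nhrp network-id (\d+)$",
    "tunnel key": r"^tunnel key (\d+)$",
}

def parse_tunnel(config_text):
    """Extract the DMVPN settings of the 'interface tunnel' stanza in an
    IOS-style config. '!' lines are comments; the next stanza ends it."""
    p = {"maps": {}}
    in_tunnel = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if re.match(r"^int(erface)?\s+tunnel\s*\d+$", line, re.I):
            in_tunnel = True
            continue
        if not in_tunnel:
            continue
        if re.match(r"^(int(erface)?|router)\s", line, re.I):
            break
        for name, pattern in MUST_MATCH.items():
            if (m := re.match(pattern, line)):
                p[name] = m.group(1)
        if (m := re.match(r"^ip address (\S+) \S+$", line)):
            p["vpn_ip"] = m.group(1)
        elif (m := re.match(r"^ip nhrp nhs (\S+)$", line)):
            p["nhs"] = m.group(1)
        elif line == "ip nhrp map multicast dynamic":
            p["multicast_dynamic"] = True
        elif (m := re.match(r"^ip nhrp map multicast (\S+)$", line)):
            p["multicast_nbma"] = m.group(1)
        elif (m := re.match(r"^ip nhrp map (\S+) (\S+)$", line)):
            p["maps"][m.group(1)] = m.group(2)   # static VPN -> NBMA mapping
        elif line == "tunnel mode gre multipoint":
            p["mgre"] = True
    return p

def check_dmvpn(configs, hub):
    """configs: {node: config_text}. Returns a list of findings (empty = OK)."""
    parsed = {n: parse_tunnel(t) for n, t in configs.items()}
    findings = []
    for name in MUST_MATCH:                       # must be identical cloud-wide
        values = {n: p.get(name) for n, p in parsed.items()}
        if len(set(values.values())) != 1:
            findings.append(f"{name} differs across nodes: {values}")
    h = parsed[hub]
    if not h.get("mgre"):
        findings.append(f"{hub}: missing 'tunnel mode gre multipoint'")
    if not h.get("multicast_dynamic"):
        findings.append(f"{hub}: missing 'ip nhrp map multicast dynamic'")
    for n, p in parsed.items():                   # every spoke must point at the hub
        if n == hub:
            continue
        nhs = p.get("nhs")
        if nhs is None:
            findings.append(f"{n}: no NHS ('ip nhrp nhs' missing or misspelled)")
        elif nhs != h.get("vpn_ip"):
            findings.append(f"{n}: NHS {nhs} is not the hub address {h.get('vpn_ip')}")
        elif nhs not in p["maps"]:
            findings.append(f"{n}: no static 'ip nhrp map {nhs} <NBMA>' entry")
        elif p.get("multicast_nbma") != p["maps"][nhs]:
            findings.append(f"{n}: multicast map {p.get('multicast_nbma')} "
                            f"!= NHS NBMA {p['maps'][nhs]}")
    return findings

# Constructed sample configs modelled on the templates above. SPOKE1 carries
# the 'nbs' typo for 'nhs'; SPOKE2 carries a wrong network-id.
SAMPLE_CONFIGS = {
    "HUB": """interface tunnel 0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication donttell
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 tunnel mode gre multipoint
 tunnel key 100000
router eigrp 1""",
    "SPOKE1": """interface tunnel 0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication donttell
 ip nhrp map 10.0.0.1 122.1.1.1
 ip nhrp map multicast 122.1.1.1
 ip nhrp network-id 99
 ip nhrp nbs 10.0.0.1
 tunnel key 100000""",
    "SPOKE2": """interface tunnel 0
 ip address 10.0.0.3 255.255.255.0
 ip nhrp authentication donttell
 ip nhrp network-id 98
 ip nhrp map 10.0.0.1 122.1.1.1
 ip nhrp map multicast 122.1.1.1
 ip nhrp nhs 10.0.0.1
 tunnel key 100000""",
}

if __name__ == "__main__":
    for finding in check_dmvpn(SAMPLE_CONFIGS, "HUB"):
        print("MISMATCH:", finding)
```

Running it against the sample reports exactly the two planted problems; feed it the real `show running-config interface tunnel 0` output from each router (one string per node) to use it on a live deployment.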

Troubleshooting:

EIGRP IS FLAPPING?
https://community.cisco.com/t5/switching/eigrp-continually-flapping/td-p/1811550
https://learningnetwork.cisco.com/thread/76634
https://community.cisco.com/t5/routing/random-eigrp-peer-termination-received-msgs/td-p/2055665
https://community.cisco.com/t5/switching/eigrp-flapping-retry-limit-exceeded/td-p/1925753

DMVPN

What is DMVPN?
a. Point-to-multipoint Layer 3 overlay VPN
– Logical hub and spoke topology
– Direct spoke to spoke traffic is supported

b. DMVPN uses a combination of…
– Multipoint GRE Tunnels (mGRE)
– Next Hop Resolution Protocol (NHRP)
– IPsec Crypto Profiles
– Routing

Why Use DMVPN?
a. Independent of SP access method
– Only requirement is IP connectivity

b. Routing policy is not dictated by SP
– E.g. MPLS L3VPN restriction

c. Highly scalable
– If properly designed

Note: The transport can be the internet, MPLS or an L2VPN; the main implication is that any IP connectivity will do. Some designs put DMVPN on top of MPLS, but the main advantage is that the transport doesn't matter: as long as the endpoints can ping each other, they can build a tunnel.

How DMVPN Works?
a. DMVPN allows on-demand full mesh IPsec tunnels with minimal configuration through usage of…
– Multipoint GRE tunnel (mGRE)
– Next Hop Resolution Protocol (NHRP)
– IPsec Crypto Profiles
– Routing

b. Reduces need for n*(n-1)/2 static tunnel configuration
– Uses one mGRE interface for all connections
– Tunnels are created on-demand between nodes
– Encryption is optional

Creates on-demand tunnel between nodes
a. Initial tunnel-mesh is hub-and-spoke (always on)
b. Traffic patterns trigger spoke-to-spoke tunnels
c. Solves management scalability problem

Maintains tunnel based on traffic patterns
a. Spoke-to-spoke tunnel is on-demand
b. Spoke-to-spoke tunnel lifetime is based on traffic

Note: If Spoke A and Spoke B are talking and eventually stop sending traffic, that tunnel is automatically torn down. From a control-plane scaling point of view, a DMVPN made of a thousand nodes does not require 999 crypto peers on every spoke: a spoke only holds the IPsec security association (or the GRE association) with the endpoints it is currently talking to.

Requires two IGPs: Underlying and overlay
a. IPv4/IPv6 supported for both passenger and transport

How DMVPN works – Hub to Spokes
a. Two main components
– DMVPN Hub / NHRP Server (NHS)
– DMVPN Spokes / NHRP Client (NHC)

b. Spoke/Clients register with Hub/Server
– Spokes manually specify Hub’s address
– Sent via NHRP Registration Request
– Hub dynamically learns Spoke’s VPN address & NBMA address

Note: IP over Ethernet uses ARP to bind a destination IP address to a destination MAC address. In the case of Frame Relay we use Inverse ARP to bind a remote IP address to a local circuit, and the same applies to ATM. NHRP does the same thing, but it binds an IP address to an IP address: the spoke has to work out how to route traffic to a private (overlay) address when it needs GRE encapsulation to get there, so what is the underlay address, the NBMA address, that it must put in the destination of the outer IP packet?

So this is the job of the next-hop server: when a client wants to send traffic to a particular destination, or specifically to a specific spoke, the NHS tells it the mapping between the underlay address (NBMA) and the overlay address (the VPN address).

c. Spokes establish tunnels to hub
– Exchange IGP routing information over the tunnel

d. Spoke1 knows Spoke2’s routes via IGP
– Learned via tunnel to hub
– Next-hop is Spoke2's VPN IP for DMVPN Phase 2
– Next-hop is Hub’s VPN IP for DMVPN Phase3

e. Spoke1 asks for Spoke2's real address
– Maps next-hop (VPN) IP to tunnel source (NBMA) IP
– Sent via NHRP Resolution Request

f. Spoke to spoke tunnel is formed
– Hub only used for control plane exchange
– Spoke-to-spoke data plane may flow through hub initially

NHRP Important Messages
1. NHRP Registration Request
– Spokes register their NBMA and VPN IP with the NHS
– Required to build the spoke to hub tunnels
2. NHRP Resolution Request
– Spoke queries for the NBMA-to-VPN mappings of the other spokes
– Required to build spoke-to-spoke tunnels
3. NHRP Redirect
– The NHS's answer to a spoke-to-spoke data-plane packet that transits it
– Similar to IP redirects, when packet in/out interface is the same
– Used only in DMVPN Phase 3 to build spoke-to-spoke tunnels
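The registration and resolution steps above (b through f under "Hub to Spokes", plus messages 1 and 2) are easiest to see as a small state machine: the NHS keeps a table of VPN-to-NBMA bindings learned from registrations, and a spoke consults its own NHRP cache before every GRE encapsulation, asking the NHS when the next hop is unknown. The Python model below is an added example, not code from the original post or from INE; it implements the Phase 2 behaviour (next hop is the remote spoke's VPN address, first packet goes via the hub while the resolution is outstanding, later packets go direct) and does not model Phase 3 redirects or tunnel teardown. The topology and addresses are constructed from the config earlier in the post; `NextHopServer` and `Spoke` are names chosen here.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NextHopServer:
    """DMVPN hub acting as NHS: holds VPN-IP -> NBMA-IP bindings that spokes
    announce in NHRP Registration Requests."""
    vpn_ip: str
    nbma_ip: str
    bindings: dict = field(default_factory=dict)

    def registration_request(self, spoke_vpn_ip, spoke_nbma_ip):
        self.bindings[spoke_vpn_ip] = spoke_nbma_ip   # learned dynamically
        return ("Registration Reply", spoke_vpn_ip, spoke_nbma_ip)

    def resolution_request(self, vpn_ip):
        # "Which NBMA address reaches this VPN address?" (None if unknown)
        return ("Resolution Reply", vpn_ip, self.bindings.get(vpn_ip))

@dataclass
class Spoke:
    name: str
    vpn_ip: str
    nbma_ip: str
    routes: dict                     # prefix -> next-hop VPN IP, or "connected"
    nhrp_cache: dict = field(default_factory=dict)   # VPN IP -> NBMA IP
    tunnels: set = field(default_factory=set)        # NBMA peers with a tunnel up

    def register(self, nhs):
        """Static 'ip nhrp map <hub-vpn> <hub-nbma>' plus the always-on hub
        tunnel, then the NHRP Registration Request to the NHS."""
        self.nhrp_cache[nhs.vpn_ip] = nhs.nbma_ip
        self.tunnels.add(nhs.nbma_ip)
        return nhs.registration_request(self.vpn_ip, self.nbma_ip)

    def next_hop(self, dst_ip):
        """Longest-prefix match over the IGP routes learned via the hub."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for prefix, nh in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            return None
        return dst_ip if best[1] == "connected" else best[1]

    def forward(self, dst_ip, nhs):
        """Return the NBMA address this packet is GRE-encapsulated to."""
        nh = self.next_hop(dst_ip)
        if nh is None:
            return None                              # no route at all
        if nh in self.nhrp_cache:
            return self.nhrp_cache[nh]               # direct spoke-to-spoke
        # Unknown next hop: NHRP Resolution Request to the NHS. Until the
        # mapping is cached the data plane is sent through the hub.
        _, _, nbma = nhs.resolution_request(nh)
        if nbma is not None:
            self.nhrp_cache[nh] = nbma
            self.tunnels.add(nbma)                   # on-demand tunnel formed
        return nhs.nbma_ip

def build_lab():
    """Constructed topology reusing the post's addresses: hub 10.0.0.1 at
    122.1.1.1, spokes .2 and .3, each advertising one LAN via EIGRP."""
    hub = NextHopServer(vpn_ip="10.0.0.1", nbma_ip="122.1.1.1")
    spoke2 = Spoke("SPOKE2", "10.0.0.2", "122.1.1.2",
                   routes={"10.0.0.0/24": "connected", "192.168.3.0/24": "10.0.0.3"})
    spoke3 = Spoke("SPOKE3", "10.0.0.3", "122.1.1.3",
                   routes={"10.0.0.0/24": "connected", "192.168.2.0/24": "10.0.0.2"})
    for spoke in (spoke2, spoke3):
        spoke.register(hub)
    return hub, spoke2, spoke3

if __name__ == "__main__":
    hub, spoke2, spoke3 = build_lab()
    print("NHS bindings:", hub.bindings)
    for _ in range(2):   # first packet via hub, second direct to SPOKE3
        print("SPOKE2 -> 192.168.3.10 encapsulated to", spoke2.forward("192.168.3.10", hub))
    print("SPOKE2 tunnels:", sorted(spoke2.tunnels))
```

Note that `spoke3.tunnels` still only contains the hub after this exchange: in this model the spoke-to-spoke tunnel shows up on SPOKE3 once it has return traffic to resolve, which is the same per-direction, on-demand behaviour the notes describe.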

Reference:
https://my.ine.com/course/ccie-rs-v5-dmvpn/653eff2c-d05d-4de3-9350-49ce03352299

vManage Web Certificate Installation

Another thing we need to do in the post-installation part is the vManage web certificate installation, which resolves the browser's certificate warning.

Go to Admin > Settings

a. Generate CSR

Generated CSR

b. CSR Installation

Note: Once the installation is completed, we need to reboot the server for the certificate to take effect. Make sure the CSR is updated before the reboot.

To Reboot go to Maintenance > Device Reboot > vManage

Reference: https://sdwan-docs.cisco.com/Product_Documentation/vManage_How-Tos/Configuration/Generate_Web_Server_Certificate

Viptela Web Interface

vManage Web Interface Options/Role

I. Dashboard

II. Monitor

III. Configuration

IV. Tools

V. Maintenance

VI. Administration

a. Settings


Organization name – Added during post-installation and has to match on every single device in your SD-WAN deployment.
vBond – Specifies the vBond address for contact and authentication using the default port.
Email Notification – For alarms via email. You can specify the SMTP server and other mail server details.
Controller Certificate Authorization – This is where we choose how the vManage certificate is issued; there are 3 ways.
WAN Edge Cloud Certificate Authorization – Issues the certificate to the vEdge cloud (default).
Web Server Certificate – SSL certificate installation.
Enforce Software Version (ZTP) – Software repository where you upload the update file.
Banner – Will be displayed on vManage.
Reverse Proxy – To enable the reverse proxy function.
Statistics Settings – Enable/disable statistics collection (all enabled by default).
CloudExpress – To enable CloudExpress features.
vAnalytics – To enable/launch vAnalytics.
Client Session Timeout – Disabled by default; controls how the web session is handled.
Data Stream – Data collection on WAN edge devices is disabled (packet capture, log collection, speed test).
Tenancy Mode – Can change to single (default) or multiple tenants.
     Note: Once you switch over to multi-tenant you can never switch back.
Statistics Configuration – How often vManage collects device statistics (minimum 5 min).
Maintenance window – You can schedule a maintenance window for any major changes.
Identity Provider settings – Disabled by default. Use if you want to have a single sign-on server.
Statistics Database Configuration – Change/set the size of the database allocated to each statistics type.
Google Map API key – Key advertised to Google for geographic location.
Software Install Timeout – For controller upgrades; the default is 60 minutes before the upgrade is terminated.
IPS Signature Update -

VII. Analytics

Viptela Controller Configuration

Viptela Lab – Topology


I. vManage Initial Configuration(CLI)

vmanage# conf t
Entering configuration mode terminal
vmanage(config)# system
vmanage(config-system)# host-name LAB-VMANAGE1
vmanage(config-system)# system-ip 1.1.255.11
vmanage(config-system)# site-id 255
vmanage(config-system)# organization-name "2019_VIPLAB"
vmanage(config-system)# ntp server 1.1.0.1 prefer vpn 0
vmanage(config-server-1.1.0.1)# exit
vmanage(config-ntp)# exit
vmanage(config-system)# clock timezone America/Los_Angeles
vmanage(config-system)# vbond 1.1.0.12

! The configuration entered so far is only held in candidate memory; it won't take effect until commit.

vmanage(config-system)# show configuration
system
host-name LAB-VMANAGE1
system-ip 1.1.255.11
site-id 255
organization-name 2019_VIPLAB
clock timezone America/Los_Angeles
vbond 1.1.0.12
ntp
server 1.1.0.1
version 4
prefer
exit
!
vmanage(config-system)# commit
Commit complete.

II. Interface Configuration(CLI)

LAB-VMANAGE1# conf t
Entering configuration mode terminal
LAB-VMANAGE1(config)# vpn 0
LAB-VMANAGE1(config-vpn-0)# ip route 0.0.0.0/0 1.1.0.1
LAB-VMANAGE1(config-vpn-0)# interface eth0
LAB-VMANAGE1(config-interface-eth0)# ip address 1.1.0.11/24
LAB-VMANAGE1(config-interface-eth0)# no shut
LAB-VMANAGE1(config-interface-eth0)# commit

Note: VPN 512 is another reserved VPN, used for dedicated management access; it corresponds to the management interface on a Cisco router.

LAB-VMANAGE1# request nms all status 
NMS application server
Enabled: true
Status: waiting
NMS configuration database
Enabled: true
Status: running PID:6831 for 107s
NMS coordination server
Enabled: true
Status: running PID:6844 for 107s
NMS messaging server
Enabled: true
Status: running PID:8542 for 89s
NMS statistics database
Enabled: true
Status: running PID:2355 for 138s
NMS data collection agent
Enabled: true
Status: not running
NMS cloud agent
Enabled: true
Status: running PID:268 for 155s
NMS container manager
Enabled: false
Status: not running
NMS SDAVC proxy
Enabled: true
Status: running PID:363 for 155s

III. Post Installation(GUI)


Log In to a Device for the First Time
Enter a URL in the format https://ip-address:8443, where 8443 is the port number used by the vManage NMS.

a. Set Organization, vBond(Default port)
Administration > Settings

b. Controller Certificate Authorization
When we bring up all the controllers they authenticate each other using certificates, but first they need to obtain those certificates.

Ways to issue certificate to controllers
1. Symantec Automated – vManage creates a CSR on each device's behalf and automatically has it signed by the Symantec-hosted CA server, which is controlled by Cisco support.

2. Symantec Manual – Similar to the first method, but everything is done manually. This includes generating the CSR, going to the Symantec website to have it signed (which needs to be approved by the Cisco team) and, once you get the signed certificate, installing it manually. You do this when vManage has no internet access.

3. Enterprise root certificate – Basically takes all certificate signing into your own hands, so you need to have your own root CA. The process is similar to Symantec manual, but you need to make all devices trust your root CA, as opposed to the Symantec CA that the devices already trust (built in).

IV. vBond Initial Configuration(CLI)

Similar to vEdge, you need to configure the system-ip, site-id, organization name, etc. The difference is that we need to enable the vBond service by adding the local keyword to the vbond command.

vedge# conf t
Entering configuration mode terminal
vedge(config)# system 
vedge(config-system)# host-name LAB-VBOND1
vedge(config-system)# system-ip 1.1.255.12
vedge(config-system)# site-id 255
vedge(config-system)# organization-name "2019_VIPLAB"
vedge(config-system)# ntp server 1.1.0.1 prefer vpn 0
vedge(config-server-1.1.0.1)# exit
vedge(config-ntp)# exit
vedge(config-system)# vbond 1.1.0.12 local
vedge(config-system)# 
Uncommitted changes found, commit them? [yes/no/CANCEL] yes
Commit complete.
!
LAB-VBOND1# conf t
Entering configuration mode terminal
LAB-VBOND1(config)# vpn 0
LAB-VBOND1(config-vpn-0)# ip route 0.0.0.0/0 1.1.0.1
LAB-VBOND1(config-vpn-0)# interface ge0/0
LAB-VBOND1(config-interface-ge0/0)# ip address 1.1.0.12/24
LAB-VBOND1(config-interface-ge0/0)# no shut
LAB-VBOND1(config-interface-ge0/0)# no tunnel-interface
LAB-VBOND1(config-interface-ge0/0)# commit
LAB-VBOND1# show interface 
interface vpn 0 interface ge0/0 af-type ipv4
 ip-address        1.1.0.12/24
 if-admin-status   Up
 if-oper-status    Up
 if-tracker-status NA
 encap-type        null
 port-type         service
 mtu               1500
 hwaddr            50:00:00:03:00:01
 speed-mbps        1000
 duplex            full
 tcp-mss-adjust    1416
 uptime            0:00:03:11
 rx-packets        149
 tx-packets        111
interface vpn 0 interface system af-type ipv4
 ip-address        1.1.255.12/32                 <----- For vManage
 if-admin-status   Up
 if-oper-status    Up
 if-tracker-status NA
 encap-type        null
 port-type         loopback
 mtu               1500
 hwaddr            00:00:00:00:00:00
 speed-mbps        0
 duplex            full
 tcp-mss-adjust    1416
 uptime            0:00:03:17
 rx-packets        0
 tx-packets        0
interface vpn 512 interface eth0 af-type ipv4
 if-admin-status   Up
 if-oper-status    Up
 if-tracker-status NA
 encap-type        null
 port-type         service
 mtu               1500
 hwaddr            50:00:00:03:00:00
 speed-mbps        0
 duplex            half
 tcp-mss-adjust    0
 uptime            0:00:03:10
 rx-packets        0
 tx-packets        41

Note: By default it is just a vEdge cloud router until you enable vBond using the local keyword. Also, by default the tunnel interface is enabled on a vEdge router, so we need to delete it if you plan to register with vManage using the ge0/0 interface; otherwise it will not register, because the tunnel interface carries an “allow-services” policy that by default does not let the interface talk to anything but the specific permitted services.

V. Adding vBond to vManage (web)
Add vBond via its management interface, but as long as you have disabled the tunnel interface you will also be able to connect to vBond on its VPN 0 address.

Configuration > Devices > Controllers > Add Controller > vBond

VI. Certificate Installation using OpenSSL

LAB-VMANAGE1# vshell
LAB-VMANAGE1:~$ openssl genrsa -out ROOTCA.key 2048
Generating RSA private key, 2048 bit long modulus
.......................................+++++
...............................+++++
e is 65537 (0x10001)

LAB-VMANAGE1:~$ openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 1024 \
> -subj "/C=AU/ST=NSW/L=NSW/O=network-lab/CN=vmanage.lab" \
> -out ROOTCA.pem
LAB-VMANAGE1:~$ exit

LAB-VMANAGE1# request root-cert-chain install /home/admin/ROOTCA.pem
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/ROOTCA.pem via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain

LAB-VMANAGE1# vshell
LAB-VMANAGE1:~$ cat > vmanage.csr
LAB-VMANAGE1:~$ ls
ROOTCA.key ROOTCA.pem archive_id_rsa.pub vmanage.csr vmanage_csr

LAB-VMANAGE1:~$ pwd 
/home/admin

LAB-VMANAGE1:~$ cat > vmanage.csr
-----BEGIN CERTIFICATE REQUEST-----
[... CSR body omitted ...]
-----END CERTIFICATE REQUEST-----

LAB-VMANAGE1:~$ openssl x509 -req -in vmanage.csr \
> -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
> -out vmanage.crt -days 500 -sha256
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=2019_VIPLAB/O=vIPtela Inc/CN=vmanage-bf0c54b2-db8e-400f-a4c7-93bb226ac39a-1.viptela.com/emailAddress=support@viptela.com
Getting CA Private Key
LAB-VMANAGE1:~$ ls
ROOTCA.key ROOTCA.pem ROOTCA.srl archive_id_rsa.pub vmanage.crt vmanage.csr vmanage_csr

-----BEGIN CERTIFICATE-----
[... certificate body omitted ...]
-----END CERTIFICATE-----
LAB-VMANAGE1:~$ exit

LAB-VMANAGE1# request certificate install /home/admin/vmanage.crt
Installing certificate via VPN 0
Copying ... /home/admin/vmanage.crt via VPN 0
Same certificate is already installed.
Failed to install the certificate !!

https://codingpackets.com/blog/viptela-control-plane-setup

vBond Certificate installation

#request root-cert-chain install scp://admin@1.1.0.11:/home/admin/ROOTCA.pem vpn 0

LAB-VBOND1# request root-cert-chain install scp://admin@1.1.0.11:/home/admin/ROOTCA.pem vpn 0
Uploading root-ca-cert-chain via VPN 0
Copying ... admin@1.1.0.11:/home/admin/ROOTCA.pem via VPN 0
Warning: Permanently added '1.1.0.11' (ECDSA) to the list of known hosts.
viptela 18.4.3

admin@1.1.0.11's password:
ROOTCA.pem 100% 1269 40.2KB/s 00:00
Updating the root certificate chain..
Successfully installed the root certificate chain
### SIGNED FROM VMANAGE
LAB-VMANAGE1# vshell
LAB-VMANAGE1:~$ cat > vbond.csr
-----BEGIN CERTIFICATE REQUEST-----
[... CSR body omitted ...]
-----END CERTIFICATE REQUEST-----
LAB-VMANAGE1:~$
LAB-VMANAGE1:~$
LAB-VMANAGE1:~$ openssl x509 -req -in vbond.csr \
> -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
> -out vbond.crt -days 500 -sha256
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=2019_VIPLAB/O=vIPtela Inc/CN=vmanage-bf0c54b2-db8e-400f-a4c7-93bb226ac39a-2.viptela.com/emailAddress=support@viptela.com
Getting CA Private Key

request certificate install scp://admin@1.1.0.11:/home/admin/vbond.crt vpn 0
LAB-VBOND1# request certificate install scp://admin@1.1.0.11:/home/admin/vbond.crt vpn 0
Installing certificate via VPN 0
Copying ... admin@1.1.0.11:/home/admin/vbond.crt via VPN 0
Warning: Permanently added '1.1.0.11' (ECDSA) to the list of known hosts.
viptela 18.4.3

admin@1.1.0.11's password:
vbond.crt 100% 1314 41.4KB/s 00:00
Error: CSR not generated.. Aborting !
Failed to install the certificate !!
LAB-VBOND1#