Appendix: Troubleshooting SD-Branch Issues...asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-interfaces init not-reached ready not-reached asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-ntp

Appendix: Troubleshooting SD-Branch Issues

• PnP Server Troubleshooting Commands, on page 1• Generic PnP Service CLI Command, on page 9• Device Registration Fails Due to Incorrect CPE Day -1 Configuration , on page 10• Service Chain Deployment Stays in the 'Provisioning' State Indefinitely, on page 11• Troubleshooting On-boarding , on page 11

PnP Server Troubleshooting Commands

List of Devices in Contact with the PnP ServerTo view the list of CPEs in contact with the PnP server, run the following command:

admin@ncs-sm-vbranch> show pnp listSERIAL IP ADDRESS CONFIGURED ADDED SYNCED LAST CONTACT-------------------------------------------------------------------------------FTX1738AJME 173.36.207.85 true true true 2017-10-24 23:44:44FTX1738AJMG 173.36.207.81 true true true 2017-10-24 23:43:50FTX1740ALBX 173.36.207.80 true true true 2017-10-24 23:44:21SSI184904LG 173.36.207.82 true true true 2017-10-24 23:43:56SSI185104LT 173.36.207.84 true true true 2016-10-24 23:43:57[ok][2016-10-24 23:45:49]

The Last Contact column displays the last date and time when the PnP server was in contact with the CPE. Ifthe CPE has not been in recent contact with the PnP server then it might be due to a potential issue withconnectivity or reachability between the PnP server and the CPE.

Note

SD-Branch CPE in Contact with the PnP Server (without a service)The output below shows the NSO CLI output when no service is provisioned.

admin@ncs-sm-vbranch> show branch-infra:branch-infra branch-cpe%No entries found[ok][2016-10-24 23:45:49]

Appendix: Troubleshooting SD-Branch Issues1

SD-Branch CPE in Contact with the PnP Server (With a Service)The SD-Branch service provisioning may take up to several minutes from the point when the service isinstantiated to the point when the SD-Branch service comes up, end-to-end.

To view the status of the SD-Branch service, run the following command:

admin@ncs-sm-vbranch> show branch-infra:branch-infra-status branch-cpeamXqvXDO9zW2IZleho2cOBrD plan component state statusNAME STATE STATUS-------------------------------------------------self init reached

ready reachedamXqvXDO9zW2IZleho2cOBrD init reached

pnp-callhome reachedready reached

[ok][2017-10-25 14:20:40]

SD-Branch CPE in Contact with the PnP Server (Detailed)To view the details of the SD-Branch service, run the following command:

vmsnso@ncs> show branch-infra:branch-infra-status branch-cpe amXqvXDO9zW2IZleho2cOBrD plancomponentplan component selftype selfstate initstatus reachedwhen 2017-10-25T14:15:20message ""state readystatus reachedwhen 2017-10-25T14:16:57message ""real-name amXqvXDO9zW2IZleho2cOBrDplan component amXqvXDO9zW2IZleho2cOBrDtype branch-cpestate initstatus reachedwhen 2017-10-25T14:15:20message ""state pnp-callhomestatus reachedwhen 2017-10-25T14:16:22message ""state readystatus reachedwhen 2017-10-25T14:16:57message Readyreal-name amXqvXDO9zW2IZleho2cOBrDprovider CiscoSystemsdevice amXqvXDO9zW2IZleho2cOBrD_ENCS[ok][2017-10-25 14:23:10]

View CPE DetailsTo view the details of CPEs for a service, run the following commands:


Appendix: Troubleshooting SD-Branch IssuesSD-Branch CPE in Contact with the PnP Server (With a Service)

vmsnso@ncs> show pnp list

SERIAL IP ADDRESS CONFIGURED ADDED SYNCED LAST CONTACT---------------------------------------------------------------------------FGL21388017 10.85.189.20 true true true 2017-10-25 14:24:07FGL2138801A 10.85.189.23 false false false 2017-10-25 14:21:16FGL2138801E 10.85.189.24 false false false 2017-10-25 14:21:40[ok][2017-10-25 14:24:20]

vmsnso@ncs> configure

Entering configuration mode private[ok][2017-10-25 14:24:31][edit]

vmsnso@ncs% show branch-infra:branch-infra branch-cpe serial FGL21388017branch-cpe amXqvXDO9zW2IZleho2cOBrD {

provider CiscoSystems;type ENCS;serial FGL21388017;var VBRANCH_DEVICE_TYPE {

val ENCS;}var contact {

val Customer;}var email {

val [email protected];}var phone {

val null;}

}[ok][2017-10-25 14:24:34][edit]vmsnso@ncs% exit[ok][2017-10-25 14:24:53]

Sample Service DeploymentThe Cisco MSX SD-Branch service provisioning may take up to several minutes from the point when theservice is instantiated to the point when the SD-Branch service comes up, end-to-end.

The output below shows a sample of the Cisco MSX SD-Branch service progress in the NSO CLI until thetime when the service is ready for use.

vmsnso@ncs> show branch-infra:branch-infra-status branch-cpe amXqvXDO9zW2IZleho2cOBrD plancomponent state statusNAME STATE STATUS-------------------------------------------------self init reached



[ok][2017-10-25 14:24:57]vmsnso@ncs>System message at 2017-10-25 14:28:09...Commit performed by vmsnso via ssh using netconf

vmsnso@ncs> show branch-infra:branch-infra-status branch-cpe amXqvXDO9zW2IZleho2cOBrD plan


Appendix: Troubleshooting SD-Branch IssuesSample Service Deployment

component state statusNAME STATE STATUS--------------------------------------------------------self init reached

ready not-reachedamXqvXDO9zW2IZleho2cOBrD init reached


ASAv10_vBranch-ASAv-1.0 init reachedready not-reached

ISRv-small_vBranch-ISRv-1.0 init reachedready not-reached

[ok][2017-10-25 14:28:30]

vmsnso@ncs> show branch-infra:branch-infra-status branch-cpe amXqvXDO9zW2IZleho2cOBrD plancomponent state statusNAME STATE STATUS--------------------------------------------------------self init reached

ready not-reachedamXqvXDO9zW2IZleho2cOBrD init reached


ASAv10_vBranch-ASAv-1.0 init reachedready reached

ISRv-small_vBranch-ISRv-1.0 init reachedready not-reached

[ok][2017-10-25 14:30:50]vmsnso@ncs>System message at 2017-10-25 14:31:13...Commit performed by vmsnso via ssh using netconf.

vmsnso@ncs> show branch-infra:branch-infra-status branch-cpe amXqvXDO9zW2IZleho2cOBrD plancomponent state statusNAME STATE STATUS

--------------------------------------------------------------------------------------------self init reached

ready not-reached

amXqvXDO9zW2IZleho2cOBrD init reached

pnp-callhome reached

ready reached

ASAv10_vBranch-ASAv-1.0 init reached

ready reached

ISRv-small_vBranch-ISRv-1.0 init reached

ready reached

service-net init reached

ready reached

asalan_amXqvXDO9zW2IZleho2cOBrD init reached

vm-deployed reached

vm-alive not-reached


Appendix: Troubleshooting SD-Branch IssuesAppendix: Troubleshooting SD-Branch Issues

ready not-reached

asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-interfaces init not-reached

ready not-reached

asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-ntp init not-reached

ready not-reached

asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-ospf init not-reached

ready not-reached

asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-syslog init not-reached

ready not-reached

isrlan_amXqvXDO9zW2IZleho2cOBrD init reached

vm-deployed reached


ready not-reached

isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-base init not-reached

ready not-reached

isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-lan init not-reached

ready not-reached

isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-qos init not-reached

ready not-reached

isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-wan init not-reached

ready not-reached

isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-with-security init not-reached

ready not-reached

[ok][2017-10-25 14:31:59]

vmsnso@ncs> show branch-infra:branch-infra-status branch-cpe amXqvXDO9zW2IZleho2cOBrD plancomponent state statusNAME STATE STATUS

--------------------------------------------------------------------------------------------self init reached

ready not-reached

amXqvXDO9zW2IZleho2cOBrD init reached

pnp-callhome reached

ready reached



ASAv10_vBranch-ASAv-1.0 init reached

ready reached

ISRv-small_vBranch-ISRv-1.0 init reached

ready reached

service-net init reached

ready reached

asalan_amXqvXDO9zW2IZleho2cOBrD init reached

vm-deployed reached

vm-alive reached

ready reached

asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-interfaces init reached

ready reached

asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-ntp init reached

ready reached

asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-ospf init reached

ready reached

asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-syslog init reached

ready reached

isrlan_amXqvXDO9zW2IZleho2cOBrD init reached

vm-deployed reached


ready not-reached

isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-base init not-reached

ready not-reached

isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-lan init not-reached

ready not-reached

isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-qos init not-reached

ready not-reached

isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-wan init not-reached

ready not-reached

isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-with-security init not-reached

ready not-reached



[ok][2017-10-25 14:33:45]

vmsnso@ncs> show branch-infra:branch-infra-status branch-cpe amXqvXDO9zW2IZleho2cOBrD plancomponent state statusNAME STATE STATUS----------------------------------------------------------------------------------------self init reached



ASAv10_vBranch-ASAv-1.0 init reachedready reached

ISRv-small_vBranch-ISRv-1.0 init reachedready reached

service-net init reachedready reached

asalan_amXqvXDO9zW2IZleho2cOBrD init reachedvm-deployed reachedvm-alive reachedready reached

asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-interfaces init reachedready reached

asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-ntp init reachedready reached

asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-ospf init reachedready reached

asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-syslog init reachedready reached

isrlan_amXqvXDO9zW2IZleho2cOBrD init reachedvm-deployed reachedvm-alive reachedready reached

isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-base init reachedready reached

isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-lan init reachedready reached

isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-qos init reachedready reached

isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-wan init reachedready reached

isrlan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-isr-with-security init reachedready reached

Debugging Service Component DetailsTo view the details of the device configuration, run the following commands:

vmsnso@ncs> configureEntering configuration mode private[ok][2017-10-25 14:39:31][edit]

vmsnso@ncs% show branch-infra:branch-infra branch-cpe amXqvXDO9zW2IZleho2cOBrDprovider CiscoSystems;type ENCS;serial FGL21388017;var BGP_LOCAL_AS {

val 200;}var BGP_NEIGHBOR_ADDRESS {

val 192.168.253.1;


Appendix: Troubleshooting SD-Branch IssuesDebugging Service Component Details

}var BGP_REMOTE_AS {

val 300;}var PLATFORM_LAN_DATA_ADDRESS {

val 10.1.11.1;}var PLATFORM_LAN_DATA_MASK {

val 255.255.255.0;}var PLATFORM_LAN_DATA_NETWORK {

val 10.1.11.0;}var PLATFORM_LAN_DATA_VLAN {

val 901;}var PLATFORM_LAN_VOICE_ADDRESS {

val 10.1.12.1;}var PLATFORM_LAN_VOICE_MASK {

val 255.255.255.0;}var PLATFORM_LAN_VOICE_NETWORK {

val 10.1.12.0;}var PLATFORM_LAN_VOICE_VLAN {

val 902;}var PLATFORM_WAN_ADDRESS {

val 192.168.253.2;}var PLATFORM_WAN_MASK {

val 255.255.255.0;}var PLATFORM_WAN_VLAN {

val 801;}var VBRANCH_DEVICE_TYPE {

val ENCS;}var contact {

val customer;}var email {

val [email protected];}var phone {

val null;}network service-net;vnfd vBranch-ASAv-1.0 {

vdu ASAv10;}vnfd vBranch-ISRv-1.0 {

vdu ISRv-small;}vnf asalan {

var zmisc {val zmisc;

}deployment ASA;vnfd vBranch-ASAv-1.0;vdu ASAv10;network service-net 1;



network wan-net 2;config vbranch-mpls-sec-asa-interfaces;config vbranch-mpls-sec-asa-ntp;config vbranch-mpls-sec-asa-ospf;config vbranch-mpls-sec-asa-syslog;

}vnf isrlan {

var zmisc {val zmisc;

}deployment ISR-Security;vnfd vBranch-ISRv-1.0;vdu ISRv-small;network GE0-1-SRIOV-1 2;network lan-net 1;network service-net 3;config vbranch-mpls-isr-base;config vbranch-mpls-isr-lan;config vbranch-mpls-isr-qos;config vbranch-mpls-isr-wan;config vbranch-mpls-isr-with-security;

}[ok][2017-10-25 14:40:27][edit]vmsnso@ncs%

Generic PnP Service CLI Command

PnP Server to IP DeviceTo configure the PnP server to the IP Device, run the following command:show run | s pnpRouter#show run | s pnp pnp profile zero-touch transport https ipv4 203.35.248.89 port 443

remotecert ncs

PnP Server configured with HTTPS and SSLTo configure the PnP server with HTTPS and SSL, run the following command:

admin@ncs-sm-vbranch> show configuration pnp serverport 443;use-ssl true;[ok][2016-05-31 19:33:28]

PnP commands to reset the CPETo configure the PnP commands to reset the CPE, run the following command:

request pnp reset clean serial xxxxxxrequest pnp delete serial xxxxxxIf the day-1-config file need changing on CPE use the commands to create a new file andoverwrite the existing:tclsh


Appendix: Troubleshooting SD-Branch IssuesGeneric PnP Service CLI Command

puts [open "flash:day--1-config" w+] {aaa new-modelaaa authentication login default noneinterface GigabitEthernet0.....pnp profile zero-touchtransport https ipv4 x.x.x.x port 443 remotecert ncs}Tclquit

Viewing Device Information Through PnP-StateTo view the device information through the PnP state, run the following command:

admin@ncs-sm-vbranch> show pnp-state device FTX1738AJMEpnp-state device FTX1738AJMEudi PID:ISR4451-X/K9,VID:V02,SN:FTX1738AJMEdevice-info 15.5(3)S2ip-address 173.36.207.81mgmt-ip 10.254.0.1port 22name FTX1738AJMEusername user-site2password cisco223sec-password priv-cisco222snmp-community-ro ciscosalt ABCDremote-node ""wan-interface GigabitEthernet0/0/1lan-interface GigabitEthernet0/0/0configured truerequest configadded falsesynced falseis-netsim falseneed-clean falsepending-exec ""last-contact 2016-05-31 19:29:18last-clean 0reload-upon-delete false[ok][2016-05-31 19:29:23]

Device Registration Fails Due to Incorrect CPE Day -1Configuration

Problem

When you place an order for a service, the service comprises of devices for sites. These devices must beregistered with the Cisco MSX portal.

If the device fails to register with the PnP server, you need to verify that the Day -1 configuration on the CPEallows it to call home to the PnP server.

Solution

Step 1 Log in to the device and verify to which PNP server the device is connected to.


Appendix: Troubleshooting SD-Branch IssuesViewing Device Information Through PnP-State

Step 2 Run this command show run | s pnp to list the current PnP server that this device is talking to, and examine the output:

Router#show run | s pnp pnpRouter#profile zero-touch transport https ipv4 <IP address> port 443 remotecert ncs

Step 3 To change the IP address of the PNP server, switch to the configuration mode.

Router#config terminalRouter(config)#

Step 4 Enter text that you received as output in Step 2, replacing the IP address with the new one.

Router(config)#pnp profile zero-touchtransport https ipv4 <IP address> port 443 remotecert ncs

Step 5 Exit from the Router(config-pnp-init) mode and f Router(config) mode.Step 6 Copy the configuration into flash configuration, by running the following command:

Router#copy running-config flash:day--1-configDestination filename [day--1-config]?%Warning:There is a file already existing with this nameDo you want to over write? [confirm]4609 bytes copied in 0.876 secs (5261 bytes/sec)

Service Chain Deployment Stays in the 'Provisioning' StateIndefinitely

Problem

After deleting a device, if you perform a device deployment, the service chain deployment continues to be inthe 'Provisioning' state indefinitely. This may be because the subnet associated with the deleted device wasnot removed.

Solution

Step 1 Delete the device configuration manually.Step 2 Go to the Cisco MSX portal and manually delete the associated subnet.

Troubleshooting On-boardingThe table below lists the different troubleshooting errors and their solutions.


Appendix: Troubleshooting SD-Branch IssuesService Chain Deployment Stays in the 'Provisioning' State Indefinitely

Table 1: Troubleshooting Errors and their Solutions

ResolutionComment/SymptomsOn-boarding TypeIssue

Set the correct FQDN andcertificate

Device PnP configurationis not correct.

Single IP

2 Public IP Behind NAT

Open Network Policy

Deployment stuck with“pnp-callhome reached... Waiting for CPEReady” in NSO

Click the recycle button ifthe error exists whilerestarting the PnP agenton the device.

Check iPnP log forindications, if token issuesare identified, possiblyrestart ipnp

Check the PnP logs on thedevice for a “Not allowchange admin passwordusing the PnP after day0”error.

Device does not show inthe PnP list in NSO.

Single IP

2 Public IP /Behind NAT


1. Review if csr hub IP(emote-interface-ip-addr)is correct, andreachable fromdevice.

2. Review thatremote-system-ip-addexists on Cisco MSXand pingable.

3. SSH to device overlayip on port 830,security groups mightbe blocked

Check notifications on thedevice for Failure aroundsecure-overlay or connectto a device and checksecure tunnel status “showsecure-overlay”

Single IP

2 Public IP /Behind NAT


Check if the tunnel is upon the device, or if thetraffic is going through,try to test for intermittentconnectivity that mightrequire mtu/mss changecheck if day0 of single IPVNF allows NAT/PAT

Check to see if device isreachable on public IP. Ifnot, try to reach NFVISeither through the VNF(since now it has publicIP) or through anothermanagement interface(usually through a jumphost on the same network)

Single IPDeployment stuck with"booting VNF ..."

Sample Catalog to Show ENCS-Secure Device Entry

....<branch-cpe><name>ENCS-Secure</name><physical>false</physical><read-timeout>90</read-timeout>


Appendix: Troubleshooting SD-Branch IssuesSample Catalog to Show ENCS-Secure Device Entry

<write-timeout>90</write-timeout><enable-commit-queue>false</enable-commit-queue><branch-cpe-template>pnp-map-vCPE</branch-cpe-template><nfvis-tenant>admin</nfvis-tenant><day0><files>nfvis_day0.cfg</files><files>nfvis_day0_del_secure_overlay.cfg</files><files>nfvis_day0_del_intmgtsubnet.cfg</files><files>nfvis_day0_intmgtsubnet.cfg</files><files>nfvis_day0_vbranch_secure_overlay.cfg</files><cfg-common-ref>base-vcpe</cfg-common-ref>

</day0><cpe-onboarding><device-type>netconf</device-type><port>830</port>

</cpe-onboarding><network><name>GE0-0-SRIOV-1</name>

</network><network><name>GE0-0-SRIOV-2</name>



</network><network><name>LAN-SRIOV-1</name>






</network><network><name>int-mgmt-net</name>

</network><network><name>lan-net</name>

</network><network><name>wan-net</name>

</network><supported-interfaces><name>GE0-0</name>

</supported-interfaces><supported-interfaces><name>GE0-1</name>

</supported-interfaces><supported-interfaces><name>int-LAN</name>

</supported-interfaces>



</branch-cpe>...

Day-0s for the ENCS-Secure to Create the Tunnel

<config xmlns="http://tail-f.com/ns/config/1.0"><secure-overlays xmlns="http://www.cisco.com/nfvis/secure-overlay"><secure-overlay><name>mgmtvpn</name><local-system-ip-addr>${MGMT_IP_ADDRESS}</local-system-ip-addr><remote-interface-ip-addr>${MGMT_HUB_IP}</remote-interface-ip-addr><remote-system-ip-addr>${MGMTHUB_OVERLAY_IP_ADDR}</remote-system-ip-addr><local-bridge>${SOURCE-BRIDGE}</local-bridge><remote-system-ip-subnet>${MGMTHUB_OVERLAY_NET}</remote-system-ip-subnet><local-system-ip-subnet>${MGMT_NET}</local-system-ip-subnet><remote-id>${REMOTE_ID}</remote-id><psk><local-psk>${LOCAL_PRESHARED_KEY}</local-psk><remote-psk>${REMOTE_PRESHARED_KEY}</remote-psk>

</psk></secure-overlay>

</secure-overlays></config>

Configuration for Single IP ISRv Deployment

<config xmlns="http://tail-f.com/ns/config/1.0"><catalog xmlns="http://cisco.com/ns/branch-infra-common"><name>vBranch</name><deployment><name>ISR-Single-IP</name><bootup-time>600</bootup-time><recovery-wait-time>0</recovery-wait-time><single-ip-mode/><var><name>ngio</name><val>enable</val>

</var><vnfd><name>vBranch-ISRv-SIP</name><vdu><name>ISRv-small</name>

</vdu></vnfd><polling-frequency>15</polling-frequency><vnf-port>2022</vnf-port><port-start-range>22022</port-start-range><port-end-range>22024</port-end-range><vnf-authgroup>isr_authgroup</vnf-authgroup><config><name>example-vrf</name><cfg-template>example-vrf</cfg-template>

</config><day0-url xmlns="http://cisco.com/ns/branchinfra-nfvo"><dstFile>iosxe_config.txt</dstFile><url>{{ ISRV_SIP_DAY0_IOSXE_URL }}</url><var><name>NSO_LOGIN_PASSWORD</name><encrypted-val>$8$tCaCX0UyNYokiYYaenikSNOwHazQqGJahRJtrrJLCKg=</encrypted-val>


Appendix: Troubleshooting SD-Branch IssuesDay-0s for the ENCS-Secure to Create the Tunnel

</var><var><name>NSO_LOGIN_PORT</name><val>2022</val>

</var><var><name>PLATFORM_WAN_INTERFACE</name><val>3</val>

</var><var><name>SP_ENABLESECRET_VR</name><encrypted-val>$8$tCaCX0UyNYokiYYaenikSNOwHazQqGJahRJtrrJLCKg=</encrypted-val>

</var><var><name>SP_LICENSE_BANDWIDTH</name><val>500</val>

</var><var><name>SP_LICENSE_PROXY_IP</name><val>12.1.1.11</val>

</var><var><name>SP_LICENSE_PROXY_PORT</name><val>8080</val>

</var><var><name>SP_LICENSE_TOKEN</name>

<val>ZTVhMmIyZmYtNzg0Mi00NmFhLWE1NjAtMjRkZmE4YTc5MThjLTE1MDgzODk2%0AOTg1MTl8MTNUdnFIcTJMbXF5dS9yMTlZekRJd1FhdFFaMTUzUDN2RU1WTTB3%0AOCtQdz0%3D%0A</val>

</var></day0-url><day0-url xmlns="http://cisco.com/ns/branchinfra-nfvo"><dstFile>ovf-env.xml</dstFile><url>{{ ISRV_SIP_DAY0_OVF_URL }}</url><var><name>SSH_PASSWORD</name><encrypted-val>$8$tCaCX0UyNYokiYYaenikSNOwHazQqGJahRJtrrJLCKg=</encrypted-val>

</var><var><name>SSH_USERNAME</name><val>cisco</val>

</var><var><name>TECH_PACKAGE</name><val>ax</val>

</var></day0-url>

</deployment></catalog>

</config>

Sample Template for Single IP ISRv

{"allowedValues": [{"VBRANCH_DEVICE_TYPE": "ENCS","tag": "site-var"

}],"childElements": [


Appendix: Troubleshooting SD-Branch IssuesSample Template for Single IP ISRv

{"allowedValues": [],"config": [{"name": "example-vrf"

}],"deployment": "ISR-Single-IP","description": "ISRSIP","flavor": "vBranch-ISRv-SIP","image": "ISRv-small","inputType": "slider","label": "cv","mandatory": true,"name": "isrlan","nics": [{"id": "1","name": "wan-net","network": "wan-net"

}],"parentName": "vBranch Single IP","propertyName": "ISRSIP","section": "vBranch Single IP","supported": true,"type": "branch","value": "ISRSIP","vbranchOptions": {"billableSize": "125"

}}

],"columns": [],"flavors": [{"name": "vBranch-ISRv-SIP","vdus": [{"name": "ISRv-small"

}]

}],"images": [{"name": "ISRv"

}],"inputMetadata": [],"name": "vBranch Single IP With Config","networks": [],"section": "branch-templates","sizes": [{"description": "For 1-10 employees","id": "small","name": "Small Branch","offerIcon": "S","opExPrice": "N/A","recommended": true,"supportedServerIds": ["dev1"

]},{



"description": "For 10-100 employees","id": "medium","name": "Medium Branch","offerIcon": "M","opExPrice": "N/A","supportedServerIds": ["dev2"

]},{"description": "For 100-1000 employees","id": "large","name": "Large Branch","offerIcon": "L","opExPrice": "N/A","supportedServerIds": ["dev3"

]}

],"supported": true,"type": "branch","vbranchOptions": {"iconUrl": "services/vbranch/customizations/images/template-icons/retail.svg","notes": "A example of a single ip template for vBranch","opExPrice": "N/A","serviceIds": "internetAccess","topologyId": "vBranch_Single_IP-topology"

}}

Sample for Single IP ISRv Day-0

interface GigabitEthernet1ip nat insideno shut!interface GigabitEthernet2ip address ${HOST_WAN_IP} ${HOST_WAN_IP_MASK}ip nat outsideno shut!!--- This allows PAT to be used for regular Internet traffic.ip nat inside source static udp ${INT_MGMT_SUBNET_GW} 4500 interface GigabitEthernet2 4500!--- This permits IPSec traffic destined for the GigabitEthernet2!--- interface to be sent to the inside IP address INT_MGMT_SUBNET_GWip nat inside source static udp ${INT_MGMT_SUBNET_GW} 500 interface GigabitEthernet2 500ip nat inside source list NAT interface GigabitEthernet2 overload!--- This allows UDP traffic for the INT_MGMT_SUBNET_GW interface to be!--- statically mapped to the inside IP address INT_MGMT_SUBNET_GW.!--- This is required for the Internet Security Association!--- and Key Management Protocol (ISAKMP) negotiation to be!--- initiated.ip route 0.0.0.0 0.0.0.0 ${HOST_WAN_GATEWAY}ip route ${MGMTHUB_OVERLAY_NET_IP} ${MGMTHUB_OVERLAY_NET_MASK} ${INT_MGMT_SUBNET_GW}ip access-list standard NATpermit ${INT_MGMT_SUBNET_IP} ${INT_MGMT_SUBNET_INVERSE_MASK}


Appendix: Troubleshooting SD-Branch IssuesSample for Single IP ISRv Day-0


Appendix: Troubleshooting SD-Branch IssuesSample for Single IP ISRv Day-0

Documents

Appendix: Troubleshooting SD-Branch Issues...asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-interfaces init not-reached ready not-reached asalan_amXqvXDO9zW2IZleho2cOBrD_vbranch-mpls-sec-asa-ntp