Appendix E: Troubleshooting Guide
E.1 Common Issues and Resolutions
Control Plane Issues
Issue: WAN Edge Not Connecting to Controllers
symptoms:
- "show sdwan control connections" shows no connections
- Device not appearing in vManage
diagnosis:
step_1:
check: "Verify vBond reachability"
command: "ping vbond.abhavtech.com"
step_2:
check: "Verify certificate"
command: "show sdwan certificate installed"
step_3:
check: "Verify system configuration"
command: "show sdwan running-config | section system"
step_4:
check: "Check control connection attempts"
command: "show sdwan control connections-history"
resolution:
- "Verify organization-name matches"
- "Verify vbond address is correct"
- "Check certificate validity"
- "Verify firewall allows DTLS (UDP 12346)"
- "Check DNS resolution for vBond"
Issue: BFD Sessions Flapping
symptoms:
- Intermittent connectivity
- BFD state changes in logs
- Tunnel statistics showing high packet loss
diagnosis:
step_1:
check: "View BFD session status"
command: "show sdwan bfd sessions"
step_2:
check: "Check BFD history"
command: "show sdwan bfd history"
step_3:
check: "Verify circuit quality"
command: "show sdwan tunnel statistics"
resolution:
- "Adjust BFD timers (increase multiplier)"
- "Check for circuit congestion"
- "Verify MTU settings"
- "Check for packet loss on transport"
- "Consider longer poll-interval"
Data Plane Issues
Issue: Traffic Not Following Expected Path
symptoms:
- Traffic using wrong tunnel/transport
- AAR not selecting expected path
diagnosis:
step_1:
check: "Verify policy attachment"
command: "show sdwan policy from-vsmart"
step_2:
check: "Check SLA metrics"
command: "show sdwan app-route statistics"
step_3:
check: "Verify application recognition"
command: "show sdwan app-fwd cflowd flows"
resolution:
- "Verify SLA class thresholds"
- "Check policy sequence order"
- "Verify application list contents"
- "Check preferred color configuration"
symptoms:
- User complaints about slow apps
- High latency reported
diagnosis:
step_1:
check: "Check path metrics"
command: "show sdwan app-route statistics"
step_2:
check: "Verify QoS configuration"
command: "show policy-map interface [int]"
step_3:
check: "Check for congestion"
command: "show interface [int] | include drops"
resolution:
- "Verify AAR policy for application"
- "Check QoS queue assignments"
- "Increase circuit bandwidth"
- "Optimize traffic engineering"
E.2 Troubleshooting Flowcharts
Control Connection Troubleshooting
START: Control Connection Issues
│
▼
┌───────────────────┐
│ Can ping vBond? │
└───────────────────┘
│
NO │ YES
▼ │ ▼
┌────────────┐ ┌───────────────────┐
│Check: │ │Certificate valid? │
│- DNS │ └───────────────────┘
│- Firewall │ │
│- Routing │ NO │ YES
└────────────┘ ▼ │ ▼
┌────────────┐ ┌──────────────┐
│Renew cert │ │Org-name match│
└────────────┘ └──────────────┘
│
NO │ YES
▼ │ ▼
┌────────────┐ ┌──────────┐
│Fix org-name│ │Check logs│
└────────────┘ └──────────┘
BFD Troubleshooting
START: BFD Session Issues
│
▼
┌───────────────────┐
│ Check BFD state │
│ show sdwan bfd │
└───────────────────┘
│
DOWN │ FLAPPING
▼ │ ▼
┌────────────┐ ┌───────────────────┐
│Check: │ │Check BFD history │
│- Tunnel │ │for flap pattern │
│- Transport │ └───────────────────┘
│- Routing │ │
└────────────┘ ┌────┴────┐
▼ ▼
┌─────────┐ ┌─────────────┐
│Circuit │ │Timer issue │
│quality │ │Adjust BFD │
└─────────┘ └─────────────┘
E.3 Debug Commands Reference
Safe Debug Commands
## Control plane debugging
debug sdwan control connections
debug sdwan omp events
debug sdwan bfd events
## Policy debugging
debug sdwan policy data-policy
debug sdwan policy app-route
## Certificate debugging
debug sdwan certificate events
Debug Output Analysis
debug_interpretation:
control_connections:
"DTLS handshake failed": "Check certificates and firewall"
"Connection rejected": "Verify organization name"
"No response from vBond": "Check vBond reachability"
bfd:
"Session down": "Transport issue or timer mismatch"
"Echo failed": "Path quality issue"
policy:
"No match": "Check policy sequence and match criteria"
"Action not applied": "Verify policy activation"
Appendix F: API Examples
F.1 Authentication Examples
Python Authentication
import requests
import urllib3
urllib3.disable_warnings()
def get_session(host, username, password):
"""Authenticate and return session with token"""
session = requests.Session()
session.verify = False
# Authenticate
auth_url = f"https://{host}/j_security_check"
session.post(auth_url, data={
'j_username': username,
'j_password': password
})
# Get token
token_url = f"https://{host}/dataservice/client/token"
token = session.get(token_url).text
session.headers['X-XSRF-TOKEN'] = token
return session
cURL Authentication
## Step 1: Authenticate
curl -k -c cookies.txt -X POST \
"https://vmanage.abhavtech.com/j_security_check" \
-d "j_username=admin&j_password=password"
## Step 2: Get token
XSRF_TOKEN=$(curl -k -b cookies.txt \
"https://vmanage.abhavtech.com/dataservice/client/token")
## Step 3: Make API call
curl -k -b cookies.txt \
-H "X-XSRF-TOKEN: $XSRF_TOKEN" \
"https://vmanage.abhavtech.com/dataservice/device"
F.2 Common API Operations
Get All Devices
def get_devices(session, host):
url = f"https://{host}/dataservice/device"
response = session.get(url)
return response.json()['data']
## Usage
devices = get_devices(session, "vmanage.abhavtech.com")
for device in devices:
print(f"{device['host-name']}: {device['reachability']}")
Get Device Statistics
def get_interface_stats(session, host, device_id):
url = f"https://{host}/dataservice/statistics/interface"
params = {'deviceId': device_id}
response = session.get(url, params=params)
return response.json()['data']
Get Active Alarms
def get_alarms(session, host, severity=None):
url = f"https://{host}/dataservice/alarms"
response = session.get(url)
alarms = response.json()['data']
if severity:
alarms = [a for a in alarms if a['severity'] == severity]
return alarms
F.3 Postman Collection
Collection Structure
{
"info": {
"name": "Abhavtech SD-WAN API",
"description": "vManage API collection"
},
"item": [
{
"name": "Authentication",
"item": [
{
"name": "Login",
"request": {
"method": "POST",
"url": "{{base_url}}/j_security_check",
"body": {
"mode": "urlencoded",
"urlencoded": [
{"key": "j_username", "value": "{{username}}"},
{"key": "j_password", "value": "{{password}}"}
]
}
}
},
{
"name": "Get Token",
"request": {
"method": "GET",
"url": "{{base_url}}/dataservice/client/token"
}
}
]
},
{
"name": "Devices",
"item": [
{
"name": "Get All Devices",
"request": {
"method": "GET",
"url": "{{base_url}}/dataservice/device"
}
}
]
}
]
}
Appendix G: Migration Checklists
G.1 Pre-Migration Checklist
Infrastructure Readiness
infrastructure_checklist:
controllers:
- "[ ] vManage cluster deployed and healthy"
- "[ ] vSmart controllers operational"
- "[ ] vBond accessible from all sites"
- "[ ] Controller certificates valid"
templates:
- "[ ] Feature templates created"
- "[ ] Device templates created"
- "[ ] Variables defined"
- "[ ] Templates tested in lab"
policies:
- "[ ] Control policies defined"
- "[ ] Data policies defined"
- "[ ] AAR policies configured"
- "[ ] Policies tested"
circuits:
- "[ ] New circuits provisioned"
- "[ ] Circuits tested (speed, latency)"
- "[ ] Backup circuits ready"
Site Readiness
site_checklist:
hardware:
- "[ ] WAN Edge device delivered"
- "[ ] Device staged and configured"
- "[ ] Power and rack space confirmed"
- "[ ] Cabling prepared"
network:
- "[ ] IP addressing allocated"
- "[ ] VLAN configuration ready"
- "[ ] Firewall rules updated"
- "[ ] DNS entries created"
documentation:
- "[ ] Migration runbook reviewed"
- "[ ] Rollback procedure documented"
- "[ ] Contact list updated"
- "[ ] Escalation path defined"
G.2 Migration Day Checklist
Pre-Migration (T-30 minutes)
pre_migration:
- "[ ] Team assembled on bridge"
- "[ ] Site contact available"
- "[ ] Current state documented"
- "[ ] Rollback procedure confirmed"
- "[ ] Go/No-go decision made"
During Migration
migration_steps:
- "[ ] WAN Edge powered on"
- "[ ] Control connections verified"
- "[ ] BFD tunnels established"
- "[ ] OMP routes received"
- "[ ] LAN connected"
- "[ ] Traffic validated"
- "[ ] Applications tested"
Post-Migration
post_migration:
- "[ ] Performance validated"
- "[ ] No critical alarms"
- "[ ] User confirmation received"
- "[ ] Documentation updated"
- "[ ] NOC notified"
G.3 Post-Migration Checklist
Day 1 Verification
day_1_checklist:
- "[ ] All tunnels stable"
- "[ ] No alarm escalations"
- "[ ] Application performance acceptable"
- "[ ] User feedback positive"
- "[ ] Monitoring configured"
Week 1 Verification
week_1_checklist:
- "[ ] Performance trends analyzed"
- "[ ] Capacity verified"
- "[ ] Issues documented"
- "[ ] Optimization opportunities identified"
- "[ ] Lessons learned captured"
Appendix H: Compliance Reference
H.1 Regulatory Mapping
PCI DSS 4.0 Compliance
| Requirement |
SD-WAN Implementation |
| 1.1 Network segmentation |
VPN/VRF segmentation |
| 1.2 Firewall configuration |
Zone-based firewall |
| 2.1 Change management |
Template versioning |
| 4.1 Encryption in transit |
IPsec AES-256-GCM |
| 10.1 Audit logging |
vManage audit logs |
| 10.7 Log retention |
1 year retention |
SOX Compliance
| Requirement |
SD-WAN Implementation |
| Access controls |
RBAC, TACACS+ |
| Change management |
Approval workflows |
| Audit trails |
Complete audit logging |
| Separation of duties |
Role-based access |
GDPR Compliance
| Requirement |
SD-WAN Implementation |
| Data protection |
Encryption in transit |
| Access logging |
Comprehensive audit logs |
| Data residency |
Regional traffic policies |
H.2 Security Baselines
Configuration Baseline
security_baseline:
encryption:
control_plane: "DTLS 1.2 AES-256-GCM"
data_plane: "IPsec AES-256-GCM SHA-256"
authentication:
method: "TACACS+ with local fallback"
password_policy:
min_length: 12
complexity: true
rotation: "90 days"
logging:
level: "Informational"
retention: "90 days active, 2 years archive"
forwarding: "Syslog to SIEM"
access_control:
model: "RBAC"
mfa: "Required for admin access"
Audit Requirements
audit_requirements:
frequency:
vulnerability_scan: "Weekly"
configuration_audit: "Monthly"
access_review: "Quarterly"
full_compliance: "Annual"
documentation:
required:
- "Network topology diagrams"
- "Security policy documents"
- "Access control lists"
- "Change records"
- "Incident reports"
Document version: 1.0
Last updated: 2025
Classification: Internal Use