VMware SD-WAN: VCE Links DEAD briefly after certificate renewal


Article ID: 324616

Products

VMware SD-WAN by VeloCloud; VMware VeloCloud SD-WAN

Issue/Introduction

Symptoms:
  • VCE links flap and are shown as DEAD briefly after a certificate renewal.
  • Multipath traffic is briefly interrupted.

Environment

VMware VeloCloud SD-WAN all software releases

Cause

The VCO issues certificates that expire after 90 days but are renewed automatically every 30 days by default, provided there is communication between the VCO and the VCE.

On renewal, all tunnels are torn down and re-established with the new key, regardless of the number of links.

This is expected behavior.

Resolution

For dedicated or On-prem VCOs

Option 1: Configure the "edge.certificate.renewal.window" and "gateway.certificate.renewal.window" system properties on the VCO to restrict renewals to a window outside business-critical hours. Operators can define multiple windows to limit the days and hours of the day during which Edge renewals are enabled. An example property value (placeholders in angle brackets):

{
    "enabled": true,
    "windows": [
       {
         "enabled": true,
         "timezone": <timezone for first window>,
         "days": <days for first window>,
         "start": <start time for first window>,
         "end": <end time for first window>
       },
       {
         "enabled": true,
         "timezone": <timezone for second window>,
         "days": <days for second window>,
         "start": <start time for second window>,
         "end": <end time for second window>
       }
    ]
}

Please refer to the document below for the detailed attribute requirements.

https://docs.vmware.com/en/VMware-SD-WAN/5.4/sd-wan-orchestrator-deployment-and-monitoring-guide/GUID-755BABD7-4AC6-4505-B61D-3D74472DA32C.html?hWord=N4IghgNiBcIKYBMDmcB0BjOAnALgSwDM90wc0s4A7OAd0lRr0oQHsaQBfIA

Option 2: The certificate validity period can be changed with the VCO system properties "ca.edge.certificate.life.days" and "ca.gateway.certificate.life.days".

Note: A certificate validity period that is too long increases the risk from a leaked key, because a compromised certificate stays valid for longer.

Option 3: The certificate renewal threshold can be adjusted with the VCO system properties "ca.edge.certificate.life.threshold.percent" and "ca.gateway.certificate.life.threshold.percent".

Note: With these properties, Edge and Gateway certificates are renewed when this percentage or less of the certificate's validity period remains.
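The three options interact: the lifetime (Option 2) and threshold (Option 3) decide when a renewal becomes due, and the renewal window (Option 1) decides when the VCO is allowed to perform it, which is when the links flap. The following is an added example, not VMware's code, that models that interaction for a constructed Edge certificate and a constructed renewal-window value. The attribute formats it assumes (weekday abbreviations for "days", "HH:MM" for "start"/"end", an IANA name for "timezone") and the hourly scan step are assumptions; the VMware document linked above is authoritative for the real property format.

```python
"""Added example (not VMware's code): evaluate renewal-window and certificate
lifetime settings to predict when the next tunnel flap would occur."""
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

# Constructed sample value for edge.certificate.renewal.window. The attribute
# formats used here are an assumption, not the documented schema.
RENEWAL_WINDOWS = {
    "enabled": True,
    "windows": [
        {"enabled": True, "timezone": "Etc/UTC",
         "days": ["Sat", "Sun"], "start": "01:00", "end": "05:00"},
        {"enabled": True, "timezone": "Europe/London",
         "days": ["Mon", "Tue", "Wed", "Thu", "Fri"], "start": "22:00", "end": "23:59"},
    ],
}


def _tz(name):
    """Resolve an IANA zone; fall back to UTC if no tz database is installed."""
    try:
        return ZoneInfo(name)
    except ZoneInfoNotFoundError:
        return timezone.utc


def _hhmm(value):
    """'HH:MM' -> minutes since local midnight."""
    hours, minutes = value.split(":")
    return int(hours) * 60 + int(minutes)


def in_window(window, now_utc):
    """True if the UTC instant falls inside one configured window (local time)."""
    if not window.get("enabled", False):
        return False
    local = now_utc.astimezone(_tz(window["timezone"]))
    if WEEKDAYS[local.weekday()] not in window["days"]:
        return False
    minute_of_day = local.hour * 60 + local.minute
    return _hhmm(window["start"]) <= minute_of_day <= _hhmm(window["end"])


def renewal_allowed(cfg, now_utc):
    """A disabled property (the shared-VCO case) places no restriction: the Edge
    renews as soon as the threshold is reached. That is an assumption here."""
    if not cfg.get("enabled", False):
        return True
    return any(in_window(w, now_utc) for w in cfg["windows"])


def renewal_due(issued_utc, life_days, threshold_percent):
    """Renewal is due once threshold_percent or less of the lifetime remains."""
    elapsed = timedelta(days=life_days * (100 - threshold_percent) / 100)
    return issued_utc + elapsed


def next_renewal(cfg, issued_utc, life_days, threshold_percent,
                 step=timedelta(hours=1)):
    """First instant at or after the due time that lies inside an open window,
    scanning in `step` increments (windows shorter than `step` may be skipped).
    Returns None if no window opens before the certificate expires, i.e. the
    configured windows would let the certificate lapse."""
    t = renewal_due(issued_utc, life_days, threshold_percent)
    expiry = issued_utc + timedelta(days=life_days)
    while t < expiry:
        if renewal_allowed(cfg, t):
            return t
        t += step
    return None


if __name__ == "__main__":
    # Constructed certificate: issued 2024-01-01, 90-day life, renew at 50% remaining.
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print("due:", renewal_due(issued, 90, 50))
    print("next flap:", next_renewal(RENEWAL_WINDOWS, issued, 90, 50))
```

With the constructed values, renewal becomes due on Thursday 2024-02-15 at 00:00 UTC, outside both windows, so the predicted flap slips to 22:00 UTC that evening when the weekday window opens. Running the same function with a window set that never opens before expiry returns None, which is the case an operator should check for before tightening the windows.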

For customers on shared VCOs

For shared VCOs, the related VCO system property is disabled by default and cannot be modified. The certificate can instead be renewed manually outside critical business hours:

Once it has been renewed manually, subsequent automatic renewals will occur closer to the desired time window.

Additional Information

Impact/Risks:
The impact of the workaround is the same: the links will briefly go DEAD. However, this will occur during the chosen time window rather than at an arbitrary time.