VPN Test from Remote diagnostics showing error "Branch-to-Branch VPN is disabled. Please enable it before running this test."


Article ID: 378889


Products

VMware SD-WAN by VeloCloud
VMware VeloCloud SD-WAN

Issue/Introduction

When troubleshooting SD-WAN connectivity issues using the "VPN Test" option in Remote Diagnostics, customers might get the error "Branch-to-Branch VPN is disabled. Please enable it before running this test."

Cause

The "VPN Test" feature aims to identify reachability issues from the source edge to peer edges that are supposed to be reachable through VCMP tunnels in the Overlay. The test sends ICMP packets from the source edge to peer edges in the SD-WAN overlay, according to the configuration in the Cloud VPN section. The source and destination IP addresses used to reach the peer edges are selected automatically by the source edge, depending on the destination routes available in the Overlay and on the source edge's own available interfaces.

If the edge from which the test is run has only "Branch to Hub" enabled under Cloud VPN, the edge uses its static (already built) VCMP tunnels towards the configured hub(s) to send the pings.

If the edge also has "Dynamic Branch to Branch" enabled, it builds the dynamic paths (dynamic VCMP tunnels) to the peer spokes at that moment in order to send the pings to the destinations.

This test is complex, so it is important to understand how the feature works and to be aware of all possible issues that might generate this error while attempting to run it.

Resolution

Resolutions for several scenarios which can trigger this error message while running the "VPN Test":

1. Cloud VPN is not enabled in the Segment selected for the test

  • Ensure Cloud VPN is enabled for that segment and that at least one of "Branch to Hubs" or "Branch to Branch" is enabled.

2. The Edge cannot select a valid IP as the Source IP to initiate the tunnel requests.

  • The edge auto-selects a source IP from an available interface that is UP and advertised (the "Advertise" option is enabled in the interface configuration). Ensure there is at least one interface which is UP and advertised.
  • If the edge has several UP and advertised interfaces, it auto-selects one of them to obtain the source IP for the test. However, there are scenarios in which sub-interfaces or VLANs are configured on routed ports while the parent interface has no IP assigned (it is either in DHCP mode and not getting an IP, or it simply does not have an IP configured manually). If this parent interface is selected as the source, the test fails with the error because there is no valid IP configured.

3. The edge is not able to build VCMP tunnels to the Gateways (VCGs) and therefore does not receive the control plane information and routes from Overlay peers as expected from the Cloud VPN configuration. Check whether an issue with the ISP or a firewall is preventing the edge from successfully building VCMP tunnels on UDP port 2426.


Best practices to ensure this test always runs successfully and its results are consistent and deterministic:

  • Configure loopback IP addresses on all edges within the Enterprise. When running the "VPN Test", the edge always prefers loopback interfaces/IP addresses for the source and destinations.
  • Loopback interfaces are always UP and reachable. Loopback interfaces also bring benefits to several other services; check these benefits in this documentation.
  • Check further details on configuring loopback interfaces in this documentation. Make sure the "Advertise" option is always enabled.
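The source-IP selection rule from resolution item 2, together with the loopback preference from the best practices above, can be checked before the test is run. The following is an added example, not VMware/VeloCloud code: it models the rule as this article describes it (candidate sources are interfaces that are UP and advertised; loopbacks are preferred; a selected interface without an IP makes the test fail) over a constructed interface inventory. The field names and the sample edges are assumptions for illustration, not Orchestrator API names.

```python
"""Pre-flight check for "VPN Test" source-IP selection (added example).

Models the selection rule described in the KB article: the edge picks a
source IP from an interface that is UP and has Advertise enabled, prefers a
loopback, and fails the test if the chosen interface has no IP address.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    up: bool
    advertise: bool
    ip: Optional[str]        # None: DHCP lease missing or no static IP configured
    loopback: bool = False


def eligible_sources(interfaces: List[Interface]) -> List[Interface]:
    """Interfaces the edge may pick from: UP and advertised, loopbacks first."""
    cands = [i for i in interfaces if i.up and i.advertise]
    return sorted(cands, key=lambda i: (not i.loopback, i.name))


def vpn_test_preflight(interfaces: List[Interface]) -> Tuple[bool, List[str]]:
    """Return (ok, findings).

    ok is True when the edge is guaranteed a usable source IP: either an
    advertised loopback with an IP exists (it is preferred), or every
    eligible candidate carries an IP so the auto-selection cannot pick a
    parent routed port that has none.
    """
    cands = eligible_sources(interfaces)
    if not cands:
        return False, ["no interface is both UP and advertised (resolution item 2)"]

    loopbacks = [i for i in cands if i.loopback and i.ip is not None]
    if loopbacks:
        lo = loopbacks[0]
        return True, [f"loopback {lo.name} ({lo.ip}) will be preferred as source"]

    findings = ["no advertised loopback with an IP: source selection is not deterministic"]
    for i in cands:
        if i.ip is None:
            findings.append(
                f"{i.name} is UP and advertised but has no IP; "
                f"if auto-selected, the VPN Test fails with the error")
    ok = all(i.ip is not None for i in cands)
    return ok, findings


# Constructed sample edges (hypothetical names and addresses).
# EDGE_A: parent routed port GE2 carries a VLAN sub-interface but has no IP itself.
EDGE_A = [
    Interface("GE1", up=True, advertise=True, ip="10.0.1.1"),
    Interface("GE2", up=True, advertise=True, ip=None),
    Interface("GE2.100", up=True, advertise=True, ip="10.0.100.1"),
]
# EDGE_B: same inventory plus an advertised loopback, as the best practice recommends.
EDGE_B = EDGE_A + [Interface("LO1", up=True, advertise=True, ip="192.168.255.1", loopback=True)]
# EDGE_C: the only advertised interface is down.
EDGE_C = [Interface("GE1", up=False, advertise=True, ip="10.0.1.1")]

SAMPLE_EDGES = {"EDGE_A": EDGE_A, "EDGE_B": EDGE_B, "EDGE_C": EDGE_C}


def check_all() -> dict:
    """Run the pre-flight over every sample edge; returns {edge: ok}."""
    return {name: vpn_test_preflight(ifaces)[0] for name, ifaces in SAMPLE_EDGES.items()}


if __name__ == "__main__":
    for name, ifaces in SAMPLE_EDGES.items():
        ok, findings = vpn_test_preflight(ifaces)
        print(f"{name}: {'OK' if ok else 'AT RISK'}")
        for line in findings:
            print(f"  - {line}")
```

EDGE_A is flagged because the edge could auto-select GE2, which has no IP; EDGE_B passes because the advertised loopback is preferred; EDGE_C fails because no interface is both UP and advertised.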