New Troubleshooting Tools Part 2: Secure Edge Access Implementation and Usage

 In this Blog we look into the necessary settings for allowing Secure Access to the EDGE via CLI.

This new feature allows priviledged secure access using script and shell and for Basic access there is a scripted procedure with a restricted set of commands.

In principle many of the information can also be retrieved using remote diagnostics BUT the CLI access is much quicker without waiting for the next hearbeat (~ 30 seconds) before getting the result.

These are the necessary steps to activate the new feature using key-based access

Step 1: Activating Secure Edge Access (once per customer)

Step 2: In the same window switch to Key Based Authentication

Step 3: any superuser can then define if Basic (script based only) or Priviledged (script or shell) should be allowed

NOTE: the CLI username is   <1 character e ... enterprise, o...operator><user-id><username (with "@" and "." converted to "_")>

Now the user can under "My Account"/"SSH Keys" create the SSH-key or upload a created SSH-key

If you create the private key on VCO, it will be downloaded to your device in openSSH (.pem) format, the public key will be forwarded to all edges belonging to that Customer.

If you are using windows based machine and PUTTY you need the following additional steps to successfully log into any Edge.(This is different to the information found in the documentation, as the documented procedure DID NOT work for me resulting in putty error messages regarding old key format).


  1. Using PUTTYGEN load the .pem file and save the private key as .ppk
  2. Start PAGEANT (it runs in the background) and load the key there
  3. Then you can start PUTTY select SSH and the destination address or URL and when requested the username specify the special SSH user name like o5admin_sc_lab  

NOTE: for Edge action commands like clear, shutdown,hardreset, reboot,... and shell command only works when you have been set to PRIVILEDGED mode

Here is a link to the VMware SD wan documentation (5.2) for Secure Edge CLI

Most efficient commands are debug and diag with hundreds of parameter to choose (run debug -h and/or diag -h for a list of those parameters)

NOTE: the SSH session has a rather short timeout for user input, but to change you need the PRIVILEDGED mode as you need to edit the /etc/ssh/sshd_config file


Comments

Post a Comment

Popular posts from this blog

Orchestrator Upgrade to Version 5.2

Image
 Recently I upgraded my VMware SD-WAN lab from version 5.0 to 5.2. Since some previous versions the official documentation  recommends to ask TAC for help in upgrading.   Docu 5.2: Orchestrator Upgrade  But if you have an unsupported implementation, like I do, you need to do it on your own: Trying to copy the new version to the VCO failed and I found out that I needed to increase a disk volume How to increase disk volume on VCO is described in this blog:   VCO Upgrade to 4.5.x After increasing the disk size my copy succeeded   NOTE: I did not copy direct to the installation directory including a renaming, as once an upgrade started that file gets deleted and if there are any problems to have to redo the copy from outside.  vcadmin@vco-lab-254:~$ ls -l total 2504488 drwxr-x--- 2 root    root          4096 Aug 31  2022 20220831130007 -rw-rw---- 1 vcadmin vcadmin 2564587520 Aug 10 07:57 vco-debs-signed-5.2.0.3-R5203-20230809-GA-ff5cd1917e.tar vcadmin@vco-lab-254:~$ sudo cp vco-debs-signed
Read more

Deep Dive on DMPO and its Performance Features (available and missing) Part 1

Image
 In the last year I got quite deep insight into ther vendors SD-WAN implementation and also have seen what various vendors are critizising about the VMware DMPO features. Also there are a lot of misconceptions on the market around some of these features. So let´s try and evaluate and look a little bit deeper into typical performance features and the VMware implementation of them Features discussed in this Blog (Part 1) Per Packet Load Balancing Forward Error Correction (FEC) Packet Replication Latency Remediation The following Features will be discussed in Part 2 of my blog TCP Optimization Techniques Dejitter Buffering SAAS Application Monitoring   Per Packet Load Balancing  Unfortunately this term can be quite easily misinterpreted, when you Google for the term and get the following result:  This behaviour (often criticized by other vendors about VMware) as described above would only work quite well when you have very similar or equal connections. If for example 2 links have  both 10
Read more

Deep Dive on DMPO and its Performance Features (available and missing) Part 2

Image
  The following Features will be discussed in this second part of my blog TCP Optimization Techniques Dejitter Buffering SAAS Application Monitoring   Before diving into the mechanism here an important basic fact:     Remediation is never done for applications classified as LOW priority     TCP optimization TCP has some embedded traffic management capabilities for reliable traffic delivery  (window.size, slow-start, RTT handling,...)  But there are a bunch of factors which can negatively influence the performance, like Latency TCP-slow-start Last Mile network problems Out of Sequence packets Busty losses end host TCP limitations (missing fatures like SACK, windows scaling or timestamp options)  Typically TCP optimization helps on the transmission side and improve the download time for large data transfers over latency-high and lossy WAN links. But it can also be used for improving perfomance when on the receiver side the amount of buffers is limited and/or when the client is n
Read more