Hello colleagues. I need your help.
I have vCloud Director (hereinafter vcd), it is a cloud chode based on IaaS, inside I have Cisco C8000V (hub router), in the vcd itself there are local networks rfc1918, for hub router they are directly connected, so from it I can ping any network connected to it.
HUB router has FlexVPN + eBGP, working logic is dual hub, dual cloud, because I started this project recently, I faced the first problem that I can not solve.
Spoke router (the only one so far, it is also a test router) is establishing SA session via IKEv2 with HUB router, pings are going, everything is fine, both routers are exchanging routes, so from HUB router I can see the test loopback network coming from Spoke and can go to it via tunnel interface.
On the Spoke side I can see the BGP routes coming from the HUB router, in turn, I repeat, it has them directly connected and configured directly on the VCD NSX itself. And now the main problem, with Spoke router, I can not ping these networks and everything that is inside, only 1 address of this subnet, which is listed on the interface HUB router and everything that is inside, servers, etc. is not available, no ping comes, I can not understand what is wrong. What am I missing?
Hello Levon
If I have understood correctly, you have a dual hub dual cloud setup, where you are using FlexVPN and eBGP to establish connectivity between the dual hubs (which are C8000V routers) and the spoke. You have successfully created the connectivity between the hub and spoke, but the spoke is not able to communicate with the private networks found behind your hub. Did I get it right?
Based on your description it seems that the problem lies in the routing. Since it seems that the hub and spoke topology is successful, for some reason, the spoke either doesn’t see the destination networks beyond the hub, or if it does, the packets are being lost somewhere along the path.
In order to further troubleshoot this particular problem, you will have to examine various aspects of the topology at multiple locations including routing, possible access lists you may have issued that may be blocking certain traffic, as well as checking to ensure that the networks you are trying to reach are included in the encryption domain of the FlexVPN tunnel.
This is a complex issue with many parameters, and it is difficult to provide a definite solution without having a closer look at your exact configurations and network setup. However, I hope this information will help you in your attempt at troubleshooting and resolving the issue.
I hope this has been helpful!
Laz