A Cisco SD-WAN WAN Edge router loses all control connections after a certificate renewal. Which issue is the most likely cause?


Multiple Choice

A Cisco SD-WAN WAN Edge router loses all control connections after a certificate renewal. Which issue is the most likely cause?

Explanation:

The question tests how control-plane authentication works in Cisco SD-WAN. The WAN Edge router and the controllers (vSmart/vBond) establish TLS-based control connections, and the edge’s identity is tied to its certificate. When the certificate is renewed, the edge presents a new certificate with a new serial number. If the controllers’ records (their trust database or enrollment records) do not reflect that new serial number, the TLS handshake fails and the edge loses all control connections. In short, the controllers must recognize the serial number on the renewed certificate for the control plane to stay connected.

The other issues don’t fit this failure mode: STP topology instability affects Layer 2 reachability, CAPWAP fragmentation relates to data-plane encapsulation, and an EtherChannel mismatch concerns link aggregation. None of them directly causes control-plane TLS authentication problems after a certificate renewal.

To fix it, re-enroll or update the edge’s certificate so the controllers recognize the new serial number, and ensure the controllers trust the issuing CA and have the new certificate information registered.
