1️⃣ What is OMP?
OMP (Overlay Management Protocol) is the control-plane protocol of Cisco SD-WAN (the former Viptela platform). It is Cisco-specific: other vendors' SD-WAN products, Aruba EdgeConnect with its Orchestrator included, do not run OMP, so everything below applies to a Cisco fabric.
Think of OMP as the brain-to-brain communication between:
Controllers (the vSmart controllers; vBond and vManage are not OMP peers)
WAN Edge routers (vEdge or cEdge, at a branch or at a hub/gateway site)
OMP runs inside the DTLS or TLS control connection that each edge builds to each vSmart, which is why a control-connection problem always shows up as an OMP problem.
OMP is responsible for:
📌 Exchanging routes (OMP routes from each VPN, TLOC routes, service routes)
📌 Sharing TLOC information (Transport Locator: the tuple system-ip / color / encapsulation, plus attributes such as private and public IP and port, preference and weight)
📌 Distributing centralized data policy from vSmart to the edges
📌 Distributing the IPsec keys that edges use for their data-plane tunnels; OMP does not build the tunnels itself, IPsec does, with BFD as the liveness check
➡️ If OMP is down, the edge learns no new routes or TLOCs and cannot bring up tunnels to new sites. Routes already learned are kept for the OMP graceful-restart timer (12 hours by default), so traffic may keep flowing for a while after OMP fails; "OMP is down but nobody is complaining yet" is a normal early symptom.
2️⃣ Why does OMP go DOWN?
Most common reasons 👇
🔴 Control connection issue
vBond / vSmart not reachable
Internet/MPLS link down
Wrong vBond address, DNS name or port in the configuration
🔴 TLS / Certificate problems
Certificate expired
Time mismatch (NTP issue), so a valid certificate is treated as expired or not yet valid
Certificate not installed or corrupted
Organization name on the edge does not match the controllers
🔴 Transport (TLOC) problem
Underlay interface down
IP address change (the TLOC now advertises the wrong public IP)
NAT / firewall blocking required ports (UDP 12346 for DTLS, TCP 23456 for TLS)
🔴 Policy or config mismatch
Control policy on vSmart filtering routes (OMP stays up, routes go missing)
Wrong site-id / system-ip
Duplicate system-ip in the network
🔴 Resource issue
High CPU / memory on the device
Software bug or crash
3️⃣ How to Troubleshoot OMP (Step-by-Step)
The commands below are vEdge syntax; on a cEdge (IOS XE) router prefix them with sdwan, for example show sdwan control connections.
✅ Step 1: Check control connection
show control connections
Look for:
One entry per vSmart with STATE = up
PROTOCOL column = dtls or tls (the transport the control connection uses)
If a vSmart entry is missing or stuck in connect, read the reason code:
show control connections-history
The LOCAL ERROR / REMOTE ERROR columns carry a code such as DCONFAIL (DTLS connection failed), VB_TMO (vBond timeout) or CRTVERFL (certificate verification failed) that points at one of the categories in section 2.
❌ If control connection is DOWN → OMP will be DOWN.
✅ Step 2: Check OMP status
show omp peers
show omp summary
Check:
Peer STATE = up for each vSmart, and the R/I/S counters (routes received / installed / sent)
In the summary, oper-state and admin-state both UP
✅ Step 3: Verify certificates
show certificate installed
show certificate validity
Check:
Certificate = installed
Validity = not expired (and the validity period has already started)
Also verify time, because a clock outside the certificate's validity window makes a good certificate fail verification:
show clock
show ntp associations
show control local-properties summarises certificate status, system-ip, site-id and organization-name in one place and shows the public IP the controllers see after NAT.
✅ Step 4: Check underlay connectivity
ping vpn 0 <controller-ip> source <wan-interface>
traceroute vpn 0 <controller-ip>
Ensure:
WAN interface is UP (show interface vpn 0)
No packet drop
Caveat: ICMP only proves IP reachability. Controllers may not answer ping, and a successful ping does not show that UDP 12346 / TCP 23456 get through a firewall, which is exactly the case in section 4.
✅ Step 5: Check TLOCs
show omp tlocs
Verify:
Correct public IP (the post-NAT address; compare with show control local-properties)
Correct color
Encapsulation (ipsec / gre)
✅ Step 6: Check routes
show omp routes
If routes = 0 while the OMP peer is up → nothing is being advertised or the vSmart control policy is filtering: check advertise under omp on the remote edges and the policy on vSmart. If the peer is down, go back to step 1.
✅ Step 7: Logs & alarms
show logging | include omp (cEdge / IOS XE)
show log /var/log/tmplog/vdebug tail 100 (vEdge)
Or check Monitor > Alarms and Monitor > Events in vManage.
4️⃣ Quick Real-World Example
🧠 Scenario
Internet link is UP but OMP is DOWN.
🔍 Root cause
A firewall in front of the branch drops UDP 12346 (DTLS) and TCP 23456 (TLS) towards the controllers. show control connections shows no vSmart entry, and show control connections-history reports DCONFAIL or VB_TMO for the attempts.
🛠️ Fix
Allow the SD-WAN control ports from the edge's WAN address to the controller addresses. Cisco's documented ranges are UDP 12346-12445 and TCP 23456-23555, which also cover the edge's port hopping and multi-core controllers. Once the rule is in place the control connection comes up, show omp peers shows the vSmart as up, and routes are restored.
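The procedure in section 3 and the scenario above, as an added Python example (not code from the original post or from Cisco): it applies steps 1, 2 and 6 to the pasted text of show control connections, show control connections-history and show omp peers and returns the first failing step with the likely cause. The three sample outputs are constructed by hand to resemble the vEdge column layout (addresses, system-ips and timestamps are made up); the error-code table lists codes Cisco prints in show control connections-history, with meanings paraphrased from the section 2 categories. Check the column order on your own software release before trusting the field indexes.

```python
"""OMP-down triage from pasted show-command output (Cisco SD-WAN vEdge).

Added example, not code from the original post or from Cisco. It walks the
procedure in order: control connection -> OMP peering -> route counts.
"""
from dataclasses import dataclass

# Common LOCAL ERROR codes from `show control connections-history`, mapped to the
# failure categories of section 2 and the step that investigates them.
ERROR_CAUSES = {
    "DCONFAIL": "DTLS connection failure: UDP 12346 to the controller blocked or badly NATed (step 4)",
    "VB_TMO": "vBond timeout: vBond unreachable over this transport (step 4)",
    "VS_TMO": "vSmart timeout: vSmart unreachable over this transport (step 4)",
    "CRTVERFL": "certificate verification failed: wrong root CA, bad cert or clock skew (step 3)",
    "CERTEXPRD": "certificate expired (step 3)",
    "CTORGNMMIS": "organization-name mismatch between edge and controllers (config)",
    "SERNTPRES": "serial number not present in vManage's device list (config)",
    "SYSIPCHNG": "system-ip changed while connections were up (config)",
}


@dataclass
class Triage:
    failing_step: int   # step of the procedure that fails; 0 = control plane healthy
    verdict: str


def parse_table(output, min_fields):
    """Data rows of a vEdge CLI table as token lists; header, legend and rule lines skipped."""
    rows = []
    for line in output.splitlines():
        toks = line.split()
        if len(toks) < min_fields or line.lstrip().startswith(("-", "PEER", "TYPE")):
            continue
        rows.append(toks)
    return rows


def control_connections(output):
    """peer type -> STATE from `show control connections` (columns: type, protocol,
    system-ip, site, domain, private ip/port, public ip/port, color, proxy, state, uptime)."""
    return {row[0]: row[11] for row in parse_table(output, 13)}


def connection_errors(output):
    """peer type -> LOCAL ERROR from `show control connections-history` (same leading
    columns without proxy, then state, local error, remote error, repeat count, downtime)."""
    return {row[0]: row[11] for row in parse_table(output, 14)}


def omp_peers(output):
    """(peer, state, received, installed, sent) per row of `show omp peers`."""
    peers = []
    for row in parse_table(output, 8):
        received, installed, sent = (int(n) for n in row[7].split("/"))
        peers.append((row[0], row[5], received, installed, sent))
    return peers


def triage(connections_out, history_out, peers_out):
    """Apply steps 1, 2 and 6 and return the first failing step with the likely cause."""
    if control_connections(connections_out).get("vsmart") != "up":
        code = connection_errors(history_out).get("vsmart", "NOERR")
        cause = ERROR_CAUSES.get(code, "code not in the table above; look it up in Cisco's list")
        return Triage(1, f"no vSmart control connection up; last error {code}: {cause}")
    peers = omp_peers(peers_out)
    if not peers or any(p[1] != "up" for p in peers):
        return Triage(2, "control connection up but OMP peer not up: check system-ip/site-id, omp admin state, CPU/memory")
    if sum(p[2] for p in peers) == 0:
        return Triage(6, "OMP up but zero routes received: check vSmart control policy and remote-site advertise config")
    return Triage(0, "control plane healthy; look at the data plane (show bfd sessions, IPsec) instead")


# Constructed sample (section 4 scenario): vBond and vManage reachable, but the firewall
# drops UDP 12346 towards the vSmart address, so its entry never appears as up.
BLOCKED_CONNECTIONS = """\
PEER    PEER PEER            SITE  DOMAIN PEER            PRIV  PEER            PUB
TYPE    PROT SYSTEM IP       ID    ID     PRIVATE IP      PORT  PUBLIC IP       PORT  LOCAL COLOR     PROXY STATE UPTIME
-----------------------------------------------------------------------------------------------------------------------
vbond   dtls 0.0.0.0         0     0      203.0.113.10    12346 203.0.113.10    12346 biz-internet    -     up    0:00:02:11
vmanage dtls 10.255.0.1      100   0      203.0.113.11    12346 203.0.113.11    12346 biz-internet    No    up    0:00:02:09
"""
BLOCKED_HISTORY = """\
PEER    PEER PEER            SITE  DOMAIN PEER            PRIV  PEER            PUB                                   LOCAL     REMOTE
TYPE    PROT SYSTEM IP       ID    ID     PRIVATE IP      PORT  PUBLIC IP       PORT  LOCAL COLOR     STATE   ERROR     ERROR   REPEAT DOWNTIME
----------------------------------------------------------------------------------------------------------------------------------------------
vsmart  dtls 10.255.0.2      100   1      203.0.113.12    12346 203.0.113.12    12346 biz-internet    connect DCONFAIL  NOERR   7      2024-01-15T09:02:33+0000
"""
BLOCKED_PEERS = """\
R -> routes received
I -> routes installed
S -> routes sent

                DOMAIN OVERLAY SITE
PEER     TYPE   ID     ID      ID    STATE   UPTIME           R/I/S
---------------------------------------------------------------------
"""
# Constructed sample after the firewall fix: vSmart up and routes flowing.
HEALTHY_CONNECTIONS = BLOCKED_CONNECTIONS + "vsmart  dtls 10.255.0.2      100   1      203.0.113.12    12346 203.0.113.12    12346 biz-internet    No    up    0:00:02:05\n"
HEALTHY_PEERS = BLOCKED_PEERS + "10.255.0.2 vsmart 1     1      100   up      0:00:02:05       12/12/3\n"
# Constructed sample for step 6: peer up but nothing received.
ZERO_ROUTE_PEERS = BLOCKED_PEERS + "10.255.0.2 vsmart 1     1      100   up      0:00:00:40       0/0/0\n"

if __name__ == "__main__":
    print(triage(BLOCKED_CONNECTIONS, BLOCKED_HISTORY, BLOCKED_PEERS))
    print(triage(HEALTHY_CONNECTIONS, "", ZERO_ROUTE_PEERS))
    print(triage(HEALTHY_CONNECTIONS, "", HEALTHY_PEERS))
```

Paste the three command outputs into the string constants (or read them from files) and run the script; the returned failing_step tells you where in the step list to pick up by hand.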