Prisma Access
Integrate Prisma Access with Cisco Catalyst SD-WAN
Learn how to integrate Prisma Access automatically with Cisco Catalyst
SD-WAN.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
You can onboard a remote network using IPSec tunnels between Cisco Catalyst SD-WAN, formerly known as
Viptela SD-WAN, and Prisma Access automatically or manually. When you enable a
Cisco Catalyst SD-WAN for the integration, Prisma Access creates remote networks for
devices, based on the topology you configure, using IPSec tunnels. Prisma Access
identifies eligible interfaces on the Cisco Catalyst SD-WAN devices, and you can
select the interface to onboard the remote network using the tunnel.
To onboard the Cisco Catalyst SD-WAN networks manually, see Integrate Prisma Access with Catalyst
SD-WAN (Manual Integration).
Ensure you meet the following requirements before you integrate Prisma Access with
Cisco Catalyst SD-WAN:
Product | Requirement |
---|---|
Prisma Access
|
|
Cisco Catalyst SD-WAN
|
|
Cisco Catalyst SD-WAN supports the following deployment architectures for use with
Prisma Access.
Use Case | Architecture |
---|---|
Securing traffic from each branch site with 1 WAN link (Type 1) |
![]() |
Securing branch and HQ sites with active/backup SD-WAN connections |
![]() |
Securing branch and HQ sites with active/active SD-WAN connections |
![]() |
Securing branch and HQ sites with SD-WAN edge devices in HA mode |
![]() |
Securing traffic from one device using active/active WAN links (2 WAN links from the device, both active on different compute regions) |
![]() |
For any other deployment architectures, use the manual integration
workflow.
Before you begin, ensure you configure the Cisco Catalyst SD-WAN devices based on the
requirements mentioned above. To secure a Cisco Catalyst SD-WAN with Prisma Access,
complete the following steps.
- In the Cisco vManage dashboard, go to Configuration > Templates > Device Templates.
- Update the template descriptions of your devices based on the type of redundancy.
Topology | Devices | WAN Links (VPN 0) | Tunnel Type | Device Template Description Updates |
---|---|---|---|---|
Single WAN | Single Device | 1 WAN Link | 1 Tunnel to single Prisma Access region/IPSec Termination Node | No changes |
Active/active tunnels | Single Device | 1 WAN Link | 2 Tunnels (on the same WAN) to 2 different Prisma Access Regions/IPSec Termination Nodes | Append PA-AA to the description |
Active/active tunnels | Single Device | 2 WAN Links | Different Prisma Access regions or different IPSec Termination Node in the same region | Append PA-AA to the description |
Active/backup tunnels | Single Device | 2 WAN Links | Primary/Secondary on Prisma Access to same remote network | Append PA-AB to the description |
Active/backup tunnels | Single Device | 2 WAN Links | Different regions/IPSec Termination Nodes in Prisma Access | Append PA-AB to the description |
- In Prisma Access, if you have not already, allocate bandwidth for Prisma Access locations.
- Go to Settings > Prisma Access Setup > Remote Networks > Bandwidth Management.
- Edit the Assigned Bandwidth for the remote network’s compute location.
- Push the changes.
- Go to Cisco Catalyst SD-WAN Integration with Prisma Access settings.
- Select Workflows > Integrations > Prisma Access.
- Locate Cisco Catalyst SD-WAN Integration with Prisma Access.
- Enter the information needed to check the connectivity between Prisma Access and Cisco Catalyst SD-WAN by editing the Settings.
- Enter the hostname, username, and the password.
- Enter the PSK Seed, which is a string used to derive pre-shared keys (PSKs) per tunnel.
- (Optional) Enter an FQDN IKE identifier as the Local Identifier in the following syntax: name@domain.com
  This identifier acts as a template to generate a unique ID per tunnel.
- (Optional) Enter an FQDN IKE identifier different from the local identifier as the Remote Identifier in the following syntax: name@domain.com
- Set the Admin State as Enabled.
  You can set Admin State in the following modes:
- Enabled: Enables the integration to discover new devices on Cisco Catalyst SD-WAN that are eligible for tunnel formation with Prisma Access. Additionally, this verifies current configurations.
- Disabled: Disables the integration and removes all configurations that were created in Prisma Access and in Cisco Catalyst SD-WAN when the connection between them was set up.
- Paused: When you pause the integration, you can no longer add new devices or remove any unconfigured devices. However, the current configurations don't change.
- Check Connectivity to verify the connection.
- Save the changes.
  You can Save changes only after you Check Connectivity, and you must do this every time you change settings or configurations.
  After you save the changes, you can see the Cisco Catalyst SD-WAN networks eligible for tunnel formation with Prisma Access in Discovered Sites. Cisco Catalyst SD-WAN networks are displayed as sites here. It might take some time to view the discovered sites.
- Establish the tunnel setup between Prisma Access and Cisco Catalyst SD-WAN devices.
- View the discovered Cisco Catalyst SD-WAN networks and their information by clicking the site count.
  The integration checks for new Cisco Catalyst SD-WAN networks regularly. You can also initiate an on-demand site discovery.
- Select the Interface.
  By default, Prisma Access scans for devices and identifies interfaces from the Cisco Catalyst devices that are eligible to form tunnels with Prisma Access.
- (Optional) Select the nearest Prisma Access Location for the networks.
- (Optional) Select IPSec Termination Node for each site.
  If you select the same Prisma Access location for multiple networks, allocate the bandwidth equally by selecting different IPSec termination nodes for the networks sharing the same Prisma Access location.
  The integration assigns Prisma Access location and IPSec termination nodes automatically. However, you can choose other Prisma Access locations or IPSec termination nodes if needed.
Redundancy Type | Number of Interfaces | Number of Prisma Access Locations to Select | Number of IPSec Termination Nodes to Select |
---|---|---|---|
Single WAN | 1 | 1 | 1 |
Active/active tunnels | 2 | 2 | 2. After you enable the device, Prisma Access creates 2 remote networks. Select the same IPSec termination nodes for both locations. These conditions are valid for HA deployments as well. |
Active/backup tunnels | 2 (Primary/Secondary on Prisma Access to same remote network). The interface at the top is the primary tunnel. | 2 | 2. After you enable the device, Prisma Access creates 1 remote network. This configuration provides redundancy at internet circuit level. |
Active/backup tunnels | 2 (Different regions/IPSec Termination Nodes in Prisma Access). The interface at the top is the primary tunnel. The feature template you configure on Cisco Catalyst SD-WAN devices assigns the interface as active or backup. | 2 | 2. When the primary tunnel has connectivity issues, Prisma Access establishes a connection with the failover path, which is the secondary or backup tunnel. |
- Select the Cisco Catalyst SD-WAN device and toggle the Enable option to establish a tunnel formation with Prisma Access.
- Update the changes.
  You can view all the Enabled Sites and Configured Sites in Cisco Catalyst SD-WAN Integration with Prisma Access.
  When you click a site count, the hyperlink takes you to a filtered list of sites based on the site count you click. For example, if you click the site count of enabled sites, the list shows only the sites that are enabled and not all discovered sites.
- Verify the changes in Prisma Access.
- Go to Workflows > Prisma Access Setup > Remote Networks.
  Alternatively, you can click Remote Networks - Cisco Catalyst SD-WAN Integration with Prisma Access >.
  Verify the tunnel status. The integration creates remote networks automatically. Such remote networks have names in the following syntax: AUTO-CATALYST-Device_Name
  The configuration status of Cisco Catalyst SD-WAN devices takes some time to be In sync.
- View the IPSec Tunnel, IKE gateway, IKE Crypto profile, and IPSec Crypto profile details.
  Select the remote network site to view these details.
  IPSec Tunnel details:
- Select Incidents and Alerts > Log Viewer > Common > Audit to view Cisco Catalyst SD-WAN Integration with Prisma Access logs.
  The logs specify if the changes were made in Prisma Access or in the Cisco Catalyst SD-WAN.
- (Optional) In the Cisco Catalyst SD-WAN integration app, view information, errors, or warnings in Messages.
  See Troubleshoot Integration Errors to troubleshoot more errors.
- Verify the Cisco Catalyst SD-WAN configurations in Cisco vManage.
- Log in to the Cisco SD-WAN dashboard, and select Monitor > Devices.
- Select Configuration > Templates > Feature Templates.
  The integration creates secure internet gateway (SIG) templates. The SIG template stores details of the IPSec tunnel and IKE values. Don't update these SIG templates manually.
  If there are multiple devices that are part of a device template, configure all devices for tunnel formation with Prisma Access.
- Check the running configuration for the interfaces.
  In Cisco vManage, select Configuration > Devices > WAN Edge List.
  View the Running Configuration of the corresponding devices.
  When you have multiple devices under a device template, devices that are not enabled will have dummy values.
  To avoid dummy values on other devices, move the devices for which you want to enable connectivity to a separate device template and enable the connectivity for each device in this device template. If you enable devices with dummy values, Prisma Access overwrites those dummy values with the tunnel configuration values. Prisma Access populates dummy values for the description, tunnel source interface, tunnel destination, pre-shared secret, and IKE local ID.
  If you add a new device to the device template that has a SIG, configure a few dummy values and attach the device to the device template. After the integration discovers this device, enable it.
- Verify the tunnel status in Cisco Catalyst SD-WAN Manager.
  Log in to the Cisco SD-WAN dashboard, and select Monitor > Devices. Select the device and view the Interface. Verify the admin status and operational status of the tunnel that was auto created for this device.
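One way to check device template descriptions against the topology table, and to spot templates where some devices would be left with dummy values, before enabling devices in the integration. This is an added example, not Palo Alto Networks or Cisco code: the inventory layout and its field names (`wan_links`, `enable`) are hypothetical, and it assumes the PA-AA/PA-AB marker is matched case-sensitively at the end of the description.

```python
# Added example: offline pre-check of device template descriptions.
# Marker rules and WAN-link counts come from the tables on this page; the
# input layout (name/description/devices/wan_links/enable) is hypothetical.

MARKERS = ("PA-AA", "PA-AB")

# marker -> (topology label, WAN link counts (VPN 0) the page lists for it)
TOPOLOGY = {
    None: ("Single WAN", {1}),
    "PA-AA": ("Active/active tunnels", {1, 2}),
    "PA-AB": ("Active/backup tunnels", {2}),
}


def appended_marker(description):
    """Return the marker appended to the description, or None.

    Assumption: the marker must end the description, matched case-sensitively.
    """
    text = description.rstrip()
    for marker in MARKERS:
        if text.endswith(marker):
            return marker
    return None


def audit_template(template):
    """Return a list of findings (strings) for one device template."""
    findings = []
    desc = template["description"]
    marker = appended_marker(desc)
    label, allowed_links = TOPOLOGY[marker]

    if marker is None and any(m in desc for m in MARKERS):
        findings.append("marker present but not appended to the description")

    for dev in template["devices"]:
        if dev["wan_links"] not in allowed_links:
            findings.append(
                f"{dev['name']}: {dev['wan_links']} WAN link(s) does not match "
                f"'{label}' (expects {sorted(allowed_links)})"
            )

    # Devices that share a template with an enabled device but are not enabled
    # themselves get dummy values; the page advises a separate device template.
    enabled = [d["name"] for d in template["devices"] if d["enable"]]
    idle = [d["name"] for d in template["devices"] if not d["enable"]]
    if enabled and idle:
        findings.append("dummy values expected on: " + ", ".join(idle))
    return findings


def audit(templates):
    """Map template name -> findings, omitting templates with none."""
    report = {t["name"]: audit_template(t) for t in templates}
    return {name: f for name, f in report.items() if f}


# Constructed sample inventory (not real vManage output).
SAMPLE = [
    {"name": "branch-single", "description": "Branch edge",
     "devices": [{"name": "br-01", "wan_links": 1, "enable": True}]},
    {"name": "hq-aa", "description": "HQ edge PA-AA",
     "devices": [{"name": "hq-01", "wan_links": 2, "enable": True},
                 {"name": "hq-02", "wan_links": 2, "enable": False}]},
    {"name": "dc-ab", "description": "DC edge PA-AB",
     "devices": [{"name": "dc-01", "wan_links": 1, "enable": True}]},
    {"name": "lab", "description": "PA-AA lab edge",
     "devices": [{"name": "lab-01", "wan_links": 2, "enable": True}]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{name}: {finding}")
```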
On-Demand Site Discovery
You can initiate network discoveries anytime to view new networks added in the
Cisco vManage dashboard. You can also initiate network discoveries to resolve
any misconfiguration in the integration-created objects. To initiate on-demand
network discovery, perform the following steps:
- Select Workflows > Integrations > Prisma Access.
- Locate Cisco Catalyst SD-WAN Integration with Prisma Access.
- View the discovered Cisco Catalyst SD-WAN networks and their information by clicking the site count.
- Discover Sites to identify new eligible Cisco Catalyst SD-WAN networks when required.
Troubleshoot Integration Errors
- If Cisco Catalyst SD-WAN locks a template, don't perform any manual operations on the integration-created objects to avoid template lock due to multiple sessions.
- If your template is locked in edit mode while editing, log in again after
some time and try to edit the template. If the issue persists, contact Cisco
Systems support.
- If your template edit request session expires, log in again after some time and
try to edit the template. If the issue persists, contact Cisco Systems
support.
- If your device does not exist in Cisco Catalyst SD-WAN Manager, try discovering the missing device.