Monitoring, Troubleshooting, and Lifecycle Management

Learning Objectives

Building, deploying, and securing a Catalyst 8000 edge fabric is only the beginning. The real test of any network is what happens on an ordinary Tuesday afternoon when a branch goes quiet, an application crawls, or a software release reaches the end of its supported life. This chapter brings together the operational disciplines that keep a Catalyst 8000 SD-WAN fabric healthy over its lifetime: watching it (monitoring and telemetry), fixing it (structured troubleshooting), and renewing it (lifecycle management).

1. Monitoring and Telemetry

Pre-Reading Check — Monitoring and Telemetry

1. A network operator wants to detect a five-second burst of packet loss that a 5-minute SNMP poll would smooth over. Which approach best fits this need?

Open the SD-WAN Manager Overview dashboard more frequently Configure model-driven telemetry with a short sample interval streaming to a collector Increase the SNMP polling community string priority Generate an admin-tech bundle every five minutes

2. Users report Office 365 feels slow, but ping to the router is fine. Why is a ThousandEyes Enterprise Agent on the router more useful here than the SD-WAN Manager dashboard alone?

It replaces the need for the overlay control plane It measures end-to-end experience along the path to the SaaS target, isolating where the problem lives It reboots the router automatically when latency rises It disables SNMP so the dashboard becomes more accurate

3. On the SD-WAN Manager Overview page, what is the intended first action when scanning for problems?

Immediately generate admin-tech for every device Scan for red or orange indicators under Network/Transport Health or Alarms, then drill down Roll back the most recent software image Clear all control connections to reset the fabric

4. In a model-driven telemetry dial-out session, which device initiates the connection?

The collector initiates the subscription toward the router SD-WAN Manager initiates on behalf of both The router pushes updates to one or more collectors The vBond orchestrator brokers each sample

5. Why is telemetry described as a complement to SD-WAN Manager rather than a replacement?

Telemetry can only run on controllers, not edge routers Manager provides overlay control context (OMP, SLA decisions) that raw sensor streams lack Telemetry is less frequent than dashboard polling Manager cannot display any per-device health metrics

Key Points

You cannot troubleshoot what you cannot see. Effective operations begin with layered visibility: a control plane that tells you the fabric's overall state, streaming telemetry that captures the fine detail, and synthetic tests that measure the experience your users actually receive.

SD-WAN Manager monitoring dashboards

Cisco Catalyst SD-WAN Manager is the central point for monitoring and maintaining a Catalyst SD-WAN fabric, including all of its Catalyst 8000 edge routers. The Overview / Dashboard pages summarize the whole fabric at a glance: healthy versus unhealthy sites and devices, control-plane status (OMP and control connections), transport health (loss, latency, jitter by circuit), and alarm counts by severity. The analogy is an aircraft cockpit: a wall of green tells you to relax, while a single amber light tells you exactly where to look next.

A typical day-to-day monitoring flow: start on the main dashboard and scan for red or orange indicators; if a site looks degraded, drill into Monitor > Network > Devices and filter by model (8300/8500) to see CPU, memory, interface, and tunnel status; use the time-range selector to distinguish a sustained trend from a spike; use the Real Time view to confirm whether a problem is still happening now.

PanelWhat it showsWhy it matters
System healthCPU, memory, uptimeDetects resource exhaustion and unexpected reloads
Control connectionsOMP / control state to controllers, last changeConfirms the router is fully onboarded
BFD / tunnel healthLoss, latency, jitter per transport and tunnelFeeds application-aware routing decisions
Interface statisticsRate, drops, errors, CRCs, queue dropsPinpoints physical or congestion problems
VPN / route statisticsPer-VPN traffic, learned routes, route changesReveals routing instability
Cellular healthSignal strength, operator, SIM status, throughputMonitors LTE/5G-enabled branches

Alongside dashboards, SD-WAN Manager generates alarms and logs events (OMP Peer Down, BFD Session Down, high CPU, interface flaps). This is what lets you turn a vague user report ("the branch was down around 10:05") into a precise correlation with the exact control-plane, tunnel, or interface event that caused it.

Model-driven telemetry

Dashboards are excellent for human eyes, but their charts are coarse and SNMP polling is periodic. Model-Driven Telemetry (MDT) is a streaming framework that continuously pushes device data to external collectors using YANG data models. Key concepts: subscriptions define which YANG data paths (sensors) to monitor; data is encoded as GPB or JSON over gRPC/gNMI or TCP; in a dial-out session the router pushes updates to collectors, while in dial-in the collector initiates the subscription toward the router. If SNMP is taking a photograph every five minutes, MDT is shooting continuous video.

A practical pattern: identify critical sensors (interface counters, CPU/memory, BFD/tunnel SLA stats); create subscriptions (e.g. 30-second general health, 10-second critical tunnel/BFD); configure a dial-out collector destination (InfluxDB/Prometheus via Telegraf, or a commercial NPM/APM platform); then verify the router is streaming and the collector is parsing. Beware over-sampling, and protect the transport with TLS. Treat telemetry as a complement to SD-WAN Manager, not a replacement — Manager still provides the overlay control context that raw telemetry cannot.

ThousandEyes integration

ThousandEyes closes the gap between "how the fabric is behaving" and "how it feels to a user reaching Microsoft 365 across the public internet" with synthetic, end-to-end testing. SD-WAN Manager can install a ThousandEyes Enterprise Agent on selected Catalyst 8000 routers, letting the device itself initiate synthetic tests toward SaaS apps. WAN Insights uses SD-WAN telemetry to produce proactive path recommendations.

Worked example — slow Office 365 from a Catalyst 8300 branch. Ping looks fine and the branch has both MPLS and DIA. From the embedded agent, HTTP/network tests show high latency and retransmits in the upstream ISP segment near the SaaS provider; SD-WAN Manager's transport dashboard shows internet-tunnel loss spiking at the same time; WAN Insights suggests an alternate path; you adjust the SLA class or preferred path in policy and re-check both. The power is correlation: ThousandEyes tells you where on the path the problem lives, and SD-WAN Manager tells you whether the overlay reacted correctly.

Key Takeaway: SD-WAN Manager is your single pane of glass; model-driven telemetry adds sub-minute streaming resolution to catch microbursts; ThousandEyes Enterprise Agents on the router measure real end-to-end experience — correlating all three pinpoints whether a problem is in the branch, the underlay, or the application provider.
Post-Reading Check — Monitoring and Telemetry

1. A network operator wants to detect a five-second burst of packet loss that a 5-minute SNMP poll would smooth over. Which approach best fits this need?

Open the SD-WAN Manager Overview dashboard more frequently Configure model-driven telemetry with a short sample interval streaming to a collector Increase the SNMP polling community string priority Generate an admin-tech bundle every five minutes

2. Users report Office 365 feels slow, but ping to the router is fine. Why is a ThousandEyes Enterprise Agent on the router more useful here than the SD-WAN Manager dashboard alone?

It replaces the need for the overlay control plane It measures end-to-end experience along the path to the SaaS target, isolating where the problem lives It reboots the router automatically when latency rises It disables SNMP so the dashboard becomes more accurate

3. On the SD-WAN Manager Overview page, what is the intended first action when scanning for problems?

Immediately generate admin-tech for every device Scan for red or orange indicators under Network/Transport Health or Alarms, then drill down Roll back the most recent software image Clear all control connections to reset the fabric

4. In a model-driven telemetry dial-out session, which device initiates the connection?

The collector initiates the subscription toward the router SD-WAN Manager initiates on behalf of both The router pushes updates to one or more collectors The vBond orchestrator brokers each sample

5. Why is telemetry described as a complement to SD-WAN Manager rather than a replacement?

Telemetry can only run on controllers, not edge routers Manager provides overlay control context (OMP, SLA decisions) that raw sensor streams lack Telemetry is less frequent than dashboard polling Manager cannot display any per-device health metrics

2. Troubleshooting

Pre-Reading Check — Troubleshooting

1. Why does the recommended methodology insist on proving the control plane before investigating BFD or SLA policy?

Control connections consume the most CPU, so they fail first If a lower layer is broken, every layer above it appears broken too — fix the foundation first SLA policy cannot be inspected while control is up BFD must always be cleared before checking control

2. A cEdge shows control connections to vBond, vSmart, and vManage all up, but BFD to one remote site/color is down. What does this most directly indicate?

A controller certificate has expired The organization-name is mismatched A data-plane problem: tunnel, crypto, or underlay for that path The site-ID is duplicated across the fabric

3. Connections are stuck at certificate-verify and the history shows repeated Certificate Validation Failure. Besides certificates, which factor is a classic root cause to check?

Interface queue drops NTP / clock skew, which can make a valid certificate appear expired App-route SLA class definitions The software release train

4. Control is clean and stable, underlay and IPsec are correct, yet BFD stays down across multiple sites and colors. What should you now suspect?

A mismatched organization-name on every router A software defect on that IOS XE train; check release notes and plan an upgrade A duplicate system-IP shared by all routers An expired root CA certificate on the agents

5. For an intermittent crash that live show commands cannot explain, what is the primary diagnostic artifact to collect for TAC, and when?

A screenshot of the dashboard, taken any time later An admin-tech bundle, generated while the problem is occurring and from each device in the control chain A single show version after the next reload A telemetry subscription created after the incident

Key Points

When something breaks, ad hoc poking wastes time. The discipline that consistently resolves Catalyst 8000 SD-WAN issues is to follow the dependency chain from the bottom up: prove the control plane first, then OMP and TLOCs, then tunnels, then BFD, and finally app-route/SLA policy. If a lower layer is broken, every layer above it will look broken too — so always start at the foundation.

Figure 10.1: Bottom-up SD-WAN troubleshooting dependency chain

flowchart TD A["Layer 1: Control connections
(DTLS/TLS to vBond/vSmart/vManage)"] --> B["Layer 2: OMP and TLOCs
(overlay routing established)"] B --> C["Layer 3: Tunnels
(IPsec/GRE per color)"] C --> D["Layer 4: BFD sessions
(liveliness + loss/latency/jitter)"] D --> E["Layer 5: App-route / SLA policy
(path selection)"] A -. "If broken, every layer above looks broken" .-> E
L1 Control connections (DTLS/TLS) L2 OMP / TLOCs (overlay routing) L3 Tunnels (IPsec/GRE per color) L4 BFD sessions (liveliness + SLA) L5 App-route / SLA policy Chain halts: failure at L4 blocks verification above it.
Each layer is verified green in sequence from the bottom up. A BFD failure at Layer 4 halts the chain — everything above it cannot be trusted until the foundation is fixed.

Control connection troubleshooting

A Catalyst 8000 cEdge cannot do anything useful in the overlay until it has stable control connections. Step 1 — verify current state with show sdwan control connections (look for state up). No entries or all down suggests underlay/DNS/controller-IP problems; only vBond up means an onboarding failure; frequent short-uptime flaps point to underlay loss, MTU, firewall/ALG, or unstable WAN.

Router# show sdwan control connections
Router# show sdwan control local-properties
Router# show sdwan control connections-history

Step 2show sdwan control local-properties shows identity: verify system-ip, unique site-id, exact case-sensitive organization-name, correct vbond, and valid certificates. Step 3 — the connections-history table gives actionable reason codes (Certificate Validation Failure, DTLS negotiation failed, TCP timeout, No route to peer). Step 4 — validate certificates and NTP/clock (skew can make a valid cert appear expired). Step 5 — confirm underlay reachability with ping, traceroute, show ip route. After a fix, force renegotiation with clear sdwan control connections, then confirm OMP with show sdwan omp peers.

Figure 10.2: Control connection troubleshooting decision flow

flowchart TD Start(["show sdwan control connections"]) --> Q1{"Any connections up?"} Q1 -- "None / all down" --> R1["Suspect underlay reachability,
DNS, or controller-IP problem"] Q1 -- "Only vBond up" --> R2["Onboarding failure:
certificate, org-name, or policy"] Q1 -- "Frequent flaps,
short uptime" --> R3["Underlay loss, MTU,
firewall/ALG, unstable WAN"] R1 --> Local["show sdwan control local-properties"] R2 --> Local R3 --> Local Local --> Q2{"system-IP, site-ID,
org-name, vBond,
certs all correct?"} Q2 -- "No" --> Fix1["Correct identity / cert mismatch"] Q2 -- "Yes" --> Hist["show sdwan control connections-history"] Hist --> Q3{"Reason code?"} Q3 -- "Certificate Validation Failure" --> Cert["show sdwan certificate
+ verify NTP / clock skew"] Q3 -- "TCP timeout / No route" --> Under["ping / traceroute / show ip route
check NAT, firewall, ports"] Fix1 --> Clear["clear sdwan control connections"] Cert --> Clear Under --> Clear Clear --> Done(["Confirm OMP:
show sdwan omp peers / tlocs"])

Data plane (BFD/IPsec) issues

Once control and OMP are stable, BFD sessions for the SD-WAN IPsec tunnels should form automatically. BFD is enabled by default and monitors both liveliness and performance. Baseline with show sdwan bfd sessions (per-TLOC state, color, encap). The crucial shortcut: if BFD is down while control to the same peer is up, the problem is in the data plane — the tunnel, crypto, or underlay. Correlate with show sdwan tunnel, read show sdwan bfd history for transition reasons, and relate to SLA with show sdwan app-route statistics. If control is clean yet BFD stays stuck down across many sites/colors, suspect a software defect and plan an upgrade.

Figure 10.3: Data-plane (BFD/IPsec) troubleshooting flow

flowchart TD Start(["show sdwan bfd sessions"]) --> Q1{"BFD up to peer?"} Q1 -- "Up" --> SLA["show sdwan app-route statistics"] SLA --> Q4{"Chronic high loss
on a path?"} Q4 -- "Yes" --> Steer["Policy may steer away
despite tunnel alive"] Q4 -- "No" --> OK(["Data plane healthy"]) Q1 -- "Down (control up)" --> DP["Data-plane problem:
tunnel, crypto, or underlay"] DP --> Tun["show sdwan tunnel"] Tun --> Q2{"Tunnel building?"} Q2 -- "No" --> Underlay["Troubleshoot underlay for color:
routes, NAT, firewall ports, MTU"] Q2 -- "Yes" --> Hist["show sdwan bfd history"] Hist --> Q3{"Pattern?"} Q3 -- "Repeated timeout / loss" --> Path["Underlay instability or
firewall dropping keepalives"] Q3 -- "Stuck down across
many sites / colors" --> Bug["Suspect software defect:
check release notes, plan upgrade"]

Useful show and admin-tech commands

Some problems outrun what live show commands reveal. For these you collect an admin-tech bundle: a comprehensive snapshot of configuration, routing tables, control state, logs, core files, and system info. Generate it from SD-WAN Manager via Tools > Operational Commands (Generate Admin Tech for Manager, or per-device). Two tips: generate it while the problem is occurring, and for control-plane problems collect it from the affected Catalyst 8000 and from vSmart, vBond, and SD-WAN Manager.

CommandPurpose
show sdwan control connectionsCurrent DTLS/TLS state to vBond/vSmart/vManage
show sdwan control connections-historyDisconnect reasons and timestamps
show sdwan control local-propertiesSystem-IP, site-ID, org-name, vBond, certs
show sdwan certificateCertificate validity and trust chain
show sdwan omp peers / omp tlocsOMP peering and learned TLOCs/routes
show sdwan bfd sessionsPer-TLOC tunnel state, color, encap
show sdwan bfd historyBFD up/down transitions and reasons
show sdwan tunnelIPsec/GRE tunnel status and counters
show sdwan app-route statisticsLoss/latency/jitter per path for SLA decisions
clear sdwan control connections / bfd sessionsForce renegotiation after a fix
Key Takeaway: Always fix the control plane first, then validate the data plane with BFD → tunnel → BFD history. BFD-down-while-control-up means a data-plane problem; for hard cases, generate an admin-tech bundle while the problem is live and attach it to your TAC case.
Post-Reading Check — Troubleshooting

1. Why does the recommended methodology insist on proving the control plane before investigating BFD or SLA policy?

Control connections consume the most CPU, so they fail first If a lower layer is broken, every layer above it appears broken too — fix the foundation first SLA policy cannot be inspected while control is up BFD must always be cleared before checking control

2. A cEdge shows control connections to vBond, vSmart, and vManage all up, but BFD to one remote site/color is down. What does this most directly indicate?

A controller certificate has expired The organization-name is mismatched A data-plane problem: tunnel, crypto, or underlay for that path The site-ID is duplicated across the fabric

3. Connections are stuck at certificate-verify and the history shows repeated Certificate Validation Failure. Besides certificates, which factor is a classic root cause to check?

Interface queue drops NTP / clock skew, which can make a valid certificate appear expired App-route SLA class definitions The software release train

4. Control is clean and stable, underlay and IPsec are correct, yet BFD stays down across multiple sites and colors. What should you now suspect?

A mismatched organization-name on every router A software defect on that IOS XE train; check release notes and plan an upgrade A duplicate system-IP shared by all routers An expired root CA certificate on the agents

5. For an intermittent crash that live show commands cannot explain, what is the primary diagnostic artifact to collect for TAC, and when?

A screenshot of the dashboard, taken any time later An admin-tech bundle, generated while the problem is occurring and from each device in the control chain A single show version after the next reload A telemetry subscription created after the incident

3. Lifecycle Management

Pre-Reading Check — Lifecycle Management

1. In install mode, what is the role of the commit step in install add file ... activate commit?

It loads the image into the install repository It switches the active package set without reloading It makes the newly activated package set the permanent boot set It downloads the image from the SD-WAN Manager repository

2. When upgrading an SD-WAN fabric, what is the correct order recommended by Cisco?

Upgrade all edges first, then the controllers Upgrade controllers (Manager, vSmart, vBond) first, then the edges Upgrade everything simultaneously to stay in sync Upgrade only the edges; controllers never need upgrading

3. A branch sits on a release that has reached End of Software Maintenance (EoSM). What does this mean operationally?

It still receives limited new features No routine fixes arrive; migrate now because severe issues may go unaddressed TAC support is fully available indefinitely The hardware has reached end of sale

4. After an upgrade, an activated image causes a regression but you have not yet committed. Which is the fastest software safety net?

configure replace to restore the prior config install rollback to committed, which reverts to the previously committed image and reloads once Re-flash via ROMMON over TFTP Clear the control connections

5. Why is deploying branches as dual C8300s with dual tunnels relevant to upgrade downtime?

It enables true zero-downtime ISSU on single-RP routers It lets traffic shift to the peer during a reload, minimizing disruption when you drain and upgrade one router It removes the need to read release notes It eliminates the reload step entirely

Key Points

A fabric is never "finished." Software releases mature and retire, hardware reaches end of sale, and the safe-and-supported version of today becomes the unpatched liability of tomorrow. Lifecycle management is the practice of renewing the platform on a deliberate schedule rather than reacting to an outage or a security advisory.

Software upgrade workflows

Catalyst 8000 platforms run IOS XE in install mode, where a .bin image is unpacked into packages and packages.conf becomes the boot file. Before any upgrade, capture current state with show version and show install summary, back up the running config, read the target release notes for caveats and minimum ROMMON, and check free space with dir bootflash:.

Via SD-WAN Manager (recommended for fleets): stage the image into Maintenance > Software Repository; scope the job by site/region/role and upgrade controllers before edges; execute under Maintenance > Software Upgrade with optional pre/post checks and download-only pre-staging. Via CLI:

Router# copy scp://user@server/path/c8000-universalk9_ias.XX.Y.Z.SPA.bin bootflash:
Router# verify /md5 bootflash:c8000-universalk9_ias.XX.Y.Z.SPA.bin
Router# install add file bootflash:c8000-universalk9_ias.XX.Y.Z.SPA.bin activate commit

Here add loads the image into the install repository, activate switches the active package set (one reload), and commit makes it the permanent boot set. For more control, run the three phases separately and install commit only after validation.

Figure 10.4: Install-mode upgrade and rollback state machine

stateDiagram-v2 [*] --> Committed: Current image Committed --> Added: install add file Added --> Activated: install activate (reload) Activated --> NewCommitted: install commit Activated --> Committed: install rollback to committed (reload) NewCommitted --> [*]: New image permanent NewCommitted --> Committed: install rollback to (reload) note right of Added Image unpacked into install repository end note note right of Activated New package set running, not yet permanent end note
add file activate (reload) commit Committed Added Activated NewCommitted install rollback to committed (reload) install rollback to <id> (reload)
The image advances Committed → Added → Activated → New Committed (one reload at activate). Orange dashed paths show the rollback escape routes back to the previously committed image.

Minimizing downtime. True zero-downtime ISSU is limited on the single-RP branch routers common in Catalyst 8000 deployments. Instead, minimize disruption through HA design — deploy branches in pairs (dual C8300s) with dual SD-WAN tunnels so traffic shifts to the peer during a reload — and drain traffic from a router via SD-WAN policy before upgrading it in small, verified batches.

Backup and recovery

Every upgrade needs a safety net. IOS XE install mode provides two independent ones. Software rollback reverts to a previously committed image:

Router# show install rollback
Router# install rollback to committed

You can also roll back to a specific stored instance with install rollback to <id>; rollback restores the earlier package set and reloads once. Configuration rollback is separate: save a checkpoint before the change, and if something regresses use configure replace or archive-based rollback. For the worst case — a corrupted image that won't boot — recovery uses ROMMON with USB or TFTP to load a known-good IOS XE image, after which you re-enter install mode.

End-of-life planning and roadmap

Cisco's Software Lifecycle Support Statement for IOS XE defines how long each release receives maintenance and security updates; from IOS XE 26.1.1, Cisco plans roughly two releases per year with defined lifecycle stages.

StageWhat you still getOperational meaning
Active maintenanceBug fixes, security patches, limited new featuresPreferred state for production
Maintenance-only / extendedCritical bug fixes and security updates onlyPlan your successor release
End of Software Maintenance (EoSM)No routine fixesMigrate now; severe issues may go unaddressed
End of Support (EoS)Nothing — TAC support and updates ceaseRunning here means unpatched vulnerabilities

Figure 10.5: IOS XE release lifecycle stages

timeline title IOS XE Release Lifecycle Progression Active maintenance : Bug fixes, security patches, limited new features : Preferred state for production Maintenance-only / extended : Critical bug fixes and security updates only : Plan your successor release End of Software Maintenance (EoSM) : No routine fixes : Migrate now; severe issues may go unaddressed End of Support (EoS) : No TAC support or updates : Running here means unpatched vulnerabilities
today Active fixes + features Maintenance-only critical fixes only EoSM no routine fixes EoS no support ◀ Preferred state — standardize here Migrate before reaching this end ▶
The "today" marker advances along the lifecycle as a release ages: Active (blue) → Maintenance-only (blue) → EoSM (amber) → EoS (red). Plan migration with months of lead time before the marker reaches the danger zone.

A practical strategy: maintain an inventory mapping each Catalyst 8000 to its IOS XE release, image type, model, and serial (exportable from SD-WAN Manager); look up release status and EoL/EoS dates; standardize on a recommended "safe/preferred" release; and plan with months of lead time before EoSM/EoS. Running past EoSM/EoS leaves you exposed to unpatched vulnerabilities and risks incompatibility with newer controllers.

Key Takeaway: Anchor upgrade planning to Cisco's published IOS XE lifecycle stages (Active → Maintenance → EoSM → EoS), keep an accurate inventory mapped to EoL/EoS dates, standardize on a supported release, and migrate in tested batches with months of lead time before maintenance ends.
Post-Reading Check — Lifecycle Management

1. In install mode, what is the role of the commit step in install add file ... activate commit?

It loads the image into the install repository It switches the active package set without reloading It makes the newly activated package set the permanent boot set It downloads the image from the SD-WAN Manager repository

2. When upgrading an SD-WAN fabric, what is the correct order recommended by Cisco?

Upgrade all edges first, then the controllers Upgrade controllers (Manager, vSmart, vBond) first, then the edges Upgrade everything simultaneously to stay in sync Upgrade only the edges; controllers never need upgrading

3. A branch sits on a release that has reached End of Software Maintenance (EoSM). What does this mean operationally?

It still receives limited new features No routine fixes arrive; migrate now because severe issues may go unaddressed TAC support is fully available indefinitely The hardware has reached end of sale

4. After an upgrade, an activated image causes a regression but you have not yet committed. Which is the fastest software safety net?

configure replace to restore the prior config install rollback to committed, which reverts to the previously committed image and reloads once Re-flash via ROMMON over TFTP Clear the control connections

5. Why is deploying branches as dual C8300s with dual tunnels relevant to upgrade downtime?

It enables true zero-downtime ISSU on single-RP routers It lets traffic shift to the peer during a reload, minimizing disruption when you drain and upgrade one router It removes the need to read release notes It eliminates the reload step entirely

Your Progress

Answer Explanations