Deploy Using Cisco Global Launchpad 2.0.x

Automated deployment using Cisco Global Launchpad

This chapter explains how to deploy Catalyst Center on AWS using Cisco Global Launchpad.

In this automated deployment method, you provide Cisco Global Launchpad with the required details to create the AWS infrastructure in your AWS account. The AWS infrastructure includes

  • a VPC

  • an IPsec VPN tunnel

  • gateways

  • subnets, and

  • security groups.

As a result, Cisco Global Launchpad deploys the Catalyst Center AMI as an Amazon EC2 instance with the prescribed configuration in a separate VPC. This configuration includes

  • subnets

  • transit gateways, and

  • other essential resources like AWS CloudFormation for monitoring, Amazon DynamoDB for state storage, and security groups.

With Cisco Global Launchpad, you can also access and manage your VAs and user settings. For information, see the Cisco Global Launchpad Administrator Guide.

Automated deployment workflow

Follow these high-level steps to deploy Catalyst Center on AWS using Cisco Global Launchpad:

  1. Meet the prerequisites. See Prerequisites for automated deployment.

  2. (Optional) Integrate Cisco ISE on AWS and your Catalyst Center VA together. See Guidelines for integrating Cisco ISE on AWS with Catalyst Center on AWS.

  3. Install Cisco Global Launchpad or access Cisco Global Launchpad hosted by Cisco Systems, Inc. See Install Cisco Global Launchpad or Access hosted Cisco Global Launchpad.

  4. Create a new VA pod to contain your Catalyst Center VA instance. See Create a new VA pod.

  5. If you're using an existing Transit Gateway (TGW) and existing attachments, such as a VPC, as your preferred on-premises connectivity option, manually configure the TGW routing table on AWS. Then add the routing configuration to your existing Customer Gateway (CGW). See Manually configure routing on your existing gateway or direct-connect attachment.

  6. Create your new instance of Catalyst Center. See Create a new Catalyst Center VA.

  7. (Optional) If necessary, troubleshoot any issues that arise during the deployment. See Deployment troubleshooting.

  8. Manage your Catalyst Center VA using Cisco Global Launchpad. See the Cisco Global Launchpad Administrator Guide.

Prerequisites for automated deployment

Before deploying Catalyst Center on AWS using Cisco Global Launchpad, ensure that you meet these Cisco Global Launchpad, Catalyst Center, and AWS requirements.

Cisco Global Launchpad requirements

You must install Docker Community Edition (CE) on your platform.

Cisco Global Launchpad supports Docker CE on Mac, Windows, and Linux platforms. See the documentation on the Docker website for the specific procedure for your platform.

Catalyst Center instance requirements

The Catalyst Center must meet these minimum resource requirements regardless of how you access Cisco Global Launchpad:

  • r5a.8xlarge

    Important

    Catalyst Center supports only the r5a.8xlarge instance size. Any changes to this configuration aren't supported. Additionally, the r5a.8xlarge instance size isn't supported in certain availability zones. To view the list of unsupported availability zones, see the Release Notes for Cisco Global Launchpad.

  • 32 virtual CPUs (vCPUs)

  • 256-GB RAM

  • 4-terabyte (TB) storage (EBS-gp3)

  • 2500 disk input and output operations per second (IOPS)

  • 180-MBps disk bandwidth

Catalyst Center backup instance requirements

The Catalyst Center backup instance must meet these minimum resource requirements:

  • t3.micro

  • 2 vCPUs

  • 1-GB RAM

  • 500-GB storage

AWS account requirements

You must meet these AWS account requirements:

  • You have valid credentials to access your AWS account.

  • Your AWS account is a subaccount (a child account) to maintain resource independence and isolation. A subaccount ensures that the Catalyst Center deployment doesn't impact your existing resources.

  • Important: Your AWS account is subscribed to Cisco Catalyst Center Virtual Appliance - Bring Your Own License (BYOL) in AWS Marketplace.

  • If you're an admin user, you have administrator access permission for your AWS account. In AWS, the policy name is displayed as AdministratorAccess.

    The administrator access policy is attached directly to your AWS account, not to a group. The application doesn't enumerate through a group policy. If you are added to a group with the administrator access permission, you cannot create the required infrastructure.

    In the AWS Identity and Access Management (IAM) dashboard, you can find user permission policies. The administrator access policy displays as "AdministratorAccess".

  • If you're a subuser, your administrator has added you to the CiscoDNACenter user group.

    When an admin user logs in to Cisco Global Launchpad for the first time, the CiscoDNACenter user group is created on their AWS account and all the required policies are attached to the group. The admin user can add subusers to this group, so subusers can log in to Cisco Global Launchpad.

    The CiscoDNACenter user group includes these policies:

    • AmazonDynamoDBFullAccess

    • IAMReadOnlyAccess

    • AmazonEC2FullAccess

    • AWSCloudFormationFullAccess

    • AWSLambda_FullAccess

    • CloudWatchFullAccess

    • ServiceQuotasFullAccess

    • AmazonEventBridgeFullAccess

    • service-role/AWS_ConfigRole

    • AmazonS3FullAccess

    • ClientVPNServiceRolePolicy (Version: 2012-10-17)

      This policy allows these rules:

      • ec2:CreateNetworkInterface

      • ec2:CreateNetworkInterfacePermission

      • ec2:DescribeSecurityGroups

      • ec2:DescribeVpcs

      • ec2:DescribeSubnets

      • ec2:DescribeInternetGateways

      • ec2:ModifyNetworkInterfaceAttribute

      • ec2:DeleteNetworkInterface

      • ec2:DescribeAccountAttributes

      • ds:AuthorizeApplication

      • ds:DescribeDirectories

      • ds:GetDirectoryLimits

      • ds:UnauthorizeApplication

      • logs:DescribeLogStreams

      • logs:CreateLogStream

      • logs:PutLogEvents

      • logs:DescribeLogGroups

      • acm:GetCertificate

      • acm:DescribeCertificate

      • iam:GetSAMLProvider

      • lambda:GetFunctionConfiguration

    • ConfigPermission (Version: 2012-10-17, Sid: VisualEditor0)

      This policy allows these rules:

      • config:Get

      • config:*

      • config:*ConfigurationRecorder

      • config:Describe*

      • config:Deliver*

      • config:List*

      • config:Select*

      • tag:GetResources

      • tag:GetTagKeys

      • cloudtrail:DescribeTrails

      • cloudtrail:GetTrailStatus

      • cloudtrail:LookupEvents

      • config:PutConfigRule

      • config:DeleteConfigRule

      • config:DeleteEvaluationResults

    • PassRole (Version: 2012-10-17, Sid: VisualEditor0)

      This policy allows these rules:

      • iam:GetRole

      • iam:PassRole
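An added check, not part of Cisco's documentation or tooling, for the two IAM conditions above: that AdministratorAccess is attached directly to the user rather than through a group (the application doesn't enumerate group policies), and that a subuser is in the CiscoDNACenter group with the listed policies attached. The JSON documents are constructed samples in the shape of `aws iam list-attached-user-policies`, `aws iam list-groups-for-user` and `aws iam list-attached-group-policies` output; the account ID and the group name Admins are made up, and the service-role/ path prefix of AWS_ConfigRole is dropped because the CLI reports PolicyName without the path.

```python
import json

# CiscoDNACenter group policies as listed in the prerequisites (path prefix of
# service-role/AWS_ConfigRole dropped: the CLI reports PolicyName alone).
REQUIRED_GROUP_POLICIES = {
    "AmazonDynamoDBFullAccess", "IAMReadOnlyAccess", "AmazonEC2FullAccess",
    "AWSCloudFormationFullAccess", "AWSLambda_FullAccess", "CloudWatchFullAccess",
    "ServiceQuotasFullAccess", "AmazonEventBridgeFullAccess", "AWS_ConfigRole",
    "AmazonS3FullAccess", "ClientVPNServiceRolePolicy", "ConfigPermission", "PassRole",
}

# Constructed sample documents (no real account data) in the shape returned by:
#   aws iam list-attached-user-policies --user-name <user>
#   aws iam list-groups-for-user --user-name <user>
#   aws iam list-attached-group-policies --group-name <group>
USER_POLICIES = json.dumps({"AttachedPolicies": [
    {"PolicyName": "IAMReadOnlyAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/IAMReadOnlyAccess"}]})
USER_GROUPS = json.dumps({"Groups": [
    {"GroupName": "Admins", "Arn": "arn:aws:iam::123456789012:group/Admins"}]})
ADMINS_GROUP_POLICIES = json.dumps({"AttachedPolicies": [
    {"PolicyName": "AdministratorAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]})


def policy_names(list_attached_json):
    """Set of PolicyName values from a list-attached-*-policies document."""
    doc = json.loads(list_attached_json)
    return {p["PolicyName"] for p in doc.get("AttachedPolicies", [])}


def group_names(list_groups_json):
    """Set of GroupName values from a list-groups-for-user document."""
    return {g["GroupName"] for g in json.loads(list_groups_json).get("Groups", [])}


def admin_access_source(user_policies_json, group_policies_by_name):
    """'direct' satisfies the admin prerequisite; 'group' does not, because
    Cisco Global Launchpad doesn't enumerate group policies; 'none' otherwise."""
    if "AdministratorAccess" in policy_names(user_policies_json):
        return "direct"
    if any("AdministratorAccess" in policy_names(doc)
           for doc in group_policies_by_name.values()):
        return "group"
    return "none"


def subuser_ready(list_groups_json):
    """A subuser must be a member of the CiscoDNACenter group."""
    return "CiscoDNACenter" in group_names(list_groups_json)


def missing_group_policies(group_policies_json):
    """Required policies not attached to the group whose listing is passed in."""
    return REQUIRED_GROUP_POLICIES - policy_names(group_policies_json)


def preflight(user_policies_json, list_groups_json, group_policies_by_name):
    """Summarise what a user should fix before trying to create infrastructure."""
    report = {
        "admin_access": admin_access_source(user_policies_json, group_policies_by_name),
        "subuser_ready": subuser_ready(list_groups_json),
    }
    if "CiscoDNACenter" in group_policies_by_name:
        report["missing_group_policies"] = sorted(
            missing_group_policies(group_policies_by_name["CiscoDNACenter"]))
    return report


if __name__ == "__main__":
    # With the constructed data, admin access is only inherited through Admins,
    # so the user would be blocked from creating the required infrastructure.
    print(preflight(USER_POLICIES, USER_GROUPS, {"Admins": ADMINS_GROUP_POLICIES}))
```

Run the three CLI commands for your own user, save each output, and pass the strings in place of the constructed samples; a result of "group" is the case the prerequisite warns about.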

Install Cisco Global Launchpad

Follow these steps to install Cisco Global Launchpad using Docker containers for the server and client applications.

Before you begin

Make sure that you have Docker CE installed on your machine.

Procedure


Step 1

Go to the Cisco Software Download site and download these files:

  • Launchpad-desktop-client-2.0.1.tar.gz

  • Launchpad-desktop-server-2.0.1.tar.gz

Step 2

Verify that the TAR file is genuine and from Cisco Systems, Inc.

Step 3

Load the Docker images from the downloaded files:

docker load < Launchpad-desktop-client-2.0.1.tar.gz

docker load < Launchpad-desktop-server-2.0.1.tar.gz

Step 4

Use the docker images command to display a list of the Docker images in the repository. Verify that you have the latest copies of the server and client applications.

In the output, the TAG column should display version numbers starting with 2.0. For example:

$ docker images

The output of $ docker images displays a list of the Docker images in the repository, along with the TAG column listing the number starting with 2.0.

Step 5

Run the server application:

docker run -d -p <server-port-number>:8080 -e DEBUG=true --name server <server_image_id>

For example:

$ docker run -d -p 9090:8080 -e DEBUG=true --name server f4f625f2411b

Step 6

Run the client application:

docker run -d -p <client-port-number>:80 -e CHOKIDAR_USEPOLLING=true -e REACT_APP_API_URL=http://localhost:<server-port-number> --name client <client_image_id>

For example:

$ docker run -d -p 90:80 -e CHOKIDAR_USEPOLLING=true \
  -e REACT_APP_API_URL=http://localhost:9090 --name client b7e2a0b1d3db

Note

Make sure that the exposed server port number and the REACT_APP_API_URL port number are the same. In the preceding steps, port number 9090 is used in both examples.

Step 7

Use the docker ps -a command to verify that the server and client applications are running.

The STATUS column should show that the applications are up. For example:

$ docker ps -a

The output of $ docker ps -a shows that both the server and client applications are up.

Note

If you encounter an issue while running the server or client applications, see Docker errors and possible solutions.

Step 8

Verify that the server application is accessible by entering the URL in this format:

http://<localhost>:<server-port-number>/api/valaunchpad/aws/v1/api-docs/

For example:

http://192.0.2.2:9090/api/valaunchpad/aws/v1/api-docs/

The APIs being used for the Catalyst Center VA are displayed in the window.

Step 9

Verify that the client application is accessible by entering the URL in this format:

http://<localhost>:<client-port-number>/valaunchpad

For example:

http://192.0.2.1:90/valaunchpad

The Cisco Global Launchpad login window is displayed.

Note

It can take a few minutes to load the Cisco Global Launchpad login window while the client and server applications load the artifacts.
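The install procedure above carried through as one script. This is an added example, not Cisco's code: it refuses to `docker load` an archive whose SHA-512 digest doesn't match the one published on the download page (Step 2), builds the Step 5 and Step 6 commands from a single server-port value so the port-matching requirement in the Note after Step 6 holds by construction, and prints the Step 8 URL. The EXPECTED_SHA512 values are placeholders to fill in from the download page, the image IDs in the main block are the page's own example IDs, and the script assumes the two archives are in the current directory and Docker CE is on PATH.

```python
import hashlib
import hmac
import subprocess

# PLACEHOLDERS (constructed): replace with the SHA-512 digests shown on the
# Cisco Software Download page next to each file.
EXPECTED_SHA512 = {
    "Launchpad-desktop-client-2.0.1.tar.gz": "<sha512-from-cisco-download-page>",
    "Launchpad-desktop-server-2.0.1.tar.gz": "<sha512-from-cisco-download-page>",
}


def sha512_of(path):
    """Stream the file through SHA-512 so large images don't need to fit in RAM."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_archive(path, expected_hex):
    """True only if the file's digest equals the published one (constant-time compare)."""
    return hmac.compare_digest(sha512_of(path).lower(), expected_hex.strip().lower())


def docker_run_commands(server_port, client_port, server_image, client_image,
                        api_host="localhost"):
    """Build the two `docker run` argv lists from Steps 5 and 6. The server's
    published host port is reused inside REACT_APP_API_URL, so the two values
    can't drift apart."""
    for port in (server_port, client_port):
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port}")
    server = ["docker", "run", "-d", "-p", f"{server_port}:8080",
              "-e", "DEBUG=true", "--name", "server", server_image]
    client = ["docker", "run", "-d", "-p", f"{client_port}:80",
              "-e", "CHOKIDAR_USEPOLLING=true",
              "-e", f"REACT_APP_API_URL=http://{api_host}:{server_port}",
              "--name", "client", client_image]
    return server, client


def ports_consistent(server_cmd, client_cmd):
    """Independent re-check of the Step 6 Note on two already-built commands."""
    published = server_cmd[server_cmd.index("-p") + 1].split(":")[0]
    api_url = next(a for a in client_cmd if a.startswith("REACT_APP_API_URL="))
    return api_url.rsplit(":", 1)[1] == published


def api_docs_url(host, server_port):
    """URL format from Step 8 used to confirm the server application is reachable."""
    return f"http://{host}:{server_port}/api/valaunchpad/aws/v1/api-docs/"


def install(server_port, client_port, server_image, client_image):
    """Steps 2 to 6 end to end: nothing is loaded unless its digest matches."""
    for name, expected in EXPECTED_SHA512.items():
        if not verify_archive(name, expected):
            raise SystemExit(f"digest mismatch for {name}; not loading this image")
        with open(name, "rb") as fh:
            subprocess.run(["docker", "load"], stdin=fh, check=True)
    server, client = docker_run_commands(server_port, client_port,
                                         server_image, client_image)
    assert ports_consistent(server, client)
    subprocess.run(server, check=True)
    subprocess.run(client, check=True)
    print("server API docs:", api_docs_url("localhost", server_port))


if __name__ == "__main__":
    # Image IDs are those `docker images` prints after the load (Step 4);
    # these are the page's example IDs.
    install(9090, 90, "f4f625f2411b", "b7e2a0b1d3db")
```

Fill in EXPECTED_SHA512 first; with the placeholders left in place the script stops at the digest check, which is the intended failure mode.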


Access hosted Cisco Global Launchpad

This section explains how to access hosted Cisco Global Launchpad through Cisco DNA Portal. The instructions vary based on your familiarity with Cisco DNA Portal.

  • If you are new to Cisco DNA Portal, you must create a Cisco account and a Cisco DNA Portal account. Then you can log in to Cisco DNA Portal to access Cisco Global Launchpad.

  • If you already have a Cisco account and a Cisco DNA Portal account, you can log in to Cisco DNA Portal to access Cisco Global Launchpad.

Create a Cisco account

Follow these steps to create a Cisco account.

Note

You need a Cisco account to access Cisco Global Launchpad through Cisco DNA Portal.


Procedure


Step 1

In your browser address bar, enter this URL:

dna.cisco.com

The Cisco DNA Portal login window is displayed.

The Cisco DNA Portal login window displays the options to log in with Cisco or create a new account.

Step 2

Click Create a new account.

Step 3

On the Cisco DNA Portal Welcome window, click Create a Cisco account.

Step 4

On the Create Account window, complete the required fields and then click Register.

Step 5

Verify your account by completing these steps:

  1. Go to the email that you used to register your account.

  2. Open the email from Cisco and click Activate Account.

    A Cisco email requests that you activate your account by clicking Activate Account.

Create a Cisco DNA Portal account

Follow these steps to create a Cisco DNA Portal account.

Note

You need a Cisco DNA Portal account to access Cisco Global Launchpad through Cisco DNA Portal.


Before you begin

Ensure that you already have a Cisco account. For instructions, see Create a Cisco account.

Procedure


Step 1

In your browser address bar, enter this URL:

dna.cisco.com

The Cisco DNA Portal login window is displayed.

The Cisco DNA Portal login window displays the option to log in with Cisco.

Step 2

Click Log In With Cisco.

Step 3

On the Log in page, log in to your Cisco account.

  1. In the Email field, enter your Cisco account email.

  2. Click Next.

  3. In the Password field, enter your Cisco account password.

  4. Click Log in.

Step 4

On the Cisco DNA Portal Welcome page, enter the name of your organization or team in the Name your account field. Then click Continue.

Step 5

On the Cisco DNA Portal Confirm CCO Profile page, complete these steps to create your account:

  1. Verify the details are correct.

  2. Read the conditions. Then check the check box to agree with and acknowledge the conditions.

  3. Click Create Account.

    After you create your account, the Cisco DNA Portal home page is displayed.

    The Cisco DNA Portal home page is displayed with this message, "Subscribe and maintain your offers more efficiently with Cisco DNA Portal. Select an offer below and enjoy your trip with Cisco DNA Portal."

Log in to the Cisco DNA Portal with Cisco

Follow these steps to log in to Cisco DNA Portal so that you can access Cisco Global Launchpad.

Before you begin

Ensure that you have a Cisco account and a Cisco DNA Portal account. For more information, see Create a Cisco account and Create a Cisco DNA Portal account.

Procedure


Step 1

In your browser address bar, enter this URL:

dna.cisco.com

The Cisco DNA Portal login window is displayed.

The Cisco DNA Portal login window displays the option to log in with Cisco.

Step 2

Click Log In With Cisco.

Step 3

On the Log in page, log in to your Cisco account.

  1. In the Email field, enter your Cisco account email.

  2. Click Next.

  3. In the Password field, enter your Cisco account password.

  4. Click Log in.

    If you have only one Cisco DNA Portal account, the Cisco DNA Portal home page is displayed.

  5. (Optional) If you have multiple Cisco DNA Portal accounts, click Continue for the account that you want to log in to.

    The Cisco DNA Portal home page is displayed.

    The Cisco DNA Portal home page is displayed with the message, "Subscribe and maintain your offers more efficiently with Cisco DNA Portal. Select an offer below and enjoy your trip with Cisco DNA Portal."

Create a new VA pod

A VA pod is the AWS hosting environment for the Catalyst Center VA. This hosting environment includes AWS resources, such as the

  • Catalyst Center VA EC2 instance

  • Amazon Elastic Block Storage (EBS)

  • backup NFS server

  • security groups

  • routing tables

  • Amazon CloudWatch logs

  • Amazon Simple Notification System (SNS)

  • VPN Gateway (VPN GW), and

  • TGW.

With Cisco Global Launchpad, you can create multiple VA pods—one VA pod for each Catalyst Center VA.


Note


  • The AWS Super Admin user can set a limit on the number of VA pods that can be created in each region. The VPCs used for resources outside of Cisco Global Launchpad contribute to this number too. For example, if your AWS account has a limit of five VPCs and two are in use, you can only create three more VA pods in the selected region.

  • On some steps, all the resources must be set up successfully to proceed to the next step. If all the resources aren't set up successfully, the proceed button is disabled. If all the resources are set up successfully and the proceed button is disabled, wait a few seconds while the resources finish loading. After all the configurations are complete, the button is enabled.

  • Your VA pod configuration doesn't change when you

    • update Cisco Global Launchpad to a later release

    • downgrade to an earlier Cisco Global Launchpad release, or

    • update the region setup where your VA pod is located.

    For example, if you created a VA pod in Cisco Global Launchpad Release 2.0.x, the backup password is a combination of the backup instance stack name and the backup server IP address. If you access this VA pod in an earlier release, such as Cisco Global Launchpad Release 1.9.0, the backup password doesn't change.


Complete these steps to create a new VA pod.

Before you begin

Ensure that your AWS account has administrator access permission. For more information, see Prerequisites for automated deployment.

Procedure


Step 1

Log in to Cisco Global Launchpad using one of these methods:

  • IAM Login: This method uses user roles to define user access privileges.

    Cisco Global Launchpad supports multifactor authentication (MFA) as an optional, additional form of authentication if your company requires it. For more information, see "Log In to Cisco Global Launchpad Using IAM" in the Cisco Global Launchpad Administrator Guide.

  • Federated Login: This method uses one identity to gain access to networks or applications managed by other operators.

    For more information, see "Generate Federated User Credentials Using saml2aws" or "Generate Federated User Credentials Using AWS CLI" in the Cisco Global Launchpad Administrator Guide.

For information about how to get an access key ID and secret access key, see the AWS Managing access keys for IAM users topic in the AWS Identity and Access Management User Guide on the AWS website.

If you encounter any login errors, resolve them and log in again. For troubleshooting information, see Login errors and possible solutions.

Step 2

If you are an admin user logging in for the first time, enter your email address in the Email ID field and click Submit.

You can subscribe to Amazon SNS to receive alerts about deployed resources, changes, and resource over-utilization. Alarms can be set up to notify you if Amazon CloudWatch detects any unusual behavior in Cisco Global Launchpad. In addition, AWS Config evaluates your configured resources and sends audit logs of the results. For more information, see "Subscribe to the Amazon SNS Email Subscription" and "View Amazon CloudWatch Alarms" in the Cisco Global Launchpad Administrator Guide.

After you enter your email, several processes happen:

  • The CiscoDNACenter user group is created in your AWS account with all the required policies attached. The admin user can add subusers to this group to allow subusers to log in to Cisco Global Launchpad.

  • An Amazon S3 bucket is automatically created to store the state of the deployment. We recommend that you do not delete this bucket or any other bucket from the AWS account, either globally or for each region. Deleting this or another bucket could impact the Cisco Global Launchpad deployment workflow.

  • If you are logging in to a region for the first time, Cisco Global Launchpad creates several resources in AWS. This process can take some time, depending on whether the region is already enabled. Until the process completes, you cannot create a new VA pod. During this time, this message is displayed:

    "Setting up the initial region configuration. This might take a couple of minutes."

After you log in successfully, the Dashboard pane is displayed.

Note

If you're prompted to update the region setup, follow the prompts to complete the update. For more information, see "Update a Region Setup" in the Cisco Global Launchpad Administrator Guide.

By default, Cisco Global Launchpad displays the navigation pane on the left and the Dashboard pane on the right. The Dashboard pane displays a map of the regions and information about the VA pods in the selected region.

Step 3

Click + Add a VA pod.

Step 4

Configure the AWS infrastructure (including the region, VPC, private subnet, routing table, security group, virtual gateway, and CGW) by completing these steps:

  1. Configure these VA pod environment details fields:

    • Region name: From this drop-down list, choose a region.

    • VA pod name: Assign a name to the new VA pod.

      Note

      The VA pod name must meet these requirements:

      • The name must be unique within the region. (This means that you can use the same name across multiple regions.)

      • The name must be between 4 and 12 characters long.

      • The name can include letters (A through Z), numbers (0 to 9), and dashes (-).

    • Availability zone: From this drop-down list, choose an availability zone.

      An availability zone is an isolated location within your selected region.

    • AWS VPC CIDR: Enter a unique VPC subnet to use to launch the AWS resources.

      Note

      Keep these guidelines in mind:

      • The recommended CIDR range is /25.

      • In IPv4 CIDR notation, the last octet (the fourth octet) of the IP address can be either 0 or 128.

      • This subnet should not overlap with your corporate subnet.

  2. Under Transit gateway (TGW), choose a gateway option:

    • If you have a single VA pod and want to use a VPN gateway, choose VPN GW.

      A VPN GW is the VPN endpoint on the Amazon side of your Site-to-Site VPN connection. It can be attached to only one VPC.

    • If you have multiple VA pods or VPCs and want to use the TGW as a transit hub to interconnect multiple VPCs and on-premises networks, choose New VPN GW + New TGW.

      Note

      • The TGW can also be used as a VPN endpoint for the Amazon side of the Site-to-Site VPN connection.

      • You can create only one TGW for each region.

    • If you have an existing TGW and want to use it, choose Existing TGW.

      If you chose Existing TGW, under VPN/Direct Connect Attachment, choose a gateway option:

      • To create a new VPN gateway for your existing TGW, choose New VPN GW.

      • To use an existing VPN or direct-connect attachment, choose Existing attachment. Then, from the Select attachment ID drop-down list, choose an attachment ID.

        Note

        To view the direct connect gateway name in the drop-down list, you must log in to Cisco Global Launchpad with an administrator account to grant the required permissions.

        If you choose this option, you must also configure routing on your existing gateway or direct connect attachment. For instructions, see Manually configure routing on your existing gateway or direct-connect attachment.

  3. Complete this step depending on your gateway selection:

    • If you chose Existing TGW and Existing attachments as your preferred connectivity options, continue to Step 4.d.

    • If you chose VPN GW, New VPN GW + New TGW, or Existing TGW + New VPN GW, provide these VPN details:

      • Customer gateway (Enterprise firewall/router): Enter the IP address of your enterprise firewall or router to form an IPsec tunnel with the AWS VPN gateway.

      • VPN vendor: From this drop-down list, choose a VPN vendor.

        Barracuda, Sophos, Vyatta, and Zyxel are not supported VPN vendors. For more information, see VA pod configuration errors and possible solutions.

      • Platform: From this drop-down list, choose a platform.

      • Software: From this drop-down list, choose a software.

  4. For the Customer profile size, leave the default Medium setting.

    The customer profile size applies to both the Catalyst Center VA instance and the backup instance. For information about the Catalyst Center instance size and Catalyst Center backup instance size, see Prerequisites for automated deployment.

  5. For the Backup target (NFS), choose a destination for your backups:

    • If you want the backup to be stored in the on-premises servers, choose Enterprise backup.

      For information about the backup storage requirements, see "Backup storage requirements" in the Cisco Catalyst Center Administrator Guide.

    • If you want the backup to be stored in AWS, choose Cloud backup.

      If you chose Cloud backup, record this information because you will use it later to log in to the cloud backup server:

      • SSH IP address: <BACKUP VM IP>

      • SSH port: 22

      • Server path: /var/catalyst-backup/

      • Username: maglev

      • Password: <xxxx##########>

        Your backup server password is dynamically created. The password is composed of the first four characters of the VA pod name and the backup server IP address without the periods.

        For example, if the VA pod name is DNAC-SJC and the backup server IP address is 10.0.0.1, the backup server password is DNAC10001.

        Note

        • You can find the VA pod name on the Dashboard pane after you choose the region that it's deployed in.

        • You can find the backup server IP address on the View Catalyst Center pane. For more information, see "View Catalyst Center VA Details" in the Cisco Global Launchpad Administrator Guide.

      • Passphrase: <Passphrase>

        Your passphrase is used to encrypt the security-sensitive components of the backup. These security-sensitive components include certificates and credentials.

        This passphrase is required. When you restore the backup files, you are prompted to enter this passphrase. You cannot restore backup files without this passphrase.

      • Open ports: 22, 2049, 873, and 111

  6. Click Next.

  7. On the Summary pane, review the environment and VPN details that you entered. When you're satisfied, click Start configuring AWS infrastructure.

    Important

    This setup takes about 20 minutes to complete.

    You can navigate from this screen to another page in Cisco Global Launchpad, and the process continues in the background. If you close the tab or window, or refresh the page, any active background process pauses.

    After the AWS infrastructure is successfully configured, the AWS Infrastructure Configured pane is displayed.

    The Add a VA Pod pane displays fields that must be configured to create a VA pod. In step three, Cisco Global Launchpad checks the IPsec tunnel connectivity.

    If the AWS infrastructure configuration fails, exit Cisco Global Launchpad and see VA pod configuration errors and possible solutions.

    The AWS infrastructure configuration fails, and the AWS infrastructure diagram is red.
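An added pre-flight validator for the VA pod fields entered in Step 4. This is example code, not Cisco's: it applies the VA pod name rules and the AWS VPC CIDR guidelines from Step 4.a (including overlap with corporate subnets you pass in), and derives the cloud backup password described under Cloud backup in Step 4.e so you can confirm the expected value before logging in to the backup server. It assumes lowercase letters are as acceptable in a pod name as A through Z, which the note doesn't state; uniqueness of the name within a region can only be checked against the Dashboard, so it is not covered.

```python
import ipaddress
import re


def validate_pod_name(name):
    """Return a list of rule violations for a VA pod name; empty means acceptable.
    Assumption: lowercase letters are accepted alongside A through Z."""
    problems = []
    if not 4 <= len(name) <= 12:
        problems.append("name must be 4 to 12 characters")
    if not re.fullmatch(r"[A-Za-z0-9-]*", name):
        problems.append("only letters, digits and dashes are allowed")
    return problems


def validate_vpc_cidr(cidr, corporate_cidrs=()):
    """Apply the AWS VPC CIDR guidelines; returns a list of violations.
    corporate_cidrs are the enterprise ranges the VPC must not overlap."""
    problems = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    except ValueError as err:
        return [f"not a valid network CIDR: {err}"]
    if net.version != 4:
        return ["the guidelines cover IPv4 CIDRs only"]
    if net.prefixlen != 25:
        problems.append(f"recommended range is /25, got /{net.prefixlen}")
    last_octet = int(net.network_address) & 0xFF
    if last_octet not in (0, 128):
        problems.append(f"last octet must be 0 or 128, got {last_octet}")
    for corp in corporate_cidrs:
        if net.overlaps(ipaddress.ip_network(corp, strict=False)):
            problems.append(f"overlaps corporate subnet {corp}")
    return problems


def backup_server_password(pod_name, backup_ip):
    """Cloud backup password as the page describes it: the first four characters
    of the VA pod name followed by the backup server IP without its periods."""
    return pod_name[:4] + backup_ip.replace(".", "")


def preflight(pod_name, vpc_cidr, corporate_cidrs=()):
    """Everything the form will reject, collected in one place."""
    return {
        "pod_name": validate_pod_name(pod_name),
        "vpc_cidr": validate_vpc_cidr(vpc_cidr, corporate_cidrs),
    }


if __name__ == "__main__":
    # Constructed inputs: the page's example pod name, a /25 VPC, and a made-up
    # corporate range that the VPC must stay clear of.
    print(preflight("DNAC-SJC", "10.0.0.0/25", ["192.168.0.0/16"]))
    print(backup_server_password("DNAC-SJC", "10.0.0.1"))
```

Feed the validator the exact strings you intend to type into the Add a VA Pod pane; an empty list for each field means the page's stated rules are satisfied.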

Step 5

Download the on-premises configuration file by completing these steps:

  1. After the AWS infrastructure is successfully configured, click Proceed to on-premises configuration.

  2. In the Configure the On-Premises Tunnel Endpoint pane, click Download configuration file. Forward this file to your network administrator to configure the on-premises-side IPsec tunnel.

    This file is generated based on the on-premises vendor, platform, and version that were selected during the AWS infrastructure configuration. The file contains the unique VPN connection IDs that were created for the VPC. Only a few things need to be modified according to the on-premises firewall or router. For example, if you have an ASA firewall or router, you need to modify the static route configuration to the selected VPC subnet.

    route Tunnel-int-vpn-0bbef6e1331a37048-0 10.0.0.0 255.255.0.0 169.254.184.85 100

    Make sure your network administrator configures only one IPsec tunnel.

    Note
    • The network administrator can make the necessary changes to this configuration file and apply it to your enterprise firewall or router to bring up the IPsec tunnels.

      The provided configuration file enables you to bring up two tunnels between AWS and the enterprise router or firewall.

    • Most virtual private gateway solutions have one tunnel up and the other down. You can have both tunnels up and use the Equal Cost Multiple Path (ECMP) networking feature. ECMP processing enables the firewall or router to use equal-cost routes to transmit traffic to the same destination. To do this, your router or firewall must support ECMP. Without ECMP, we recommend that you either keep one tunnel down and manually failover or use a solution, such as an IP SLA, to automatically bring up the tunnel in a failover scenario.

  3. Click Proceed to network connectivity check.

Step 6

Check the status of your network configuration based on the on-premises connectivity preferences that you selected during the AWS infrastructure configuration.

  • If you chose VPN GW as your preferred on-premises connectivity option, the IPsec tunnel configuration status is displayed.

    • If the network administrator hasn't configured the IPsec tunnel yet, a padlock is displayed on the IPsec tunnel.

      The IPsec tunnel connecting the VA pod and enterprise firewall or router is gray with a padlock, meaning it's not configured.

    • Ask your network administrator to verify that the IPsec tunnel on the enterprise firewall or router is up. After the IPsec tunnel comes up, the IPsec tunnel turns green.

      The IPsec tunnel connecting the VA pod and enterprise firewall or router is green, meaning the tunnel is up.

    Note

    If the IPsec tunnel is up and you cannot access Catalyst Center VA from the CGW, check that the correct values were passed during the IPsec tunnel configuration. Cisco Global Launchpad reports the tunnel status from AWS and doesn't perform additional checks.

  • If you chose New VPN GW + New TGW or Existing TGW and new VPN GW as your preferred on-premises connectivity option, Cisco Global Launchpad checks whether your VPC is connected to the TGW, which in turn is connected to your on-premises firewall or router.

    Note

    For the TGW-to-enterprise firewall or router connection to succeed, your network administrator must add the configuration to your on-premises firewall or router.

    • If the connection from the TGW to your on-premises firewall or router isn't connected yet, it's grayed out.

      The connection between the TGW and your on-premises firewall or router is gray, meaning they're not connected.

    • After TGW connectivity is successfully established, the TGW connection is green.

      The connection between the TGW and your on-premises firewall or router is green, meaning they're connected.

  • If you chose Existing TGW and Existing Attachment as your preferred on-premises connectivity option, make sure that routing is configured between the existing TGW and the newly attached VPC, where Catalyst Center VA is launched. For information, see Manually configure routing on your existing gateway or direct-connect attachment.

    • If your VPC is not attached to the TGW, the TGW connection is grayed out.

      The connection between the VA pod and the TGW is gray, meaning they're not connected.

    • After TGW connectivity is successfully established, the TGW connection is green.

      The connection between the VA pod and the TGW is green, meaning they're connected.

Step 7

Click Go to dashboard to return to the Dashboard pane, where you can create more VA pods and manage your existing ones.


Manually configure routing on your existing gateway or direct-connect attachment

If you chose Existing Transit Gateway and Existing Attachments as your preferred connectivity option while creating a new VA pod, Cisco Global Launchpad creates a VPC to launch Catalyst Center and attaches this VPC to your existing TGW.

For Cisco Global Launchpad to establish the TGW connection, you must manually configure the TGW routing table on AWS and add the routing configuration of your existing CGW or direct-connect attachment. Follow these steps to configure the routing.

Procedure


Step 1

From the AWS console, go to VPC service.

Step 2

In the left navigation pane, under Transit Gateways, choose Transit gateway route tables and select the existing TGW route table.

Step 3

In the Transit gateway route tables page, complete these steps:

  1. Click Associations.

  2. From the drop-down list, choose the attachment to associate.

  3. Click Create association.

The association can be your existing CGW or direct-connect attachment.

In the Transit gateway route tables page, the Create association button is in the upper-right corner of the Associations pane.

Step 4

In the Transit gateway route tables page, click the Propagations tab and then click Create propagation.

In the Transit gateway route tables page, the Create propagation button is in the upper-right corner of the Propagations pane.

Step 5

In the Transit gateway route tables page, ensure that the static route between the respective VPC and VPN is active by completing these steps:

  1. Click Routes.

  2. Click Create static route.

Step 6

Ensure that your on-premises router configuration is updated to route the network traffic destined for the CIDR ranges that are allocated to your CGW or direct-connect attachment in your AWS environment.

For example: route tunnel-int-vpn-0b57b508d80a07291-1 10.0.0.0 255.255.0.0 192.168.44.37 200
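The console steps above, expressed as AWS CLI calls, as an added example that is not part of this guide or of Cisco Global Launchpad: the route-table, attachment and CIDR values are constructed placeholders, the static-route target is an assumption to adjust to your design, and the sample search-transit-gateway-routes output is constructed so the Step 5 active-route check runs offline.

```python
"""Added example: AWS CLI equivalents of the TGW route-table steps, plus the Step 5 check."""
import json
import subprocess
from ipaddress import ip_network

# Constructed placeholder IDs and CIDR; substitute your own values.
TGW_ROUTE_TABLE = "tgw-rtb-0123456789abcdef0"
ONPREM_ATTACHMENT = "tgw-attach-0cgw000000000001"  # existing CGW or Direct Connect attachment (Step 3)
VA_POD_ATTACHMENT = "tgw-attach-0vpc000000000002"  # VPC attachment Launchpad created for the VA pod
VA_POD_CIDR = "10.0.0.0/16"                        # CIDR of that VPC

def tgw_commands(route_table, onprem_attachment, va_pod_attachment, va_pod_cidr):
    """Steps 3 to 5 as argv lists: associate the on-premises attachment, enable its
    propagation, add a static route for the VA pod CIDR towards the VPC attachment
    (that target is an assumption; adjust to your design), then list active routes."""
    aws = ["aws", "ec2"]
    rt = ["--transit-gateway-route-table-id", route_table]
    return [
        aws + ["associate-transit-gateway-route-table"] + rt
        + ["--transit-gateway-attachment-id", onprem_attachment],
        aws + ["enable-transit-gateway-route-table-propagation"] + rt
        + ["--transit-gateway-attachment-id", onprem_attachment],
        aws + ["create-transit-gateway-route"] + rt
        + ["--destination-cidr-block", va_pod_cidr,
           "--transit-gateway-attachment-id", va_pod_attachment],
        aws + ["search-transit-gateway-routes"] + rt
        + ["--filters", "Name=state,Values=active"],
    ]

def run(commands, dry_run=True):
    """Print each command; execute only with dry_run=False (needs AWS credentials)."""
    for argv in commands:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)

def active_route_for(search_output, cidr):
    """Parse search-transit-gateway-routes JSON and return the attachment ID of an
    active route whose destination covers cidr, or None (missing or blackhole)."""
    want = ip_network(cidr, strict=False)
    for route in json.loads(search_output).get("Routes", []):
        dest = route.get("DestinationCidrBlock")
        if dest is None or route.get("State") != "active":
            continue
        dest_net = ip_network(dest)
        if dest_net.version == want.version and dest_net.supernet_of(want):
            attachments = route.get("TransitGatewayAttachments") or [{}]
            return attachments[0].get("TransitGatewayAttachmentId")
    return None

# Constructed sample output in the shape the CLI returns, so this runs offline.
SAMPLE_SEARCH_OUTPUT = json.dumps({"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "Type": "static", "State": "active",
     "TransitGatewayAttachments": [{"ResourceType": "vpc", "ResourceId": "vpc-0vapod",
                                    "TransitGatewayAttachmentId": VA_POD_ATTACHMENT}]},
    {"DestinationCidrBlock": "192.168.0.0/16", "Type": "propagated", "State": "active",
     "TransitGatewayAttachments": [{"ResourceType": "vpn", "ResourceId": "vpn-0onprem",
                                    "TransitGatewayAttachmentId": ONPREM_ATTACHMENT}]},
    {"DestinationCidrBlock": "10.1.0.0/24", "Type": "static", "State": "blackhole",
     "TransitGatewayAttachments": []}], "AdditionalRoutesAvailable": False})

if __name__ == "__main__":
    run(tgw_commands(TGW_ROUTE_TABLE, ONPREM_ATTACHMENT, VA_POD_ATTACHMENT, VA_POD_CIDR))
    print("VA pod CIDR reached via:", active_route_for(SAMPLE_SEARCH_OUTPUT, VA_POD_CIDR))
```

Run with the real output of the search command (dry_run=False) to confirm the route for the Launchpad VPC is active and points at the expected attachment; a blackhole or missing route means the association or propagation step did not take effect.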


Create a new Catalyst Center VA

Follow these steps to configure a new Catalyst Center VA.

Procedure


Step 1

In the Dashboard pane, locate the VA pod where you want to create your Catalyst Center VA.

The Dashboard pane displays a map of all the regions and, below the map, displays a list of all existing VA pods.

Step 2

In the VA pod card, click Create/Manage Catalyst Center(s).

Step 3

In the VA Pod Dashboard pane, click + Create a new Catalyst Center.

Step 4

Enter these details:

  • Catalyst Center version: From the drop-down list, choose a version.

  • Enterprise DNS: Enter the IP address of your enterprise DNS

    Ensure that the enterprise DNS is reachable from the VA pod in which you're creating the Catalyst Center VA.

    Note

     
    • Cisco Global Launchpad checks the on-premises network connection using UDP port 53 with the DNS server IP address that you entered.

    • After you deploy the Catalyst Center VA on AWS, the DNS server cannot be updated through Cisco Global Launchpad. You can update the DNS server using the AWS console. For more information, see Update the DNS server on your Catalyst Center VA using the AWS console.

  • FQDN: Enter the Fully Qualified Domain Name (FQDN) for the Catalyst Center VA as configured on your DNS server.

    Note

     
    • The Catalyst Center IP address is displayed under this field.

    • To access Catalyst Center using its domain name, add an A record (also known as an address record) to the enterprise DNS with the FQDN and this IP address.

  • Proxy details: Select one of these HTTPS network proxy options:

    • No proxy: No proxy server is used.

    • Unauthenticated: The proxy server does not require authentication. Enter the URL and port number of the proxy server.

    • Proxy authentication: The proxy server requires authentication. Enter the URL, port number, username, and password details for the proxy server.

  • CLI password: Enter a CLI password to use to log in to the Catalyst Center VA.

    The password requirements and restrictions are as follows.

    Password requirements: The password must

    • be 9 to 64 characters long, and

    • contain characters from at least three of these categories:

      • Uppercase letters (A through Z)

      • Lowercase letters (a through z)

      • Numbers (0 to 9)

      • Special characters (for example, !, $, and #)

    Password restrictions: The password must not include

    • the username or any two consecutive characters of the username

    • context-specific words, such as the service name, username, or derivatives

    • four consecutive characters, except for special characters, and

    • any tabs or line breaks.

    Record this password, so you can use it to log in later.

    Note

     

    The username is maglev.

  • Customer CIDR to access the Catalyst Center: Enter the CIDR block of your local network gateway to access the Catalyst Center VA.

    This CIDR block is added to the allowed list for the Catalyst Center network.

    If you don't know the CIDR, enter 0.0.0.0/0, provided it complies with the security policies of your cloud accounts.
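To check a candidate CLI password against the requirements and restrictions listed above before entering it, here is an added example that is not the guide's or Cisco's own code: the context-word list is a constructed assumption, and the ambiguous "four consecutive characters" rule is read strictly, rejecting both repeated runs (aaaa) and alphanumeric sequences (abcd, 4321).

```python
"""Added example: pre-check a Catalyst Center CLI password against the rules above."""
import re
import string

USERNAME = "maglev"                     # the CLI username stated in the guide
# Context-specific words to reject (and their reversals); a constructed assumption.
CONTEXT_WORDS = ("maglev", "cisco", "catalyst")

def _has_run_of_four(password):
    """True if four consecutive alphanumeric characters are identical or form an
    ascending or descending sequence. Special characters are exempt, as the guide says.
    Flagging both kinds of run is the stricter reading of the rule (assumption)."""
    for i in range(len(password) - 3):
        window = password[i:i + 4]
        if not window.isalnum():
            continue
        codes = [ord(c) for c in window]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def check_cli_password(password, username=USERNAME):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if not 9 <= len(password) <= 64:
        problems.append("length must be 9 to 64 characters")
    categories = [any(c.isupper() for c in password),
                  any(c.islower() for c in password),
                  any(c.isdigit() for c in password),
                  any(c in string.punctuation for c in password)]
    if sum(categories) < 3:
        problems.append("needs characters from at least three categories")
    lowered, user = password.lower(), username.lower()
    # The guide also bans any two consecutive characters of the username ("ma", "ag", ...).
    pairs = {user[i:i + 2] for i in range(len(user) - 1)}
    if user in lowered or any(p in lowered for p in pairs):
        problems.append("contains the username or two consecutive characters of it")
    if any(w in lowered or w[::-1] in lowered for w in CONTEXT_WORDS):
        problems.append("contains a context-specific word or derivative")
    if _has_run_of_four(password):
        problems.append("contains four consecutive characters")
    if re.search(r"[\t\r\n]", password):
        problems.append("contains a tab or line break")
    return problems

if __name__ == "__main__":
    for candidate in ("Str0ng!Pass#2024", "Abcd1234!x", "maglev123"):
        print(repr(candidate), "->", check_cli_password(candidate) or "OK")
```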

Step 5

Click Validate to validate the Enterprise DNS server and FQDN configured on the DNS server.

Note

 

If the DNS server, proxy server, or FQDN checks fail, continue with your configuration based on which check fails:

  • If the DNS server validation fails, you cannot continue creating your Catalyst Center VA. Make sure that the entered DNS server IP address is reachable from the VA pod.

  • If the proxy server validation fails, you can continue with your configuration because even if the invalid proxy details aren’t fixed, the Catalyst Center VA works.

  • If the FQDN validation fails, you can continue creating your Catalyst Center VA. However, you need to fix the FQDN configuration.

Step 6

In the Summary page, review the configuration details.

Note

 

The Catalyst Center IP address is a statically assigned IP address that is maintained across AWS availability zone outages to ensure uninterrupted connectivity and to minimize disruptions during critical network operations.

Step 7

Click Generate PEM key file.

Step 8

In the Download PEM key file dialog box, click Download PEM key file.

If you click Cancel, the system returns you to the Summary page.

Important

 

You need to download the PEM key because it isn't stored in your AWS account and you need it to access the Catalyst Center VA that is being created.

Step 9

Click Start Catalyst Center configuration.

Cisco Global Launchpad configures the Catalyst Center VA environment. After the environment is configured, Catalyst Center VA boots. Initially, Cisco Global Launchpad displays the outer ring in gray. When Port 2222 is validated, the image turns amber. When Port 443 is validated, the image turns green.

Note

 
  • This process takes 45 to 60 minutes.

  • You can navigate from this screen to another page in Cisco Global Launchpad, and the process continues in the background. If you close the tab or window, or refresh the page, any active background process pauses.

  • While the Catalyst Center configuration in progress page is displayed, record the backup server IP address for later use. Your backup server password is a combination of the first four characters of the VA pod name and the backup server IP address without the periods.

The Catalyst Center Configuration In Progress page displays Catalyst Center details and a diagram where the outer ring is green and the inner ring is amber.

When the Catalyst Center VA finishes booting, the configuration is complete. You can now view your Catalyst Center VA details.

If the configuration fails, return to the VA pod dashboard pane. For troubleshooting information, see Catalyst Center VA errors and possible solutions.

If the configuration fails, the Cisco Catalyst Center Configuration In Progress page displays "Environment Setup failed" and a diagram where the outer ring is green and the inner ring is red.

Step 10

Click Back to VA Pod dashboard to return to the VA Pod Dashboard pane.


Deployment troubleshooting

Cisco Global Launchpad is designed to help you seamlessly configure Catalyst Center on AWS with minimal intervention. This section shows you how to troubleshoot common issues during the automated deployment of Catalyst Center on AWS.


Note


We recommend against making manual changes to resources that Cisco Global Launchpad manages through the AWS console. Manual changes can lead to issues that Cisco Global Launchpad cannot resolve.


If you have any issues that are not addressed in this section, contact Cisco TAC.

Docker errors and possible solutions

If the port is already in use error occurs while running the Docker images for Cisco Global Launchpad, use these possible solutions to troubleshoot it.

This table lists Docker error scenarios and their possible solutions.

Error scenario

Possible solution

If you receive the port is already in use error while running the server application, review the possible solution.

On Docker, run the server application.

docker run -d -p <server-port-number>:8080 -e SECRET_KEY=<your-secret-key> --name server --pull=always dockerhub.cisco.com/maglev-docker/server:x.x.x-latest

Note

 

You can use any available server port.

While running the server application, run the client application.

docker run -d -p 90:80 -e REACT_APP_API_URL=http://localhost:<server-port-number> --name client --pull=always dockerhub.cisco.com/maglev-docker/client:x.x.x

Note

 

You must use the same port number that you used to run the server application.

If you receive the port is already in use error while running the client application, review the possible solution.

On Docker, run the client application:

docker run -d -p <client-port-number>:80 --name client --pull=always dockerhub.cisco.com/maglev-docker/client:x.x.x

Note

 

You can use any available port for the client.

Login errors and possible solutions

When you log in to Cisco Global Launchpad, you may encounter a login error.

This table lists common login errors and their possible reasons and solutions.

Error

Possible reason and solution

Invalid credentials.

Re-enter your credentials and check that they are entered correctly.

You don't have enough access.

If you are an admin, verify that your account has administrator access permission.

If you are a subuser, verify that your admin added you to the CiscoDNACenter user group.

An operation to delete is in progress, please try again after some time.

If an admin user deletes the <AccountId>-cisco-dna-center global bucket from your AWS account and then tries to log in, this login error can occur. Wait 5 minutes for the deletion to complete.

Hosted Cisco Global Launchpad error and possible solutions

When you trigger a root cause analysis (RCA) from the Trigger RCA pane on hosted Cisco Global Launchpad, you may encounter the Rate exceeded error. This error occurs when the region receives the maximum number of API requests: 10,000 requests per second.

To resolve this error, review these possible solutions:

  • Increase the limit in AWS with the Service Quotas service.

  • Retry the operation after a few seconds.

Region issues and possible solutions

This table lists region issues and their possible solutions.

Issue

Possible solution

While creating a VA pod in a new region, one of these occurs:

  • Cisco Global Launchpad displays an error message.

  • The screen freezes for more than 5 minutes and does not display a configuration-in-progress message.

Make sure that any manual process on the AWS console has completed successfully. Then retry this step. If the problem persists, contact Cisco TAC.

Note

 

To avoid such conflicts, don't make any manual changes to the VA pods. Instead, use the Cisco Global Launchpad for all actions.

Your region setup fails and Cisco Global Launchpad displays a Bucket [name] did not stabilize error similar to this error.

Bucket 059356112352-cisco-dna-center-eu-south-1.va.storage did not stabilize.

Open a case with AWS and ask that they delete the failed resources from the back end.

VA pod configuration errors and possible solutions

This table lists VA pod configuration errors and their possible reasons and solutions.

Error

Possible reason and solution

+ Create VA Pod button disabled.

Hover your cursor over the disabled button to learn why it's disabled.

You may not be able to create a new VA pod for these reasons:

  • You have reached the limit of VPC service quota: For each region, your AWS admin sets a limit for how many VPCs can be created. Usually, each region allows five VPCs, and each VPC supports only one VA pod. Contact your AWS administrator for the exact number.

    Any VPC used for resources outside of Cisco Global Launchpad also counts toward this limit. For example, if your AWS account has a limit of five VPCs and two are in use, you can create only three more VA pods in that region.

    To create more VA pods, ask your AWS administrator to change the limit or delete some existing VA pods or VPCs on your AWS account. For more information, see the AWS Creating a service quota increase topic in the AWS Support User Guide on the AWS website.

  • Pod deletion in progress: The last VA pod in the region is being deleted. Wait a few minutes. Then retry creating a new VA pod.

AMI ID for this region is not available for your account.

When you click + Create a new VA pod, Cisco Global Launchpad validates the AMI ID for your selected region.

If you receive this error, the validation failed and you cannot create a new pod in this region. Contact Cisco TAC for assistance.

Your VPN configuration is invalid. At this step you cannot update it so please delete the instance and create a new one.

When configuring a VA pod, these VPN vendors are not supported:

  • Barracuda

  • Sophos

  • Vyatta

  • Zyxel

If you are using an unsupported VPN vendor, this error message is displayed on the Configure the on-premises tunnel endpoint page.

Your VPN configuration is invalid. At this step, you cannot update it, so please delete the instance and create a new one.

CustomerGateway with type "ipsec.1", ip-address "xx.xx.xx.xx", and bgp-asn "65000" already exists (RequestToken: f78ad45d-b4f8-d02b-9040-f29e5f5f86cf, HandlerErrorCode: AlreadyExists)

Delete the failed VA pod and create a new one. Ensure that you create only one VA pod at a time.

You may receive this error if you try to create more than one VA pod at a time.

AWS infrastructure failed.

Return to the Dashboard pane and create a new VA pod. For more information, see Create a new VA pod.

Note

 

You can delete the VA pod that failed to configure.

AWS configuration fails when editing a VA Pod.

Make sure that any manual process on the AWS console has completed successfully. Then retry this step. If the problem persists, contact Cisco TAC.

Note

 

To avoid such conflicts, do not make any manual changes to the VA pods. Instead, use Cisco Global Launchpad for all actions.

Deleting VA Pod has failed.

Make sure that any manual process on the AWS console has completed successfully. Then retry this step. If the problem persists, contact Cisco TAC.

Note

 

To avoid such conflicts, do not make any manual changes to the VA pods. Instead, use Cisco Global Launchpad for all actions.

The resource you are trying to delete has been modified recently. Please refresh the page to get the latest changes and try again.

If you receive this error while deleting a VA pod, contact Cisco TAC.

Network connectivity issues and possible solutions

This table lists network connectivity issues and their possible solutions.

Issue

Possible solution

While creating the VA pod, the IPsec tunnel or TGW connection is not established.

Verify that the tunnel is up on your on-premises firewall or router.

The tunnel from the VA pod to the TGW is green, and the tunnel from the TGW to the CGW is gray.

The diagram displays the two tunnels connecting the VA pod to the TGW to your on-premises firewall or router. The tunnel between the VA pod and TGW is green, meaning this tunnel is up. The tunnel between the TGW and your on-premises firewall or router is gray, meaning this tunnel isn't up.

Verify that these actions are successfully completed.

  • You forwarded the correct configuration file to your network administrator.

  • Your network administrator made the necessary changes to the configuration file.

  • Your network administrator finished applying this configuration to your enterprise firewall or router.

  • If you chose Existing TGW and Existing Attachments as your network connectivity preference, make sure that you correctly followed Manually configure routing on your existing gateway or direct-connect attachment.

Catalyst Center VA errors and possible solutions

This table lists errors that can occur while configuring or deleting a Catalyst Center VA and lists their possible solutions.

Error

Possible solution

Environment Setup failed.

  1. On Cisco Global Launchpad, return to the Create/Manage Cisco Catalyst Center(s) pane.

  2. Delete the Catalyst Center VA.

  3. Create a new Catalyst Center VA.

Delete Failed.

If the Catalyst Center VA deletion fails, contact Cisco TAC.

Concurrency errors and possible solutions

This table lists concurrency errors related to your VA pods or Catalyst Center VAs and their possible reasons and solutions.

Error

Possible reason and solution

Unable to delete a Pod or a Catalyst Center created by another user.

You cannot delete a component, such as a VA pod or Catalyst Center VA, if

  • another user created it, and

  • a different action is in progress on the component.

After the action completes, you or another user can delete the component.

For example, you cannot delete a VA pod or Catalyst Center VA while it is in any of these processes or states:

  • Another user is currently creating the Catalyst Center VA.

  • Another user is currently deleting the Catalyst Center VA.

  • The Catalyst Center VA is currently in a failed state after a deletion attempt.

The status of a Pod has been changed recently.

If you tried to delete a VA pod, the original user account that created it may have performed a concurrent action. This concurrency issue changes the status of the selected VA pod.

To view the updated status of the VA pod, click Refresh.

TGW attachment errors and possible solutions

This table lists TGW attachment errors and their possible reasons and solutions.

Error

Possible reason and solution

The transit gateway attachment for this VA pod is in "modifying" state. Check the attachment on your AWS console to resolve this issue.

If you receive this error while creating a VA pod, it means that the TGW attachment was modified on the AWS portal.

The TGW attachment for the VA pod is in the Modifying state.

Wait for the state to change from Modifying to Complete. When the state is Complete, you can continue creating the VA pod.

The transit gateway attachment for this VA pod is not found.

This error means that the TGW attachment was manually deleted. To resolve this, delete this VA pod and create a new one with the TGW attachment.

Other deployment issues and possible solutions

This table lists other Catalyst Center on AWS deployment issues and their possible reasons and solutions.

Issue

Possible reason and solution

Resources are green, but the Proceed button is disabled.

On some steps, you can proceed only after all the resources are successfully set up. To ensure the integrity of the deployment, the Proceed button remains disabled until the setup is complete and all the resources are configured and loaded.

Sometimes, the screen shows that the resources are successfully set up, but the Proceed button is still disabled. Wait a few more seconds for the remaining resources to load. After all the resources are configured and loaded, the Proceed button is enabled.

Failure when deploying multiple VA pods with the same CGW in a single region.

Make sure that:

  • The CGW IP address is the IP address of your enterprise firewall or router.

  • The CGW IP address is a valid public address.

  • The CGW IP address isn't being used for another VA pod within the same region. In each region, multiple VA pods cannot have the same CGW IP address. To use the same CGW IP address for more than one VA pod, deploy each VA pod in a different region.

Unable to SSH or ping the Catalyst Center VA.

If the tunnel is up and the application is complete (green), but you cannot ping or connect through SSH to the Catalyst Center VA, verify the CGW configuration and try again.

This issue might occur if the on-premises CGW is configured incorrectly.

Session ended.

If your session times out while operations are in progress, such as triggering an RCA, the operations may abruptly end and display a Session ended notification.

If your session times out, click Ok, log back in, and restart the operations.