Purpose:

This document provides a structured, customer-facing troubleshooting guide to resolve connectivity issues between Versa Operating System (VOS) and Versa Management Server (VMS). Please follow the steps in the order listed below.

Step 1: Verify VMS Status on VOS

Check the VMS session status from the branch device:

show orgs org-services <Org-Name> vms status

Expected Result

• Status should display Connected

• If status shows Connected, VOS to VMS connectivity is up.

If status shows not connected, proceed to the next steps.

Step 2: Verify FQDN Resolution

Ensure the configured VMS FQDN resolves correctly from the appropriate routing instance:

ping <VMS-FQDN> routing-instance <Routing-Instance>

If resolution fails:

• Verify DNS configuration

• Confirm routing-instance reachability

• Check address manager resolution:

vsh connect vsmd
show vsf tenant all brief | grep <your tenant>
<collect tenant ID from above output>

vsh connect addrmgr
show address <Tenant ID>

Confirm:

• Correct IP address

• Resolved state

Step 3: Verify Network Reachability

3.1 ICMP Test

Get routing instance using following CLI on VOS:

Or from director GUI:

Ping using routing instance found using above CLI or GUI:

ping <VMS-FQDN> routing-instance <Routing-Instance>

If ICMP is blocked, test TCP connectivity.

3.2 TCP Port Test (Port 1376)

From the relevant namespace:

sudo ip netns exec <Routing-Instance> bash

Then run:

while true; do
  echo "$(date) - Checking port 1376..."
  nc -zv -w 3 <VMS-FQDN> 1376
  sleep 2
done

Expected Result

Connection to <VMS-FQDN> 1376 port [tcp/*] succeeded!

If unsuccessful, proceed to Controller validation.

Step 4: Validate Controller Path (If Traffic Traverses Controller)

If VMS connectivity is via Controller:

4.1 Check Session on Controller

• Verify session exists between branch device and VMS IP on port 1376.

• Use Monitor Dashboard or CLI 'show orgs org <org> sessions extensive | select destination-port 1376'

If session is not present:

• Traffic is not reaching Controller.

If session exists:

• Run tcpdump on egress interface toward VMS.

• Confirm packets are leaving Controller.

4.2 Firewall Validation

If packets reach Controller but are not forwarded:

• Check security policies.

• Update Allow-From-CPE-Ports policy.

• Add required VMS service (port 1376).

Step 5: Verify Packet Reception on VMS

On the VMS server:

• Run tcpdump on the appropriate interface.

• Confirm packets are received.

• Validate reverse routing path back to branch device.

Step 6: Validate Certificates (Common Root Cause)

If network reachability is confirmed but VOS–VMS session does not establish, verify certificates.

6.1 Check Server Certificate on VMS

On VMS:

openssl x509 -in /opt/versa/vms/certs/server-cert.pem -text -noout

Verify:

• Common Name (CN)

• Subject Alternative Name (SAN)

Example:

Subject: CN = inline-vms1.versa-test.net
X509v3 Subject Alternative Name:
DNS:inline-vms1.versa-test.net
DNS:inline-vms1-elastic.versa-test.net
DNS:inline-vms2.versa-test.net

Important

The IP or FQDN used for connection must match either CN or SAN.

6.2 Verify CA Installed on VOS

On VOS:

show orgs org-services <Org-Name> crypto pki ca-chains <CA-Name>
show orgs org-services <Org-Name> crypto pki ca-chains <CA-Name> | match "Issuer CN"
show orgs org-services <Org-Name> crypto pki ca-chains <CA-Name> | match "Subject Alternative Name"

Confirm:

• Issuer CN matches

• SAN values (if applicable)

Resolution

If CN or SAN does not match:

1. Regenerate the certificate with correct CN/SAN values.

2. Install updated certificate on VMS.

3. Install matching CA chain on VOS.

4. Restart services if required.

5. Re-validate connectivity.

Summary Checklist

✔ VMS status shows Connected
✔ FQDN resolves correctly
✔ Port 1376 reachable
✔ Controller not dropping traffic
✔ VMS receives and responds to packets
✔ CN/SAN matches connection FQDN
✔ Correct CA installed on VOS

Summary Checklist

Use this checklist to confirm all validation steps have been completed before closing the issue or escalating to Versa Support.