NSX-T 3.1.x Policy-based IPSEC VPN communication times out after failing over T1 from Active T0 Edge Node to Standby T0 Edge Node residing on different ESXi Host.

Article ID: 303359

Products

VMware NSX

Issue/Introduction

Symptoms:

When the VPN on a T1 runs on the same edge node as the active T0 (Active/Standby) edge, pings from the source VM to the remote destination succeed. As soon as the T1 is failed over to a different edge node residing on a different ESXi host, the pings time out. When the two edge nodes are on the same host, pings succeed.


Environment

VMware NSX-T Data Center

Cause

When the T1 VPN is moved to an edge node residing on a different ESXi host, the ESP packet must traverse the GENEVE tunnel to reach the T0 edge node and its ESXi host. Because the packet is GENEVE-encapsulated, the recalculation of the offloaded checksum in the ESP packet's IP header is skipped, and the packet is dropped.
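As an added illustration of this cause (constructed example code, not part of this KB article and not NSX code): an ESP/IPv4 header whose checksum is left at zero for NIC offload fails validation once it is decapsulated from a minimal GENEVE header, while the same header with its checksum completed in software before encapsulation passes. The GENEVE header with inner protocol type 0x0800 and no inner Ethernet frame, and the sample addresses and VNI, are simplifications assumed here.

```python
import struct

IPPROTO_ESP = 50
GENEVE_UDP_PORT = 6081  # well-known GENEVE port (RFC 8926), for reference only


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header.
    A header carrying a correct checksum sums to 0xFFFF, so this returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_esp_ipv4(src: bytes, dst: bytes, payload: bytes, fill_checksum: bool) -> bytes:
    """Outer IPv4 header for an ESP packet. fill_checksum=False mimics a stack that
    leaves the field at 0 for NIC offload; True computes it in software."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, IPPROTO_ESP, 0, src, dst)
    if fill_checksum:
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def geneve_encap(inner: bytes, vni: int) -> bytes:
    """Minimal 8-byte GENEVE header (RFC 8926): no options, inner protocol 0x0800.
    Simplification: real NSX carries an inner Ethernet frame (0x6558)."""
    return struct.pack("!BBH3sB", 0, 0, 0x0800, vni.to_bytes(3, "big"), 0) + inner


def geneve_decap_and_verify(frame: bytes) -> bool:
    """Receiver after GENEVE decapsulation: validate the inner IPv4 header checksum.
    A header still holding the 0 offload placeholder is rejected (dropped)."""
    inner = frame[8:]
    ihl = (inner[0] & 0x0F) * 4
    return ipv4_checksum(inner[:ihl]) == 0


def demo() -> tuple:
    """Constructed ESP payload and addresses; returns (offloaded_ok, software_ok)."""
    esp = b"\x00\x00\x00\x01" + b"\x00" * 12          # ESP SPI=1 + dummy body
    src, dst, vni = b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x01", 5001
    offloaded = geneve_encap(build_esp_ipv4(src, dst, esp, False), vni)
    fixed = geneve_encap(build_esp_ipv4(src, dst, esp, True), vni)
    return geneve_decap_and_verify(offloaded), geneve_decap_and_verify(fixed)


if __name__ == "__main__":
    print(demo())  # (False, True): offloaded header dropped, software-filled header accepted
```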


Resolution

This issue is resolved in NSX-T 3.1.3.7 and later.


Workaround:
  • Rebuild the T0 as Active/Active
  • Pin the T1 to the active T0 edge node
  • Disconnect the T1 from the T0 and reconnect it (may not be a valid workaround; it worked for the customer in SR#22323089304)


Additional Information

Impact/Risks:

VPN communication times out.