Symptoms:
IPsec VPN tunnel peers keep going down intermittently on NSX 6.4.0 Edges where the remote peer is a Cisco ASA.
Messages like the following appear when IPsec logging is set to debug level on the NSX Edge:
#.#.#.#_#.#.#.#/32-#.#.#.#_#.#.#.#/32: Tunnel LastAlert: Received Delete for IPSec-S
This message is generated when the remote peer deletes the Security Association; a VPN tunnel idle timeout, for example, would produce it.
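Because an occasional "Received Delete" alert is normal (an idle timeout), it helps to count these alerts per tunnel over time before concluding that an Edge is hitting this issue. The following Python script is an added example, not part of the KB or VMware's tooling: it parses the tunnel identifier from debug-log lines in the format shown above, counts SA deletes per tunnel, and flags tunnels with several deletes inside a short window. The sample log lines are constructed, the leading ISO-8601 timestamp and host fields are an assumed layout, and the message tail "IPSec-SA" is assumed; the matcher only relies on the prefix "Received Delete for IPSec".

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Tunnel identifier as it appears in the NSX Edge IPsec debug log:
#   <local_peer>_<local_subnet>/<len>-<remote_peer>_<remote_subnet>/<len>: Tunnel LastAlert: Received Delete for IPSec...
# Only the prefix of the alert text is matched so the exact tail of the message does not matter.
TUNNEL_RE = re.compile(
    r"(?P<tunnel>\d{1,3}(?:\.\d{1,3}){3}_\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}"
    r"-\d{1,3}(?:\.\d{1,3}){3}_\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
    r": Tunnel LastAlert: Received Delete for IPSec"
)

# Assumed (constructed) line layout: ISO-8601 timestamp first, then host, then the message.
TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s")


def parse_delete_events(lines):
    """Return (timestamp, tunnel) pairs for every 'Received Delete' alert, sorted by time."""
    events = []
    for line in lines:
        m_tunnel = TUNNEL_RE.search(line)
        if not m_tunnel:
            continue
        m_ts = TS_RE.match(line)
        if not m_ts:
            continue  # the assumed layout requires a timestamp; skip lines without one
        ts = datetime.strptime(m_ts.group("ts"), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m_tunnel.group("tunnel")))
    events.sort()
    return events


def count_deletes_per_tunnel(lines):
    """How many times each tunnel had its SA deleted by the remote peer."""
    return Counter(tunnel for _, tunnel in parse_delete_events(lines))


def flapping_tunnels(lines, window_minutes=30, threshold=3):
    """Tunnels with at least `threshold` SA deletes inside any span of `window_minutes`.

    A single delete after hours of silence looks like an idle timeout; repeated deletes
    close together are the intermittent drops described in the KB.
    """
    window = timedelta(minutes=window_minutes)
    by_tunnel = {}
    for ts, tunnel in parse_delete_events(lines):
        by_tunnel.setdefault(tunnel, []).append(ts)
    flapping = set()
    for tunnel, stamps in by_tunnel.items():
        j = 0  # right edge of the sliding window; only ever moves forward
        for i, start in enumerate(stamps):
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            if j - i >= threshold:  # stamps[i:j] all fall within the window
                flapping.add(tunnel)
                break
    return flapping


# Constructed sample lines (not from a real Edge), using the layout assumed above.
SAMPLE_LOG = """\
2018-05-01T09:30:00 edge-1 ipsec: 10.0.0.1_192.168.2.0/24-198.51.100.9_10.60.0.0/16: Tunnel LastAlert: Received Delete for IPSec-SA
2018-05-01T10:00:00 edge-1 ipsec: 10.0.0.1_192.168.1.0/24-203.0.113.5_172.16.0.0/16: Tunnel LastAlert: Received Delete for IPSec-SA
2018-05-01T10:07:12 edge-1 ipsec: 10.0.0.1_192.168.1.0/24-203.0.113.5_172.16.0.0/16: Tunnel LastAlert: Received Delete for IPSec-SA
2018-05-01T10:15:40 edge-1 ipsec: 10.0.0.1_192.168.1.0/24-203.0.113.5_172.16.0.0/16: Tunnel LastAlert: Received Delete for IPSec-SA
2018-05-01T10:20:00 edge-1 ipsec: 10.0.0.1_192.168.1.0/24-198.51.100.9_10.50.0.0/16: Tunnel LastAlert: Received Delete for IPSec-SA
2018-05-01T11:00:00 edge-1 ipsec: unrelated debug line that must be ignored
2018-05-01T13:30:00 edge-1 ipsec: 10.0.0.1_192.168.2.0/24-198.51.100.9_10.60.0.0/16: Tunnel LastAlert: Received Delete for IPSec-SA
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for tunnel, n in count_deletes_per_tunnel(lines).items():
        print(f"{tunnel}: {n} SA delete(s)")
    print("flapping:", sorted(flapping_tunnels(lines)))
```

With the default window of 30 minutes and a threshold of three, only the tunnel to 203.0.113.5 is flagged; the tunnel to 198.51.100.9 with two deletes four hours apart is consistent with idle timeouts. Tune the window and threshold to the lifetimes configured on the ASA side so that ordinary rekeys are not mistaken for the problem.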
This is a known issue in NSX 6.4.0 and is resolved in NSX 6.4.1. This issue is documented in the NSX 6.4.1 release notes as follows:
Source: VMware NSX for vSphere 6.4.1 Release Notes
To resolve the issue, upgrade the environment, including NSX Edges, from version 6.4.0 to version 6.4.1.
Workaround:
The following workaround is worth testing to verify that the problem matches this known issue:
- Stop/Start the NSX Edge IPsec service instead of disabling/enabling a particular site.
- This disconnects all VPNs configured on the Edge, so you may want to perform it during a maintenance window.
- The policy database remains intact after a disable/enable of the IPsec service.
- After the IPsec service has been stopped and started, it is no longer affected by subsequent tunnels going up or down because of deletes sent by the ASA.
- If the customer later makes a configuration change to the site, the policies will be removed from the SPD and a Stop/Start of the IPsec service will be required again.