NSX 6.4.0 Edge IPsec VPN tunnel Peers are unstable where the remote peer is a Cisco ASA
Article ID: 306110
Products

VMware NSX

Issue/Introduction

Symptoms:
IPsec VPN tunnel peers keep going down intermittently on NSX 6.4.0 Edges where the remote peer is a Cisco ASA.

Messages like the following appear when IPsec logging on the NSX Edge is set to debug level (addresses masked with #):
#.#.#.#_#.#.#.#/32-#.#.#.#_#.#.#.#/32: Tunnel LastAlert: Received Delete for IPSec-S

This message is generated when the remote peer deletes the Security Association (SA); a VPN idle timeout on the peer is one event that produces it. On its own the message only shows that the peer tore the tunnel down. The defect described below is that the Edge then fails to bring the tunnel back up.
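To separate a tunnel that the ASA is tearing down on idle from one that merely dropped once, it helps to count peer-initiated deletes per tunnel over time. The script below is an added example, not part of the article or VMware's tooling: it parses the "Received Delete" alert quoted above out of Edge log lines and flags tunnels that received repeated deletes within a sliding window. The log lines are constructed; the syslog prefix (ISO timestamp, host, "ipsec:") is an assumption, and only the message text after it is taken from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tunnel identifier that prefixes the NSX Edge IPsec debug alert:
# <local_ip>_<local_subnet>-<peer_ip>_<peer_subnet>: Tunnel LastAlert: ...
DELETE_RE = re.compile(
    r"(?P<local_ip>\d{1,3}(?:\.\d{1,3}){3})_(?P<local_net>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
    r"-(?P<peer_ip>\d{1,3}(?:\.\d{1,3}){3})_(?P<peer_net>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
    r": Tunnel LastAlert: Received Delete for IPSec-S"
)

# Constructed sample lines (not real Edge output). The "<timestamp> <host> ipsec:"
# prefix is assumed; the alert text is the one quoted in the article.
SAMPLE_LOG = """\
2018-03-01T08:00:12 edge-1 ipsec: 192.0.2.10_10.1.0.0/24-198.51.100.5_10.2.0.0/24: Tunnel LastAlert: Received Delete for IPSec-S
2018-03-01T08:31:40 edge-1 ipsec: 192.0.2.10_10.1.0.0/24-198.51.100.5_10.2.0.0/24: Tunnel LastAlert: Received Delete for IPSec-S
2018-03-01T08:58:05 edge-1 ipsec: 192.0.2.10_10.1.0.0/24-198.51.100.5_10.2.0.0/24: Tunnel LastAlert: Received Delete for IPSec-S
2018-03-01T08:10:00 edge-1 ipsec: 192.0.2.10_10.1.0.0/24-203.0.113.7_10.3.0.0/24: Tunnel LastAlert: Received Delete for IPSec-S
"""


def parse_delete_events(lines):
    """Return [(timestamp, peer_ip, tunnel_id)] for each peer-initiated SA delete."""
    events = []
    for line in lines:
        m = DELETE_RE.search(line)
        if not m:
            continue  # any other log line is ignored
        ts = datetime.fromisoformat(line.split(" ", 1)[0])
        tunnel_id = f"{m['local_net']}-{m['peer_net']}"  # the encryption domain pair
        events.append((ts, m["peer_ip"], tunnel_id))
    return events


def flapping_tunnels(events, window=timedelta(hours=1), threshold=3):
    """Map tunnel_id -> (peer_ip, total deletes) for tunnels that received at
    least `threshold` deletes inside some `window`-long sliding interval."""
    by_tunnel = defaultdict(list)
    peer_of = {}
    for ts, peer_ip, tunnel_id in events:
        by_tunnel[tunnel_id].append(ts)
        peer_of[tunnel_id] = peer_ip
    flagged = {}
    for tunnel_id, stamps in by_tunnel.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged[tunnel_id] = (peer_of[tunnel_id], len(stamps))
                break
    return flagged


def analyse(log_text, **kwargs):
    return flapping_tunnels(parse_delete_events(log_text.splitlines()), **kwargs)


if __name__ == "__main__":
    for tunnel_id, (peer, n) in analyse(SAMPLE_LOG).items():
        print(f"{tunnel_id}: {n} peer-initiated deletes from {peer}; "
              "check 'show service ipsec sp' on the Edge for a missing policy")
```

On the sample, the 10.1.0.0/24 to 10.2.0.0/24 tunnel is flagged (three deletes from 198.51.100.5 within an hour, roughly the ASA idle-timeout cadence) while the single delete from 203.0.113.7 is not. A flagged tunnel that also fails to come back when traffic is sent from behind the Edge is the case to check against the SPD as described under Cause.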



Environment

VMware NSX for vSphere 6.4.x

Cause

If a configuration change is made to an existing VPN site (for example, editing the encryption domain of a particular tunnel), the policies for that site are removed from the Security Policy Database (SPD).
This defect was introduced in NSX 6.4.0 and can be observed from the Edge CLI with:

>show service ipsec sp

The expected security policy is missing from the output.

The symptom shows up on Edges that peer with a Cisco ASA: when the ASA's vpn-idle-timeout (default 30 minutes) expires, the ASA sends an IKE DELETE for the IKE SA to the Edge and the tunnel drops.

Because the IPsec policy has been wrongly removed from the SPD, the tunnel does not re-establish when traffic is initiated from behind the ESG.

Increasing vpn-idle-timeout on the ASA to its maximum value, 35791394 minutes, may improve overall tunnel stability, since the ASA then no longer tears down idle tunnels; it does not restore the missing SPD entry.
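As an added illustration (not from the article or from Cisco documentation), the ASA group-policy setting in question, shown with the default value beside the raised one. The group-policy and tunnel-group names and the peer address 203.0.113.10 are assumed placeholders:

```text
! Group policy applied to the site-to-site tunnel to the NSX Edge.
! Default: vpn-idle-timeout 30 (minutes). When the tunnel has carried no
! traffic for 30 minutes the ASA deletes the SAs and sends an IKE DELETE,
! which is the "Received Delete" alert seen on the Edge.
group-policy NSX-L2L-GP internal
group-policy NSX-L2L-GP attributes
 vpn-tunnel-protocol ikev1
 vpn-idle-timeout 30

! Raised to the maximum the ASA accepts, so the ASA no longer tears the
! tunnel down on idle ("vpn-idle-timeout none" disables the timer outright).
group-policy NSX-L2L-GP attributes
 vpn-idle-timeout 35791394

! Bind the policy to the tunnel group for the Edge's public address (assumed).
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy NSX-L2L-GP
```

Confirm the effective value with `show running-config group-policy NSX-L2L-GP` on the ASA. The change only removes the trigger; on a 6.4.0 Edge whose SPD entry has already been removed, the tunnel will still not come up until the IPsec service is restarted or the Edge is upgraded.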


Resolution

This is a known issue in NSX 6.4.0 and is resolved in NSX 6.4.1. It is documented in the NSX 6.4.1 release notes as follows:

  • Fixed Issue 2084281: VPN Tunnel doesn’t come up when traffic is initiated from behind the ESG after a VPN idle timeout expiring. VPN tunnel remains down due to faulty logic that was deleting the IPSEC spd entries.

Source: VMware NSX for vSphere 6.4.1 Release Notes

To resolve the issue, upgrade the environment, including the NSX Edges, from version 6.4.0 to version 6.4.1 or later.

Workaround:
The following workaround is worth testing; if it restores the tunnel, that also confirms a match with this known issue:

- Stop and then start the NSX Edge IPsec service, rather than disabling and re-enabling the affected site.
- This disconnects every VPN configured on the Edge, so perform it during a maintenance window.
- After the service restart the policy database is rebuilt and remains intact; confirm with "show service ipsec sp" on the Edge CLI.
- Subsequent DELETE messages from the ASA then only cause tunnels to go down and come back up; the SPD entries are no longer lost.
- Any later configuration change to the site removes the policies from the SPD again, and the IPsec service must be stopped and started once more.
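The service-level stop/start can also be driven through the NSX Manager REST API, which makes it easier to repeat after every site change than clicking through the Edge UI. The script below is an added example, not VMware's code: the REST path `/api/4.0/edges/{edgeId}/ipsec/config` and the top-level `<enabled>` element are taken from the NSX for vSphere API guide as the author recalls it and should be confirmed against the guide for your version; the sample configuration document is constructed. `cycle_ipsec_service` talks to a live NSX Manager and is not exercised offline; the XML helpers are what is checked.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Assumed NSX Manager REST path for an Edge's IPsec service configuration;
# confirm against the NSX for vSphere API guide for your version.
IPSEC_CONFIG_PATH = "/api/4.0/edges/{edge_id}/ipsec/config"

# Constructed sample of the configuration document (not captured from a real
# Edge): a service-level <enabled> flag plus one site peering with an ASA.
SAMPLE_CONFIG = """<ipsec>
  <enabled>true</enabled>
  <sites>
    <site>
      <name>asa-site-1</name>
      <enabled>true</enabled>
      <localIp>192.0.2.10</localIp>
      <peerIp>198.51.100.5</peerIp>
    </site>
  </sites>
</ipsec>"""


def set_ipsec_service_enabled(config_xml: str, enabled: bool) -> str:
    """Return the config with only the service-level <enabled> flag changed.
    Per-site <enabled> flags under <sites> are left untouched, which is what
    makes this a service stop/start rather than a per-site disable/enable."""
    root = ET.fromstring(config_xml)
    if root.tag != "ipsec":
        raise ValueError(f"unexpected root element <{root.tag}>")
    flag = root.find("enabled")  # direct child only; does not descend into <sites>
    if flag is None:
        flag = ET.SubElement(root, "enabled")
    flag.text = "true" if enabled else "false"
    return ET.tostring(root, encoding="unicode")


def service_enabled(config_xml: str) -> bool:
    flag = ET.fromstring(config_xml).find("enabled")
    return flag is not None and (flag.text or "").strip().lower() == "true"


def site_flags(config_xml: str):
    """[(site name, site enabled flag)] so a caller can verify sites were not modified."""
    root = ET.fromstring(config_xml)
    return [(s.findtext("name"), s.findtext("enabled")) for s in root.iterfind("sites/site")]


def _request(method, url, user, password, body=None):
    req = urllib.request.Request(url, data=body, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/xml")
    if body is not None:
        req.add_header("Content-Type", "application/xml")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def cycle_ipsec_service(manager, edge_id, user, password):
    """Stop, then start, the IPsec service on one Edge via NSX Manager.
    Every tunnel on the Edge drops during the cycle: run it in a maintenance window."""
    url = f"https://{manager}{IPSEC_CONFIG_PATH.format(edge_id=edge_id)}"
    current = _request("GET", url, user, password)
    # Stop: service-level disable, sites untouched.
    _request("PUT", url, user, password, set_ipsec_service_enabled(current, False).encode())
    # Start: re-enable with the same site list so the SPD is rebuilt from it.
    _request("PUT", url, user, password, set_ipsec_service_enabled(current, True).encode())
    after = _request("GET", url, user, password)
    if not service_enabled(after) or site_flags(after) != site_flags(current):
        raise RuntimeError("IPsec service did not come back with the original site list")
    return after
```

After the cycle, log in to the Edge CLI and check that the expected policies are listed by "show service ipsec sp" before declaring the workaround successful; the REST round trip only proves the service came back enabled, not that the SPD was repopulated.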