[VMConAWS] VPN status is reported down in SDDC v1.20 and later versions
Article ID: 313626
Updated On:
Products
VMware Cloud on AWS
Issue/Introduction
This article describes how to remediate the condition and bring the VPN tunnel back up.
Symptoms:
Policy-based (PBVPN) or route-based (RBVPN) VPN status is reported down. Attempts to bring the VPN up fail, and the NSX UI (VPN -> IPSec Sessions) displays "IPSec negotiation not started" and "Configuration Failed" for the affected session.
On the active edge node, /var/log/syslog contains events similar to the following (the two lines below belong to the same session; the iked event reports the IKE session state, and the nsx-monitoring event raises the corresponding alarm):
syslog.56.gz:2023-09-21T12:26:32.290Z NSX-Edge-1-10-209-252-8 NSX 12550 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="iked-event" level="WARN" eventId="vmwNSXVpnIkeSessionStatus"] {"event_state":0,"event_external_reason":"IKE session status DOWN: Configuration failed","event_src_comp_id":"a31e3dd4-3307-11eb-a8fb-000c297bfb55","event_sources":{"id":"83dcd287-a414-4620-a52e-2ed1e7628824","local_ip":"0.0.0.0","peer_ip":"0.0.0.0"}}
syslog.56.gz:2023-09-21T12:26:51.989Z NSX-Edge-1-10-209-252-8 NSX 12550 - [nsx@6876 comp="nsx-edge" s2comp="nsx-monitoring" entId="83dcd287-a414-4620-a52e-2ed1e7628824" tid="12576" level="WARNING" eventState="On" eventFeatureName="vpn" eventSev="warning" eventType="ipsec_policy_based_session_down"] The policy based IPsec VPN session 83dcd287-a414-4620-a52e-2ed1e7628824 is down. Reason: Configuration failed: Failed to send message to main thread.
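The following is an added example and is not part of this article or of NSX. It parses the two syslog event shapes quoted above (the iked-event line, whose message body is JSON, and the nsx-monitoring line, whose session ID is carried in entId) and reports which IPsec session IDs show the "Configuration failed" signature, so the check can be run over a pulled syslog bundle rather than by eye. The first two sample lines are the article's own entries, including the archive-name prefix that zgrep prints; the third line, its "IKE session status UP" wording, event_state value 1 and session ID are constructed for contrast and are assumptions, not real NSX output.

```python
"""Flag NSX edge IPsec sessions stuck in 'Configuration failed' from syslog.

Added example, not part of the KB article or of NSX. The healthy 'UP' line in
SAMPLE_SYSLOG is constructed; its wording and event_state value are assumptions.
"""
import json
import re
import sys
from typing import Dict, List, Optional

# Sample input: lines 1-2 are the article's own syslog entries (with the
# 'syslog.56.gz:' prefix zgrep adds); line 3 is constructed, NOT real NSX output.
SAMPLE_SYSLOG = """\
syslog.56.gz:2023-09-21T12:26:32.290Z NSX-Edge-1-10-209-252-8 NSX 12550 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="iked-event" level="WARN" eventId="vmwNSXVpnIkeSessionStatus"] {"event_state":0,"event_external_reason":"IKE session status DOWN: Configuration failed","event_src_comp_id":"a31e3dd4-3307-11eb-a8fb-000c297bfb55","event_sources":{"id":"83dcd287-a414-4620-a52e-2ed1e7628824","local_ip":"0.0.0.0","peer_ip":"0.0.0.0"}}
syslog.56.gz:2023-09-21T12:26:51.989Z NSX-Edge-1-10-209-252-8 NSX 12550 - [nsx@6876 comp="nsx-edge" s2comp="nsx-monitoring" entId="83dcd287-a414-4620-a52e-2ed1e7628824" tid="12576" level="WARNING" eventState="On" eventFeatureName="vpn" eventSev="warning" eventType="ipsec_policy_based_session_down"] The policy based IPsec VPN session 83dcd287-a414-4620-a52e-2ed1e7628824 is down. Reason: Configuration failed: Failed to send message to main thread.
2023-09-21T12:30:00.000Z NSX-Edge-1-10-209-252-8 NSX 12550 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="iked-event" level="INFO" eventId="vmwNSXVpnIkeSessionStatus"] {"event_state":1,"event_external_reason":"IKE session status UP","event_src_comp_id":"a31e3dd4-3307-11eb-a8fb-000c297bfb55","event_sources":{"id":"11111111-2222-3333-4444-555555555555","local_ip":"0.0.0.0","peer_ip":"0.0.0.0"}}
"""

# zgrep prefixes each hit with the archive name; strip it so the timestamp
# is the first field.
ZGREP_PREFIX_RE = re.compile(r"^\S+?\.gz:")
# timestamp host NSX pid tag [nsx@6876 k="v" ...] message
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+NSX\s+(?P<pid>\d+)\s+(?P<tag>\S+)\s+"
    r"\[nsx@6876\s+(?P<sd>[^\]]*)\]\s*(?P<msg>.*)$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

FAILURE_MARKER = "configuration failed"


def parse_line(line: str) -> Optional[dict]:
    """Split one NSX syslog line into its structured-data fields plus message."""
    m = LINE_RE.match(ZGREP_PREFIX_RE.sub("", line.strip()))
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "msg": m.group("msg")}
    rec.update(dict(KV_RE.findall(m.group("sd"))))
    return rec


def find_config_failed_sessions(log_text: str) -> Dict[str, List[str]]:
    """Map session ID -> evidence lines for sessions showing the failure signature."""
    hits: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec.get("s2comp") == "iked-event":
            # The message body of an iked event is JSON.
            try:
                ev = json.loads(rec["msg"])
            except json.JSONDecodeError:
                continue
            reason = ev.get("event_external_reason", "")
            if ev.get("event_state") == 0 and FAILURE_MARKER in reason.lower():
                sid = ev.get("event_sources", {}).get("id", "unknown")
                hits.setdefault(sid, []).append(f"{rec['ts']} iked: {reason}")
        elif rec.get("s2comp") == "nsx-monitoring" and rec.get("eventFeatureName") == "vpn":
            # Alarm-style event; the session ID is carried in entId.
            if rec.get("eventState") == "On" and FAILURE_MARKER in rec["msg"].lower():
                sid = rec.get("entId", "unknown")
                hits.setdefault(sid, []).append(
                    f"{rec['ts']} {rec.get('eventType', '?')}: {rec['msg']}"
                )
    return hits


if __name__ == "__main__":
    # Pipe `zgrep -h '' /var/log/syslog*.gz` into this script, or run it bare
    # to process the embedded sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SYSLOG
    for sid, evidence in find_config_failed_sessions(text).items():
        print(f"session {sid}: {len(evidence)} matching event(s)")
        for line in evidence:
            print("   ", line)
```

On the sample, only session 83dcd287-a414-4620-a52e-2ed1e7628824 is reported, with both the iked event and the monitoring alarm as evidence; the constructed UP session is ignored. Matching on both event types is deliberate: a session that shows the iked "Configuration failed" state together with the "Failed to send message to main thread" alarm text matches the signature this article describes, whereas a plain peer-side mismatch would not produce the second message.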
Cause
This is caused by memory corruption in the iked (IKE daemon) process within NSX.
Resolution
The issue is expected to be fixed in a future SDDC patch release.
Workaround: A failover of the active edge node remediates the issue and brings the tunnel back up. Engage VMware Support to perform the failover.
Additional Information
Impact/Risks: Failure to establish VPN sessions to endpoints.