Policy-Based VPN Flaps but the tunnel does not go down
Article ID: 317200

Updated On:

Products

VMware NSX

Issue/Introduction

  • The VPN is a Policy based VPN
  • The remote VPN endpoint is Juniper
  • The VPN renegotiates the SA every 2 minutes
  • The VPN tunnel remains up
  • IKE is version 2
  • Every 2 minutes the SA is renegotiated; the tunnel is down for about 5 seconds each time.


less nsx-event.log.5 | grep -e "status DOWN:" -e "status UP" | awk '{print $2 " " $3 " " $16 " " $17}' | less
Up and down events occur every 2 minutes; the down state lasts about 5 seconds.
2024-01-25T07:49:31.412Z EDGE-Node-FQDN status DOWN:
2024-01-25T07:49:36.564Z EDGE-Node-FQDN status UP","event_src_comp_id":"802027e0-5ee4-4145-bc72-e2472d373cee","event_sources":{"id":"8b1ccdbe-58bc-44e3-ba7a-f00571ffab13","local_ip":"X.X.X.X","peer_ip":"Y.Y.Y.Y"}}
2024-01-25T07:51:31.407Z EDGE-Node-FQDN status DOWN:
2024-01-25T07:51:36.565Z EDGE-Node-FQDN status UP","event_src_comp_id":"802027e0-5ee4-4145-bc72-e2472d373cee","event_sources":{"id":"8b1ccdbe-58bc-44e3-ba7a-f00571ffab13","local_ip":"X.X.X.X","peer_ip":"Y.Y.Y.Y"}}
2024-01-25T07:53:31.403Z EDGE-Node-FQDN status DOWN:
2024-01-25T07:53:36.710Z EDGE-Node-FQDN status UP","event_src_comp_id":"802027e0-5ee4-4145-bc72-e2472d373cee","event_sources":{"id":"8b1ccdbe-58bc-44e3-ba7a-f00571ffab13","local_ip":"X.X.X.X","peer_ip":"Y.Y.Y.Y"}}
2024-01-25T07:55:31.407Z EDGE-Node-FQDN status DOWN:
2024-01-25T07:55:36.675Z EDGE-Node-FQDN status UP","event_src_comp_id":"802027e0-5ee4-4145-bc72-e2472d373cee","event_sources":{"id":"8b1ccdbe-58bc-44e3-ba7a-f00571ffab13","local_ip":"X.X.X.X","peer_ip":"Y.Y.Y.Y"}}
2024-01-25T07:57:31.403Z EDGE-Node-FQDN status DOWN:
2024-01-25T07:57:36.566Z EDGE-Node-FQDN status UP","event_src_comp_id":"802027e0-5ee4-4145-bc72-e2472d373cee","event_sources":{"id":"8b1ccdbe-58bc-44e3-ba7a-f00571ffab13","local_ip":"X.X.X.X","peer_ip":"Y.Y.Y.Y"}}
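Added example (not part of the KB article or of any NSX tooling): a small Python script that turns grep output like the above into per-outage durations and the interval between outages, so the "short drop every ~2 minutes" signature can be told apart from a tunnel that is genuinely down. The sample log lines are constructed to mirror the article's output.

```python
import re
from datetime import datetime
from statistics import mean
# Timestamp, edge node name and DOWN/UP status of an nsx-event.log line as
# printed by the grep/awk pipeline; the JSON tail after "status UP" is ignored.
EVENT_RE = re.compile(r'^(\S+Z) (\S+) status (DOWN|UP)\b')

# Constructed sample modelled on the article's output (host and IPs anonymised).
SAMPLE_LOG = """\
2024-01-25T07:49:31.412Z EDGE-Node-FQDN status DOWN:
2024-01-25T07:49:36.564Z EDGE-Node-FQDN status UP","event_sources":{"local_ip":"X.X.X.X","peer_ip":"Y.Y.Y.Y"}}
2024-01-25T07:51:31.407Z EDGE-Node-FQDN status DOWN:
2024-01-25T07:51:36.565Z EDGE-Node-FQDN status UP","event_sources":{"local_ip":"X.X.X.X","peer_ip":"Y.Y.Y.Y"}}
2024-01-25T07:53:31.403Z EDGE-Node-FQDN status DOWN:
2024-01-25T07:53:36.710Z EDGE-Node-FQDN status UP","event_sources":{"local_ip":"X.X.X.X","peer_ip":"Y.Y.Y.Y"}}
2024-01-25T07:55:31.407Z EDGE-Node-FQDN status DOWN:
2024-01-25T07:55:36.675Z EDGE-Node-FQDN status UP","event_sources":{"local_ip":"X.X.X.X","peer_ip":"Y.Y.Y.Y"}}
"""

def parse_events(text):
    """Return [(timestamp, 'DOWN'|'UP')] for every matching line, in file order."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            events.append((ts, m.group(3)))
    return events

def outages(events):
    """Pair each DOWN with the next UP -> [(down_time, seconds_down)].
    A trailing DOWN with no UP is a real outage, not a flap, and stays unpaired."""
    result, down_at = [], None
    for ts, status in events:
        if status == "DOWN" and down_at is None:
            down_at = ts
        elif status == "UP" and down_at is not None:
            result.append((down_at, (ts - down_at).total_seconds()))
            down_at = None
    return result

def flap_summary(outs, jitter=5.0, max_down=10.0):
    """Flag the article's signature: short outages recurring at a near-constant
    interval (~5 s down every ~120 s), i.e. IKE SA renegotiation, not a dead tunnel."""
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(outs, outs[1:])]
    period = mean(gaps) if gaps else 0.0
    periodic = (len(outs) >= 3 and all(abs(g - period) <= jitter for g in gaps)
                and all(d <= max_down for _, d in outs))
    return {"outages": len(outs), "interval_s": round(period, 1),
            "mean_down_s": round(mean(d for _, d in outs), 1) if outs else 0.0,
            "periodic_short_flaps": periodic}
```

Run it against the real file with `flap_summary(outages(parse_events(open("nsx-event.log.5").read())))`; a result of a few seconds down at a steady interval points at SA lifetime handling rather than peer reachability.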

  • The logs also show that the renegotiation is triggered by "IKE SA timer expired."

NSXT_EdgeNode_/var/log/syslog.*
2024-01-24T15:21:16.491Z EDGE-Node-FQDN NSX 4060 SYSTEM [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="jsonrpc" level="DBG"] unix: send reply, result="[{\"History\":[{\"time\":\"23-Jan-2024 22:38:31\",\"status\":\"IKE_STATUS_NEGO\",\"reason\":\"\"},{\"time\":\"23-Jan-2024 22:38:25\",\"status\":\"IKE_STATUS_DOWN\",\"reason\":\"IKE SA timer expired\"},
{\"time\":\"17-Jan-2024 22:11:15\",\"status\":\"IKE_STATUS_UP\",\"reason\":\"\"},
{\"time\":\"17-Jan-2024 22:11:15\",\"status\":\"IKE_STATUS_NEGO\",\"reason\":\"\"},
{\"time\":\"17-Jan-2024 22:11:15\",\"status\":\"IKE_STATUS_DOWN\",\"reason\":\"Peer not responding\"},
{\"time\":\"17-Jan-2024 22:05:54\",\"status\":\"IKE_STATUS_UP\",\"reason\":\"\"},
{\"time\":\"17-Jan-2024 22:05:54\",\"status\":\"IKE_STATUS_NEGO\",\"reason\":\"\"},
{\"time\":\"17-Jan-2024 22:05:53\",\"status\":\"IKE_STATUS_DOWN\",\"reason\":\"IKE SA timer expired\"},
 
NSXT_EdgeNode_/var/log/li-syslog.1
<183>1 2024-01-25T19:05:32.862Z EDGE-Node-FQDN NSX 4060 SYSTEM [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="jsonrpc" level="DBG"] unix: send reply, result="[{\"History\":[{\"time\":\"23-Jan-2024 22:38:31\",\"status\":\"IKE_STATUS_NEGO\",\"reason\":\"\"},{\"time\":\"23-Jan-2024 22:38:25\",\"status\":\"IKE_STATUS_DOWN\",\"reason\":\"IKE SA timer expired\"},{\"time\":\"17-Jan-2024 22:11:15\",\"status\":\"IKE_STATUS_UP\",\"reason\":\"\"},{\"time\":\"17-Jan-2024 22:11:15\",\"status\":\"IKE_STATUS_NEGO\",\"reason\":\"\"},{\"time\":\"17-Jan-2024 22:11:15\",\"status\":\"IKE_STATUS_DOWN\",\"reason\":\"Peer not responding\"},{\"time\":\"17-Jan-2024 22:05:54\",\"status\":\"IKE_STATUS_UP\",\"reason\":\"\"},{\"time\":\"17-Jan-2024 22:05:54\",\"status\":\"IKE_STATUS_NEGO\",\"reason\":\"\"},{\"time\":\"17-Jan-2024 22:05:53\",\"status\":\"IKE_STATUS_DOWN\",\"reason\":\"IKE SA timer expired\"},{\"time\":\"17-Jan-2024 18:29:54\",\"status\":\"IKE_STATUS_UP\",\"reason\":\"\"},{\"time\":\"17-Jan-2024 18:29:54\",\"status\":\"IKE_STATUS_NEGO\",\"reason\":\"\"}],\"Enabled\":true,\"id\":\"8b1ccdbe-58bc-44e3-ba7a-f00571ffab13\",\"HA_Status\":\"Active\",\"Session_Refcount\":1,\"Compliance_Suite\":\"NONE\",\"Session_Down_Reason\":\"\",\"Type\":\"POLICY_BASED_SESSION\",\"Peer_Endpoint_Profile\":{\"Peer_ID\":\"192.168.1.45\",\"DPD_Profile\":{\"Enabled\":true,\"DPD_Probe_Mode\":\"Periodic\",\"id\":\"cb3549f5-c866-45db-b997-47ffd9b2d541\",\"Retry_Count\":10,\"DPD_Probe_Interval\":60},\"id\":\"c2b9ca04-69d7-43e0-bd26-9850cff1256e\",\"Peer_Address\":\"192.168.1.45\",\"Auth_Mode\":\"AUTH_MODE_PSK\",\"IKE_Profile\":{\"Encryption Algorithm\":[\"CRYPT_AES_128_CBC\"],\"IKE_Version\":\"IKE_V2\",\"id\":\"8cd0d7e1-fc7c-458f-9c6e-3bd8e4f82f5e\",\"HMAC_Algorithm\":[\"MAC_HMAC_SHA256\"],\"DH_Group\":[\"DH_GROUP_14\"],\"SA_Expiry_Time\":86400},\"IKE_Role\":\"IKE_ROLE_INITIATOR\",\"Peer_Type\":\"IPSEC_IP_ADDR_TYPE\",\"IPSec_Tunnel_Profile\":{\"Encryption 
Algorithm\":[\"CRYPT_AES_256_CBC\"],\"DF_Policy\":\"DF_COPY\",\"id\":
 

  • The VPN session history shows "IKE SA timer expired" as the reason for the down status.

NSXT_EdgeNode_/edge/vpn-session
[
    {
        "History":[
            {
                "time": "23-Jan-2024 22:38:31",
                "status": "IKE_STATUS_NEGO",
                "reason": ""
            },
            {
                "time": "23-Jan-2024 22:38:25",
                "status": "IKE_STATUS_DOWN",
                "reason": "IKE SA timer expired"
            },
            {
                "time": "17-Jan-2024 22:11:15",
                "status": "IKE_STATUS_UP",
                "reason": ""
            },
            {
                "time": "17-Jan-2024 22:11:15",
                "status": "IKE_STATUS_NEGO",
                "reason": ""
            },
            {
                "time": "17-Jan-2024 22:11:15",
                "status": "IKE_STATUS_DOWN",
                "reason": "Peer not responding"
            },
            {
                "time": "17-Jan-2024 22:05:54",
                "status": "IKE_STATUS_UP",
                "reason": ""
            },
            {
                "time": "17-Jan-2024 22:05:54",
                "status": "IKE_STATUS_NEGO",
                "reason": ""
            },
            {
                "time": "17-Jan-2024 22:05:53",
                "status": "IKE_STATUS_DOWN",
                "reason": "IKE SA timer expired"
            },
            {
                "time": "17-Jan-2024 18:29:54",
                "status": "IKE_STATUS_UP",
                "reason": ""
            },
            {
                "time": "17-Jan-2024 18:29:54",
                "status": "IKE_STATUS_NEGO",
                "reason": ""
            }
        ],
        "Enabled": true,
        "id": "8b1ccdbe-58bc-44e3-ba7a-f00571ffab13",
        "HA_Status": "Active",
        "Session_Refcount": 1,
        "Compliance_Suite": "NONE",
        "Session_Down_Reason": "",
        "Type": "POLICY_BASED_SESSION",
        "Peer_Endpoint_Profile": {
            "Peer_ID": "192.168.1.45", <===Juniper Endpoint
            "DPD_Profile": {
                "Enabled": true,
                "DPD_Probe_Mode": "Periodic",
                "id": "cb3549f5-c866-45db-b997-47ffd9b2d541",
                "Retry_Count": 10,
                "DPD_Probe_Interval": 60

Environment

VMware NSX 4.x
VMware NSX-T Data Center 3.x

Cause

According to Juniper documentation, policy-based VPNs with IKEv2 are not supported.

It is recommended that you use route-based VPN when you want to configure a VPN between multiple remote sites. Route-based VPNs can provide the same capabilities as policy-based VPNs.

IPsec VPN User Guide
Limitations:

  • Policy-based IPSec VPNs are not supported with IKEv2.

Policy-Based IPsec VPNs

Resolution

Switching to IKEv1 will resolve the issue.