CSS tunnels down due to L7 health check failure in SD-WAN Edge

search cancel

CSS tunnels down due to L7 health check failure in SD-WAN Edge

book

Article ID: 320678

calendar_today

Updated On:

Products

VMware VMware SD-WAN by VeloCloud

Issue/Introduction

Symptoms:

For users who have configured a loopback interface as the source interface for a Layer 7 (L7) Health Check on a VMware SD-WAN Edge, if a user changes any parameter of the loopback interface the L7 probes may fail and the IPsec tunnels associated with that L7 Health Check would report as down.
Customer will see the event "CSS_DOWN" in the VCO Events page for some or all CSS tunnels configured

Environment

VMware SD-WAN by VeloCloud
VMware SD-WAN

Cause

This problem is caused by Issue 106700
When the loopback interface configuration is changed in any way the original Loopback interface is deleted and recreated, but the L7 Health Check continues to try using the deleted interface designated as “None” with IP address 0.0.0.0 because we can’t find the interface to report the name and IP.
This makes the probes fail which results in the IPsec tunnel being marked as down.

Resolution

This issue (106700) is resolved in the versions below and later:

4.5.2 (R452-20230628-GA)
5.0.1.3 (R5013-20230322-GA)
5.2.0.0 (R5200-20230530-GA)

For information on how to upgrade please check the following article: https://kb.vmware.com/s/article/67152

Workaround:

There are two possible options:

Disable L7 health checks in the CSS configuration. Go to Configure > Network Services > Non SD-WAN Destinations via Edge > Select the CSS > Disable L7 Health Check:

Doing a service restart from Edge > Shortcuts > Remote Actions > Service Restart

Additional Information

To be alerted when this article is updated, click Subscribe to Article in the Actions box

Impact/Risks:
Disabling L7 health check in the CSS configuration has no impact. However, if performing a Service restart from Remote Actions, a brief service impact is expected

Feedback

thumb_up Yes

thumb_down No