NSD tunnel down after upgrade to 5.1.0 if mismatched parameters

Article ID: 320680

Products

VMware SD-WAN by VeloCloud

Issue/Introduction

Symptoms:
The NSD tunnel is down after an SD-WAN Gateway (VCG) or Edge (VCE) is upgraded to 5.1.0 or greater. Customers and partners may experience service outages if the tunnel parameters are mismatched.

Environment

VMware SD-WAN by VeloCloud
VMware SD-WAN

Cause

When a VCG/VCE is upgraded to version 5.1.0 or greater, the product's crypto stack enhancements enforce stricter and more accurate validation of NSD parameter values such as DH groups, traffic selectors, and IKE authentication. If any of these values are incorrect, the resulting configuration mismatch can bring down the NSD tunnels once the stricter validation is enforced.

Resolution

Please audit the configuration of the NSD and of the peer end. Both ends must be configured correctly and must match each other. Mismatches can result in outages.
The configuration parameters that need to be checked are:
  • DH groups: must match exactly on both sides (NSD via Gateway, NSD via Edge, etc.).
  • Traffic selectors: the VCG/VCE must have a valid site subnet (NSD via Gateway, NSD via Edge, etc.).
  • IKE authentication: the peer must match the local ID, configured as an IP address or FQDN.


Starting with the 5.2.x VCG upgrade, security policies require traffic selectors to match exactly. The configuration parameters are:

  • For a route-based VPN, the traffic selector/policy must be 0.0.0.0/0 -> 0.0.0.0/0 or "ANY / ANY".
  • In contrast, for specific selectors the tunnel should be configured as a policy-based VPN. Any policies/selectors (subnets) configured on the peer end must also be included in the NSD configuration.
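The following script is an added example, not part of this article and not VMware tooling: it applies the audit rules above (exact DH group match, local/peer IDs as IP address or FQDN, valid site subnets, ANY/ANY selectors for route-based VPNs and peer selectors present in the NSD configuration for policy-based VPNs) to a simple model of both tunnel ends. The `TunnelSide` field names and the sample tunnel definitions are constructed for illustration and do not reflect the Orchestrator configuration schema.

```python
import ipaddress
import re
from dataclasses import dataclass, field


# Hypothetical model of one end of an NSD tunnel. The field names are
# assumptions made for this example, not the SD-WAN Orchestrator schema.
@dataclass
class TunnelSide:
    name: str
    dh_groups: frozenset          # IKE DH group numbers, e.g. frozenset({14})
    local_id: str                 # IKE identity this side presents (IP or FQDN)
    peer_id: str                  # IKE identity this side expects from the other end
    vpn_type: str                 # "route" or "policy"
    selectors: list = field(default_factory=list)  # (local_subnet, remote_subnet) pairs


_FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def valid_ike_id(ident: str) -> bool:
    """Local/peer IDs must be an IP address or an FQDN."""
    try:
        ipaddress.ip_address(ident)
        return True
    except ValueError:
        return bool(_FQDN.match(ident))


def normalize_subnet(subnet: str):
    """Return a canonical network object, or None if the value is not a valid subnet."""
    try:
        return ipaddress.ip_network(subnet, strict=True)  # strict: host bits must be zero
    except ValueError:
        return None


def is_any(subnet: str) -> bool:
    """True for 0.0.0.0/0 (or ::/0), i.e. the 'ANY' selector."""
    net = normalize_subnet(subnet)
    return net is not None and net.prefixlen == 0


def audit_tunnel(nsd: TunnelSide, peer: TunnelSide) -> list:
    """Return a list of human-readable mismatch findings; an empty list means the pair is consistent."""
    findings = []

    # 1. DH groups must match exactly on both ends.
    if nsd.dh_groups != peer.dh_groups:
        findings.append(f"DH groups differ: {nsd.name}={sorted(nsd.dh_groups)} "
                        f"{peer.name}={sorted(peer.dh_groups)}")

    # 2. IKE authentication: every ID must be an IP address or FQDN, and each side's
    #    expected peer ID must equal the identity the other side actually presents.
    for side in (nsd, peer):
        for label, ident in (("local ID", side.local_id), ("peer ID", side.peer_id)):
            if not valid_ike_id(ident):
                findings.append(f"{side.name}: {label} {ident!r} is neither an IP address nor an FQDN")
    if nsd.peer_id != peer.local_id:
        findings.append(f"{nsd.name} expects peer ID {nsd.peer_id!r} but {peer.name} presents {peer.local_id!r}")
    if peer.peer_id != nsd.local_id:
        findings.append(f"{peer.name} expects peer ID {peer.peer_id!r} but {nsd.name} presents {nsd.local_id!r}")

    # 3. Traffic selectors: every subnet must be valid and the selectors must follow the VPN type.
    for side in (nsd, peer):
        for local, remote in side.selectors:
            for sub in (local, remote):
                if normalize_subnet(sub) is None:
                    findings.append(f"{side.name}: {sub!r} is not a valid site subnet")
    if nsd.vpn_type != peer.vpn_type:
        findings.append(f"VPN type differs: {nsd.name}={nsd.vpn_type} {peer.name}={peer.vpn_type}")
    if nsd.vpn_type == "route":
        # Route-based: both ends must use 0.0.0.0/0 -> 0.0.0.0/0 (ANY / ANY).
        for side in (nsd, peer):
            if not side.selectors or not all(is_any(l) and is_any(r) for l, r in side.selectors):
                findings.append(f"{side.name}: route-based VPN requires 0.0.0.0/0 -> 0.0.0.0/0 selectors, "
                                f"got {side.selectors}")
    else:
        # Policy-based: every peer selector, seen from the NSD side (local/remote swapped),
        # must have an exactly matching entry in the NSD configuration.
        nsd_pairs = {(normalize_subnet(l), normalize_subnet(r)) for l, r in nsd.selectors}
        for l, r in peer.selectors:
            if (normalize_subnet(r), normalize_subnet(l)) not in nsd_pairs:
                findings.append(f"{peer.name} selector {l} -> {r} has no matching entry on {nsd.name}")
    return findings


# Constructed samples (not real deployments). The first pair has a DH group mismatch and a
# non-ANY selector on a route-based peer; the second pair is the corrected version.
MISMATCHED_NSD = TunnelSide("vcg-nsd", frozenset({14}), "203.0.113.10", "vpn.example.com", "route",
                            [("0.0.0.0/0", "0.0.0.0/0")])
MISMATCHED_PEER = TunnelSide("branch-fw", frozenset({5}), "vpn.example.com", "203.0.113.10", "route",
                             [("10.20.0.0/16", "0.0.0.0/0")])
CORRECTED_NSD = MISMATCHED_NSD
CORRECTED_PEER = TunnelSide("branch-fw", frozenset({14}), "vpn.example.com", "203.0.113.10", "route",
                            [("0.0.0.0/0", "0.0.0.0/0")])
# Policy-based pair: the peer carries one selector (10.30.0.0/16) the NSD configuration lacks.
POLICY_NSD = TunnelSide("vce-nsd", frozenset({14}), "198.51.100.7", "fw.example.net", "policy",
                        [("192.168.1.0/24", "10.20.0.0/16")])
POLICY_PEER = TunnelSide("dc-fw", frozenset({14}), "fw.example.net", "198.51.100.7", "policy",
                         [("10.20.0.0/16", "192.168.1.0/24"), ("10.30.0.0/16", "192.168.1.0/24")])

if __name__ == "__main__":
    for label, a, b in (("mismatched", MISMATCHED_NSD, MISMATCHED_PEER),
                        ("corrected", CORRECTED_NSD, CORRECTED_PEER),
                        ("policy-based", POLICY_NSD, POLICY_PEER)):
        print(f"[{label}]", audit_tunnel(a, b) or "no mismatches")
```

Run the audit against both ends before the upgrade window: each finding names the side and parameter to correct, so the flap described under Impact/Risks can be scheduled rather than discovered when stricter validation takes the tunnel down.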


Additional Information

Impact/Risks:
The NSD tunnel may flap while mismatched parameters are being corrected.