SSLVPN client disconnects when NSX Edge is configured using bulk config API

Article ID: 327384


Products

VMware NSX Networking

Issue/Introduction

Symptoms:
In NSX for vSphere 6.3.x and 6.4.x environments where the NSX Edge is configured using the bulk config API, you see this symptom:

SSLVPN client disconnects.

Environment

VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.3.x

Cause

This issue occurs because, when an NSX Edge is configured using the bulk config API, the NSX Manager generates new IDs for the existing SSLVPN objects such as IP pools, private networks, users and client installation packages.
On the NSX Edge, objects with new IDs are treated as new objects. The config engine therefore adds the new IP pool configuration and then deletes the old IP pools. The delete operation removes the IP address assigned to the tap device on the NSX Edge, which disconnects the SSLVPN clients. All connected clients route traffic for the private networks through the tap device. Hence the SSLVPN clients will never be able to connect to the SSLVPN server.

Resolution

This issue is resolved in VMware NSX for vSphere 6.3.6 and 6.4.1, available at VMware Downloads.

Workaround:
To work around this issue if you do not want to upgrade:
  1. Disable the SSLVPN service.
  2. Re-enable the SSLVPN service.
Note: This assigns an IP address to the tap device. All SSLVPN clients should now be able to connect to the SSLVPN server.
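
The add-then-delete sequence described under Cause, and the effect of the workaround, shown as a simplified model. This is an added example, not VMware or NSX Edge code; the function names, pool IDs and addresses are hypothetical, and it assumes the tap device holds one gateway address per IP pool.

```python
# Simplified model (assumption), not NSX Edge code: the tap device holds one
# gateway address per IP pool, and the config engine reconciles pools by ID.

def reconcile(tap_ips, current, desired):
    """Apply `desired` pools over `current`: adds first, then deletes.

    Pools are dicts of id -> gateway IP. `tap_ips` is the set of addresses
    on the tap device and is modified in place. Returns the operations run.
    """
    ops = []
    for pool_id, gw in desired.items():
        if pool_id not in current:
            tap_ips.add(gw)        # no effect if the address is already present
            ops.append(("add", pool_id, gw))
    for pool_id, gw in current.items():
        if pool_id not in desired:
            tap_ips.discard(gw)    # removed even though a "new" pool uses it
            ops.append(("delete", pool_id, gw))
    return ops

def bulk_config_push(current, regenerate_ids):
    """Return the pool set after a bulk push of unchanged pool content."""
    if not regenerate_ids:
        return dict(current)
    # Same content, but every object receives a fresh ID.
    return {f"new-{i}": gw for i, gw in enumerate(current.values(), 1)}

def simulate(regenerate_ids):
    current = {"pool-1": "10.0.0.1"}   # constructed sample pool
    tap_ips = {"10.0.0.1"}
    desired = bulk_config_push(current, regenerate_ids)
    ops = reconcile(tap_ips, current, desired)
    return tap_ips, ops, desired

def restart_service(pools):
    """Model of the workaround: disabling clears the tap device,
    re-enabling assigns the address of every configured pool again."""
    tap_ips = set()
    tap_ips.update(pools.values())
    return tap_ips

if __name__ == "__main__":
    tap, ops, desired = simulate(regenerate_ids=True)
    print("operations:", ops)
    print("tap addresses after bulk push:", tap)
    print("tap addresses after disable/enable:", restart_service(desired))
```
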