Impact of Edge failover on IPSec VPN tunnels over NAT-T in NSX-T 2.5.1 and earlier versions
Article ID: 327393
Products
VMware NSX
Issue/Introduction
Symptoms: After an Edge failover, when the peer gateway is behind a NAT, you may see this symptom:
The IPSec VPN tunnel may go down.
Environment
VMware NSX-T Data Center
VMware NSX-T
VMware NSX-T Data Center 2.x
VMware NSX-T Data Center 2.5.x
Cause
This behavior may be observed in topologies where the peer VPN gateway is behind a NAT (SNAT). In such cases, after an Edge failover, when the Edge initiates the IKE connection, the NAT device may drop the incoming IKE packets on port 500 because they do not match an existing NAT mapping. The NAT mapping is only created when the peer VPN gateway, which is behind the NAT, initiates the connection. As a consequence, the tunnel may stay down until the connection is initiated from the peer VPN gateway. For such topologies, it is therefore highly recommended to configure the peer VPN gateway to initiate the SA negotiations.
Resolution
This is a limitation of the customer topology rather than of the Edge.
Workaround: To work around this issue, initiate the tunnel from the peer VPN Gateway.
For the tunnel to be set up, the peer VPN Gateway must initiate a new SA negotiation.
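The following is an added example, not part of this article and not VMware code. It models the mechanism described in the Cause and Resolution sections with a small stateful source-NAT simulation: a mapping is created only by traffic leaving the peer gateway's private side, the original tunnel keeps only its NAT-T (UDP 4500) mapping fresh, and the Edge's post-failover IKE packet to port 500 is dropped because no matching mapping exists, whereas the same exchange succeeds once the peer initiates. The IP addresses, the idle timeout, and the assumption that NAT-T moved the tunnel traffic to UDP 4500 with keepalives refreshing only that mapping are constructed for the model.

```python
"""Constructed model of a stateful SNAT device in front of the peer VPN gateway.

Added example, not VMware code. Addresses, timeouts and the NAT-T port
behaviour below are assumptions of the model, not values from the article.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IKE_PORT = 500          # IKE port referenced in the article
NAT_T_PORT = 4500       # UDP port used once NAT-T is negotiated (model assumption)
UDP_IDLE_TIMEOUT = 30   # seconds before an idle UDP mapping is removed (constructed)

EDGE_IP = "198.51.100.1"        # NSX-T Edge VPN endpoint (constructed, TEST-NET-2)
NAT_PUBLIC_IP = "203.0.113.1"   # public address of the NAT in front of the peer (constructed)
PEER_PRIVATE_IP = "10.0.0.2"    # peer VPN gateway's private address (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class SourceNat:
    """Outbound packets create a mapping; inbound packets are forwarded only
    when they match one. Port-preserving translation keeps the model simple."""
    public_ip: str
    private_ip: str
    clock: int = 0
    # (public_port, remote_ip, remote_port) -> (private_port, last_seen)
    mappings: Dict[Tuple[int, str, int], Tuple[int, int]] = field(default_factory=dict)
    dropped: List[Packet] = field(default_factory=list)

    def tick(self, seconds: int) -> None:
        """Advance the clock and expire mappings idle longer than the timeout."""
        self.clock += seconds
        stale = [k for k, (_, seen) in self.mappings.items()
                 if self.clock - seen > UDP_IDLE_TIMEOUT]
        for k in stale:
            del self.mappings[k]

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public: translate the source and record/refresh the mapping."""
        key = (pkt.src_port, pkt.dst_ip, pkt.dst_port)
        self.mappings[key] = (pkt.src_port, self.clock)
        return Packet(self.public_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: forward only if a matching mapping exists, else drop."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        entry = self.mappings.get(key)
        if entry is None:
            self.dropped.append(pkt)
            return None
        private_port, _ = entry
        self.mappings[key] = (private_port, self.clock)
        return Packet(pkt.src_ip, pkt.src_port, self.private_ip, private_port)


def edge_initiates(nat: SourceNat) -> bool:
    """Edge sends IKE to the peer's public address on port 500; True if it gets through."""
    return nat.inbound(Packet(EDGE_IP, IKE_PORT, nat.public_ip, IKE_PORT)) is not None


def peer_initiates(nat: SourceNat) -> bool:
    """Peer sends IKE outbound (creating the mapping); True if the Edge's reply gets through."""
    out = nat.outbound(Packet(PEER_PRIVATE_IP, IKE_PORT, EDGE_IP, IKE_PORT))
    reply = Packet(EDGE_IP, IKE_PORT, out.src_ip, out.src_port)
    return nat.inbound(reply) is not None


def simulate() -> dict:
    nat = SourceNat(NAT_PUBLIC_IP, PEER_PRIVATE_IP)
    # Original tunnel: the peer brought it up on port 500, then NAT-T moved the
    # IKE/ESP traffic to 4500. Only the 4500 mapping is kept fresh by keepalives,
    # so the port-500 mapping ages out while the tunnel is healthy.
    nat.outbound(Packet(PEER_PRIVATE_IP, IKE_PORT, EDGE_IP, IKE_PORT))
    nat.outbound(Packet(PEER_PRIVATE_IP, NAT_T_PORT, EDGE_IP, NAT_T_PORT))
    for _ in range(4):
        nat.tick(10)
        nat.outbound(Packet(PEER_PRIVATE_IP, NAT_T_PORT, EDGE_IP, NAT_T_PORT))
    # Edge failover: the newly active Edge starts a fresh IKE exchange on port 500.
    edge_ok = edge_initiates(nat)      # dropped: no matching mapping on port 500
    peer_ok = peer_initiates(nat)      # succeeds: peer's outbound packet creates the mapping
    return {"edge_initiated_reaches_peer": edge_ok,
            "peer_initiated_reaches_peer": peer_ok,
            "dropped_by_nat": len(nat.dropped)}


if __name__ == "__main__":
    print(simulate())
```

The model is deliberately port-preserving and single-peer; a real NAT may rewrite ports and apply different timeouts, but the ordering problem is the same: the side behind the NAT has to send first, which is why the article's workaround is to have the peer VPN Gateway initiate the SA negotiation.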