Impact of Edge failover on IPSec VPN tunnels over NAT-T in NSX-T 2.5.1 and earlier versions

Article ID: 327393

Products

VMware NSX

Issue/Introduction

Symptoms:
After an Edge failover, when the peer gateway is behind a NAT, you may see this symptom:

IPSec VPN tunnel may go down.

Environment

VMware NSX-T Data Center
VMware NSX-T
VMware NSX-T Data Center 2.x
VMware NSX-T Data Center 2.5.x

Cause

This behavior may be observed in topologies where the peer VPN Gateway is behind a NAT (SNAT). In such cases, after an Edge failover, when the Edge initiates the IKE connection, the NAT device may drop the incoming IKE packets on port 500 because no matching NAT mapping exists. The NAT mapping is created only when the peer VPN Gateway, which sits behind the NAT, initiates the connection. As a consequence, the tunnel may stay down until the connection is initiated from the peer VPN Gateway. For such scenarios, it is therefore highly recommended to configure the peer VPN Gateway to initiate the SA negotiations.

Resolution

This is a limitation of the customer topology, not a limitation of the Edge.

Workaround:
To work around this issue, initiate the tunnel from the peer VPN Gateway.

For the tunnel to be set up, the peer VPN Gateway should initiate a new SA negotiation.
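The following Python model is an added illustration of the cause and workaround described above; it is not NSX or NAT vendor code. It models a stateful source NAT in front of the peer gateway, assumes (as a constructed scenario) that the only live mapping while the tunnel is up is the peer's UDP/4500 NAT-T flow, and shows that a fresh Edge-initiated IKE packet on UDP/500 is dropped for lack of a matching mapping, while an IKE exchange initiated by the peer creates the mapping and completes. All addresses, ports and function names are constructed for the example.

```python
"""Toy model of a stateful source NAT (SNAT) in front of a peer VPN gateway.

Added illustration for this KB article; not NSX or NAT vendor code.
All IPs, ports and the NAT behaviour below are constructed assumptions.
"""
from dataclasses import dataclass, field

IKE_PORT = 500        # initial IKE exchange (IKE_SA_INIT)
NAT_T_PORT = 4500     # UDP port used once NAT traversal (NAT-T) is negotiated

EDGE_IP = "203.0.113.10"         # NSX Edge uplink address (constructed)
NAT_PUBLIC_IP = "198.51.100.1"   # public side of the NAT in front of the peer (constructed)
PEER_INSIDE_IP = "10.0.0.5"      # peer VPN gateway's private address (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


@dataclass
class SourceNat:
    """Stateful SNAT with address-and-port-dependent filtering: only an
    outbound packet creates a mapping, and an inbound packet is forwarded
    only if it matches an existing mapping (public port + remote ip/port)."""
    public_ip: str
    # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
    mappings: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, creating the mapping.
        Port-preserving for simplicity; real NATs may rewrite the port."""
        key = (pkt.src_port, pkt.dst_ip, pkt.dst_port)
        self.mappings[key] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet):
        """Translate an outside->inside packet, or drop it if no mapping matches."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.dst_ip != self.public_ip or key not in self.mappings:
            self.dropped.append(pkt)
            return None
        inside_ip, inside_port = self.mappings[key]
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.payload)


def established_tunnel_nat() -> SourceNat:
    """NAT state while the tunnel is up. Assumption of this model: after NAT-T
    detection both sides talk on UDP/4500, so that is the only live mapping."""
    nat = SourceNat(NAT_PUBLIC_IP)
    nat.outbound(Packet(PEER_INSIDE_IP, NAT_T_PORT, EDGE_IP, NAT_T_PORT, "IKE/ESP-in-UDP"))
    return nat


def edge_initiates_after_failover(nat: SourceNat) -> bool:
    """The newly active Edge sends a fresh IKE_SA_INIT on UDP/500.
    Returns True only if the peer gateway actually receives it."""
    pkt = Packet(EDGE_IP, IKE_PORT, NAT_PUBLIC_IP, IKE_PORT, "IKE_SA_INIT")
    return nat.inbound(pkt) is not None


def peer_initiates(nat: SourceNat) -> bool:
    """The peer gateway initiates IKE_SA_INIT: the NAT creates the UDP/500
    mapping, the Edge answers the source it observed, and the NAT forwards
    the reply inside. Returns True if the round trip reaches the peer."""
    request = nat.outbound(Packet(PEER_INSIDE_IP, IKE_PORT, EDGE_IP, IKE_PORT, "IKE_SA_INIT"))
    # The Edge, as responder, replies to the NAT's public address and port.
    response = Packet(EDGE_IP, IKE_PORT, request.src_ip, request.src_port, "IKE_SA_INIT response")
    delivered = nat.inbound(response)
    return delivered is not None and delivered.dst_ip == PEER_INSIDE_IP


if __name__ == "__main__":
    nat = established_tunnel_nat()
    print("Edge-initiated IKE after failover delivered:", edge_initiates_after_failover(nat))
    print("Packets dropped by the NAT:", len(nat.dropped))
    print("Peer-initiated IKE round trip delivered:", peer_initiates(nat))
    # Once the peer has created the UDP/500 mapping, Edge-sent IKE on that flow passes too.
    print("Edge IKE after the peer initiated:", edge_initiates_after_failover(nat))
```

Running the script prints `False`, `1`, `True`, `True`: the Edge's post-failover IKE_SA_INIT is discarded by the NAT, whereas once the peer behind the NAT initiates, the mapping exists and subsequent IKE traffic in both directions traverses it. This is the mechanism behind the recommendation to configure the peer VPN Gateway as the initiator.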