Impact of Edge failover on IPSec VPN tunnels over NAT-T in NSX-T 2.5.1 and earlier versions
Article ID: 327393
Updated On: 02-11-2025
Products
VMware NSX
Issue/Introduction
Symptoms:
IPSec VPN tunnel may go down, after an Edge failover and in case the peer gateway is behind a NAT.
IPSec VPN tunnel may go down, after an Edge failover and in case the peer gateway is behind a NAT.
Environment
VMware NSX-T Data Center
VMware NSX-T Data Center 2.x
Cause
This behavior may be observed for topologies where peer VPN Gateway is behind a NAT (SNAT). In such cases post Edge failover, when the Edge initiates the IKE connection, the NAT device may drop incoming IKE packets on port 500 due to non matching NAT mapping. Only when the peer VPN Gateway, which is behind a NAT, initiates the connection, the NAT mapping is created. As a consequence, the tunnel may be down until the connection is initiated from the peer VPN Gateway. Therefore, for such scenarios, it is highly recommended to configure the peer VPN Gateway to initiate the SA negotiations.
Resolution
This is a limitation on customer topology vs the limitation on the Edge.
Workaround:
To work around this issue, initiate the tunnel from the peer VPN Gateway.
For the tunnel to be setup, peer VPN Gateway should initiate a new SA negotiation.
Workaround:
To work around this issue, initiate the tunnel from the peer VPN Gateway.
For the tunnel to be setup, peer VPN Gateway should initiate a new SA negotiation.
Feedback
Yes
No
Powered by
