Route Based IPSec VPN session with BGP over VTI flaps continuously

Article ID: 339576

Products

VMware NSX

Issue/Introduction

This article helps troubleshoot a routing misconfiguration that makes a route-based IPSec VPN session (BGP over VTI) flap continuously, and describes how to correct the routing so that VPN connectivity is restored.

Symptoms:
Because of a routing misconfiguration, the VPN session and its IPSec tunnels come up, the route to the remote IPSec endpoint is then learned over the VTI, which creates a routing loop for the tunnel's own outer packets, Dead Peer Detection (DPD) fails, and the session goes down. The cycle repeats until the routing configuration is fixed.

Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 2.5.x
VMware NSX-T Data Center 3.x

Cause

The peer's IPSec Local IP (the tunnel endpoint address) is redistributed into BGP and advertised over the VTI of the same IPSec tunnel. The encrypted packets destined for that peer are then routed into the tunnel instead of out of the uplink, which causes a routing loop.

Resolution

The steps to correct the routing configuration depend on the environment. There are 4 scenarios:
  • Scenario 1. Route re-distribution is disabled for the IPSec Local IP (local and remote): add a static or default route for the remote IPSec endpoint IPs that points out of the uplink.
  • Scenario 2. Route re-distribution is enabled for the IPSec Local IP (local and remote): add a specific static route for each remote IPSec endpoint IP that points out of the uplink. A more specific static route wins over the BGP route learned via the VTI, but this must be repeated for every remote endpoint IP and does not scale when many remote endpoints are in use.
  • Scenario 3. Route re-distribution is enabled for the IPSec Local IP (local and remote): add a prefix list that blocks the local endpoint IPs (LEPs) from being published over BGP on the VTI. This must be configured on both the local and the remote side.
  • Scenario 4. Route re-distribution is enabled for the IPSec Local IP (local and remote): add a prefix list entry for the local IPSec endpoint IP in the BGP neighbor's "Out Filter" and one for the remote IPSec endpoint IP in its "In Filter", both with the deny action, followed by a default prefix entry with the permit action so that all other routes are still exchanged.
Note: For a Tier-1 gateway, "IPSec Local IP" is labelled "IPSec Local Endpoint".
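The following script is an added example and is not part of this article or of NSX; it demonstrates the loop described above and the filter logic of scenarios 3 and 4 offline. It uses a constructed routing table with hypothetical RFC 5737 addresses, a simplified prefix-list entry shape (network/ge/le/action, first match wins, implicit deny), and the function names lookup, tunnel_routes_into_itself, loop_fix_filters and apply_in_filter, all of which are assumptions for illustration rather than NSX API objects. A practitioner can substitute a route table exported from the gateway to check whether the remote endpoint resolves via the VTI before and after the filters are applied.

```python
"""
Offline check for the route-based IPSec VPN flap: the tunnel stays up only if
outer (IKE/ESP) packets to the remote IPSec endpoint egress via the uplink.
If the longest-prefix match for the remote endpoint resolves to the VTI itself,
the tunnel is routed into itself, DPD fails and the session flaps.
All addresses and routes below are constructed sample data (hypothetical).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str      # next-hop address, or "connected"
    interface: str     # egress interface, e.g. "uplink-0" or "vti-1"
    protocol: str      # "connected", "static" or "bgp"


def route(prefix, next_hop, interface, protocol):
    return Route(ipaddress.ip_network(prefix), next_hop, interface, protocol)


# Constructed sample: hypothetical endpoints, not from a real deployment.
LOCAL_ENDPOINT = "203.0.113.10"    # this gateway's IPSec Local IP (on uplink-0)
REMOTE_ENDPOINT = "198.51.100.20"  # peer's IPSec Local IP
VTI = "vti-1"

SAMPLE_ROUTES = [
    route("0.0.0.0/0", "203.0.113.1", "uplink-0", "static"),       # default via ISP
    route("203.0.113.0/24", "connected", "uplink-0", "connected"),
    route("10.20.0.0/16", "169.254.31.2", VTI, "bgp"),            # peer LAN, legitimate
    # The misconfiguration: the peer redistributed its own endpoint IP over BGP.
    route("198.51.100.20/32", "169.254.31.2", VTI, "bgp"),
]


def lookup(routes, dest):
    """Longest-prefix match for a destination address; None if no route."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen) if candidates else None


def tunnel_routes_into_itself(routes, remote_endpoint, vti_interface):
    """True when outer packets to the remote IPSec endpoint would egress via the VTI."""
    r = lookup(routes, remote_endpoint)
    return r is not None and r.interface == vti_interface


def filter_permits(entries, prefix):
    """Evaluate a prefix list: first matching entry decides, no match is an implicit deny.
    Entry shape (network, optional ge/le, action) is a simplified stand-in, not the NSX schema."""
    prefix = ipaddress.ip_network(prefix)
    for e in entries:
        net = ipaddress.ip_network(e["network"])
        ge = e.get("ge", net.prefixlen)
        le = e.get("le", net.prefixlen)
        if prefix.subnet_of(net) and ge <= prefix.prefixlen <= le:
            return e["action"] == "PERMIT"
    return False


def loop_fix_filters(local_endpoint, remote_endpoint):
    """Scenario 3/4 filters: deny the local endpoint outbound and the remote endpoint
    inbound on the VTI BGP session, then permit everything else (default prefix)."""
    permit_all = {"network": "0.0.0.0/0", "le": 32, "action": "PERMIT"}
    return {
        "out_filter": [{"network": f"{local_endpoint}/32", "action": "DENY"}, permit_all],
        "in_filter": [{"network": f"{remote_endpoint}/32", "action": "DENY"}, permit_all],
    }


def apply_in_filter(routes, entries, vti_interface):
    """Drop BGP routes learned over the VTI that the In Filter does not permit."""
    return [
        r for r in routes
        if not (r.protocol == "bgp" and r.interface == vti_interface)
        or filter_permits(entries, r.prefix)
    ]


if __name__ == "__main__":
    print("loop before fix:", tunnel_routes_into_itself(SAMPLE_ROUTES, REMOTE_ENDPOINT, VTI))
    filters = loop_fix_filters(LOCAL_ENDPOINT, REMOTE_ENDPOINT)
    fixed = apply_in_filter(SAMPLE_ROUTES, filters["in_filter"], VTI)
    print("loop after fix: ", tunnel_routes_into_itself(fixed, REMOTE_ENDPOINT, VTI))
    print("remote endpoint now via:", lookup(fixed, REMOTE_ENDPOINT).interface)
```

The In Filter alone stops the loop on this side; the Out Filter keeps this gateway from causing the same problem for the peer, which is why scenario 3 says the filtering must be done on both ends.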