Route Based IPSec VPN session with BGP over VTI flaps continuously
Article ID: 339576
Products: VMware NSX
Issue/Introduction
To assist in troubleshooting routing misconfiguration and to restore VPN connectivity.
Symptoms: Because of a routing misconfiguration, the VPN session comes up and the IPSec tunnels establish, but the resulting routing loop then triggers Dead Peer Detection (DPD) and the session goes down. This cycle repeats until the routing configuration is corrected.
Environment
VMware NSX-T Data Center
VMware NSX-T Data Center 2.5.x
VMware NSX-T Data Center 3.x
Cause
The peer's IPSec Local IP is advertised over the VTI of the IPSec tunnel, so the route to the peer endpoint points into the tunnel itself instead of the uplink, causing a routing loop.
Resolution
The steps to correct the routing configuration depend on the environment. There are 4 scenarios:
Scenario 1. Route redistribution is disabled for the IPSec Local IP (local and remote): add a static or default route for the remote IPSec endpoint IPs on the uplink.
Scenario 2. Route redistribution is enabled for the IPSec Local IP (local and remote): add a specific static route to each remote IPSec endpoint IP on the uplink. This must be done for every remote IPSec endpoint IP and does not scale when multiple remote endpoints are in use.
Scenario 3. Route redistribution is enabled for the IPSec Local IP (local and remote): add a prefix list that blocks the local endpoint IPs (LEPs) from being advertised over the VTI via BGP. This must be done on both the local and remote sides.
Scenario 4. Route redistribution is enabled for the IPSec Local IP (local and remote): add a route filter with a prefix for the local IPSec endpoint IP in the "Out Filter" and a prefix for the remote IPSec endpoint IP in the "In Filter", each with deny action, plus a default prefix with permit action.
Note: For Tier-1 gateways, "IPSec Local IP" is labelled "IPSec Local Endpoint".
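The following is an added example, not code from the KB article or from VMware: a small routing-table model that shows why a BGP-learned route to the peer's IPSec endpoint over the VTI produces the loop described under Cause, and how Scenarios 1 through 4 break it (a default or specific static route on the uplink, or a prefix list that filters the endpoint prefixes in and out). All addresses, interface names and administrative distances are constructed assumptions.

```python
"""Added example, not from the KB article: a minimal RIB and prefix-list model
for the IPSec-over-VTI routing loop. Addresses, interface names and the
administrative distances are constructed assumptions."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed topology (assumption, not from the article).
LOCAL_LEP = "198.51.100.10/32"    # our IPSec local endpoint
REMOTE_LEP = "203.0.113.20/32"    # peer's IPSec local endpoint
UPLINK, VTI = "uplink-0", "vti-1"
STATIC, BGP = 1, 20               # assumed administrative distances

# A route is (prefix, egress interface, administrative distance).
Route = Tuple[str, str, int]
# A prefix-list entry is (prefix, "permit" | "deny"); first match wins, and an
# entry is assumed to match every prefix it covers (like "... le 32").
PrefixEntry = Tuple[str, str]


def lookup(rib: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match; equal-length prefixes are broken by lower distance."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, dist in rib:
        net = ipaddress.ip_network(prefix)
        if ip in net:
            key = (net.prefixlen, -dist)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None


def tunnel_loops(rib: List[Route]) -> bool:
    """The outer (ESP) packets to the remote endpoint must leave on the uplink.
    If the best route to the remote endpoint points into the VTI, the tunnel
    would have to carry its own encapsulated traffic: the loop that makes DPD
    fail and the session flap."""
    peer_ip = REMOTE_LEP.split("/")[0]
    return lookup(rib, peer_ip) == VTI


def apply_prefix_list(routes: List[Route], plist: List[PrefixEntry]) -> List[Route]:
    """Filter BGP routes through an ordered prefix list (implicit deny at the end)."""
    kept = []
    for route in routes:
        net = ipaddress.ip_network(route[0])
        for entry, action in plist:
            if net.subnet_of(ipaddress.ip_network(entry)):
                if action == "permit":
                    kept.append(route)
                break
    return kept


# Routes the peer advertises to us over BGP on the VTI when it redistributes
# its IPSec local endpoint: its LAN prefix plus its own endpoint /32.
PEER_ADVERTISED: List[Route] = [("10.0.0.0/8", VTI, BGP), (REMOTE_LEP, VTI, BGP)]
DEFAULT_VIA_UPLINK: Route = ("0.0.0.0/0", UPLINK, STATIC)


def rib_scenario1() -> List[Route]:
    """Scenario 1: redistribution disabled, so only the LAN prefix arrives over
    the VTI; a default route on the uplink carries the tunnel's outer packets."""
    return [DEFAULT_VIA_UPLINK, ("10.0.0.0/8", VTI, BGP)]


def rib_misconfigured() -> List[Route]:
    """Redistribution enabled and nothing filtered: the peer endpoint /32 learned
    over the VTI beats the default route and pulls ESP into the tunnel."""
    return [DEFAULT_VIA_UPLINK] + PEER_ADVERTISED


def rib_scenario2() -> List[Route]:
    """Scenario 2: a specific static route to the remote endpoint on the uplink.
    Same prefix length as the BGP /32, so the lower static distance wins."""
    return rib_misconfigured() + [(REMOTE_LEP, UPLINK, STATIC)]


def rib_scenario3() -> List[Route]:
    """Scenario 3/4, inbound half: deny the remote endpoint prefix and permit
    the rest before BGP routes from the VTI are installed."""
    in_filter = [(REMOTE_LEP, "deny"), ("0.0.0.0/0", "permit")]
    return [DEFAULT_VIA_UPLINK] + apply_prefix_list(PEER_ADVERTISED, in_filter)


def outbound_advertisement(local_routes: List[Route]) -> List[Route]:
    """Scenario 3/4, outbound half: never advertise our own endpoint to the peer."""
    out_filter = [(LOCAL_LEP, "deny"), ("0.0.0.0/0", "permit")]
    return apply_prefix_list(local_routes, out_filter)


if __name__ == "__main__":
    cases = [("scenario 1", rib_scenario1()), ("misconfigured", rib_misconfigured()),
             ("scenario 2", rib_scenario2()), ("scenario 3", rib_scenario3())]
    for name, rib in cases:
        via = lookup(rib, REMOTE_LEP.split("/")[0])
        print(f"{name:14s} peer endpoint via {via}, loop={tunnel_loops(rib)}")
```

Running the block prints the egress interface for the peer endpoint in each state; only the unfiltered, redistributed case resolves to the VTI. The same `tunnel_loops` check is what a practitioner would reproduce against the gateway's real forwarding table: if the route to the remote IPSec endpoint IP resolves to the VTI rather than the uplink, the configuration matches this article's cause.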