To assist in troubleshooting routing misconfiguration and to restore VPN connectivity.

Symptoms:
Due to routing misconfiguration, VPN session comes up, IPSec tunnels come up and DPD gets triggered due to the routing loop and session goes down. This process repeats until the routing configuration is fixed.

VMware NSX-T Data Center
VMware NSX-T Data Center 2.5.x
VMware NSX-T Data Center 3.x

Peer's IPSec Local IP is distributed over VTI of IPSec tunnel, causing a routing loop.

The steps to correct the routing configuration depend on the environment. There are 4 scenarios:

• Scenario 1. Route re-distribution is disabled for IPSec Local IP (local and remote), Add a static/default route for remote IPSec Endpoint IPs on uplink.
• Scenario 2. Route re-distribution is enabled for IPSec Local IP (local and remote), Add a specific static route to each remote IPSec Endpoint IP on uplink. This must be done for each remote IPSec endpoint IP and does not scale when multiple remote endpoints are in use.
• Scenario 3. Route re-distribution is enabled for IPSec Local IP (local and remote), Add a prefix list to block the LEPs to be published to VTI over BGP. This must be done on both local and remote sides.
• Scenario 4. Route re-distribution is enabled for IPSec Local IP (local and remote), Add a prefix with local IPSec Endpoint IP in the "Out Filter" and Remote IPSec Endpoint IP in the "In Filter" with deny action and default prefix with permit action.

Note: *For tier1, "IPSec Local IP" will be defined as "IPSec Local Endpoint".

Related documentation:

• How to configure static routes on Tier-0 gateways
• How to configure prefixes on Tier-0 gateways