Slow Migrations Or HCX Tunnel Down When Configuring The HCX Appliances To Use The Policy Based or Route Based VPN
Article ID: 345375
Updated On:
Products
VMware Cloud on AWS
Issue/Introduction
Symptoms:
- The HCX Interconnect and Network Extension Tunnels frequently flop between Down and Up.
- The transfer speed(s) are slower than they should be.
Cause
Configuring an HCX tunnel over a VPN is not supported - https://docs.vmware.com/en/VMware-HCX/services/user-guide/GUID-00F9E524-7CBE-4E27-B631-1B03DB747358.html
"HCX Interconnect and HCX Network Extension tunnels can be established through INET and AWS Direct Connect only. Connectivity through a VPN tunnel terminated on the NSX Edge for the SDDC is not supported"
"HCX Interconnect and HCX Network Extension tunnels can be established through INET and AWS Direct Connect only. Connectivity through a VPN tunnel terminated on the NSX Edge for the SDDC is not supported"
Resolution
In order to resolve this issue the Site Pair and Service Mesh will need to be re-created and the SDDC VPN Configuration will need to be altered to exclude any IP addresses used by the HCX Manager or Appliances:
First, if the network is stretched, un-stretch it. Delete the Service Mesh, and remove the Site Pairing.
Once the Site Pairing has been removed, navigate to the SDDC Network And Security page > VPN and if using a Policy Based VPN remove the HCX IP range (the IPs of the HCX Manager/Interconnect/Network Extension) from the "Remote Networks" field. If using a Route Based VPN un-advertise the HCX IP range. Validate that none of the IPs available to the HCX Manager and Appliances are listed in the VPN.
After re-configuring the VPN Tunnel, re-create the Site Pairing, and the Service Mesh.
To test available bandwidth of the HCX Tunnels please refer to kb 56211.
Workaround:
There is no workaround
First, if the network is stretched, un-stretch it. Delete the Service Mesh, and remove the Site Pairing.
Once the Site Pairing has been removed, navigate to the SDDC Network And Security page > VPN and if using a Policy Based VPN remove the HCX IP range (the IPs of the HCX Manager/Interconnect/Network Extension) from the "Remote Networks" field. If using a Route Based VPN un-advertise the HCX IP range. Validate that none of the IPs available to the HCX Manager and Appliances are listed in the VPN.
After re-configuring the VPN Tunnel, re-create the Site Pairing, and the Service Mesh.
To test available bandwidth of the HCX Tunnels please refer to kb 56211.
Workaround:
There is no workaround
Additional Information
https://docs.vmware.com/en/VMware-HCX/services/user-guide/GUID-00F9E524-7CBE-4E27-B631-1B03DB747358.html
Impact/Risks:
Impact/Risks:
- If the Network is stretched, it will need to be un-stretched.
- The Service Mesh will need be re-created.
- The Site Pair will need be re-created.
Feedback
Yes
No
Powered by
