IPSec Service Down in NSX Edge alarm
Article ID: 370172
Updated On:
Products
VMware NSX
Issue/Introduction
Title: Alarm for ipsec_service_down
Event ID: vpn.ipsec_service_down
Alarm Description
The IPsec service <Service UUID> is down.
- Purpose: Alarm is raised when a particular IPSec VPN Service status is Down.
- Impact: All the sessions associated with the service will be in Down state, due to which datapath traffic to and from configured subnets stops working.
Environment
VMware NSX-T Data Center
VMware NSX
Edge Form factors:
- Bare Metal Edge
- VM Edge
Resolution
Steps to Resolve
Recommended Action:
- Check service down reason string using any one of the following ways
Edge CLI - "get ipsecvpn service". It should be "Service Routing Instance creation failed".
UI - Go to the Alarms page, specific IPsec Service Down Alarm and check "View Runtime Details".
API - Use "GET /api/v1/alarms/<alarm_id>"API and check "runtime_data" field in the output. - If there is no resource crunch at the edge, Disable and Enable the IPSec service from UI/API.
UI: Go to VPN→VPN Services page. Edit service for which this particular alarm is raised. Change Admin Status to Down and Save. Then again Edit, change Admin Status to Up and Save.
API: Use following APIs to update "enabled" parameter.
3.2.0 and higher:
"PUT /policy/api/v1/infra/tier-0s/{tier-0-id}/ipsec-vpn-services/{service-id}"
"PUT /policy/api/v1/infra/tier-1s/{tier-1-id}/ipsec-vpn-services/{service-id}"
4.2.0 and higher:
PUT /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/tier-1s/{tier-1-id}/ipsec-vpn-services/{service-id}/
9.1.0 and higher:
PUT /policy/api/v1/orgs/{org-id}/projects/{project-id}/transit-gateways/{transit-gateway-id}/ipsec-vpn-services/{service-id}/
Maintenance window required for remediation? No
Feedback
Yes
No
Powered by
