IPSec Route Based Session Down in NSX Edge alarm

Article ID: 370175

Updated On:

Products

VMware NSX

Issue/Introduction

Title: Alarm for ipsec_route_based_session_down
Event ID: vpn.ipsec_route_based_session_down
Alarm Description

The route based IPsec VPN session <Session UUID> is down.

  • Impact: Datapath traffic stops working for configured local and remote networks.

Environment

VMware NSX-T Data Center
VMware NSX

Edge Form factors:

  • Bare Metal Edge
  • VM Edge

Cause

The alarm is raised when the route-based IPsec VPN session with UUID <Session UUID> is down.

Resolution

Recommended Action:

  • Get the session down reason from the UI, API, or CLI:
    • Log in to the NSX Manager UI, go to the Networking tab --> VPN --> IPSec Sessions, and check the status of the affected session.
      Check the IKE Status info icon, which shows the session status along with the reason for the session being down.

    • For the API, use the following calls to get the session status details and fail_reason:

      3.0.0 and higher 
      GET /policy/api/v1/infra/tier-0s/{tier-0-id}/ipsec-vpn-services/{service-id}/sessions/{session-id}/statistics
      GET /policy/api/v1/infra/tier-1s/{tier-1-id}/ipsec-vpn-services/{service-id}/sessions/{session-id}/statistics

      4.2 and higher
      GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/tier-1s/{tier-1-id}/ipsec-vpn-services/{service-id}/sessions/{session-id}/statistics

      9.1 and higher
      GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/transit-gateways/{transit-gateway-id}/ipsec-vpn-services/{service-id}/sessions/{session-id}/statistics 

      The output of these calls shows the possible cause of the IPSec session / tunnel being down.

    • For the CLI, use "get ipsecvpn session summary" and "get ipsecvpn session sessionid <session-id>" to check the down reason.
  • Based on the down reason, take the necessary actions to resolve the alarm, as listed in the table at Alarms When an IPsec VPN Session or Tunnel Is Down.
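
An added example (not VMware's code and not part of the original article): a Python helper that builds the statistics path listed above for a given gateway scope and pulls fail_reason out of the response. The scope labels, the function names and the response layout (`results`, `ike_status`, `ike_session_state`) are assumptions; the sample response is constructed.

```python
import json
from urllib.parse import quote

_TAIL = "/ipsec-vpn-services/{service}/sessions/{session}/statistics"
_PROJECT = "/policy/api/v1/orgs/{org}/projects/{project}"

# Path templates from the article. The dictionary keys are labels chosen
# for this example, not NSX terms.
STATISTICS_PATHS = {
    "tier-0": "/policy/api/v1/infra/tier-0s/{gateway}" + _TAIL,          # 3.0.0+
    "tier-1": "/policy/api/v1/infra/tier-1s/{gateway}" + _TAIL,          # 3.0.0+
    "project-tier-1": _PROJECT + "/infra/tier-1s/{gateway}" + _TAIL,     # 4.2+
    "transit-gateway": _PROJECT + "/transit-gateways/{gateway}" + _TAIL, # 9.1+
}


def statistics_path(scope, **ids):
    """Build the statistics path for one session.

    Every ID is percent-encoded so that a value containing '/' or '?'
    (for example one copied from an untrusted ticket) cannot change
    which API resource the request reaches.
    """
    encoded = {name: quote(str(value), safe="") for name, value in ids.items()}
    return STATISTICS_PATHS[scope].format(**encoded)


def down_reasons(body):
    """Return (state, fail_reason) for every entry that is not UP.

    Assumed layout: {"results": [{"ike_status": {"ike_session_state": ...,
    "fail_reason": ...}}]}. Missing fields degrade to "UNKNOWN" / "".
    """
    reasons = []
    for entry in json.loads(body).get("results", []):
        ike = entry.get("ike_status", {})
        state = ike.get("ike_session_state", "UNKNOWN")
        if state != "UP":
            reasons.append((state, ike.get("fail_reason", "")))
    return reasons


# Constructed sample response, not captured from a real NSX Manager.
SAMPLE = json.dumps({"results": [
    {"ike_status": {"ike_session_state": "UP"}},
    {"ike_status": {"ike_session_state": "DOWN",
                    "fail_reason": "constructed down reason"}},
]})
```

Send the GET for the returned path to the NSX Manager with an authenticated HTTPS client that verifies the server certificate, then pass the response body to `down_reasons`.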

Maintenance window required for remediation? No

Additional Information