Edge node alarm: IPSec Policy Based Tunnel Down

Article ID: 370176


Products

VMware NSX

Issue/Introduction

Title: Alarm for ipsec_policy_based_tunnel_down
Event ID: vpn.ipsec_policy_based_tunnel_down

  • Alarm Description: One or more policy based IPsec VPN tunnels in session <Session UUID> are down.
  • Purpose: The alarm is raised when one or more Policy Based IPSec VPN Tunnels for the session with UUID <Session UUID> are down.
  • Impact: Datapath traffic stops working for configured local and remote networks.

 

Environment

VMware NSX-T Data Center
VMware NSX

Edge Form factors:

  • Bare Metal Edge
  • VM Edge

Resolution

Recommended Action:

  • Get the session down reason from the UI, API, or CLI:
    • Log in to the NSX Manager UI, go to the Networking tab --> VPN --> IPSec Sessions, and check the Status of the affected session.
      Check the IKE Status info icon, which shows the session status along with the reason the session is down.

    • For the API, use the following calls to get the session status details and fail_reason:

      3.0.0 and higher 
      GET /policy/api/v1/infra/tier-0s/{tier-0-id}/ipsec-vpn-services/{service-id}/sessions/{session-id}/statistics
      GET /policy/api/v1/infra/tier-1s/{tier-1-id}/ipsec-vpn-services/{service-id}/sessions/{session-id}/statistics

      4.2 and higher
      GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/tier-1s/{tier-1-id}/ipsec-vpn-services/{service-id}/sessions/{session-id}/statistics

      9.1 and higher
      GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/transit-gateways/{transit-gateway-id}/ipsec-vpn-services/{service-id}/sessions/{session-id}/statistics 

      The response to these calls gives the possible cause for the IPSec session / tunnel being down.

    • Next, log in to the Edge node as the admin user and run the commands below. The session-id for the second command comes from the output of the first:
      get ipsecvpn session summary
      get ipsecvpn session sessionid <session-id>

  • Once you have the full description of why the IPsec VPN session is down, refer to the documentation "Alarms When an IPsec VPN Session or Tunnel Is Down" for the "Possible Cause" and "Necessary Actions to Resolve the Alarm Message".
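
The API step above, as an added example (not code from this article or from NSX tooling): it builds the statistics path for each scope the article lists and pulls the down reason for every IKE session or tunnel that is not UP. The scope names and the sample response are constructed; apart from fail_reason, the response field names (results, ike_status, ike_session_state, policy_statistics, tunnel_statistics, tunnel_status, tunnel_down_reason, local_subnet, peer_subnet) are assumed from the NSX Policy API schema and should be checked against your release.

```python
import json
from urllib.parse import quote

# Path templates from the article, keyed by hypothetical scope names.
BASE = "/policy/api/v1"
TAIL = "/ipsec-vpn-services/{service_id}/sessions/{session_id}/statistics"
SCOPES = {
    "tier0": "/infra/tier-0s/{gateway_id}",                                   # 3.0.0+
    "tier1": "/infra/tier-1s/{gateway_id}",                                   # 3.0.0+
    "project_tier1": "/orgs/{org_id}/projects/{project_id}/infra/tier-1s/{gateway_id}",     # 4.2+
    "transit_gateway": "/orgs/{org_id}/projects/{project_id}/transit-gateways/{gateway_id}",  # 9.1+
}

def statistics_path(scope, **ids):
    """Build the GET path; KeyError on an unknown scope or a missing id."""
    safe = {k: quote(str(v), safe="") for k, v in ids.items()}  # ids must not alter the path
    return BASE + (SCOPES[scope] + TAIL).format(**safe)

def down_reasons(stats):
    """Return (kind, detail, reason) for each IKE session or tunnel that is not UP."""
    findings = []
    for ep in stats.get("results", []):
        ike = ep.get("ike_status", {})
        state = ike.get("ike_session_state")  # assumed field name
        if state and state != "UP":
            findings.append(("ike", state, ike.get("fail_reason", "")))
        for policy in ep.get("policy_statistics", []):
            for t in policy.get("tunnel_statistics", []):
                if t.get("tunnel_status") != "UP":
                    pair = f'{t.get("local_subnet")} -> {t.get("peer_subnet")}'
                    findings.append(("tunnel", pair, t.get("tunnel_down_reason", "")))
    return findings

# Constructed sample response (not captured from a real NSX Manager).
SAMPLE = json.loads("""
{"results": [{
  "ike_status": {"ike_session_state": "UP"},
  "policy_statistics": [{"tunnel_statistics": [
    {"tunnel_status": "UP", "local_subnet": "10.1.0.0/24", "peer_subnet": "192.168.10.0/24"},
    {"tunnel_status": "DOWN", "local_subnet": "10.2.0.0/24", "peer_subnet": "192.168.20.0/24",
     "tunnel_down_reason": "traffic selector mismatch (constructed)"}
  ]}]
}]}
""")

if __name__ == "__main__":
    print(statistics_path("tier1", gateway_id="t1-gw", service_id="svc", session_id="s1"))
    for finding in down_reasons(SAMPLE):
        print(finding)
```

With IKE up and only one local/remote subnet pair down, as in the sample, the tunnel-level reason is the one to take to the "Possible Cause" table.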

Maintenance window required for remediation? No

Additional Information

Alarms When an IPsec VPN Session or Tunnel Is Down

See the following documentation to check the IPsec profile configuration in NSX-T for any mismatch between the local and remote tunnel endpoints.

Add IP-Sec Profiles