Edge node alarm: IPSec Policy Based Tunnel Down
Article ID: 370176

Products

VMware NSX

Issue/Introduction

  • Alarm Description: One or more policy based IPsec VPN tunnels in session <Session UUID> are down.
  • Purpose: The alarm is raised when one or more policy based IPsec VPN tunnels of the session with UUID <Session UUID> are down.
  • Impact: Datapath traffic stops working for the configured local and remote networks.

Title: Alarm for ipsec_policy_based_tunnel_down
Event ID: vpn.ipsec_policy_based_tunnel_down

Environment

3.x, 4.x

Resolution

Recommended Action:

  • Get the tunnel down reason from the UI, API or CLI:
    • In the UI, go to the VPN → IPSec Sessions page and check the status of the affected session. Hover over the IKE Status info icon, which shows the session status along with the down reason.
    • Via the API, use "GET /policy/api/v1/infra/tier-0s/{tier-0-id}/ipsec-vpn-services/{service-id}/sessions/{session-id}/statistics" or "GET /policy/api/v1/infra/tier-1s/{tier-1-id}/ipsec-vpn-services/{service-id}/sessions/{session-id}/statistics" to get the session status details. Check the fail_reason in the output.
    • On the CLI, use "get ipsecvpn session summary" and "get ipsecvpn session sessionid <session-id>" to check the down reason.
  • Based on the tunnel down reason, look up the corresponding action to resolve the alarm in the table at Alarms When an IPsec VPN Session or Tunnel Is Down.
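The API step above is the one most operators automate when this alarm fires repeatedly. The following is an added example (not VMware's code) that builds the statistics path quoted above and extracts the down reason for every policy based tunnel from a statistics response. The response field names (results, ike_status.fail_reason, policy_statistics[].tunnel_statistics[].tunnel_status / tunnel_down_reason) are assumptions based on the NSX Policy API schema; confirm them against the API reference for your NSX version. The sample response is constructed.

```python
from typing import Dict, List

# Constructed sample of a session statistics response with one policy-based
# tunnel down. Field names are assumptions based on the NSX Policy API schema
# (confirm against the API reference for your NSX version).
SAMPLE_STATS = {
    "results": [{
        "ike_status": {"ike_session_state": "UP", "fail_reason": ""},
        "policy_statistics": [{"tunnel_statistics": [
            {"local_subnet": "10.10.1.0/24", "peer_subnet": "192.168.5.0/24",
             "tunnel_status": "UP", "tunnel_down_reason": ""},
            {"local_subnet": "10.10.2.0/24", "peer_subnet": "192.168.6.0/24",
             "tunnel_status": "DOWN",
             "tunnel_down_reason": "No proposal chosen (Child SA)"},
        ]}],
    }],
}

def statistics_path(tier: str, gateway_id: str, service_id: str, session_id: str) -> str:
    """Build the Policy API path quoted in the KB for a tier-0 or tier-1 gateway."""
    if tier not in ("tier-0s", "tier-1s"):
        raise ValueError("tier must be 'tier-0s' or 'tier-1s'")
    return (f"/policy/api/v1/infra/{tier}/{gateway_id}/ipsec-vpn-services/"
            f"{service_id}/sessions/{session_id}/statistics")

def down_tunnels(stats: Dict) -> List[Dict[str, str]]:
    """One record per policy-based tunnel that is not UP, with the down reason.

    When IKE itself failed, its fail_reason is reported for every tunnel so the
    operator sees the root cause instead of a derived child-SA failure.
    """
    findings = []
    for result in stats.get("results", []):
        ike_reason = result.get("ike_status", {}).get("fail_reason", "")
        for policy in result.get("policy_statistics", []):
            for t in policy.get("tunnel_statistics", []):
                if t.get("tunnel_status") == "UP":
                    continue
                findings.append({
                    "local_subnet": t.get("local_subnet", ""),
                    "peer_subnet": t.get("peer_subnet", ""),
                    "reason": ike_reason or t.get("tunnel_down_reason") or "unknown",
                })
    return findings

if __name__ == "__main__":
    print(statistics_path("tier-0s", "t0-gw", "svc-1", "sess-1"))
    for f in down_tunnels(SAMPLE_STATS):
        print(f"{f['local_subnet']} <-> {f['peer_subnet']}: {f['reason']}")
```

Feed the real response from the GET call (for example via requests with your NSX Manager credentials) into down_tunnels and match each reason against the table linked in the next step.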

Maintenance window required for remediation? No

Additional Information

Alarms When an IPsec VPN Session or Tunnel Is Down

Refer to the page below to check the IPsec profile configuration in NSX-T for any possible mismatch between the local and remote tunnel endpoints.

Add IP-Sec Profiles