Route based IPSec sessions not available in the scope of next hop of static route on Tier-1 gateway

Article ID: 371072

Products

VMware NSX

Issue/Introduction

When navigating to Networking >> Tier-1 Gateways >> Static route >> Next hops >> Scope, route-based IPSec sessions are not present in the dropdown list; the scope lists only the Tier-1 segments.

Environment

VMware NSX-T Data Center

Cause

The Search Aggregate query that fetches the Scope for Next Hops of Tier-1 Static Routes has the wrong mapping for IPSecVpnService.parent_path to tier1.

Resolution

This issue is resolved in VMware NSX-T Data Center 3.2.4.

Additional Information

Workaround:

The scope of the route-based IPSec session can be configured with a PUT API call using the following steps:

  1. Configure the static route via UI on the T1 gateway without the scope.
  2. Get the configuration using the below GET API call:

    GET https://<nsx-manager-ip>/policy/api/v1/infra/tier-1s/<T1-gateway-ID>/static-routes/<static-route-id>


  3. Append the following scope content to the Body and push the configuration using the PUT API call:

    PUT https://<nsx-manager-ip>/policy/api/v1/infra/tier-1s/<T1-gateway-ID>/static-routes/<static-route-id>

    "next_hops": [
        {
            "admin_distance": 1,
            "scope": [
                "/infra/tier-1s/<T1-gateway-id>/ipsec-vpn-services/<IPSec-VPN>/sessions/<session-id>"
            ]
        }
    ],
 
Note: The NSX UI will not show the scope that has been configured with the PUT API call. Use the GET call to verify the scope configuration in the next hop:

    GET https://<nsx-manager-ip>/policy/api/v1/infra/tier-1s/<T1-gateway-ID>/static-routes/<static-route-id>
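
The workaround steps above as one script. This is an added example, not VMware's own code. It assumes that each next hop in the GET response carries an ip_address field, that the manager accepts HTTP basic authentication, and that its CA certificate is available as a file; the sample response and all function names are constructed for illustration.

```python
import base64, json, ssl, urllib.request

# Constructed sample of a GET response for a Tier-1 static route (not real output).
SAMPLE_GET = {"id": "route-to-vpn", "network": "192.0.2.0/24", "_revision": 3,
              "next_hops": [{"ip_address": "169.254.10.2", "admin_distance": 1}]}

def session_path(t1_id, service_id, session_id):
    """Policy path of the route-based IPSec session, in the form the article gives."""
    return (f"/infra/tier-1s/{t1_id}/ipsec-vpn-services/{service_id}"
            f"/sessions/{session_id}")

def add_scope(route, next_hop_ip, scope_path):
    """Return a copy of the GET body with scope set on exactly one next hop."""
    body = json.loads(json.dumps(route))  # deep copy; _revision and other fields kept
    hits = [h for h in body.get("next_hops", []) if h.get("ip_address") == next_hop_ip]
    if len(hits) != 1:
        raise ValueError(f"expected one next hop {next_hop_ip}, found {len(hits)}")
    hits[0]["scope"] = [scope_path]
    return body

def scope_applied(route, next_hop_ip, scope_path):
    """Check a GET body: the UI will not show the scope, so verify it here."""
    return any(h.get("ip_address") == next_hop_ip and scope_path in h.get("scope", [])
               for h in route.get("next_hops", []))

def call(method, url, user, password, ca_file, body=None):
    """One API call over TLS, verified against the manager's CA file."""
    ctx = ssl.create_default_context(cafile=ca_file)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def apply_workaround(manager, t1_id, route_id, next_hop_ip, scope_path, **auth):
    """Steps 2 and 3 plus verification: GET, PUT with scope, GET again."""
    url = f"https://{manager}/policy/api/v1/infra/tier-1s/{t1_id}/static-routes/{route_id}"
    current = call("GET", url, **auth)
    call("PUT", url, body=add_scope(current, next_hop_ip, scope_path), **auth)
    return scope_applied(call("GET", url, **auth), next_hop_ip, scope_path)
```

apply_workaround takes user, password and ca_file as keyword arguments and returns True only when the follow-up GET shows the session path in the next hop's scope.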