IPSec VPN session negotiation fails with the reason "Invalid Syntax".

Article ID: 371129

Products

VMware NSX VMware NSX-T Data Center

Issue/Introduction

  • IPSec VPN session does not get established.
  • On the edge node, the command "get ipsecvpn session summary" reports the session Status as 'Negotiating' or 'Down' and the Down Reason as 'Invalid syntax*':

    edge-node> get ipsecvpn session summary

    Version  SID  Compliance Suite Type    Auth  Status        Local IP         Peer IP          Down Reason
    ----------------------------------------------------------------------------------------------------------------------------
    IKEv2    8202 NONE             Policy  PSK   Negotiating   x.x.x.x          x.x.x.x          Invalid syntax*
    ----------------------------------------------------------------------------------------------------------------------------

  • In the edge node's /var/log/syslog.log, errors similar to the following may be seen (note the IKE_INVALID_TRAFFIC_SELECTORS entry, which is the actual cause behind the generic "Invalid syntax" status):

    2024-06-18T10:57:02.810Z edge-node-fqdn NSX 13556 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] Tue Jun 18 2024 10:57:02: IKE_INVALID_TRAFFIC_SELECTORS: SPI #################b814d7bea17741: Src x.x.x.x: Dst x.x.x.x: Traffic selectors do not match
    [..]
    2024-06-18T10:57:02.810Z edge-node-fqdn NSX 13556 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="iked-main" level="INFO"] Request for IPSEC tunnel status update : tunnel: 8202, rule: 536#####, local_ip: x.x.x.x, peer_ip: x.x.x.x inbound_spi: 0x0, outbound_spi: 0x0 status: IPSEC_STATUS_DOWN, error: Invalid syntax

Environment

VMware NSX
VMware NSX-T Data Center

Cause

For a policy-based IPSec VPN session, the local and peer networks configured on each endpoint are exchanged as IKEv2 traffic selectors, so they must be configured as mirror images at both ends. For example, if the cloud SDDC has the local networks configured as subnets X, Y and Z and the peer network as A, then the on-premises VPN configuration must have A as its local network and X, Y and Z as its peer networks. This holds even when A is set to ANY (0.0.0.0/0): if the cloud SDDC policy-based VPN session has the local network configured as 10.1.1.0/24 and the peer network as 0.0.0.0/0, the on-premises VPN endpoint must have 0.0.0.0/0 as its local network and 10.1.1.0/24 as its peer network. If the two sides do not mirror each other, the responder rejects the proposed traffic selectors ("Traffic selectors do not match" in the log) and the session never leaves the Negotiating state.
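The following is an added example, not code from this article or from NSX. It models the symmetry rule above as a check you can run against the two endpoint configurations before opening a case: each endpoint's local networks must equal the other endpoint's peer networks, with ANY treated as 0.0.0.0/0. It also includes a small filter for the syslog signature shown above. The session dictionaries and the log lines are constructed sample data; the helper names (normalize, check_symmetry, has_traffic_selector_error) are this example's own.

```python
"""Policy-based IPSec VPN traffic-selector symmetry check (added example).

Models the rule from the Cause section: side A's local networks must equal
side B's peer networks and vice versa. ANY is normalized to 0.0.0.0/0 so that
"ANY" on one side and "0.0.0.0/0" on the other compare as equal.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def normalize(networks):
    """Turn a list of CIDR strings (or the word ANY) into a set of networks.

    strict=False accepts host bits set, e.g. 10.1.1.5/24 becomes 10.1.1.0/24,
    which is what a UI would also store.
    """
    result = set()
    for n in networks:
        if str(n).strip().upper() == "ANY":
            result.add(ANY)
        else:
            result.add(ipaddress.ip_network(n, strict=False))
    return result


def check_symmetry(side_a, side_b):
    """Return a list of mismatch descriptions; an empty list means symmetric.

    side_a / side_b are dicts with 'name', 'local' and 'peer' CIDR lists.
    Equality is exact: a subnet that is merely covered by the other side's
    network (10.1.1.0/24 vs 10.1.0.0/16) is still reported as a mismatch.
    """
    a_local, a_peer = normalize(side_a["local"]), normalize(side_a["peer"])
    b_local, b_peer = normalize(side_b["local"]), normalize(side_b["peer"])
    problems = []
    for want, have, what in (
        (a_local, b_peer, f"{side_a['name']} local vs {side_b['name']} peer"),
        (a_peer, b_local, f"{side_a['name']} peer vs {side_b['name']} local"),
    ):
        missing = want - have  # networks the other side does not list
        extra = have - want    # networks the other side lists but should not
        if missing or extra:
            problems.append(
                f"{what}: missing={sorted(map(str, missing))} "
                f"extra={sorted(map(str, extra))}"
            )
    return problems


def has_traffic_selector_error(log_lines):
    """True if the iked log shows the traffic-selector mismatch signature."""
    return any("IKE_INVALID_TRAFFIC_SELECTORS" in line for line in log_lines)


# Constructed sample configurations: the cloud SDDC side from the article's
# example, an on-premises side that was (wrongly) given its own LAN as local
# network, and the corrected on-premises side.
SDDC = {"name": "SDDC", "local": ["10.1.1.0/24"], "peer": ["ANY"]}
ONPREM_WRONG = {"name": "on-prem", "local": ["192.168.10.0/24"], "peer": ["10.1.1.0/24"]}
ONPREM_FIXED = {"name": "on-prem", "local": ["0.0.0.0/0"], "peer": ["10.1.1.0/24"]}

# Constructed log excerpt modelled on the syslog lines in this article.
SAMPLE_LOG = [
    'NSX 13556 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] '
    "IKE_INVALID_TRAFFIC_SELECTORS: SPI #: Src x.x.x.x: Dst x.x.x.x: Traffic selectors do not match",
    'NSX 13556 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="iked-main" level="INFO"] '
    "Request for IPSEC tunnel status update : tunnel: 8202 status: IPSEC_STATUS_DOWN, error: Invalid syntax",
]

if __name__ == "__main__":
    for onprem in (ONPREM_WRONG, ONPREM_FIXED):
        print(onprem["local"], check_symmetry(SDDC, onprem) or "symmetric")
    print("traffic selector error in log:", has_traffic_selector_error(SAMPLE_LOG))
```

Run against the wrong on-premises configuration the checker reports that the SDDC peer network 0.0.0.0/0 is missing from the on-premises local networks and 192.168.10.0/24 is extra; against the corrected configuration it reports nothing. Comparing sets rather than ordered lists means the order in which subnets were entered does not matter, only the membership.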

Resolution

Review and correct the configuration on both the local and the remote VPN endpoints so that the local and peer networks of the session are mirror images of each other (including ANY / 0.0.0.0/0). After the change, run "get ipsecvpn session summary" on the edge node again and confirm that the session no longer reports 'Negotiating' or 'Down' with the Down Reason 'Invalid syntax*', and that the IKE_INVALID_TRAFFIC_SELECTORS message no longer appears in /var/log/syslog.log.