Troubleshooting NSX IPSEC VPN

Article ID: 379731

Products

VMware NSX

Issue/Introduction

When troubleshooting NSX IPSEC VPNs, a specific set of data must be gathered at the time of the event. This article details what documentation is required and how to gather it prior to opening a support request with Broadcom.

Environment

VMware NSX

Cause

Troubleshooting an NSX IPSEC VPN involves several layers: the gateway and HA configuration, the IKE (phase 1) and IPSec (phase 2) profiles on both sides, the session and endpoint definitions, the edge CLI state, and the edge logs. This article lists those layers in the order in which they should be checked.

Resolution

IPSEC VPN is supported on both Tier-0 and Tier-1 gateways. However, the gateway must be in active/standby HA mode for IPSEC VPN.

 

  • Check whether this is a new configuration or one that was working before. If it was working, ask what changed.
  • At what phase is it failing?
    • If failing at phase 1, check the IKE profile configuration on both sides.
    • If failing at phase 2, check the IPSec profile configuration on both sides.
  • Is it a policy-based or route-based VPN?
    • If policy-based:
      - DNAT is not supported on Tier-0 or Tier-1 gateways where policy-based IPsec VPN is configured.
      - The local and peer networks provided in the session must be configured symmetrically at both endpoints.
      - Check the edge size and the maximum number of tunnels it supports.
    • If route-based:
      - BGP only.
      - Dynamic routing for VTI is not supported on VPN that is based on Tier-1 gateways.
      - Load balancer over IPSec VPN is not supported for route-based VPN terminated on Tier-1 gateways.
  • Verify the IPSEC tunnel status from the edge UI. If the status is DOWN, validate the local endpoint and the profiles.
    • Local endpoints: validate the local and remote peer IPs.
    • Profiles: validate that the configuration of the following profiles matches on both sides:
      • IKE Profiles: IKE version, encryption algorithm, digest algorithm and Diffie-Hellman group.
      • IPSec Profiles: Perfect Forward Secrecy (enabled or not), encryption algorithm, digest algorithm and Diffie-Hellman group.
      • DPD Profiles: the Dead Peer Detection timer.
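To make the checklist above concrete, the following Python script (an added example, not NSX code) compares the settings that the two ends of a session must agree on and reports whether a mismatch points at the endpoint definition, phase 1 (IKE profile) or phase 2 (IPSec profile), with the symmetric-networks check applied only to policy-based sessions. The VpnEndpoint field names and the two sample sites are constructed for illustration; they are not NSX API property names.

```python
"""Compare the settings that must match on both ends of an NSX IPSec VPN
session and report which phase a mismatch would break.
Added example, not NSX code: field names and sample values are constructed
for illustration and are not NSX API property names."""

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

IKE_FIELDS = ("ike_version", "encryption", "digest", "dh_group")   # phase 1
IPSEC_FIELDS = ("pfs", "encryption", "digest", "dh_group")         # phase 2


@dataclass
class VpnEndpoint:
    name: str
    local_ip: str
    peer_ip: str
    ike: Dict[str, object]                                   # IKE profile
    ipsec: Dict[str, object]                                 # IPSec profile
    dpd_timer: int                                           # DPD profile, seconds
    local_networks: Set[str] = field(default_factory=set)    # policy-based only
    peer_networks: Set[str] = field(default_factory=set)     # policy-based only


def _mismatches(a: Dict[str, object], b: Dict[str, object], fields: Tuple[str, ...]):
    """Fields whose values differ between the two profile dictionaries."""
    return [(f, a.get(f), b.get(f)) for f in fields if a.get(f) != b.get(f)]


def check_session(local: VpnEndpoint, remote: VpnEndpoint, policy_based: bool) -> List[str]:
    """Return a list of findings; an empty list means both sides agree."""
    findings: List[str] = []
    # Local endpoint: each side's local IP must be the other side's peer IP.
    if local.local_ip != remote.peer_ip or remote.local_ip != local.peer_ip:
        findings.append("endpoint: local and peer IPs are not mirrored between the two sides")
    # Phase 1: the IKE profiles must match or the IKE SA never forms.
    for f, a, b in _mismatches(local.ike, remote.ike, IKE_FIELDS):
        findings.append(f"phase 1 (IKE profile) mismatch on {f}: {a} vs {b}")
    # Phase 2: the IPSec profiles must match or the IKE SA comes up but no IPSec SA (SPIs) is installed.
    for f, a, b in _mismatches(local.ipsec, remote.ipsec, IPSEC_FIELDS):
        findings.append(f"phase 2 (IPSec profile) mismatch on {f}: {a} vs {b}")
    if local.dpd_timer != remote.dpd_timer:
        findings.append(f"DPD profile: timer differs ({local.dpd_timer}s vs {remote.dpd_timer}s)")
    # Policy-based only: one side's local networks must be the other side's peer networks.
    if policy_based and (local.local_networks != remote.peer_networks
                         or local.peer_networks != remote.local_networks):
        findings.append("policy-based: local/peer networks are not configured symmetrically")
    return findings


def failing_phase(findings: List[str]) -> str:
    """Lowest broken layer, in the order the checklist walks them."""
    for prefix in ("endpoint", "phase 1", "phase 2"):
        if any(f.startswith(prefix) for f in findings):
            return prefix
    return "none" if not findings else "other"


# Constructed sample sites: site B uses a different DH group in its IPSec
# profile and an extra peer network, so phase 2 and the policy check fail.
SITE_A = VpnEndpoint(
    "site-a", "203.0.113.10", "198.51.100.20",
    ike={"ike_version": "IKEv2", "encryption": "AES_256", "digest": "SHA2_256", "dh_group": 14},
    ipsec={"pfs": True, "encryption": "AES_256", "digest": "SHA2_256", "dh_group": 14},
    dpd_timer=60, local_networks={"10.1.0.0/16"}, peer_networks={"10.2.0.0/16"})
SITE_B = VpnEndpoint(
    "site-b", "198.51.100.20", "203.0.113.10",
    ike={"ike_version": "IKEv2", "encryption": "AES_256", "digest": "SHA2_256", "dh_group": 14},
    ipsec={"pfs": True, "encryption": "AES_256", "digest": "SHA2_256", "dh_group": 2},
    dpd_timer=60, local_networks={"10.2.0.0/16"}, peer_networks={"10.1.0.0/16", "10.3.0.0/16"})

if __name__ == "__main__":
    result = check_session(SITE_A, SITE_B, policy_based=True)
    print("failing at:", failing_phase(result))
    for line in result:
        print(" -", line)
```

The report is ordered the way the checklist walks the layers, so the first finding is the one to fix first: a phase 1 mismatch hides any phase 2 problem until the IKE SA is up.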

 

  • CLI Validation (run on the NSX Edge CLI):
    • get ipsecvpn session summary - obtain the session ID and quickly review the status.
    • get ipsecvpn session sessionid <session_id> - review the local and remote peers and the DOWN reason.
    • get ipsecvpn ikesa <session_id> - review the configured algorithms for IPSEC Phase 1 (ISAKMP).
    • get ipsecvpn sad <policy_id> or get ipsecvpn sad <UUID> - review the SPIs.
    • get ipsecvpn ipsecsa - review the IPSEC tunnel Phase 2.
    • get ipsecvpn ipsecsa session-id <session_id> - review the IPSEC SA information.
    • get ipsecvpn tunnel stats - review the IPSEC VPN statistics.
    • get ipsecvpn config peer-endpoint - review the IKE configuration.

 

  • Logs
    • Check the Edge /var/log/syslog and search for IKE.
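As an added example (not NSX code), the Python script below applies that search to a syslog excerpt: it keeps only the messages that mention IKE or IPsec, groups them by peer address and counts failed, established and other events per peer, which is usually enough to see which session is looping on negotiation. The sample log lines are constructed in generic syslog format; the real NSX Edge message text differs, so the keyword patterns used to classify a message are assumptions to adapt to what your edge actually logs.

```python
"""Summarise IKE/IPsec messages from an NSX Edge /var/log/syslog excerpt per peer.
Added example, not NSX code. The sample lines are constructed in generic
syslog format; real NSX Edge messages differ, so adjust the patterns."""

import re
from collections import Counter, defaultdict
from typing import Dict

# Constructed sample syslog lines (not real NSX output).
SAMPLE_SYSLOG = """\
Jun  3 10:15:01 nsx-edge-01 ike[1234]: IKE SA negotiation started with peer 198.51.100.20
Jun  3 10:15:04 nsx-edge-01 ike[1234]: IKE SA negotiation failed with peer 198.51.100.20: NO_PROPOSAL_CHOSEN
Jun  3 10:15:05 nsx-edge-01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
Jun  3 10:15:30 nsx-edge-01 ike[1234]: IKE SA established with peer 192.0.2.45
Jun  3 10:15:31 nsx-edge-01 ike[1234]: IPsec SA established with peer 192.0.2.45 spi 0xc0ffee01
Jun  3 10:16:00 nsx-edge-01 sshd[222]: Accepted publickey for admin from 10.0.0.5
"""

# RFC 3164 style line: "Mon dd hh:mm:ss host process[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+"
    r"(?P<proc>[^\[:]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
# Keep only VPN-related messages (the page says: search for IKE; IPsec covers phase 2 lines).
VPN_RE = re.compile(r"\b(ike|ipsec)\b", re.IGNORECASE)
# Peer address as written in the constructed messages (assumed format).
PEER_RE = re.compile(r"peer\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def classify(msg: str) -> str:
    """Bucket a message by outcome; keywords are assumptions, not NSX's own wording."""
    m = msg.lower()
    if "failed" in m or "error" in m:
        return "failed"
    if "established" in m:
        return "established"
    return "other"


def summarise_ike(syslog_text: str) -> Dict[str, Counter]:
    """Return {peer_ip: Counter(failed/established/other)} for IKE/IPsec lines."""
    per_peer: Dict[str, Counter] = defaultdict(Counter)
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue                      # not a syslog line we understand
        msg = m.group("msg")
        if not VPN_RE.search(msg):
            continue                      # unrelated daemon (cron, sshd, ...)
        peer = PEER_RE.search(msg)
        key = peer.group("ip") if peer else "unknown"
        per_peer[key][classify(msg)] += 1
    return dict(per_peer)


def peers_with_failures(summary: Dict[str, Counter]) -> list:
    """Peers that logged at least one failure, worst first."""
    return sorted((p for p, c in summary.items() if c["failed"]),
                  key=lambda p: -summary[p]["failed"])


if __name__ == "__main__":
    summary = summarise_ike(SAMPLE_SYSLOG)
    for peer, counts in summary.items():
        print(peer, dict(counts))
    print("peers with failures:", peers_with_failures(summary))
```

In the constructed sample the peer 198.51.100.20 fails IKE SA negotiation with NO_PROPOSAL_CHOSEN, a standard IKE notify meaning the two sides share no acceptable proposal, which is the phase 1 IKE profile mismatch case from the checklist above; the peer 192.0.2.45 reaches both an IKE SA and an IPsec SA, so its tunnel is healthy. On a real edge, run the same filter over the full syslog for the time of the event and compare what it shows with the DOWN reason from `get ipsecvpn session sessionid <session_id>`.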

Known issues

Additional Information

If you are contacting Broadcom support about this issue, please provide the following:

  • NSX Edge log bundles for all Edges in the Edge Cluster containing the T0 or T1 where the IPSEC VPN is configured

  • Ensure log date range covers the full date of the event(s) being investigated. When in doubt, retrieve logs for all time.

  • NSX Manager log bundles

  • ESXi host log bundles for all hosts where the affected Edge VMs are running

  • Text of any error messages seen in NSX GUI or command lines pertinent to the investigation

  • The configuration and logs from the device on the other end of the IPSEC VPN