When troubleshooting NSX IPSEC VPNs, a specific set of data must be gathered at the time of the event. This article details what documentation is required and how to gather it prior to opening a support request with Broadcom.
VMware NSX
Troubleshooting NSX IPSEC VPNs involves several layers; this article lists them to guide that troubleshooting.
IPSEC VPN is supported on both Tier-0 and Tier-1 gateways. However, the gateway must be in active/standby HA mode for IPSEC VPN.
- DNAT is not supported on Tier-0 or Tier-1 gateways where a policy-based IPsec VPN is configured.
- The local and peer networks provided in the session must be configured symmetrically at both endpoints.
- Check the Edge size and the maximum number of tunnels it supports.
- BGP only.
- Dynamic routing over a VTI is not supported for VPNs based on Tier-1 gateways.
- A load balancer over IPsec VPN is not supported for route-based VPNs terminated on Tier-1 gateways.
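The symmetry requirement above (local networks on one side must equal the peer networks on the other, and vice versa) is easy to get wrong when one side summarizes subnets. The following is an added example, not part of this article, that compares two constructed endpoint definitions and reports every traffic selector that has no exact mirror on the other side:

```python
import ipaddress

# Constructed sample endpoint definitions (not taken from the article): each side
# lists the networks it treats as local and the networks it expects behind its peer.
NSX_SIDE = {"name": "nsx-t1", "local": ["10.10.0.0/24", "10.20.0.0/24"],
            "peer": ["192.168.50.0/24"]}
REMOTE_SIDE = {"name": "branch-fw", "local": ["192.168.50.0/24"],
               "peer": ["10.10.0.0/23"]}  # deliberately summarized: /23 vs two /24s


def normalize(networks):
    """Parse CIDR strings into ip_network objects so that '10.10.0.1/24' and
    '10.10.0.0/24' compare equal and duplicates collapse into one entry."""
    return {ipaddress.ip_network(n, strict=False) for n in networks}


def check_symmetry(side_a, side_b):
    """Return a list of mismatch descriptions. An empty list means the selectors
    mirror each other exactly: A.local == B.peer and A.peer == B.local.
    A summarized prefix that merely contains the other side's subnet still counts
    as a mismatch, because the requirement is symmetric configuration."""
    problems = []
    pairs = [
        (side_a["name"], "local", normalize(side_a["local"]),
         side_b["name"], "peer", normalize(side_b["peer"])),
        (side_a["name"], "peer", normalize(side_a["peer"]),
         side_b["name"], "local", normalize(side_b["local"])),
    ]
    for name_a, role_a, nets_a, name_b, role_b, nets_b in pairs:
        for net in sorted(nets_a - nets_b, key=str):
            problems.append(f"{name_a} {role_a} {net} has no matching {role_b} network on {name_b}")
        for net in sorted(nets_b - nets_a, key=str):
            problems.append(f"{name_b} {role_b} {net} has no matching {role_a} network on {name_a}")
    return problems


if __name__ == "__main__":
    for line in check_symmetry(NSX_SIDE, REMOTE_SIDE) or ["selectors are symmetric"]:
        print(line)
```

Run it against the two endpoint definitions before opening a session so a selector mismatch is ruled out before looking at IKE negotiation logs.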
Useful Edge CLI commands:
- get ipsecvpn session summary: obtain the session ID and quickly review the status.
- get ipsecvpn session sessionid <session_id>: review the local and remote peers and the DOWN reason.
- get ipsecvpn ikesa <session_id>: review the configured algorithms (IPSEC Phase 1 / ISAKMP).
- get ipsecvpn sad <policy_id> or get ipsecvpn sad <UUID>: review the SPIs.
- get ipsecvpn ipsecsa: review the IPSEC tunnel (Phase 2).
- get ipsecvpn ipsecsa session-id <session_id>: review the IPSEC SA information.
- get ipsecvpn tunnel stats: review IPSEC VPN statistics.
- get ipsecvpn config peer-endpoint: review the IKE configuration.
- Check the Edge /var/log/syslog and search for IKE.
Known issues
If you are contacting Broadcom support about this issue, please provide the following:
- NSX Edge log bundles for all Edges in the Edge Cluster containing the T0 or T1 where the IPSEC VPN is configured. Ensure the log date range covers the full date of the event(s) being investigated; when in doubt, retrieve logs for all time.
- NSX Manager log bundles.
- ESXi host log bundles for all hosts where the affected Edge VMs are running.
- Text of any error messages seen in the NSX GUI or on the command line that are pertinent to the investigation.
- The configuration and logs from the device on the other end of the IPSEC VPN.