Overlapping subnets in IPSec Policy based VPN returns error code 501399
Article ID: 380952


Products

VMware NSX

Issue/Introduction

If a user attempts to configure IPSec VPN policy rules whose local and remote subnets overlap with those of an existing rule, including a rule in a different session, the configuration is rejected with error code 501399.
In the NSX Manager log /var/log/syslog you see an entry similar to the following (identifiers redacted):

2024-10-30T20:28:59.112Z <site-name> NSX 5354 POLICY [nsx@6876 comp="nsx-manager" errorCode="PM500060" level="ERROR" reqId="########-####-####-####-########0964" subcomp="manager" username="admin"] Errors {"moduleName":"Policy","errorCode":501399,"errorMessage":"Rule=[/infra/tier-0s/<vpn-name>/ipsec-vpn-services/<site-name>/sessions/<session-name>/rules/########-####-####-####-########3e6f] has source and destination networks overlapping with existing rule=[/infra/tier-0s/<vpn-name>/ipsec-vpn-services/<site-name>/sessions/<session-name>/rules/#######-####-####-####-########83e6]."} in IPSecVpnRule config /infra/tier-0s/<vpn-name>/ipsec-vpn-services/<site-name>/sessions/<session-name>/rules/#######-####-####-####-########3e6f

Environment

VMware NSX

Cause

This issue occurs because VMware NSX-T Data Center / VMware NSX currently does not allow overlapping subnets in policy-based IPSec VPN rules across multiple sessions: a new rule whose source (local) and destination (remote) networks overlap with an existing rule's is rejected at validation time, before any tunnel is brought up.
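The following script is an added example, not part of the article or of NSX itself. It does two things a practitioner typically wants here: a pre-flight check that finds policy-based rules whose local and remote networks both overlap (the condition the error message describes; the assumption that both sides must overlap is taken from the wording of the message, not from NSX documentation), and a parser that picks error 501399 out of a syslog line so it can be alerted on. The rule set, session names, tier-0 name and the log line are constructed sample data.

```python
import ipaddress
import json
import re
from itertools import combinations

# Constructed sample rules: (session, rule id, local subnets, remote subnets).
# Session and rule names are hypothetical.
RULES = [
    ("session-a", "rule-1", ["10.10.0.0/24"], ["192.168.100.0/24"]),
    # local equal, remote is a /25 inside rule-1's /24: both sides overlap
    ("session-b", "rule-2", ["10.10.0.0/24"], ["192.168.100.128/25"]),
    # disjoint on both sides
    ("session-b", "rule-3", ["10.20.0.0/24"], ["192.168.200.0/24"]),
    # local overlaps rule-1, remote does not: not a conflict under the
    # "source and destination overlapping" reading of the error message
    ("session-c", "rule-4", ["10.10.0.0/24"], ["192.168.250.0/24"]),
]


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _any_overlap(a, b):
    return any(x.overlaps(y) for x in a for y in b)


def find_overlapping_rules(rules):
    """Return (existing, new) rule pairs whose local AND remote networks overlap.

    Rules are compared across all sessions, since NSX applies the check
    across sessions of the same IPSec VPN service.
    """
    parsed = [(s, r, _nets(loc), _nets(rem)) for s, r, loc, rem in rules]
    conflicts = []
    for (s1, r1, l1, m1), (s2, r2, l2, m2) in combinations(parsed, 2):
        if _any_overlap(l1, l2) and _any_overlap(m1, m2):
            conflicts.append((f"{s1}/{r1}", f"{s2}/{r2}"))
    return conflicts


# Constructed log line in the format shown in the article (placeholders filled
# with hypothetical names).
SAMPLE_LOG = (
    '2024-10-30T20:28:59.112Z nsxmgr NSX 5354 POLICY [nsx@6876 comp="nsx-manager" '
    'errorCode="PM500060" level="ERROR" reqId="00000000-0000-0000-0000-000000000964" '
    'subcomp="manager" username="admin"] Errors {"moduleName":"Policy","errorCode":501399,'
    '"errorMessage":"Rule=[/infra/tier-0s/t0/ipsec-vpn-services/svc/sessions/session-b/rules/rule-2] '
    'has source and destination networks overlapping with existing rule='
    '[/infra/tier-0s/t0/ipsec-vpn-services/svc/sessions/session-a/rules/rule-1]."} '
    'in IPSecVpnRule config /infra/tier-0s/t0/ipsec-vpn-services/svc/sessions/session-b/rules/rule-2'
)

# The "Errors {...}" payload is JSON; the trailing config path contains no braces.
ERRORS_RE = re.compile(r"\] Errors (\{.*\}) in IPSecVpnRule config (\S+)")
RULE_RE = re.compile(
    r"Rule=\[([^\]]+)\] has source and destination networks overlapping "
    r"with existing rule=\[([^\]]+)\]"
)


def parse_overlap_error(line):
    """Return the new rule, the conflicting existing rule and the config path
    for a 501399 log line, or None for any other line."""
    m = ERRORS_RE.search(line)
    if not m:
        return None
    err = json.loads(m.group(1))
    if err.get("errorCode") != 501399:
        return None
    rm = RULE_RE.search(err.get("errorMessage", ""))
    if not rm:
        return None
    return {
        "errorCode": 501399,
        "new_rule": rm.group(1),
        "existing_rule": rm.group(2),
        "config_path": m.group(2),
    }


if __name__ == "__main__":
    for existing, new in find_overlapping_rules(RULES):
        print(f"conflict: {new} overlaps {existing}")
    print(parse_overlap_error(SAMPLE_LOG))
```

Run the overlap check against the intended rule set before pushing it through the Policy API; running it only after the fact just reproduces the rejection. The parser is deliberately strict about the error code so that other Policy validation failures in the same log are not misattributed to this issue.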

Resolution

Use route-based VPNs instead where the same subnets must be reachable over more than one session. A route-based VPN carries traffic over a virtual tunnel interface and chooses the tunnel by routing rather than by per-rule subnet matching, so overlapping subnets are not a configuration error and redundancy across sessions can be provided by the routing protocol or static routes.
