Resolving Health Issues on HCX Interconnect (IX)


Article ID: 381797


Products

VMware HCX

Issue/Introduction

HCX Interconnect (IX) services may experience operational issues that prevent normal functionality, including:

  • Failed upgrade attempts
  • Unsuccessful appliance redeployments
  • Service disruptions
  • OVF deployment failures with network mapping errors
  • Tunnel status showing as "DOWN"
  • Failed interconnect service workflows

Common symptoms include:

  • HCX tunnel status showing as down
  • Inability to establish new tunnel connections
  • Intermittent tunnel disconnections
  • Service disruptions despite correct firewall rules
  • Failed appliance deployments with OvfNetworkMappingNotSupported errors

A possible error message is:

DeployAppliance Failed. Reason: Interconnect Service Workflow OvfUpload failed. Error: Errors encountered during ImportSpec creation: com.vmware.vim.binding.vim.fault.OvfNetworkMappingNotSupported:The provided network mapping between OVF networks and the system network is not supported by any host. Cause: null.

Environment

  • VMware HCX
  • Environments where HCX tunnels traverse firewalls

Cause

Several factors can contribute to HCX Interconnect tunnel connectivity issues:

  1. Firewall Session Management
    • Premature termination of tunnel sessions by firewalls
    • Aggressive session timeout settings
    • Improper session handling for HCX protocols
  2. Network Configuration
    • Incomplete or incorrect firewall rules
    • Session state tracking issues
    • Network path inconsistencies
  3. Security Policies
    • Overly restrictive session limits
    • Security policy conflicts
    • Default session timeouts affecting tunnel stability

Resolution

Service Mesh Verification and Diagnostics

Important: Service Mesh operations must be performed from the source site (HCX Connector) only, not from the cloud destination side.

  1. Log in to the HCX Manager at the source site (https://hcxmgr-ip-or-fqdn:443)
  2. Run Service Mesh Diagnostics:
    • Navigate to Interconnect > Service Mesh
    • Click "Run Diagnostics" to perform a health check
    • Review diagnostic results thoroughly
    • Optionally, view current topology via Service Mesh > View Topology
  3. Check if Resync is Required:
    • Review recent changes to Compute Profile, Network Profile, or Service Mesh
    • If no recent changes, proceed directly to Regular Redeployment
    • If changes exist, continue with Resync process
  4. If Resync is Required:
    • Click the "Resync" button
    • Note: Resync should only be used in healthy Service Mesh environments
    • Do not use Resync for troubleshooting Service Mesh error states
    • Wait for Resync operation to complete
    • Verify changes appear in Service Mesh configuration

Initial Verification Steps

  1. Verify basic connectivity between source and destination
  2. Confirm firewall rules are properly configured for HCX ports
  3. Check for any recent network or security policy changes

Remediation Steps

  1. Attempt Regular Redeploy
    • Access the HCX interface from the source site
    • Select the affected service
    • Choose "Redeploy"
    • Monitor deployment progress
    • Verify service status after redeployment

Firewall Session Analysis

  1. Review firewall session management policies
  2. Check session timeout settings
  3. Verify session tracking for HCX protocols
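
One way to carry out the session analysis above is to scan exported firewall session-end records for IX tunnel sessions that the firewall itself timed out early. This is an added example, not Broadcom or HCX code. It assumes a CSV export with hypothetical column names and reason strings, constructed sample IPs, and UDP 4500 as the IX tunnel port.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of firewall session-end records. The CSV columns and
# end_reason strings are hypothetical; map them to your firewall's log schema.
SAMPLE_LOG = """\
end_time,src,dst,proto,dport,duration_s,end_reason
2024-05-01T10:00:30,10.0.0.10,203.0.113.20,udp,4500,30,aged-out
2024-05-01T10:01:02,10.0.0.10,203.0.113.20,udp,4500,31,aged-out
2024-05-01T10:01:35,10.0.0.10,203.0.113.20,udp,4500,30,aged-out
2024-05-01T10:05:00,10.0.0.10,203.0.113.20,tcp,443,12,tcp-fin
2024-05-01T11:00:00,10.0.0.11,198.51.100.5,udp,4500,30,aged-out
2024-05-02T10:00:00,10.0.0.10,203.0.113.20,udp,4500,86400,aged-out
"""

IX_PEERS = {("10.0.0.10", "203.0.113.20")}  # constructed (source IX, destination IX) uplink IPs
TUNNEL_PORT = 4500       # assumption: IX tunnel transport on UDP 4500; confirm for your HCX version
TIMEOUT_REASONS = {"aged-out", "timeout"}  # hypothetical reason strings
MIN_HEALTHY_S = 3600     # assumption: a stable tunnel session should live longer than this


def find_premature_terminations(log_text):
    """Return {peer: [(end_time, duration_s), ...]} for tunnel sessions the
    firewall timed out before they reached MIN_HEALTHY_S."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        peer = (row["src"], row["dst"])
        if peer not in IX_PEERS:
            continue
        if row["proto"] != "udp" or int(row["dport"]) != TUNNEL_PORT:
            continue
        duration = int(row["duration_s"])
        if row["end_reason"] in TIMEOUT_REASONS and duration < MIN_HEALTHY_S:
            hits[peer].append((row["end_time"], duration))
    return dict(hits)


def suspected_fixed_timer(durations, tolerance_s=5):
    """Teardowns at nearly the same session age suggest a fixed firewall timer
    rather than a path failure. Return that age in seconds, or None."""
    if len(durations) < 2 or max(durations) - min(durations) > tolerance_s:
        return None
    return min(durations)


if __name__ == "__main__":
    for peer, sessions in find_premature_terminations(SAMPLE_LOG).items():
        timer = suspected_fixed_timer([d for _, d in sessions])
        print(peer, len(sessions), "premature teardowns; suspected timer:", timer)
```

A suspected timer value that matches a configured session timeout on the firewall is the setting to review before resetting sessions.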

Additional Remediation Steps

  1. Reset firewall sessions related to HCX connections
  2. Monitor tunnel stability after session reset
  3. Document successful session management configurations

If issues persist after trying these steps, please reach out to Broadcom Support for additional assistance.

Additional Information

Best Practices

  • Always perform Service Mesh operations from the source site
  • Run Service Mesh Diagnostics before making any changes
  • Only perform Resync when necessary (after Compute/Network Profile changes)
  • Regularly monitor IX tunnel health status
  • Implement proper firewall session management
  • Document all firewall configuration changes
  • Maintain consistent security policies across environments
  • Regularly validate tunnel connectivity
  • Use Resync only in healthy Service Mesh environments