NSX Edge IKED service crashes seen with VPN tunnels going down

Article ID: 400108


Products

VMware NSX

Issue/Introduction

  • NSX IPSec VPNs are down. In the NSX UI, System→Fabric→Nodes may show Open Critical Alarms on the affected Edge nodes with Event Type: Application Crashed.


  • An IKED service core dump can be found on the NSX Edge under /var/log/core:

    -rw-r--r--  1 root root 2.4M MM DD HR:MN core.iked.gz
  • Checking the VPN session history may show the IKE status down or flapping between IKE_STATUS_UP, IKE_STATUS_NEGO and IKE_STATUS_DOWN:
    get ipsecvpn session ########-####-####-####-############ history

    Total Number of Sessions: 1

    IKE Session ID   : ###
    UUID             : ########-####-####-####-############
    SR ID            : ########-####-####-####-############
    Type             : Route
    Auth Mode        : PSK
    Compliance Suite : NONE

    Local IP         : ###.###.###.##            Peer IP          : ###.###.###.##
    Local ID         : ###.###.###.##            Peer ID          : ###.###.###.##
    Session Status   : Up
    Session Status History
      dd-mm-yyyy hr:mn:sc : IKE_STATUS_NEGO
      dd-mm-yyyy hr:mn:sc : IKE_STATUS_DOWN (IKE SA timer expired)
      dd-mm-yyyy hr:mn:sc : IKE_STATUS_UP
      dd-mm-yyyy hr:mn:sc : IKE_STATUS_NEGO
      dd-mm-yyyy hr:mn:sc : IKE_STATUS_DOWN (IKE SA timer expired)
      dd-mm-yyyy hr:mn:sc : IKE_STATUS_UP
      dd-mm-yyyy hr:mn:sc : IKE_STATUS_NEGO

    Policy Rules
      VTI UUID         : ########-####-####-####-############
      ToRule ID        : #########                 FromRule ID      : #########
        Local Subnet     : 0.0.0.0/0(N)              Peer Subnet      : 0.0.0.0/0(N)
        Tunnel Status    : Up                        Additional Info  : Has Narrowed Subnets
        Tunnel Status History
            Last Known Status : IPSEC_STATUS_DOWN
  • Log lines similar to the following are seen on the NSX Edge node in /var/log/syslog:
    NSX ###### VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="nestdb-iked" level="INFO"] Session status change for ########-####-####-####-############ to status: IKE_STATUS_NEGO, reason: , current status: IKE_STATUS_DOWN, reason: Negotiation not started, refcount: 0
    .
    .
    .
    NSX 5047 - [nsx@#### comp="nsx-edge" subcomp="node-mgmt" username="root" level="ERROR" errorCode="NOD105"] Cannot find socket file: /var/run/vmware/edge/ike.ctl
  • Restarting the IKED service with docker start service_iked on the NSX Edge nodes does not help: the service crashes again as soon as the peer sends its next IKE_SA_INIT.
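The following triage script is an added example and not part of this article or of any NSX tool. It scans an Edge syslog excerpt for the two indicators listed above: a session repeatedly dropping to IKE_STATUS_DOWN with reason "IKE SA timer expired" and then renegotiating, and the node-mgmt NOD105 error for the missing IKED control socket. The sample lines are constructed from the excerpt quoted above; the host name, timestamps, PIDs and session UUIDs are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample syslog excerpt modelled on the lines quoted in this article.
# Host name, timestamps, PIDs and session UUIDs are placeholders, not real data.
SAMPLE_SYSLOG = """\
2024-01-01T10:00:00Z edge-1 NSX 4242 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="nestdb-iked" level="INFO"] Session status change for 11111111-2222-3333-4444-555555555555 to status: IKE_STATUS_NEGO, reason: , current status: IKE_STATUS_DOWN, reason: Negotiation not started, refcount: 0
2024-01-01T10:00:01Z edge-1 NSX 4242 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="nestdb-iked" level="INFO"] Session status change for 11111111-2222-3333-4444-555555555555 to status: IKE_STATUS_UP, reason: , current status: IKE_STATUS_NEGO, reason: , refcount: 0
2024-01-01T10:00:02Z edge-1 NSX 4242 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="nestdb-iked" level="INFO"] Session status change for aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee to status: IKE_STATUS_UP, reason: , current status: IKE_STATUS_NEGO, reason: , refcount: 0
2024-01-01T10:05:00Z edge-1 NSX 4242 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="nestdb-iked" level="INFO"] Session status change for 11111111-2222-3333-4444-555555555555 to status: IKE_STATUS_DOWN, reason: IKE SA timer expired, current status: IKE_STATUS_UP, reason: , refcount: 0
2024-01-01T10:05:01Z edge-1 NSX 4242 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="nestdb-iked" level="INFO"] Session status change for 11111111-2222-3333-4444-555555555555 to status: IKE_STATUS_NEGO, reason: , current status: IKE_STATUS_DOWN, reason: IKE SA timer expired, refcount: 0
2024-01-01T10:05:02Z edge-1 NSX 4242 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="nestdb-iked" level="INFO"] Session status change for 11111111-2222-3333-4444-555555555555 to status: IKE_STATUS_UP, reason: , current status: IKE_STATUS_NEGO, reason: , refcount: 0
2024-01-01T10:10:00Z edge-1 NSX 4242 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="nestdb-iked" level="INFO"] Session status change for 11111111-2222-3333-4444-555555555555 to status: IKE_STATUS_DOWN, reason: IKE SA timer expired, current status: IKE_STATUS_UP, reason: , refcount: 0
2024-01-01T10:10:30Z edge-1 NSX 5047 - [nsx@6876 comp="nsx-edge" subcomp="node-mgmt" username="root" level="ERROR" errorCode="NOD105"] Cannot find socket file: /var/run/vmware/edge/ike.ctl
"""

# Session status transitions logged by the iked subcomponent.
STATUS_RE = re.compile(
    r'subcomp="iked".*?Session status change for (?P<uuid>[0-9a-f-]{36}) '
    r'to status: (?P<new>IKE_STATUS_[A-Z]+), reason: (?P<new_reason>[^,]*), '
    r'current status: (?P<old>IKE_STATUS_[A-Z]+)'
)
# node-mgmt failing to reach the IKED control socket, i.e. the daemon is gone.
SOCKET_RE = re.compile(r'errorCode="NOD105"\] Cannot find socket file: (?P<path>\S+)')


def triage_iked_syslog(text, flap_threshold=2):
    """Summarise per-session IKE transitions and whether the IKED socket vanished.
    A session counts as flapping when it went DOWN at least flap_threshold times
    and came back UP at least once (the UP/NEGO/DOWN cycle shown in the article)."""
    per_session = defaultdict(lambda: {"down": 0, "up": 0, "timer_expired": 0})
    socket_missing = []
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            s = per_session[m["uuid"]]
            if m["new"] == "IKE_STATUS_DOWN":
                s["down"] += 1
                if m["new_reason"].strip() == "IKE SA timer expired":
                    s["timer_expired"] += 1
            elif m["new"] == "IKE_STATUS_UP":
                s["up"] += 1
            continue
        m = SOCKET_RE.search(line)
        if m:
            socket_missing.append(m["path"])
    flapping = sorted(u for u, s in per_session.items()
                      if s["down"] >= flap_threshold and s["up"] >= 1)
    return {
        "sessions": dict(per_session),
        "flapping": flapping,
        "iked_socket_missing": bool(socket_missing),
        # Both indicators together match the symptom set described in this article.
        "suspect_iked_crash": bool(flapping) and bool(socket_missing),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_iked_syslog(SAMPLE_SYSLOG), indent=2))
```

On a real Edge, feed the script /var/log/syslog (or the output of the session history command above after reformatting) and treat "suspect_iked_crash" as the cue to look for core.iked.gz under /var/log/core before chasing the peer's configuration.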

Environment

VMware NSX-T Data Center
VMware NSX

Cause

The VPN peer, acting as IKE initiator, sends an IKE_SA_INIT whose SA payload contains a transform proposal with no Diffie-Hellman (DH) group. IKED does not check that the IKE proposal carries a DH transform and dereferences a NULL pointer while processing the proposal, so the service crashes (producing the core.iked.gz dump above) and the Edge's IPSec VPN tunnels go down.
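To make the failure mode concrete, the following is an added example (not NSX or IKED code) of how an IKEv2 SA payload is laid out and what a robust responder checks before using the initiator's proposal. The layout and transform type numbers are taken from RFC 7296 section 3.3; the two sample payloads are constructed here, one well-formed and one with the D-H transform omitted, which is the proposal shape this article describes. The parser validates every length field and rejects a DH-less IKE proposal instead of dereferencing a transform that is not there.

```python
import struct

# IKEv2 constants from RFC 7296 section 3.3 (assumed here, not taken from NSX code).
PROTO_IKE = 1
T_ENCR, T_PRF, T_INTEG, T_DH = 1, 2, 3, 4


class MalformedSA(ValueError):
    """Raised for any proposal the parser refuses instead of processing blindly."""


def parse_sa_payload(body):
    """Parse the body of an IKEv2 SA payload (everything after the generic
    payload header) into a list of proposals with their (type, id) transforms.
    Every length field is checked against the enclosing structure first."""
    proposals, off = [], 0
    while True:
        if len(body) - off < 8:
            raise MalformedSA("truncated proposal header")
        last, _, plen, pnum, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", body, off)
        pend = off + plen
        if plen < 8 + spi_size or pend > len(body):
            raise MalformedSA("proposal length exceeds payload")
        spi = body[off + 8:off + 8 + spi_size]      # zero-length for an initial IKE SA
        toff, transforms = off + 8 + spi_size, []
        for i in range(ntrans):
            if pend - toff < 8:
                raise MalformedSA("truncated transform")
            tlast, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", body, toff)
            if tlen < 8 or toff + tlen > pend:
                raise MalformedSA("transform length exceeds proposal")
            if (tlast == 0) != (i == ntrans - 1):
                raise MalformedSA("last-transform flag disagrees with transform count")
            transforms.append((ttype, tid))        # attributes (e.g. key length) are skipped
            toff += tlen
        if toff != pend:
            raise MalformedSA("transform count does not fill the proposal")
        proposals.append({"num": pnum, "protocol": proto, "spi": spi, "transforms": transforms})
        off = pend
        if last == 0:                               # 0 = last proposal, 2 = more follow
            break
    if off != len(body):
        raise MalformedSA("trailing bytes after the last proposal")
    return proposals


def check_initiator_sa(body):
    """Validate an initiator's SA payload the way a robust IKE daemon should:
    reject an IKE proposal that offers no D-H group rather than dereferencing
    a missing transform. Returns ("ok", [dh groups]) or ("reject", reason)."""
    try:
        proposals = parse_sa_payload(body)
    except MalformedSA as e:
        return ("reject", str(e))
    groups = []
    for p in proposals:
        if p["protocol"] != PROTO_IKE:
            continue
        dh = [tid for ttype, tid in p["transforms"] if ttype == T_DH]
        if not dh:
            return ("reject", f"proposal {p['num']} has no D-H transform (NULL DH group)")
        groups.extend(dh)
    return ("ok", groups)


# Helpers that build the constructed sample payloads (not captured traffic).
def transform(ttype, tid, last, attrs=b""):
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), ttype, 0, tid) + attrs


def proposal(num, proto, transforms, last):
    body = b"".join(transforms)
    return struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(body), num, proto, 0, len(transforms)) + body


KEYLEN_256 = struct.pack("!HH", 0x800E, 256)      # TV attribute 14: Key Length = 256
# Well-formed initiator proposal: AES-CBC-256 / PRF-HMAC-SHA2-256 / HMAC-SHA2-256-128 / MODP-2048
GOOD_SA = proposal(1, PROTO_IKE, [
    transform(T_ENCR, 12, False, KEYLEN_256),
    transform(T_PRF, 5, False),
    transform(T_INTEG, 12, False),
    transform(T_DH, 14, True),
], True)
# The condition in this article: the same proposal with the D-H transform left out.
NO_DH_SA = proposal(1, PROTO_IKE, [
    transform(T_ENCR, 12, False, KEYLEN_256),
    transform(T_PRF, 5, False),
    transform(T_INTEG, 12, True),
], True)

if __name__ == "__main__":
    print(check_initiator_sa(GOOD_SA))    # ('ok', [14])
    print(check_initiator_sa(NO_DH_SA))   # ('reject', 'proposal 1 has no D-H transform (NULL DH group)')
```

The point of the example is the order of operations: the DH group is looked up only after the proposal has been parsed and found to contain a D-H transform, so a peer that omits it gets a rejected negotiation rather than a crashed daemon.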

Resolution

This is a known issue impacting VMware NSX.

Workaround

  • Configure the VPN peer as the responder for the IPSec VPN negotiation, so that the NSX Edge initiates IKE. An IKEv2 responder can only select one of the proposals the initiator offered (RFC 7296), so the SA payload IKED receives from the peer then always carries a DH group. Afterwards, confirm with get ipsecvpn session ########-####-####-####-############ history that the session stays in IKE_STATUS_UP instead of cycling through IKE_STATUS_NEGO and IKE_STATUS_DOWN.