When high number of VPN services are configured, reboot of an active edge can result in a longer time for HA & routing state to stabilize.
Article ID: 406472
Updated On:
Products
Issue/Introduction
- Hundreds of VPN services are configured.
- Hundreds of IPSec sessions were UP right before the reboot of the active edge.
- It is taking a long time for HA and routing state to stabilize after the active edge is rebooted.
-
If bgp summary is checked at both of the active and standby edge nodes inside SR vrf, it shows no output-
edge01(tier0_sr[#####])> get bgp neighbor summary<returns no output> -
High-availability status shows as 'down' at both active and standby edges:
edge01> vrf ###edge01(tier0_sr[###])> get high-availability statusService RouterUUID : 7990cb1c-8991-###########-###############state : Down <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<type : TIER0mode : A/Sfailover mode : Preemptiverank : 0service count : 1service score : n/aHA ports stateUUID : e88f391e-526e-########-#########-#####op_state : Downaddresses : #.#.#.#/24; - High-availability status eventually comes up and routing becomes stable after some time.
Environment
- VMware NSX-T 3.x
- VMware NSX 4.x
- VCF 9.0
Cause
The time taken for the configuration to stabilize is proportional to the number of IPSec services and the number of total namespaces to be created. It takes around 1 second for each namespace creation. With hundreds of IPsec services (which correspond to high number of namespaces those need to be created after reboot of active edge), the total time required to stabilize HA will be longer. This is expected behavior.
Resolution
The configuration should eventually get applied. The total time taken is proportional to the number of unique VPN services configured. No additional steps are required to stabilize HA state. This is expected behavior when there are a high number of VPN services running.
Feedback
