VCD's Security Profile changed automatically causing the NSX IPSec tunnel to go down


Article ID: 407609


Products

VMware NSX, VMware Cloud Director

Issue/Introduction

- You have VCD in the environment with Edges and IPSec set up

- VCD and NSX are in sync

- The security profile of the Edge is changed from User Defined to System Default in VMware Cloud Director without user intervention, causing the IPSec tunnel in NSX to go down

From the NSX logs, you can see that the IPSec configuration is updated, meaning the changes in VCD are pushed to NSX:

53347:2025-08-05T02:27:03.234Z  INFO http-nio-127.0.0.1-7440-exec-318 PolicyIPSecVpnFacadeImpl 4681 POLICY [nsx@6876 comp="nsx-manager" level="INFO" reqId="#######-######-####" subcomp="manager" username="admin"] IPSecVpnSession with id #######-######-######52b1 created / updated

The session then goes DOWN after the default profile is applied:

54396:2025-08-05T02:27:27.002Z  INFO INTENT-PROCESSOR-CONSOLIDATED-SERVICE-0 ConsolidatedRealizedStateServiceImpl 4681 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Updated consolidated state for intentPath:/infra/tier-1s/#####-#######-########5/ipsec-vpn-services/#####-#######-########5/sessions/#####-#######-########52b1 to:DOWN
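
To find this pattern across a larger NSX manager log, the following added example (not from this article or from VMware) pairs each "created / updated" line with a later "to:DOWN" line for the same session ID. The 120-second window, the function name `correlate` and the sample IDs are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the NSX manager log lines above.
# All IDs are made up; the leading "NNNNN:" is a grep -n style line number.
SAMPLE_LOG = """\
53347:2025-08-05T02:27:03.234Z  INFO http-nio-127.0.0.1-7440-exec-318 PolicyIPSecVpnFacadeImpl 4681 POLICY [nsx@6876 comp="nsx-manager" level="INFO" reqId="req-0001" subcomp="manager" username="admin"] IPSecVpnSession with id sess-aaaa created / updated
54396:2025-08-05T02:27:27.002Z  INFO INTENT-PROCESSOR-CONSOLIDATED-SERVICE-0 ConsolidatedRealizedStateServiceImpl 4681 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Updated consolidated state for intentPath:/infra/tier-1s/t1-0001/ipsec-vpn-services/svc-0001/sessions/sess-aaaa to:DOWN
2025-08-05T03:10:00.000Z  INFO INTENT-PROCESSOR-CONSOLIDATED-SERVICE-0 ConsolidatedRealizedStateServiceImpl 4681 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Updated consolidated state for intentPath:/infra/tier-1s/t1-0001/ipsec-vpn-services/svc-0001/sessions/sess-bbbb to:DOWN
"""

# Timestamp, with an optional grep line-number prefix in front of it.
TS = r"^(?:\d+:)?(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+)Z"
UPDATE_RE = re.compile(
    TS + r'.*username="([^"]*)".*IPSecVpnSession with id (\S+) created / updated')
DOWN_RE = re.compile(TS + r".*intentPath:(\S*/sessions/(\S+)) to:DOWN")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f")


def correlate(log_text, window_s=120):
    """Return DOWN transitions that follow a config write to the same session.

    window_s is an assumed correlation window, not a value from the article.
    A DOWN with no recent write (for example a peer outage) is not reported.
    """
    last_update = {}  # session id -> (time of write, username that wrote it)
    findings = []
    for line in log_text.splitlines():
        m = UPDATE_RE.match(line)
        if m:
            last_update[m.group(3)] = (_ts(m.group(1)), m.group(2))
            continue
        m = DOWN_RE.match(line)
        if not m:
            continue
        down_at, path, sid = _ts(m.group(1)), m.group(2), m.group(3)
        write = last_update.get(sid)
        if write and timedelta(0) <= down_at - write[0] <= timedelta(seconds=window_s):
            findings.append({"session": sid, "intent_path": path,
                             "username": write[1],
                             "delay_s": (down_at - write[0]).total_seconds()})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f)
```

A hit only shows that a configuration write preceded the outage; check the Edge's security profile in VCD to confirm it was reset to System Default.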

Environment

VMware NSX

VMware Cloud Director (VCD)

Cause

Possible causes:

- Automated deployments or management scripts might reset Edge Gateway configurations or apply default settings if not properly configured to maintain existing settings

- NSX-T and VCD synchronization failures can cause profile resets

- Edge Gateway redeploys

Resolution

To resolve this issue:

- Change the security profile from System Default to the User Defined profile in VMware Cloud Director (VCD) to restore IPSec tunnel connectivity with the remote peer