BGP Neighbor Down with 0 Messages In/Out Over IPSec VPN on NSX Edge

Article ID: 408571


Products

VMware NSX

Issue/Introduction

BGP neighbor connections over IPSec VPN tunnels fail to establish on NSX Edge, showing "Connect" state with "never" for Up/DownTime, 0 messages in/out and 0 prefixes exchanged. The IPSec tunnel appears operationally up in the UI, but BGP traffic cannot pass through the tunnel.

This issue commonly occurs after:

  • DR testing or failback procedures
  • Network outages or disruptions
  • Edge node failovers
  • WAN connectivity issues

Key symptom: IPSec Phase 2 (data plane) is down while Phase 1 (control plane) remains established, causing the tunnel to appear operational in the UI despite being unable to pass traffic.

BGP neighbor status shows:

Neighbor                     AS          State    Up/DownTime  InMsgs  OutMsgs  InPfx  OutPfx
###.###.###.##              #####       Connect  never        0       0        0      0

To identify this issue, check for BGP neighbor problems in /var/log/syslog:

grep -r -i '<bgp-neighbor' /var/log/syslog

Check for IKE/IPSec issues:

grep -r -i 'ike' /var/log/syslog

The following errors will appear in the logs:

BGP FSM failures in /var/log/messages or /var/log/syslog:

bgpd - [EC 33554465] ###.###.###.## [FSM] Failure handling event BGP_Start in state Idle, prior events TCP_fatal_error, TCP_fatal_error, fd -1
bgpd - [EC 33554465] ###.###.###.## [FSM] Trying to start suppressed peer - this is never supposed to happen!

BGP advertisement issues in NSX Edge logs:

NSX - [nsx@6876 comp="nsx-edge" subcomp="agg-service"] [UpdateFrrAdvertisedRouteTable] Got 0 BGP advertised-routes for neighbor ###.###.###.## for LR: ########-####-####-####-############

IPSec/IKE failures in /var/log/syslog:

NSX VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR" errorCode="EDG1000028"] Failed creating routing instance plr_sr, id -1 pointer 0.

BGP down alarm in NSX monitoring logs:

NSX - [nsx@6876 eventType="bgp_down"] Context report: {"bgp_neighbor_ip":"###.###.###.##","failure_reason":"BGP session has not come up"}
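The four log signatures above can be correlated rather than read one grep at a time. The script below is an added example, not part of this article or of NSX; its signature names, the 192.0.2.x neighbor addresses and the LR id are constructed placeholders, and the sample excerpt is built from the quoted lines.

```python
import re
from collections import Counter

# Signatures constructed from the log lines quoted above; names are labels of this example.
SIGNATURES = {
    "bgp_fsm_failure": re.compile(
        r"bgpd - \[EC \d+\] (\S+) \[FSM\] (?:Failure handling event|Trying to start suppressed peer)"),
    "zero_advertised_routes": re.compile(r"Got 0 BGP advertised-routes for neighbor (\S+)"),
    "ike_routing_instance": re.compile(r'subcomp="iked".*errorCode="EDG1000028"'),
    "bgp_down_alarm": re.compile(r'eventType="bgp_down".*"bgp_neighbor_ip":"([^"]+)"'),
}

def classify_line(line):
    """Return (signature, neighbor_ip_or_None) for a matching line, else None."""
    for name, rx in SIGNATURES.items():
        m = rx.search(line)
        if m:
            return name, (m.group(1) if m.groups() else None)
    return None

def analyse(lines):
    """Tally signatures across a log excerpt. BGP FSM failures together with the
    iked routing-instance error (EDG1000028) is the Phase-2-down pattern this KB describes."""
    counts = Counter()
    neighbors = set()
    for line in lines:
        hit = classify_line(line)
        if hit is None:
            continue
        name, ip = hit
        counts[name] += 1
        if ip:
            neighbors.add(ip)
    phase2_suspected = counts["bgp_fsm_failure"] > 0 and counts["ike_routing_instance"] > 0
    return {"counts": dict(counts), "neighbors": sorted(neighbors),
            "phase2_suspected": phase2_suspected}

# Constructed sample excerpt: 192.0.2.x addresses and LR-ID-PLACEHOLDER are placeholders.
SAMPLE_LOG = [
    'bgpd - [EC 33554465] 192.0.2.10 [FSM] Failure handling event BGP_Start in state Idle, prior events TCP_fatal_error, TCP_fatal_error, fd -1',
    'bgpd - [EC 33554465] 192.0.2.10 [FSM] Trying to start suppressed peer - this is never supposed to happen!',
    'NSX - [nsx@6876 comp="nsx-edge" subcomp="agg-service"] [UpdateFrrAdvertisedRouteTable] Got 0 BGP advertised-routes for neighbor 192.0.2.10 for LR: LR-ID-PLACEHOLDER',
    'NSX VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR" errorCode="EDG1000028"] Failed creating routing instance plr_sr, id -1 pointer 0.',
    'NSX - [nsx@6876 eventType="bgp_down"] Context report: {"bgp_neighbor_ip":"192.0.2.10","failure_reason":"BGP session has not come up"}',
    'NSX - [nsx@6876 comp="nsx-edge" subcomp="agg-service"] [UpdateFrrAdvertisedRouteTable] Got 3 BGP advertised-routes for neighbor 192.0.2.20 for LR: LR-ID-PLACEHOLDER',
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))  # phase2_suspected is True for the sample excerpt
```

On a real edge node, feed it the output of the two grep commands above (or the raw /var/log/syslog) instead of SAMPLE_LOG; a healthy neighbor with a non-zero advertised-route count, like the last sample line, is deliberately not matched.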

For additional BGP troubleshooting steps, see Troubleshooting BGP on NSX-T Edge Nodes.

For IPSec VPN troubleshooting guidance, see Troubleshooting NSX IPSec VPN.

Environment

  • VMware NSX-T Edge Node
  • BGP over IPSec VPN configuration
  • IPSec VPN tunnel with Phase 1 established

Cause

IPSec VPN tunnel Phase 2 Security Associations (SAs) fail to properly establish or become stale after network disruptions, while Phase 1 remains active. This creates a misleading state where the tunnel appears operational in the management interface but cannot pass data traffic. The IKE daemon cannot create the required routing instance, preventing TCP connectivity on port 179 (BGP). This causes the BGP neighbor to remain stuck in "Connect" state indefinitely ("never" established) with continuous failures when attempting to transition the BGP session.

Resolution

  1. Reset the IPSec tunnel administratively to force Phase 2 re-establishment:
    • Navigate to the IPSec tunnel configuration in NSX Manager
    • Change admin status from Up to Down
    • Wait 10 seconds
    • Change admin status from Down to Up
  2. Verify BGP session establishment:
    show bgp vrf default ipv4 neighbors ###.###.###.##
    • State should change from "Connect" to "Established"
    • InMsgs/OutMsgs counters should be incrementing
    • Prefixes should be advertised/received
  3. Confirm route advertisements are restored:
    show bgp vrf default ipv4 neighbors ###.###.###.## advertised-routes

If the error persists after following these steps, contact Broadcom Support for further assistance.

Please provide the following information when opening a support request with Broadcom for this issue:

  • NSX Edge node logs from /var/log/
  • BGP neighbor status output
  • IPSec tunnel status (Phase 1 and Phase 2)
  • Time of network event or failover
  • Output of show ipsec sa command