L2VPN Session Down on NSX Edge node due to "IKE SA down"

Article ID: 414313

Updated On:

Products

VMware NSX

Issue/Introduction

  • In the NSX Manager UI, under VPN --> L2 VPN Sessions, the tunnel status shows Down after the L2VPN session is created between the VPN server and the VPN client.
  • Probing the Down status further in the NSX UI reports the error "IKE SA down".
  • Log in to the relevant Edge Node as the admin user and run the commands below:

get l2vpn session 
get ipsecvpn session summary

The L2VPN session shows DOWN, and the IPsec session it depends on is stuck in the IKE Negotiating state (the IKE SA never completes, so no tunnel is established):

get l2vpn session
Session         : #######-####-####-####-#######
Tunnel          : #######-####-####-####-#######
TCP MSS         : ##
IPSec Session   : #######-####-####-####-#######
Status          : DOWN


get ipsecvpn session summary
Version   SID   Compliance   Suite   Type     Auth   Status        Local IP   Peer IP   Down Reason
----------------------------------------------------------------------------------------------------------------
IKEv2     ####  NONE                 Route    PSK    Negotiating   x.x.x.x    x.x.x.x   *
----------------------------------------------------------------------------------------------------------------

Environment

NSX

Cause

  • The "All IPSec Local Endpoints" option is not enabled under the Route Advertisement settings of the Tier gateway on which the VPN service is configured. Without it, the IP address of the IPsec local endpoint is not advertised beyond the gateway, so the peer's IKE traffic (UDP 500/4500) to that address never reaches the Edge Node and the IKE SA stays in Negotiating.


Resolution

  • Enabling "All IPSec Local Endpoints" makes NSX automatically advertise routes to every IPsec local endpoint defined on the gateway, so the peer can reach the endpoint and the tunnel can come up.
  • Log in to the NSX UI, go to Networking, choose the relevant Tier gateway, click Edit, expand Route Advertisement and ensure "All IPSec Local Endpoints" is enabled. Save the change.
  • Rerun get ipsecvpn session summary and get l2vpn session on the Edge Node: the IPsec session should leave the Negotiating state and the L2VPN session status should report UP.
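The following Python is an added triage helper written for this article; it is not NSX or VMware code. It parses a capture of the Edge CLI output shown above and flags sessions stuck in Negotiating, then checks a Tier-1 gateway's Policy API object for the "All IPSec Local Endpoints" advertisement and builds the PATCH that would enable it (the UI checkbox equivalent). The Policy API path /policy/api/v1/infra/tier-1s/<id> and the enum value TIER1_IPSEC_LOCAL_ENDPOINT in route_advertisement_types are assumptions from the NSX Policy API; the CLI capture, gateway JSON, manager hostname and IP addresses are constructed for the example.

```python
"""Added example: triage the "IKE SA down" symptom and prepare the fix.

Assumptions (not from the article): the Policy API PATCH path
/policy/api/v1/infra/tier-1s/<id> and the enum value
TIER1_IPSEC_LOCAL_ENDPOINT. Sample CLI output and gateway JSON below are
constructed; the IPs are documentation ranges, not real endpoints.
"""
import copy
import json
import re

# Constructed capture of `get ipsecvpn session summary` on the Edge Node.
SAMPLE_SUMMARY = """\
Version   SID   Compliance   Suite   Type     Auth   Status        Local IP       Peer IP        Down Reason
----------------------------------------------------------------------------------------------------------------
IKEv2     1024  NONE                 Route    PSK    Negotiating   192.0.2.10     198.51.100.20  *
IKEv2     1025  NONE                 Route    PSK    Up            192.0.2.11     198.51.100.21  *
----------------------------------------------------------------------------------------------------------------
"""

# Constructed Tier-1 object as returned by the Policy API (assumed shape).
SAMPLE_TIER1 = {
    "resource_type": "Tier1",
    "id": "t1-vpn-gw",
    "tier0_path": "/infra/tier-0s/t0-gw",
    "route_advertisement_types": ["TIER1_CONNECTED", "TIER1_STATIC_ROUTES"],
}

# Assumed Policy API enum value for "All IPSec Local Endpoints".
IPSEC_LOCAL_ENDPOINT_ADV = "TIER1_IPSEC_LOCAL_ENDPOINT"

# One session row: Suite may be blank, so it is optional in the pattern.
SESSION_RE = re.compile(
    r"^(?P<version>IKEv[12])\s+(?P<sid>\d+)\s+(?P<compliance>\S+)\s+"
    r"(?:(?P<suite>\S+)\s+)?(?P<type>Route|Policy)\s+(?P<auth>\S+)\s+"
    r"(?P<status>\S+)\s+(?P<local_ip>[\d.]+)\s+(?P<peer_ip>[\d.]+)"
)


def parse_ipsecvpn_summary(text):
    """Return one dict per session row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def sessions_stuck_negotiating(text):
    """SIDs whose IKE SA never completed, the symptom this article describes."""
    return [r["sid"] for r in parse_ipsecvpn_summary(text)
            if r["status"].lower() == "negotiating"]


def advertises_ipsec_local_endpoints(tier1):
    """True when the gateway already advertises its IPsec local endpoints."""
    return IPSEC_LOCAL_ENDPOINT_ADV in tier1.get("route_advertisement_types", [])


def ensure_ipsec_local_endpoints_advertised(tier1):
    """Return (patched_copy, changed); the input object is left untouched."""
    patched = copy.deepcopy(tier1)
    types = patched.setdefault("route_advertisement_types", [])
    if IPSEC_LOCAL_ENDPOINT_ADV in types:
        return patched, False
    types.append(IPSEC_LOCAL_ENDPOINT_ADV)
    return patched, True


def build_patch_request(manager_host, tier1_id, patched):
    """Method, URL and JSON body for the Policy API PATCH (assumed path).

    The full advertisement list is sent, not just the new value, because the
    list field is replaced as a whole and the existing types must survive.
    """
    url = f"https://{manager_host}/policy/api/v1/infra/tier-1s/{tier1_id}"
    body = {"route_advertisement_types": patched["route_advertisement_types"]}
    return "PATCH", url, json.dumps(body)


if __name__ == "__main__":
    stuck = sessions_stuck_negotiating(SAMPLE_SUMMARY)
    print("sessions stuck in Negotiating:", stuck)
    patched, changed = ensure_ipsec_local_endpoints_advertised(SAMPLE_TIER1)
    if stuck and changed:
        method, url, body = build_patch_request("nsx-mgr.example", SAMPLE_TIER1["id"], patched)
        print("fix:", method, url, body)
```

The request is only built, not sent, so the script runs offline; to apply it, send the returned method, URL and body with the NSX Manager credentials (or a session token) and then recheck the session summary on the Edge Node. For a Tier-0 gateway the corresponding setting is the IPSec Local IP source under route re-distribution, which this example does not cover.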