NSX IPSec VPN Tunnel is Down

Article ID: 420185

Updated On:

Products

VMware NSX

Issue/Introduction

  • NSX Edge IPSec tunnel is down.
  • Edge logs show retransmitted IPSec packets.

    /var/log/syslog
    [Timestamp] [Edge] NSX 3237894 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S([IP]:500 -> [IP]:500): mID=0 (retransmit count=1)
    [Timestamp] [Edge] NSX 3237894 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S([IP]:500 -> [IP]:500): mID=0 (retransmit count=2)
    [Timestamp] [Edge] NSX 3237894 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S([IP]:500 -> [IP]:500): mID=0 (retransmit count=3)
    [Timestamp] [Edge] NSX 3237894 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S([IP]:500 -> [IP]:500): mID=0 (retransmit count=4)

  • Edge logs show the tunnel going down.

    /var/log/syslog
    [Timestamp] [Edge] NSX  VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="iked-main" level="INFO"] Request for IPSEC tunnel status update : tunnel: [Tunnel ID], rule: [Rule], local_ip: [IP], peer_ip: [IP] inbound_spi: 0x0, outbound_spi: 0x0 status: IPSEC_STATUS_DOWN, error: Peer not reachable
    [Timestamp] [Edge] NSX  VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="iked-main" level="INFO"] Request for IPSEC tunnel status update : tunnel: [Tunnel ID], rule: [Rule], local_ip: [IP], peer_ip: [IP] inbound_spi: 0x0, outbound_spi: 0x0 status: IPSEC_STATUS_DOWN, error: Peer not reachable

  • Packet capture on the ESX host where the Edge is running shows the traffic egressing the physical NICs, no response received.

    pktcap-uw --uplink vmnic[X] --capture UplinkSndKernel,UplinkRcvKernel -o - | tcpdump-uw -enr -


  • Toggling IPSec status does not resolve the issue.

    NSX UI > Networking > VPN > IPsec Sessions > Admin Status
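A small triage script, added here as an example and not part of this KB, that parses Edge syslog lines in the two formats shown above and flags peers that reached repeated IKEv2 retransmits or reported IPSEC_STATUS_DOWN with zero SPIs; the sample lines, tunnel and rule IDs, and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the Edge syslog excerpts above (not real captures).
SAMPLE_SYSLOG = """\
2024-01-01T00:00:01Z edge01 NSX 3237894 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(192.0.2.10:500 -> 198.51.100.20:500): mID=0 (retransmit count=1)
2024-01-01T00:00:05Z edge01 NSX 3237894 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(192.0.2.10:500 -> 198.51.100.20:500): mID=0 (retransmit count=2)
2024-01-01T00:00:13Z edge01 NSX 3237894 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(192.0.2.10:500 -> 198.51.100.20:500): mID=0 (retransmit count=3)
2024-01-01T00:00:29Z edge01 NSX 3237894 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(192.0.2.10:500 -> 198.51.100.20:500): mID=0 (retransmit count=4)
2024-01-01T00:00:30Z edge01 NSX  VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="iked-main" level="INFO"] Request for IPSEC tunnel status update : tunnel: t-1, rule: r-1, local_ip: 192.0.2.10, peer_ip: 198.51.100.20 inbound_spi: 0x0, outbound_spi: 0x0 status: IPSEC_STATUS_DOWN, error: Peer not reachable
2024-01-01T00:00:31Z edge01 NSX 3237894 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(192.0.2.11:500 -> 203.0.113.5:500): mID=0 (retransmit count=1)
"""

# IKE_SA_INIT retransmits from the ike-stack: (local, peer) and the running retransmit count.
RETRANSMIT_RE = re.compile(
    r'IKEv2 packet S\((?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\).*?retransmit count=(?P<n>\d+)'
)
# Tunnel status updates from iked-main; zero SPIs mean no child SA was ever negotiated.
DOWN_RE = re.compile(
    r'tunnel: (?P<tunnel>\S+), rule: (?P<rule>\S+), local_ip: (?P<local>[\d.]+), '
    r'peer_ip: (?P<peer>[\d.]+) .*?status: IPSEC_STATUS_DOWN, error: (?P<err>.*)$'
)

def analyze_ike_log(text, retransmit_threshold=3):
    """Group findings by (local_ip, peer_ip): highest retransmit count seen and DOWN events."""
    findings = defaultdict(lambda: {"max_retransmit": 0, "down": []})
    for line in text.splitlines():
        m = RETRANSMIT_RE.search(line)
        if m:
            key = (m["src"], m["dst"])
            findings[key]["max_retransmit"] = max(findings[key]["max_retransmit"], int(m["n"]))
            continue
        m = DOWN_RE.search(line)
        if m:
            key = (m["local"], m["peer"])
            findings[key]["down"].append((m["tunnel"], m["err"].strip()))
    # A peer is suspect when retransmits reach the threshold (no IKE reply at all)
    # or when the daemon has already declared the tunnel down.
    return {
        key: dict(v, suspect=v["max_retransmit"] >= retransmit_threshold or bool(v["down"]))
        for key, v in findings.items()
    }

if __name__ == "__main__":
    for (local, peer), v in analyze_ike_log(SAMPLE_SYSLOG).items():
        print(f"{local} -> {peer}: max_retransmit={v['max_retransmit']} down={v['down']} suspect={v['suspect']}")
```

A suspect peer with traffic confirmed leaving the uplink in the pktcap-uw capture but no reply is the pattern this article describes; a peer that answers after one or two retransmits is normal IKE behaviour.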

Environment

VMware NSX

Resolution

If you believe you have encountered this issue, please open a support case with Broadcom Support and provide logs for the NSX Manager, NSX Edge, ESX and packet captures from the ESX and TOR Switch.

For more information, see Creating and managing Broadcom support cases.

Workaround:

1. Create a new tunnel.
2. Assign a new local IP to the new tunnel, using the same remote IP as the problematic tunnel.
3. Assign the old local IP to the new tunnel. Confirm it comes up.
4. Remove the new tunnel and re-enable the old tunnel with original local and remote IPs.