IPSec VPN tunnels on T1 Edge do not come up after NSX Edge node upgrade


Article ID: 421781


Products

VMware NSX

Issue/Introduction

After upgrading NSX Edge nodes, all IPSec VPN tunnels configured on a Tier-1 (T1) Gateway fail to establish and remain in a down state. This results in a production outage for any services relying on these VPN connections.

The VPN tunnels were functioning normally prior to the upgrade, and no changes were made to the VPN configuration. The issue can recur on different T1 gateways during subsequent upgrades.

Symptoms include:

  • VPN tunnel status shows as down in the NSX Manager UI under Networking > VPN > IPSec Sessions
  • Traffic over the VPN is not passing
  • The Edge nodes themselves appear healthy and show as upgraded in NSX Manager

Environment

VMware NSX

Cause

During the Edge node upgrade process, VPN services may attempt to re-establish connections before the Edge node has fully completed its post-upgrade initialization. This timing condition prevents the tunnels from coming up properly even though no configuration changes occurred.

Resolution

To restore VPN tunnel connectivity, perform a controlled failover by placing each Edge node into maintenance mode. Entering maintenance mode moves the T1 Gateway's services to the other Edge in the cluster, which restarts IKE negotiation for the tunnels on a node that has completed its post-upgrade initialization. The failover itself briefly interrupts traffic on the affected gateway, so schedule it within a maintenance window:

  1. Log in to NSX Manager.
  2. Navigate to System > Fabric > Nodes > Edge Transport Nodes.
  3. Select the first Edge node in the Edge Cluster hosting the affected T1 Gateway.
  4. From the Actions menu, select Enter Maintenance Mode.
  5. Wait for the Edge node to fully enter maintenance mode and for services to fail over to the standby Edge.
  6. Verify VPN tunnel status under Networking > VPN > IPSec Sessions.
  7. Exit maintenance mode on the first Edge node by selecting Exit Maintenance Mode from the Actions menu.
  8. Repeat steps 3-7 for the second Edge node in the cluster.
  9. Confirm all VPN tunnels are now established and traffic is flowing.
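The status check in steps 6 and 9 can be scripted so that each failover is verified before moving on to the next Edge. The following is an added example (not part of this article and not an NSX-supplied tool) that polls the NSX Policy API for the status of each IPSec session on the T1 and reports any session that is not UP. The endpoint path and the JSON field names it reads are assumptions based on the Policy API for IPSec VPN session status; confirm them against the API reference for your NSX version. The sample responses at the bottom are constructed, not captured from a real system.

```python
"""Poll IPSec VPN session status on a Tier-1 after an Edge failover.

Added example; the STATUS_PATH and the status field names are assumptions
based on the NSX Policy API and must be checked against your NSX release.
"""
import base64
import json
import ssl
import time
import urllib.request

# Assumed Policy API status endpoint for a single IPSec session on a Tier-1.
STATUS_PATH = ("/policy/api/v1/infra/tier-1s/{t1}/ipsec-vpn-services/{svc}"
               "/sessions/{sess}/status")
UP = "UP"


def classify_sessions(statuses):
    """Return {session_id: state} for every session whose state is not UP.

    statuses: iterable of (session_id, status_dict). The overall state is
    assumed to sit under 'session_status' (or 'runtime_status' in some
    responses); anything else is reported as UNKNOWN rather than ignored.
    """
    down = {}
    for sid, st in statuses:
        state = st.get("session_status") or st.get("runtime_status") or "UNKNOWN"
        if state != UP:
            down[sid] = state
    return down


def wait_for_tunnels(fetch, session_ids, timeout_s=300, interval_s=15):
    """Call fetch(session_id) -> status dict for each session until all are
    UP or the timeout expires. Returns (all_up, remaining_non_up_sessions)."""
    deadline = time.monotonic() + timeout_s
    while True:
        remaining = classify_sessions((sid, fetch(sid)) for sid in session_ids)
        if not remaining or time.monotonic() >= deadline:
            return (not remaining, remaining)
        time.sleep(interval_s)


def make_fetcher(manager, user, password, t1, svc, ca_file=None):
    """Build a fetch(session_id) that GETs the status endpoint with basic auth.

    Use a read-only NSX role (for example Auditor) for this account, and pass
    ca_file to trust the NSX Manager certificate instead of disabling TLS
    verification.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def fetch(sess):
        url = "https://" + manager + STATUS_PATH.format(t1=t1, svc=svc, sess=sess)
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)

    return fetch


# Constructed sample responses (not captured from a real NSX Manager).
SAMPLE = {
    "hq-dc1": {"session_status": "UP", "ike_status": {"ike_session_state": "UP"}},
    "branch-7": {"session_status": "DOWN", "ike_status": {"ike_session_state": "DOWN"}},
}

if __name__ == "__main__":
    # Offline demonstration against the constructed sample; replace the
    # lambda with make_fetcher(...) to query a real NSX Manager.
    all_up, remaining = wait_for_tunnels(lambda s: SAMPLE[s], list(SAMPLE), timeout_s=0)
    print("all tunnels UP" if all_up else f"not UP: {remaining}")
```

Run it once after each Edge enters maintenance mode and again after it exits; only proceed to the second Edge when the check returns all tunnels UP. A session that never leaves DOWN within the timeout is the signal to collect Edge log bundles before opening a support request.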

If the tunnels remain down after completing these steps, review the Edge node logs for any additional errors and contact Broadcom Support for further assistance.

When opening a support request, provide:

  • NSX Manager and Edge node versions (before and after upgrade)
  • Screenshot of VPN tunnel status from NSX Manager UI
  • NSX Edge log bundles from all Edges in the affected Edge Cluster
  • Timeline of the upgrade and when the issue was first observed

Additional Information