Route Based IPSEC VPN session failed. "Reason: No Proposal chosen"

Article ID: 423235

Products

VMware NSX

Issue/Introduction

  • Route Based IPSEC VPN session status is failed.
    Down Reason: No proposal chosen.
  • The Local Endpoint IP modification has not been realized because deletion of the old endpoint was stuck in progress.

    Example of the realization error log, from /var/log/proton/nsxapi* on the NSX Managers:

    2024-10-30T07:10:36.429Z INFO providerTaskExecutor-1-27 LRPortValidator 112237 ROUTING [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Error occurred while creating lrport [{"moduleName":"ROUTING","errorCode":10202,"errorMessage":"[Routing] Static route f35#####-04e2-####-a321-a2e9d#### next hop IP is LRPort 975f####-####-4a2c-####-e6f7e33##### IP."}]

Environment

VMware NSX
VMware NSX-T Data Center

Cause

An IP address conflict exists between the static route next hop and the IPsec VTI interface IP. This overlap prevents the IPsec local endpoint configuration or modification from being realized.

Resolution

Delete the static route whose next hop is the same IP as the VTI port.

To validate the VTI interface IP:
  • SSH to the active Edge node.
  • Run "get gateways" to find the gateway that terminates the IPsec session.
  • Run "vrf <vrf-id>" to switch to that gateway's VRF.
  • Run "get interfaces" and locate the interface whose Mode and Port-type are "vti"; note its IP/Mask.

LAB ref:
  Interface     : 08####9a-###-4ed4-###-f281ee11####
    Ifuid         : 291
    Mode          : vti
    Port-type     : vti
    IP/Mask       : 10.10.10.10/30
    Urpf-mode     : PORT_CHECK
    Admin         : up
    Op_state      : up

To validate static route:
NSX UI --> Tier-1 Gateway (IPSEC terminated gateway) --> Static Routes
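As an added example (not part of this article and not NSX tooling), the following Python helper parses a `get interfaces` block in the layout shown above and flags any static route whose next hop equals a VTI interface IP, which is the condition the Cause section describes. The interface output and the static route table are constructed samples with placeholder UUIDs.

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed sample of `get interfaces` output, in the layout the article
# shows (interface UUIDs are placeholders, not real NSX object ids).
GET_INTERFACES_OUTPUT = """\
  Interface     : 00000000-0000-4000-8000-000000000001
    Ifuid         : 291
    Mode          : vti
    Port-type     : vti
    IP/Mask       : 10.10.10.10/30
    Op_state      : up

  Interface     : 00000000-0000-4000-8000-000000000002
    Mode          : lif
    Port-type     : uplink
    IP/Mask       : 192.0.2.1/24
"""

# Constructed static routes as read from the Tier-1 gateway's Static Routes
# page: destination network -> next hop.
STATIC_ROUTES = {
    "10.20.0.0/16": "10.10.10.10",  # next hop equals the VTI IP: conflict
    "10.30.0.0/16": "10.10.10.9",   # remote end of the /30: no conflict
    "0.0.0.0/0": "192.0.2.254",
}

def parse_interfaces(text):
    """One dict per 'Interface' block; blocks are separated by blank lines."""
    blocks = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields:
            blocks.append(fields)
    return blocks

def vti_ips(text):
    """Addresses (mask dropped) of every interface whose Mode is vti."""
    return {ip_interface(b["IP/Mask"]).ip
            for b in parse_interfaces(text)
            if b.get("Mode") == "vti" and "IP/Mask" in b}

def conflicting_routes(interfaces_text, static_routes):
    """Destinations of static routes whose next hop is a VTI IP (the routes to delete)."""
    vtis = vti_ips(interfaces_text)
    return sorted(net for net, nh in static_routes.items()
                  if ip_address(nh) in vtis)
```

Run `conflicting_routes(GET_INTERFACES_OUTPUT, STATIC_ROUTES)` against output pasted from the Edge and the routes copied from the UI to get the list of routes to remove.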
