- An IPsec VPN is configured in the NSX environment towards a Fortigate firewall
- Phase1 is established
- Phase2 is also established correctly
- But traffic between the two networks (the network behind NSX and the network behind the Fortigate) fails to pass
- When executing the command below, Tx packets are seen going out, but no matching Rx packets appear in the stats:
get ipsecvpn tunnel stats
VMware NSX
Packets were dropped in the physical environment, causing the endpoint communication issue over IPsec: no return traffic is seen at the uplinks of the ESXi host where the Edge VM is present.
Analyze the packet captures for the IPSec traffic:
1. Perform packet captures to verify whether the traffic leaves the Edge and the host when pinging from a source VM in NSX towards a destination IP in the physical environment
ESXi uplinks capture:
pktcap-uw --uplink vmnicX --capture UplinkSndKernel,UplinkRcvKernel --ip <source-vm-ip> -o - | tcpdump-uw -enr
Edge IPSec packet capture:
edge01> start capture interface <ipsec-uuid>
2. Verify from the packet captures on the ESXi host uplinks whether the return traffic is also seen
3. If the return traffic is not seen, it is being dropped in the physical environment
4. If the return traffic is seen at the ESXi uplinks, open a support request with Broadcom to investigate further and refer to this KB article (see Creating and Managing Broadcom Support Cases for instructions on how to open a support request)
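To make step 2 repeatable, the following added example (not part of the KB) parses saved `tcpdump-uw -enr` output from the uplink capture and counts packets per direction between the Edge uplink IP and the peer IP, so the absence of ESP return traffic is visible at a glance. The line format, the addresses 192.0.2.10 (Edge uplink) and 198.51.100.1 (Fortigate) and the sample lines are all constructed assumptions; check the regex against a real capture before relying on it.

```python
import re
from collections import Counter

# Line shape of "pktcap-uw ... -o - | tcpdump-uw -enr" output (assumed; check it
# against your own capture): timestamp, src MAC > dst MAC, ethertype, then
# "srcIP[.port] > dstIP[.port]: proto ...".
LINE_RE = re.compile(
    r"^\S+ \S+ > \S+, ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\d+(?:\.\d+){3})(?:\.\d+)? > (?P<dst>\d+(?:\.\d+){3})(?:\.\d+)?: "
    r"(?P<proto>[A-Za-z]+)"
)

def direction_counts(lines, local_ip, peer_ip):
    """Count packets per (direction, protocol) between the Edge uplink and the peer."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IPv4 frame in the expected shape
        src, dst, proto = m.group("src"), m.group("dst"), m.group("proto")
        if src == local_ip and dst == peer_ip:
            counts[("tx", proto)] += 1
        elif src == peer_ip and dst == local_ip:
            counts[("rx", proto)] += 1
    return counts

def esp_return_seen(lines, local_ip, peer_ip):
    """True when at least one ESP packet from the peer reached the uplink."""
    return direction_counts(lines, local_ip, peer_ip)[("rx", "ESP")] > 0

def verdict(lines, local_ip, peer_ip):
    """Map the capture to the KB's step 3 / step 4 outcome."""
    if esp_return_seen(lines, local_ip, peer_ip):
        return "return traffic reaches the ESXi uplink: open a support request"
    return "no ESP return traffic at the uplink: drop is in the physical environment"

# Constructed sample: IKE (isakmp) flows both ways, so the tunnel is up, but only
# outbound ESP is seen. 192.0.2.10 = Edge uplink, 198.51.100.1 = Fortigate (made up).
SAMPLE = [
    "10:01:02.000001 00:50:56:01:02:03 > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 354: 192.0.2.10.500 > 198.51.100.1.500: isakmp: parent_sa ikev2_init[I]",
    "10:01:02.004210 00:1a:2b:3c:4d:5e > 00:50:56:01:02:03, ethertype IPv4 (0x0800), length 318: 198.51.100.1.500 > 192.0.2.10.500: isakmp: parent_sa ikev2_init[R]",
    "10:01:05.100000 00:50:56:01:02:03 > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 154: 192.0.2.10 > 198.51.100.1: ESP(spi=0x0000abcd,seq=0x1), length 120",
    "10:01:06.100000 00:50:56:01:02:03 > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 154: 192.0.2.10 > 198.51.100.1: ESP(spi=0x0000abcd,seq=0x2), length 120",
]

if __name__ == "__main__":
    print(direction_counts(SAMPLE, "192.0.2.10", "198.51.100.1"))
    print(verdict(SAMPLE, "192.0.2.10", "198.51.100.1"))
```

Feed it the saved capture instead of SAMPLE (for example `open("uplink.txt").read().splitlines()`) and compare the Tx and Rx ESP counts with the `get ipsecvpn tunnel stats` output from the Edge.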