Limitations with use of HA VIP IP as Local Endpoint IP for IPSec VPN or L2VPN
Article ID: 427104

Products

VMware NSX

Issue/Introduction

This article details the known limitations and issues observed when a High Availability (HA) Virtual IP (VIP) is configured as the IPSec Local Endpoint. In general, use of HA VIP as IPsec Local Endpoint is not recommended due to the following potential operational impacts.

1. General Limitation (Policy Based and Route Based VPN):

While sessions using the HA VIP as a Local Endpoint may establish successfully, they do not support the IPSec Session Sync feature.

  • Impact: Upon failover, the IPSec SA is re-negotiated. Note that with IPSec Session Sync, upon failover, the IPSec SA state is carried over from the previously active edge node and the SA does not go through re-negotiation.

2. Issue (Route Based VPN):

A previously UP Route Based VPN (RBVPN) session goes down after a new Local Endpoint is added to the same IPSec VPN Service.

  • The session status displays "Peer not responding."

  • The HA VIP address disappears from the uplink interface and appears on the loopback interface before becoming unavailable.

  • The NSX Edge Syslog contains entries similar to the following:

2026-##-##T14:10:06.220Z ###-edge##.###.###.### NSX ### VPN [nsx@### comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] Local IP 10.XX.YY.ZZ unavailable.
2026-##-##T14:10:06.220Z ###-edge01.####.###.### NSX ###VPN [nsx@### comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] Message: IKE SA negotiation could not be initiated.
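The two syslog entries above are the signature of the HA VIP becoming unavailable to the IKE daemon. The following script is an added example (not VMware code and not part of this article) that parses NSX Edge syslog lines, keeps only `subcomp="iked"` messages, and correlates a "Local IP ... unavailable" entry with an "IKE SA negotiation could not be initiated" entry from the same edge node within a short window. The sample lines are constructed to match the redacted excerpt; the hostnames, the `nsx@0000` structured-data ID, the process ID and the IP addresses are placeholders, and the 5-second correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the KB excerpt; hosts, IPs and IDs are placeholders.
SAMPLE_SYSLOG = """\
2026-01-15T14:10:06.220Z site-edge01.example.internal NSX 1234 VPN [nsx@0000 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] Local IP 10.20.30.40 unavailable.
2026-01-15T14:10:06.220Z site-edge01.example.internal NSX 1234VPN [nsx@0000 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] Message: IKE SA negotiation could not be initiated.
2026-01-15T14:10:07.001Z site-edge01.example.internal NSX 1234 VPN [nsx@0000 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] Message: unrelated informational event.
2026-01-15T16:00:00.000Z site-edge02.example.internal NSX 1234 VPN [nsx@0000 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] Local IP 192.0.2.10 unavailable.
"""

# Layout: <timestamp> <host> NSX <pid> VPN [<structured data>] <message>
# The pid/VPN tokens are matched loosely because the excerpt shows "###VPN" without a space.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+NSX\s+[^\[]*?VPN\s+\[(?P<sd>[^\]]*)\]\s+(?P<msg>.*)$'
)
SD_RE = re.compile(r'(\w+)="([^"]*)"')
LOCAL_IP_RE = re.compile(r'^Local IP (?P<ip>\S+) unavailable\.?$')
IKE_INIT_FAILED = "IKE SA negotiation could not be initiated"


def parse_line(raw):
    """Return a dict with ts, host, sd (key/value pairs) and msg, or None if not an NSX VPN line."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
    except ValueError:
        return None
    return {
        "ts": ts,
        "host": m.group("host"),
        "sd": dict(SD_RE.findall(m.group("sd"))),
        "msg": m.group("msg"),
    }


def correlate(text, window_seconds=5):
    """Find Local-IP-unavailable events and mark those followed by an IKE initiation failure.

    One event is emitted per "Local IP X unavailable" line from the IKE daemon. If the same
    edge node then logs "IKE SA negotiation could not be initiated" within window_seconds,
    the event's ike_init_failed flag is set, which is the pattern this article describes.
    """
    events = []
    latest_loss_by_host = {}  # host -> index of its most recent loss event
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["sd"].get("subcomp") != "iked":
            continue
        loss = LOCAL_IP_RE.match(rec["msg"])
        if loss:
            events.append({
                "host": rec["host"],
                "local_ip": loss.group("ip"),
                "at": rec["ts"],
                "ike_init_failed": False,
            })
            latest_loss_by_host[rec["host"]] = len(events) - 1
            continue
        if IKE_INIT_FAILED in rec["msg"]:
            idx = latest_loss_by_host.get(rec["host"])
            if idx is not None and rec["ts"] - events[idx]["at"] <= timedelta(seconds=window_seconds):
                events[idx]["ike_init_failed"] = True
    return events


if __name__ == "__main__":
    for ev in correlate(SAMPLE_SYSLOG):
        state = "confirmed (IKE initiation failed)" if ev["ike_init_failed"] else "unconfirmed"
        print(f'{ev["at"].isoformat()} {ev["host"]} local endpoint {ev["local_ip"]} unavailable: {state}')
```

Run it against an exported edge syslog instead of `SAMPLE_SYSLOG` to list which Local Endpoint IPs became unavailable and on which node; a confirmed event that appears right after a new Local Endpoint was added to the same IPSec VPN Service matches the behaviour described in this article, whereas an unconfirmed one may have a different cause (for example an uplink interface change) and should be checked separately.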

Environment

VMware NSX 4.x and VMware NSX 9.x

Cause

Regarding the Route Based VPN Disconnect

This issue occurs due to incorrect software handling by the system when an HA VIP is used for RBVPN:

  1. When the RBVPN session is established, the system incorrectly moves the HA VIP from the uplink interface to the loopback interface.

  2. The session remains up initially.

  3. However, when a new IPSec Local Endpoint is created on the same IPSec Service, the system attempts to validate endpoints and removes the HA VIP from the loopback interface.

  4. Consequently, the HA VIP becomes unavailable on both the uplink and the loopback, causing the session to terminate.

Resolution

Affected Versions

  • < 9.1, < 4.2.4 and 3.x

Resolution

This issue is resolved in the following software versions:

Version Branch    Fixed Version
4.x               4.2.4
9.x               9.1.1, 9.2

Workaround

You can restore connectivity using the following steps:

  1. Identify the affected IPSec VPN session.

  2. Change the Admin Status from UP to DOWN.

  3. Change the Admin Status back to UP.

  4. The session should re-negotiate and establish connectivity.

Note: This workaround restores service but does not prevent the issue from recurring if another Local Endpoint is added subsequently.

Additional Information

HA Synchronization Support

Note that while the Resolution above addresses the disconnection bug for RBVPN, the architectural limitation regarding HA Synchronization remains for both Policy Based (PBVPN) and Route Based (RBVPN) sessions using HA VIPs.

  • Sessions using the HA VIP as the Local Endpoint do sync state between the Active and Standby edges, but upon failover the session import fails due to a limitation regarding uplink interface IP learning in VPN.

  • As a result, in the event of an Edge failover, traffic is interrupted until the session is successfully re-negotiated on the new Active node.