Incomplete IPSec VPN Configuration downloaded from NSX
Article ID: 429872

Products

VMware NSX

Issue/Introduction

  • When downloading the IPSec Session peer configuration from the NSX Manager UI or API, for either Policy-based or Route-based sessions, the generated configuration is incomplete
  • The output file contains only the header comment lines, for example:
    # Suggestive peer configuration for Policy IPSec Vpn Session
    #
    # IPSec VPN session path          : /infra/tier-1s/<tier-1 name>/ipsec-vpn-services/VPN-1/sessions/<session name>
    # IPSec VPN session name          : <session name>
    # IPSec VPN session description   : 
    # Tier 1 path                     : /infra/tier-1s/<tier-1 name>

  • Log lines similar to the below are encountered on the NSX Manager in /var/log/proton/nsxapi.log
    <TIME> ERROR http-nio-127.0.0.1-7440-exec-31 PolicyRuntimeWorkflow 80048 POLICY [nsx@6876 comp="nsx-manager" errorCode="PM500016" level="ERROR" reqId="######-###-####-####-#######" subcomp="manager" username="admin"] REST API /api/v1/vpn/ipsec/sessions/#####-####-####-####-#########/peer-config failed with message 500 : "{<EOL>    "module_name" : "common-services",<EOL>    "error_message" : "General error has occurred.",<EOL>    "details" : "Cannot invoke \"Object.toString()\" because the return value of \"com.vmware.nsx.management.vpn.ipsec.model.IPSecVpnIkeProfileConfig.getDigestAlgorithms()\" is null",<EOL>    "error_code" : 100<EOL>}<EOL>" and error {}
    org.springframework.web.client.HttpServerErrorException$InternalServerError: 500 : "{<EOL>    "module_name" : "common-services",<EOL>    "error_message" : "General error has occurred.",<EOL>    "details" : "Cannot invoke \"Object.toString()\" because the return value of \"com.vmware.nsx.management.vpn.ipsec.model.IPSecVpnIkeProfileConfig.getDigestAlgorithms()\" is null",<EOL>    "error_code" : 100<EOL>}<EOL>"

Environment

VMware NSX-T Data Center 3.x
VMware NSX 4.x
VMware NSX 9.x

Cause

This issue occurs when the IPSec Session is configured with an IKE Profile whose encryption algorithm is an AEAD cipher such as AES-GCM and no Digest Algorithm is configured. The peer-configuration generator calls getDigestAlgorithms() on the IKE Profile and converts the result to a string without checking for null, so the request fails with HTTP 500 (the "Cannot invoke Object.toString() ... getDigestAlgorithms() is null" detail in nsxapi.log) after only the header comments have been written to the file.
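As an added illustration (not code from this article or from VMware), the following Python audits IKE profile objects for the empty-digest condition that triggers this error and picks the matching failures out of nsxapi.log lines. The profile field names encryption_algorithms and digest_algorithms are assumed to match the NSX IKE profile objects; the profile ids, cipher values, session UUIDs and log lines are constructed for the example. In a live environment the profiles would come from the NSX IKE profile API and the log lines from /var/log/proton/nsxapi.log.

```python
import re

# Constructed sample IKE profiles (not from the article). Field names are
# assumed to follow the NSX IKE profile objects; ids and values are made up.
SAMPLE_IKE_PROFILES = [
    {"id": "ike-gcm-no-digest", "display_name": "IKE AES-GCM",
     "encryption_algorithms": ["AES_GCM_256"], "digest_algorithms": []},
    {"id": "ike-gcm-key-absent", "display_name": "IKE AES-GCM (no digest key)",
     "encryption_algorithms": ["AES_GCM_128"]},
    {"id": "ike-cbc-sha256", "display_name": "IKE AES-CBC + SHA-256",
     "encryption_algorithms": ["AES_256"], "digest_algorithms": ["SHA2_256"]},
]


def profiles_without_digest(profiles):
    """Return (id, encryption_algorithms) for every IKE profile whose
    digest_algorithms is missing, None or empty: exactly the profiles whose
    peer-config export hits the null getDigestAlgorithms() dereference."""
    return [
        (p["id"], list(p.get("encryption_algorithms", [])))
        for p in profiles
        if not p.get("digest_algorithms")
    ]


# Constructed log lines modelled on the nsxapi.log excerpt in this article;
# timestamps, request ids and session UUIDs are placeholders.
SAMPLE_LOG_LINES = [
    '2024-01-01T00:00:00.000Z ERROR http-nio-127.0.0.1-7440-exec-31 PolicyRuntimeWorkflow 80048 '
    'POLICY [nsx@6876 comp="nsx-manager" errorCode="PM500016" level="ERROR" '
    'reqId="00000000-0000-0000-0000-000000000001" subcomp="manager" username="admin"] '
    'REST API /api/v1/vpn/ipsec/sessions/11111111-2222-3333-4444-555555555555/peer-config '
    'failed with message 500 : "{<EOL>    "module_name" : "common-services",<EOL>    '
    '"error_message" : "General error has occurred.",<EOL>    "details" : "Cannot invoke '
    '\\"Object.toString()\\" because the return value of '
    '\\"com.vmware.nsx.management.vpn.ipsec.model.IPSecVpnIkeProfileConfig.getDigestAlgorithms()\\" '
    'is null",<EOL>    "error_code" : 100<EOL>}<EOL>" and error {}',
    # Constructed negative case: a peer-config export that failed for some
    # other reason must not be reported as this issue.
    '2024-01-01T00:00:05.000Z ERROR http-nio-127.0.0.1-7440-exec-32 PolicyRuntimeWorkflow 80048 '
    'POLICY [nsx@6876 comp="nsx-manager" errorCode="PM500016" level="ERROR" '
    'reqId="00000000-0000-0000-0000-000000000002" subcomp="manager" username="admin"] '
    'REST API /api/v1/vpn/ipsec/sessions/66666666-7777-8888-9999-000000000000/peer-config '
    'failed with message 500 : "{<EOL>    "details" : "some other failure"<EOL>}<EOL>" and error {}',
]

# The REST path and the null-digest detail both appear in the article's log excerpt.
PEER_CONFIG_FAILURE_RE = re.compile(
    r"REST API /api/v1/vpn/ipsec/sessions/(?P<session>[0-9a-fA-F-]+)/peer-config failed"
)
NULL_DIGEST_MARKER = "IPSecVpnIkeProfileConfig.getDigestAlgorithms()"


def sessions_with_null_digest_failure(log_lines):
    """Return, in order of first appearance, the session UUIDs whose peer-config
    download failed because the IKE profile's digest list was null. A line must
    carry both the peer-config REST path and the getDigestAlgorithms() null detail."""
    hits = []
    for line in log_lines:
        m = PEER_CONFIG_FAILURE_RE.search(line)
        if m and NULL_DIGEST_MARKER in line and "is null" in line:
            session = m.group("session")
            if session not in hits:
                hits.append(session)
    return hits


if __name__ == "__main__":
    for pid, encs in profiles_without_digest(SAMPLE_IKE_PROFILES):
        print(f"IKE profile {pid} ({', '.join(encs)}) has no digest algorithm: "
              "peer-config export will fail")
    for session in sessions_with_null_digest_failure(SAMPLE_LOG_LINES):
        print(f"session {session}: peer-config download failed on a null digest list; "
              "retrieve it from the Edge CLI or attach an IKE profile with a digest")
```

The profile check reports any IKE profile with an empty or absent digest list rather than only AES-GCM ones, because the null dereference in the log does not depend on which cipher is configured; the cipher is printed alongside so the reader can see which entries are the AEAD case the article describes.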

Resolution

This is a known issue impacting VMware NSX.

Workaround:
Retrieve the configuration from the Edge CLI instead of the NSX Manager UI or API:
1. SSH into the NSX Edge node hosting the active VPN service.
2. List the sessions and note the UUID of the affected session: get ipsecvpn session
3. Retrieve the configuration for that session: get ipsecvpn config session <Session UUID>

or

Use an IKE Profile with a Digest Algorithm set for the IPSec Session, then download the peer configuration again. Changing the IKE Profile changes the IKE proposal offered to the remote peer, so the peer's configuration must be updated to match before the tunnel will re-establish.