Invalid IP range format error when creating a VPN endpoint using certificates.


Article ID: 431853


Updated On:

Products

VMware NSX

Issue/Introduction

  • Local endpoints are being modified or created to include a site certificate that uses a multi-hyphenated FQDN in the CN or SAN field.
    • The vpn-test.com certificate can be applied to the endpoint, and the GUI shows it as successfully realised.
    • The vpn-test-2.com certificate does not work.

  • VPN Local Endpoint status remains in a "Failed" or "Error" state during realization.
  • The following error message appears in the NSX UI (when clicking the failed state) or in the API response: Invalid IP range format. IP range string provided [FQDN-With-Double-Hyphen]

  • Log lines similar to the following appear on the NSX Manager in /var/log/syslog.

9824:2026-02-23T14:00:02.795Z <Manager Name> NSX 124518 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] IPSecVpnLocalEndpoint /infra/tier-1s/<Tier1>/ipsec-vpn-services/<IPsec VPN Name>/local-endpoints/<Endpoint Name> Realization failed Error com.vmware.nsx.management.common.ip.utils.InvalidIPRangeFormatException: Invalid IP range format. IP range string provided <FQDN involved in Cert>

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

 VMware NSX

Cause

This issue is due to a defect in the product code where the validation engine incorrectly identifies FQDNs with multiple hyphens as malformed IP ranges.
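
To confirm which local endpoints hit this defect, the following added example (not VMware or Broadcom code) extracts the endpoint policy path and the rejected string from syslog lines of the form quoted above, and pre-checks certificate CN/SAN names. The hyphen threshold is an assumption taken from the two certificates named in this article, and the hostname and object IDs in the sample lines are constructed.

```python
import re

# Matches the realization-failure message quoted in this article. search() is
# used, so a leading "NNNN:" from grep -n does not matter; the square brackets
# shown in the UI/API form of the message are stripped.
FAILURE_RE = re.compile(
    r"IPSecVpnLocalEndpoint\s+(?P<path>/infra/\S+/local-endpoints/\S+)\s+"
    r"Realization failed\b.*?InvalidIPRangeFormatException:\s+"
    r"Invalid IP range format\.\s+IP range string provided\s+"
    r"\[?(?P<value>[^\s\]]+)"
)

# Assumption from the article's two examples: one hyphen (vpn-test.com) is
# accepted, two (vpn-test-2.com) is rejected. The product's exact rule is not
# documented on the page.
MAX_SAFE_HYPHENS = 1


def names_at_risk(names):
    """Return certificate CN/SAN names with more hyphens than the working case."""
    return [n for n in names if n.count("-") > MAX_SAFE_HYPHENS]


def find_failures(lines):
    """Return endpoint policy path and rejected string for each matching line."""
    hits = []
    for line in lines:
        m = FAILURE_RE.search(line)
        if m:
            value = m.group("value")
            hits.append({"path": m.group("path"), "value": value,
                         "multi_hyphen": bool(names_at_risk([value]))})
    return hits


# Constructed sample lines: hostname and all object IDs are made up.
_HDR = ('NSX 124518 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" '
        'subcomp="manager"] ')
_EXC = "com.vmware.nsx.management.common.ip.utils.InvalidIPRangeFormatException"
SAMPLE = [
    "9824:2026-02-23T14:00:02.795Z nsxmgr-example " + _HDR +
    "IPSecVpnLocalEndpoint /infra/tier-1s/t1-example/ipsec-vpn-services/"
    "vpn-svc-example/local-endpoints/le-example Realization failed Error "
    + _EXC + ": Invalid IP range format. IP range string provided vpn-test-2.com",
    "2026-02-23T14:00:03.101Z nsxmgr-example " + _HDR + "Unrelated constructed line",
]

if __name__ == "__main__":
    for hit in find_failures(SAMPLE):
        print(hit)
```
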

Resolution

This is a known issue impacting VMware NSX.

Additional Information

Add Local Endpoints - TechDocs

Subscribe to this knowledge article to get updates on this issue.