Invalid IP range format error when creating a VPN endpoint using certificates.



Article ID: 431853


Products

VMware NSX

Issue/Introduction

  • Local endpoints are created or modified to use a site certificate whose CN or SAN field contains an FQDN with multiple hyphens.
    • A certificate for vpn-test.com can be applied to the endpoint, and the GUI shows it as successfully realized.
    • A certificate for vpn-test-2.com does not work.

  • VPN Local Endpoint status remains in a "Failed" or "Error" state during realization.
  • The following error message appears in the NSX UI (when clicking the failed state) or in the API response: Invalid IP range format. IP range string provided [FQDN-With-Double-Hyphen]

  • Log lines similar to the following appear on the NSX Manager in /var/log/syslog.

2026-02-23T14:00:02.795Z <Manager Name> NSX 124518 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] IPSecVpnLocalEndpoint /infra/tier-1s/<Tier1>/ipsec-vpn-services/<IPsec VPN Name>/local-endpoints/<Endpoint Name> Realization failed Error com.vmware.nsx.management.common.ip.utils.InvalidIPRangeFormatException: Invalid IP range format. IP range string provided <FQDN involved in Cert>

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
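
To find affected endpoints in a collected syslog, the following added example (not Broadcom code) parses lines in the format shown above and flags rejected values that look like FQDNs with two or more hyphens. The hostname, endpoint paths and sample lines are constructed, and reading "multiple hyphens" as two or more hyphen characters is an assumption based on the vpn-test-2.com case.

```python
import re
from collections import defaultdict

# Line format taken from the syslog excerpt in this article.
FAILURE_RE = re.compile(
    r"^(?P<ts>\S+)\s.*?IPSecVpnLocalEndpoint\s+"
    r"(?P<path>/infra/\S+/local-endpoints/\S+)\s+Realization failed\b.*?"
    r"InvalidIPRangeFormatException:\s+Invalid IP range format\. "
    r"IP range string provided\s+(?P<value>.+?)\s*$"
)
# Dotted hostname with an alphabetic TLD; an optional leading "*." is allowed.
HOSTNAME_RE = re.compile(
    r"^(\*\.)?([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$"
)

def looks_like_multi_hyphen_fqdn(value):
    # Assumption: "multiple hyphens" means two or more '-' characters,
    # as in vpn-test-2.com (fails) versus vpn-test.com (works).
    return bool(HOSTNAME_RE.match(value)) and value.count("-") >= 2

def find_realization_failures(lines):
    """Map endpoint path -> [(timestamp, rejected value, matches this KB)]."""
    hits = defaultdict(list)
    for line in lines:
        m = FAILURE_RE.match(line.strip())
        if m:
            # The UI/API message on this page shows the value inside [].
            value = m.group("value").strip("[]")
            hits[m.group("path")].append(
                (m.group("ts"), value, looks_like_multi_hyphen_fqdn(value))
            )
    return dict(hits)

# Constructed sample lines (hostname, paths and values are made up).
_PFX = ('nsxmgr-01 NSX 124518 POLICY [nsx@6876 comp="nsx-manager" '
        'level="WARNING" subcomp="manager"] IPSecVpnLocalEndpoint '
        '/infra/tier-1s/t1-gw/ipsec-vpn-services/vpn-svc/local-endpoints/')
_ERR = (" Realization failed Error com.vmware.nsx.management.common.ip.utils."
        "InvalidIPRangeFormatException: Invalid IP range format. "
        "IP range string provided ")
SAMPLE_LOG = [
    "2026-02-23T14:00:02.795Z " + _PFX + "le-01" + _ERR + "vpn-test-2.com",
    "2026-02-23T14:00:03.101Z nsxmgr-01 NSX 124518 POLICY [nsx@6876] unrelated",
    "2026-02-23T14:05:10.000Z " + _PFX + "le-02" + _ERR + "10.0.0.5-10.0.0-9",
]

if __name__ == "__main__":
    for path, events in find_realization_failures(SAMPLE_LOG).items():
        for ts, value, kb_match in events:
            print(ts, path, value, "matches this KB" if kb_match else "review")
```

Entries flagged "review" are realization failures with the same exception whose rejected value is not a multi-hyphen hostname, so they need separate investigation.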

Environment

VMware NSX

Cause

This issue is due to a defect in the product code where the validation engine incorrectly identifies FQDNs with multiple hyphens as malformed IP ranges.

Resolution

This issue is resolved in VMware NSX 4.2.4, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.


Workaround

Use an alternative FQDN/Certificate that does not use multiple hyphens.

Additional Information

Add Local Endpoints - TechDocs
