NSX IPSec VPN Tunnel Down with Error "TS unacceptable" and Phase 2 Negotiation Failure



Article ID: 432000


Products

VMware NSX

Issue/Introduction

  • In a VMware NSX environment, an IPSec VPN session fails to establish. While IKE Phase 1 may show as Up or Negotiating, Phase 2 (IPSec SA) fails to complete.
  • VPN Status: Down or Negotiating.

  • CLI output from 'get ipsecvpn session summary' may show the status as Negotiating with a "Peer not responding" or "TS unacceptable" reason.

  • The log entry in iked.log on the NSX Edge shows the error as:

    • VPN [nsx@<ID> comp="nsx-edge" subcomp="iked" s2comp="iked-main" level="INFO"] Request for IPSEC tunnel status update : ... status: IPSEC_STATUS_DOWN, error: TS unacceptable

Environment

VMware NSX

Cause

The "TS unacceptable" (Traffic Selector unacceptable) error occurs during Phase 2 negotiation when there is a mismatch between the Local Subnets and Peer Subnets configured on the two VPN endpoints.

In Policy-Based VPNs, the Traffic Selectors must be exact mirror images:

  • Site A Local Subnets must match Site B Peer Subnets.

  • Site A Peer Subnets must match Site B Local Subnets.

Discrepancies in subnet masks (e.g., <IP>/24 vs <IP>/32), overlapping ranges, or transposed IP addresses will cause the peer to reject the security association request.

Resolution

To resolve this issue, ensure the Traffic Selectors are perfectly mirrored on both NSX Edge nodes or between the NSX Edge and the remote site.

  1. Identify the configured subnets on Site A:

    • Navigate to Networking > VPN > IPSec Sessions.

    • Select the failing session and note the Local Subnets and Peer Subnets.

  2. Identify the configured subnets on Site B:

    • Perform the same check on the remote peer.

  3. Verify the Mirror Image:

    • Ensure Site A's Local Subnet is identical to Site B's Peer Subnet.

    • Ensure Site A's Peer Subnet is identical to Site B's Local Subnet.

  4. Check for Mask Mismatches:

    • Confirm that if one side defines a host as <IP>/32, the other side does not define it as part of a larger network like <IP>/24.

  5. Update Configuration:

    • Edit the IPSec session on the side with the incorrect entry.

    • Save the configuration. The NSX Edge will automatically attempt to re-negotiate the tunnel.

  6. Verify Status:

    • Run get ipsecvpn session summary on the Edge CLI to confirm the status changes to Up.
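The mirror-image check in steps 3 and 4 can be automated before touching the session. The following script is an added example, not part of this KB or of NSX; it takes the Local/Peer Subnet lists noted from both sites (constructed sample values below) and reports mask mismatches, missing entries and transposed Local/Peer lists, the three discrepancies described under Cause.

```python
import ipaddress

def _nets(subnets):
    # Normalise strings such as "10.1.1.0/24" into network objects; strict=False
    # tolerates host bits, so "10.1.1.5/24" is treated as 10.1.1.0/24.
    return {ipaddress.ip_network(s, strict=False) for s in subnets}

def _diff(a_name, a_nets, b_name, b_nets):
    """Findings for one selector pair that must be identical on both ends."""
    findings = []
    for net in sorted(a_nets - b_nets, key=str):
        overlapping = sorted((t for t in b_nets if t.overlaps(net)), key=str)
        if overlapping:
            # Same address space but a different prefix length, e.g. /24 vs /32
            findings.append(f"mask mismatch: {a_name} {net} vs {b_name} "
                            + ", ".join(map(str, overlapping)))
        else:
            findings.append(f"missing: {a_name} {net} has no entry in {b_name}")
    for net in sorted(b_nets - a_nets, key=str):
        # Overlapping prefixes were already reported from the other direction
        if not any(t.overlaps(net) for t in a_nets):
            findings.append(f"missing: {b_name} {net} has no entry in {a_name}")
    return findings

def check_traffic_selectors(site_a_local, site_a_peer, site_b_local, site_b_peer):
    """Return a list of findings; an empty list means the selectors mirror exactly."""
    a_local, a_peer = _nets(site_a_local), _nets(site_a_peer)
    b_local, b_peer = _nets(site_b_local), _nets(site_b_peer)
    # Copy-paste error: Site B reuses Site A's Local/Peer lists without swapping them
    if a_local == b_local and a_peer == b_peer and a_local != a_peer:
        return ["transposed: Site B Local/Peer Subnets are identical to Site A's; swap them"]
    findings = _diff("Site A Local", a_local, "Site B Peer", b_peer)
    findings += _diff("Site A Peer", a_peer, "Site B Local", b_local)
    return findings

if __name__ == "__main__":
    # Constructed sample: Site B defines a /32 host where Site A expects the whole /24
    for finding in check_traffic_selectors(
            site_a_local=["10.1.1.0/24", "10.1.2.0/24"], site_a_peer=["192.168.50.0/24"],
            site_b_local=["192.168.50.0/24"], site_b_peer=["10.1.1.5/32", "10.1.2.0/24"]):
        print(finding)
```

Any finding printed points at the side whose IPSec session needs to be edited in step 5; an empty result means the Traffic Selectors themselves are not the cause and other down reasons should be checked.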

Additional Information

Refer to the KB below for other down reasons for IPSec sessions:

https://knowledge.broadcom.com/external/article/377752/troubleshooting-nsx-l2-vpn.html