Troubleshooting NSX IPSEC VPN
search cancel

Troubleshooting NSX IPSEC VPN

book

Article ID: 379731

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

When troubleshooting NSX IPSEC VPNs, a specific set of data must be gathered at the time of the event. This article details what documentation is required and how to gather it prior to opening a support request with Broadcom.

Environment

VMware NSX

Cause

When it comes to troubleshooting NSX IPSEC VPNs, there are several layers of troubleshooting involved. The purpose of this troubleshooting article is to list them so as to aid such troubleshooting.

Resolution

  • IPSEC VPN is supported on both Tier 0 and Tier 1 GWs. However, they must be active/standby HA mode for IPSEC VPN.
  • IPSec VPN is NOT supported when the local endpoint IP address goes through NAT in the same logical router that the IPSec VPN session is configured.
  • Verify network connectivity between local and remote IP's
  • At what Phase is it failing?
  • If failing at phase 1, check the IKE profiles config at both sides.
  • If failing at phase 2, check the IPSEC Profiles at both sides.
  • Is it Policy or Route Based VPN?

If Policy Based:

  • DNAT is not supported on tier-0 or tier-1 gateways where policy-based IPsec VPN are configured.
  • The local and peer networks provided in the session must be configured symmetrically at both endpoints.
  • Check the edge size and max number of tunnels supported.

If Route Based:

  • BGP Only.
  • Dynamic routing for VTI is not supported on VPN that is based on Tier-1 gateways.
  • Load balancer over IPSec VPN is not supported for route-based VPN terminated on Tier-1 gateways.
  • Verify IPSEC Tunnel status from the edge UI. If the status is DOWN, validate the local endpoint and the profiles.
    • Local endpoints: Validate local and remote peer IPs.
    • Profiles: Validate the configuration of the following profiles match at both sides:
    • IKE Profiles: Select the IKE version with encryption and the digest algorithm with the DiffieHellman Group.
    • IPSec Profiles: You can enable perfect forward secrecy with encryption and digest algorithm with the Diffie-Hellman Group select.
    • DPD Profiles: You can configure the Dead Peer Detection timer.
  • CLI Validation:

get ipsecvpn session summary : Obtain the session id and review quickly the status.

get ipsecvpn session sessionid <session_id>  : Review local and remote peers and the DOWN reason. 

get ipsecvpn ikesa <session_id> : Review the algorithms config / IPSEC Phase 1:ISAKMP

get ipsecvpn sad <policy_id> || get ipsecvpn sad <UUID>  : Review the SPIs.

get ipsecvpn ipsecsa : Review IPSEC Tunnel Phase 2

get ipsecvpn ipsecsa session-id <session_id>  : Review IPSEC SA info

get ipsecvpn tunnel stats  : Review IPSEC VPN statistics

get ipsecvpn config peer-endpoint  : Review IKE config

  • Logs

        Check Edge /var/log/syslog and search for IKE

In some cases it may be helpful to decrypt IPSEC VPN traffic via these steps: Decrypting IPSEC VPN traffic

Known issues : IPsec VPN does not get established with the error “Remote ID mismatch errorCode="EDG1000028

Additional Information

If you are contacting Broadcom support about this issue, please provide the following:

  • NSX Edge log bundles for all Edges in the Edge Cluster containing the T0 or T1 where the IPSEC VPN is configured

  • Ensure log date range covers the full date of the event(s) being investigated. When in doubt, retrieve logs for all time.

  • NSX Manager log bundles

  • ESXi host log bundles for all hosts where the affected Edge VMs are running

  • Text of any error messages seen in NSX GUI or command lines pertinent to the investigation

  • The configuration and logs from the device on the other end of the IPSEC VPN

Powered by Wolken Software