When an IPSec VPN tunnel becomes unstable, start basic troubleshooting by gathering the NSX Data Center for vSphere product logs. You can then set up packet capture sessions on the data path and run NSX Edge CLI commands to determine the cause of the tunnel instability.
Use the following procedure to troubleshoot the causes of IPSec VPN tunnel instability.
Prerequisites
Before setting up packet capture sessions on the data path, ensure that the following requirements are met:
- Packets can be sent and received on UDP port 500 (IKE) and UDP port 4500 (NAT traversal, used when a NAT device sits between the peers).
- Firewall rules permit data traffic through UDP ports 500 and 4500 in both directions.
- Firewall rules permit Encapsulating Security Payload (ESP) packets, that is, IP protocol 50, which is distinct from any TCP or UDP port.
- Local subnet routing over the IPSec interface is correctly configured.
- The MTU is configured so that packets crossing the tunnel are not fragmented. Check for fragmentation issues by sending a small ping payload and then a larger ping payload (with the Don't Fragment bit set) to the IP address at the far end of the tunnel. If the small ping succeeds but the larger one fails, an MTU mismatch along the tunnel path is the likely cause.
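The MTU check above can be turned into a repeatable sweep rather than two manual pings. The following is an added example, not code from the NSX documentation or from VMware: it binary-searches the largest Don't-Fragment ping that gets through to the tunnel peer and estimates how large a clear-text packet can be before ESP tunnel-mode encapsulation pushes it over the outer path MTU. It assumes a Linux host on the local subnet with iputils `ping` (`-M do` sets the DF bit), a peer address supplied on the command line, and, for the overhead estimate, AES-CBC with a 16-byte IV and HMAC-SHA1-96 in tunnel mode; adjust the constants for other cipher suites. The simulated link used for offline testing is constructed for this example.

```python
"""Path-MTU sweep across an IPsec tunnel using DF-bit pings (added example).

Assumptions: Linux iputils ping ("-M do" sets DF), IPv4, and ESP tunnel mode
with AES-CBC (16-byte IV/block) and HMAC-SHA1-96 (12-byte ICV).
"""
import subprocess
import sys
from typing import Callable

IP_HEADER = 20        # IPv4 header without options
ICMP_HEADER = 8       # ICMP echo header

# Assumed ESP tunnel-mode overhead: outer IPv4 + ESP header + IV + ICV.
# The 2-byte pad-length/next-header trailer and CBC padding are handled
# separately because they depend on the inner packet length.
ESP_FIXED_OVERHEAD = 20 + 8 + 16 + 12
ESP_BLOCK = 16
ESP_TRAILER = 2


def payload_for_mtu(mtu: int) -> int:
    """Largest ICMP echo payload that fits in one unfragmented IPv4 packet."""
    return mtu - IP_HEADER - ICMP_HEADER


def ping_df(peer: str, payload: int, timeout: int = 2) -> bool:
    """Send one echo request with DF set; True if a reply came back."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout),
           "-s", str(payload), peer]
    proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def find_path_mtu(probe: Callable[[int], bool],
                  lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest MTU for which a DF-bit ping succeeds.

    probe(payload) sends one DF ping carrying that many payload bytes and
    returns True on reply. lo (the IPv4 minimum) is expected to pass; if it
    fails the function returns 0, which means the problem is reachability or
    filtering, not MTU.
    """
    if not probe(payload_for_mtu(lo)):
        return 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(payload_for_mtu(mid)):
            lo = mid          # this size got through, look higher
        else:
            hi = mid - 1      # dropped, look lower
    return lo


def max_inner_packet(outer_mtu: int) -> int:
    """Largest clear-text IPv4 packet that fits in one ESP tunnel-mode packet.

    The encrypted region (inner packet + padding + 2-byte trailer) must be a
    multiple of the cipher block size, so round the available space down.
    """
    encrypted_cap = outer_mtu - ESP_FIXED_OVERHEAD
    encrypted_max = (encrypted_cap // ESP_BLOCK) * ESP_BLOCK
    return encrypted_max - ESP_TRAILER


def simulated_link(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping_df: drops DF packets larger than path_mtu."""
    return lambda payload: payload + IP_HEADER + ICMP_HEADER <= path_mtu


def report(path_mtu: int, interface_mtu: int = 1500) -> str:
    """Human-readable verdict comparing the measured path MTU with the interface MTU."""
    if path_mtu == 0:
        return "even a 576-byte DF ping fails: check reachability, UDP 500/4500 and ESP filtering"
    if path_mtu >= interface_mtu:
        return f"path MTU {path_mtu} >= interface MTU {interface_mtu}: no fragmentation expected"
    return (f"path MTU {path_mtu} < interface MTU {interface_mtu}: packets are being "
            f"fragmented or dropped; inner MTU should not exceed {path_mtu}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: mtu_sweep.py <peer-ip-at-far-end-of-tunnel>")
    peer = sys.argv[1]
    measured = find_path_mtu(lambda size: ping_df(peer, size))
    print(report(measured))
    print(f"largest clear-text packet for a 1500-byte outer MTU: {max_inner_packet(1500)}")
```

Run it from a host on the local subnet with the far-end tunnel IP as the argument. A measured path MTU that comes back well below 1500 while the interface MTU is 1500 is the fragmentation signature the prerequisite list warns about; `max_inner_packet` shows why a full-size clear packet cannot survive ESP encapsulation unchanged, which is the usual reason to lower the MTU (or TCP MSS) on the inner interface.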