You can troubleshoot IPSec VPN tunnel connectivity issues by running IPSec configuration commands from the NSX Edge CLI. You can also use the vSphere Web Client and the NSX Data Center for vSphere REST APIs to determine the causes of tunnel failure and view the tunnel failure messages.
Use the following procedure to troubleshoot the tunnel creation and connectivity issues.
Procedure
- Gather the support logs from both the sites.
- To collect diagnostic information for NSX Data Center for vSphere, see the VMware knowledge base article http://kb.vmware.com/kb/2074678.
- To collect diagnostic information for NSX Edge, see the VMware knowledge base article http://kb.vmware.com/kb/2079380.
Important: Due to limited disk space on the NSX Edge appliance, you must redirect logs to a Syslog server. For more information, see the "Configure Remote Syslog Servers" section in the NSX Data Center for vSphere Administration Guide. - Gather logs from the third-party VPN solutions.
- Check the IPSec configuration on both sides of the edge by running the following command on the NSX Edge CLI:
show config ipsecTip:
You might find it easier to review and capture the output of the NSX Edge commands by using SSH. For more information about enabling SSH on the NSX Edge, see the "Logging In and Out of the CLI" topic in the NSX Command Line Interface Reference Guide.
- On the NSX Edge, record the real-time status when the issue is occurring. Run the following commands and records the results.
Command Purpose show service ipsec Check the status of IPSec VPN service. show service ipsec sp Check the status of Security Policy. show service ipsec sa Check the status of Security Association (SA). - While the issue is still occurring, capture the IPSec-related logs and output on the third-party VPN solution.
- Review the IPSec-related logs and output for determining issues. Verify that the IPSec VPN service is running, security polices are created, and security associations between the devices are configured.
Common issues that you can spot from the logs are as follows:
- Invalid ID: INVALID_ID_INFORMATION or PAYLOAD_MALFORMED
- No trusted CA: INVALID_KEY_INFORMATION or a more specific error. For example, no RSA public key known for 'C=CN, ST=BJ, O=VMWare, OU=CINS, CN=left‘, or PAYLOAD_MALFORMED.
- Proposed proxy-id is not found: INVALID_ID_INFORMATION or PAYLOAD_MALFORMED.
- DPD no response from peer. For example, DPD: No response from peer - declaring peer dead.
- Check the tunnel failure message either in the vSphere Web Client, or the NSX Edge CLI , or by running the NSX Data Center for vSphere REST APIs.
For example, to view the failure message in the vSphere Web Client, double-click the NSX Edge, navigate to the IPSec VPN page, and do these steps:
- Click Show IPSec Statistics.
- Select the IPSec channel that is down.
- For the selected channel, select the tunnel that is down (disabled), and view the details of the tunnel failure.
- In NSX 6.4.6 and later, click Disabled in the Tunnel State column.
- In NSX 6.4.5 and earlier, click View Details in the Tunnel State column.
The following table lists the possible causes for the IPSec tunnel connectivity issues, and the failure message that is associated with each of them.
Causes Failure message IKEv1 peer is not reachable. Version-IKEv1 Retransmitting IKE Message as no response from Peer. Mismatch in IKEv1 Phase 1 proposal. Version-IKEv1 No Proposal Chosen. Check configured Encryption/Authentication/DH/IKE-Version. Mismatch in any one of the following: - IKEv1 PSK
- IKEv1 ID
- IKEv1 certificate
Version-IKEv1 Authentication Failed. Check the configured secret or local/peer ID configuration. Mismatch in IKEv1 Phase 2 proposal. IPSec-SA Proposals or Traffic Selectors did not match. IKEv2 peer is not reachable. Version-IKEv2 Retransmitting IKE Message as no response from Peer. Mismatch in IKEv2 IKE SA proposal. Version-IKEv2 No Proposal Chosen. Check configured Encrypt/Authentication/DH/IKEversion. Mismatch in IKEv2 IPSec SA proposal. IPSec-SA Proposals or Traffic Selectors did not match. Mismatch in IKEv2 IPSec SA traffic selectors. Traffic selectors did not match. Check left/right subnet configuration. Mismatch in any one of the following: - IKEv2 PSK
- IKEv2 ID
- IKEv2 certificate
Version-IKEv2 Authentication Failed. Check the configured secret or local/peer ID configuration. - Set up packet capture on the NSX Edge for IKE packets, or ESP packets, or both.
See the following figure. Determine at which point the packet transfer failed or got dropped:
- Set up packet capture at points 1 and 2.
- Ping from VM 1 to host 2.
- Ping from host 2 to VM 1.
See the "Packet Capture for a Successful Negotiation" topic in the NSX Troubleshooting Guide for a working example of a packet capture session between an NSX Edge and a Cisco device.
- Review all the data and analyze them. The packet capture data helps you to determine where the problem exists.
For example, you can determine following problems:
- IKEv1 channel and tunnel errors.
- IKEv2 channel and tunnel errors.
- Data path errors.
- IPSec VPN tunnel-down error.
- The direction in which the IPSec VPN tunnel is down.