When an IPsec VPN session or tunnel is down, an alarm is raised and the reason for the Down alarm is displayed on the Alarms dashboard or the VPN page on the NSX Manager user interface.
Solution
Use the following tables to locate the Reason message that you see on the NSX Manager user interface and review the possible cause for the Down alarm. To resolve the alarm, perform the necessary actions listed for the specific Reason message and possible cause for the Down alarm.
| Reason for the IPsec VPN Session Down Alarm | Possible Cause | Necessary Actions to Resolve the Alarm Message |
|---|---|---|
| Authentication failed | The IKE SA establishment between the VPN gateways failed because authentication failed. Authentication of the IKE SA depends on the pre-shared key, Local ID, and Remote ID values. | |
| No proposal chosen | The IKE transform configuration is inconsistent between the local and peer configurations. | Ensure that the following properties are configured the same for both gateways. |
| Peer sent delete | The peer gateway initiated the teardown: a DELETE payload was received for the IKE SA. | To determine why the peer gateway sent a DELETE payload, examine the syslogs on the NSX Edge and on the peer gateway. |
| Peer not responding | The IKE SA negotiation timed out. | |
| Invalid syntax | | To debug the invalid syntax, analyze the edge syslogs. |
| Invalid spi | An invalid SPI value was received in the IKE payload. | To debug the invalid SPI value, analyze the edge syslogs. |
| Configuration failed | Realization of the session configuration failed on the NSX Edge because a configuration constraint or criterion was not met. The reason is listed in the session dump under Session_Config_Fail_Reason. | Resolve the error using the reason displayed in the session dump under Session_Config_Fail_Reason. |
| Negotiation not started | The IKE SA negotiation has not started. | |
| IPsec service not enabled | The VPN service used by the session is not active. | Check whether the Admin Status in the IPsec VPN service configuration is disabled. |
| Session not enabled | The administrator has not enabled the session. | Enable the session to resolve this error. |
| SR state is not Active | The SR is in the standby state. | Verify the VPN session status on the NSX Edge node where the HA peer SR is in the Active state. |
| Reason for the IPsec VPN Tunnel Down Alarm | Possible Cause | Necessary Actions to Resolve the Alarm Message |
|---|---|---|
| Peer sent delete | The peer gateway sent a DELETE payload for the IPsec SA. | To understand why the peer gateway sent a DELETE payload, check the syslogs on the NSX Edge and on the peer gateway. |
| No proposal chosen | The ESP transform configuration is inconsistent between the local and peer gateway configurations. | Ensure that the following properties are configured the same for both gateways. |
| TS unacceptable | The IPsec SA setup failed because the policy rule definitions for the tunnel configuration do not match between the gateways. | Check the local and remote network configuration on both gateways. |
| IKE SA down | The IKE SA session is down. | First, check the session down reason in the edge syslogs. Refer to the Necessary Actions column in the previous table to resolve the session down errors, and then check whether the tunnel down reason persists. |
| Invalid syntax | | To debug the invalid syntax, analyze the edge syslogs. |
| Invalid spi | An invalid SPI value was received in the ESP payload. | To debug the invalid SPI value, analyze the edge syslogs. |
| No IKE peers | All IKE peers are dead. No peer gateways remain with which to try to establish a connection. | |
| IPsec negotiation not started | The IPsec SA negotiation has not started. | The IKE SA is not up yet. Check the session down reason in the edge syslogs and resolve the errors. |
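Several rows in both tables (Authentication failed, No proposal chosen, TS unacceptable) come down to one rule: the two gateways must mirror each other. The pre-shared key must be identical, each side's Local ID must equal the other side's Remote ID, the IKE and ESP proposals must share at least one algorithm in every category, and the protected networks must be swapped. The following script is an added example, not part of the NSX documentation or product, that applies those checks to two configuration records before a session is brought up and names the Down-alarm reason each mismatch would produce. The record layout (`Gateway`, `Proposal`, and their field names) and the algorithm labels are assumptions of this example, not NSX API properties, and the two configurations are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Proposal:
    # Algorithm sets one side offers. Negotiation succeeds only if both sides
    # share at least one value in every category, so the check is an intersection.
    encryption: frozenset
    integrity: frozenset
    dh_groups: frozenset


@dataclass
class Gateway:
    # Assumed, simplified record of one gateway's VPN configuration.
    name: str
    psk: str                  # pre-shared key
    local_id: str             # identity this gateway presents
    remote_id: str            # identity it expects from the peer
    ike_version: str
    ike: Proposal             # IKE SA proposal (session level)
    esp: Proposal             # IPsec/ESP SA proposal (tunnel level)
    local_networks: frozenset  # networks behind this gateway
    remote_networks: frozenset  # networks it expects behind the peer


def proposal_mismatches(kind, mine, theirs):
    """Return 'No proposal chosen' findings for one proposal pair."""
    out = []
    for attr in ("encryption", "integrity", "dh_groups"):
        a, b = getattr(mine, attr), getattr(theirs, attr)
        if not a & b:
            out.append(f"No proposal chosen ({kind}): no common {attr} "
                       f"local={sorted(a)} peer={sorted(b)}")
    return out


def diagnose(local, peer):
    """Predict the Down-alarm reasons the two configurations would produce."""
    reasons = []
    if local.psk != peer.psk:
        reasons.append("Authentication failed: pre-shared keys differ")
    # Identities must be mirrored: my Local ID is the peer's Remote ID.
    if local.local_id != peer.remote_id or peer.local_id != local.remote_id:
        reasons.append("Authentication failed: Local ID / Remote ID not mirrored "
                       f"({local.local_id}/{local.remote_id} vs "
                       f"{peer.local_id}/{peer.remote_id})")
    if local.ike_version != peer.ike_version:
        reasons.append("No proposal chosen (IKE SA): IKE version "
                       f"{local.ike_version} vs {peer.ike_version}")
    reasons += proposal_mismatches("IKE SA", local.ike, peer.ike)
    reasons += proposal_mismatches("IPsec SA", local.esp, peer.esp)
    # Traffic selectors must also be mirrored; any asymmetry is flagged here
    # as the first thing to check for a 'TS unacceptable' tunnel alarm.
    if (local.local_networks != peer.remote_networks
            or local.remote_networks != peer.local_networks):
        reasons.append("TS unacceptable: local/remote networks not mirrored")
    return reasons


# Constructed sample configurations (documentation addresses, not real gateways).
LOCAL = Gateway(
    name="nsx-edge", psk="example-psk",
    local_id="192.0.2.1", remote_id="198.51.100.2", ike_version="IKEv2",
    ike=Proposal(frozenset({"AES_256"}), frozenset({"SHA2_256"}), frozenset({"GROUP14"})),
    esp=Proposal(frozenset({"AES_GCM_256"}), frozenset({"SHA2_256"}), frozenset({"GROUP14"})),
    local_networks=frozenset({"10.10.0.0/24"}), remote_networks=frozenset({"10.20.0.0/24"}),
)
PEER = Gateway(
    name="remote-gw", psk="example-psk",
    local_id="198.51.100.2", remote_id="192.0.2.1", ike_version="IKEv2",
    ike=Proposal(frozenset({"AES_128"}), frozenset({"SHA2_256"}), frozenset({"GROUP14"})),
    esp=Proposal(frozenset({"AES_GCM_256"}), frozenset({"SHA2_256"}), frozenset({"GROUP14"})),
    local_networks=frozenset({"10.20.0.0/24"}), remote_networks=frozenset({"10.10.0.0/24"}),
)

if __name__ == "__main__":
    for reason in diagnose(LOCAL, PEER):
        print(reason)
```

Run against the sample pair, the only finding is the IKE encryption mismatch (AES_256 on one side, AES_128 on the other), which is exactly the session-level "No proposal chosen" case in the first table; the ESP proposals, identities and networks all mirror correctly, so no tunnel-level reason is reported.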