NSX-T Data Center: Tier 0 Router not showing up in VPN Service dropdown

Hi everyone,

In this post, I want to highlight an issue I had.

I wanted to create a VPN Service connected to a Tier 0 gateway, but none of my Tier 0 gateways would show up. I couldn’t find any information on this, not even in the documentation (it’s well hidden and unless you know what to look for, it’s not easily found).

I attempted to make an API call, and this is when I found the solution to my issue. I made a PUT request to:

{base-url}/policy/api/v1/infra/tier-0s/:tier-0-id/locale-services/:locale-service-id/ipsec-vpn-services/:service-id

For example:

nsxt-manager.mwz.lab/policy/api/v1/infra/tier-0s/T0-Pub/locale-services/default/ipsec-vpn-services/default

With the following data as JSON in the body:

{
  "resource_type" : "IPSecVpnService",
  "ike_log_level" : "ERROR",
  "enabled" : true,
  "_revision" : 2
}

This gave the following response:

{
    "httpStatus": "BAD_REQUEST",
    "error_code": 500060,
    "module_name": "Policy",
    "error_message": "Found errors in the request. Please refer to the related Errors for details.",
    "related_errors": [
        {
            "httpStatus": "BAD_REQUEST",
            "error_code": 501321,
            "module_name": "Policy",
            "error_message": "VPN is supported only on Tier-0 with ACTIVE-STANDBY HA mode."
        }
    ]
}

As you can see, the error_message shows that a Tier 0 has to be in ACTIVE-STANDBY for the HA mode, not ACTIVE-ACTIVE. This was the solution, but unless you happen to know that, it can be hard to find. At least it was for me.

Hopefully this will help someone who may face the same issue. Even if it is not the ACTIVE-ACTIVE problem, it may shed some light by giving an actual error message, instead of it just not showing up at all.
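The following is an added example, not code from the original post: it pulls the underlying cause out of the nested related_errors in the response above, and checks a Tier 0 listing for gateways whose HA mode rules them out for VPN. The listing is constructed sample data (the gateway "T0-Priv" is made up), and the ha_mode field with its ACTIVE_ACTIVE / ACTIVE_STANDBY values comes from the NSX-T Policy API Tier-0 object, not from the post.

```python
import json

# Error body returned by the PUT request, as shown in the post.
ERROR_BODY = json.loads("""
{
  "httpStatus": "BAD_REQUEST",
  "error_code": 500060,
  "module_name": "Policy",
  "error_message": "Found errors in the request. Please refer to the related Errors for details.",
  "related_errors": [
    {
      "httpStatus": "BAD_REQUEST",
      "error_code": 501321,
      "module_name": "Policy",
      "error_message": "VPN is supported only on Tier-0 with ACTIVE-STANDBY HA mode."
    }
  ]
}
""")

# Constructed sample of a GET {base-url}/policy/api/v1/infra/tier-0s listing.
TIER0_LIST = {"results": [
    {"id": "T0-Pub", "ha_mode": "ACTIVE_ACTIVE"},
    {"id": "T0-Priv", "ha_mode": "ACTIVE_STANDBY"},  # hypothetical gateway
]}

def root_causes(error):
    """Walk related_errors recursively; return the innermost (code, message) pairs."""
    related = error.get("related_errors") or []
    if not related:
        return [(error.get("error_code"), error.get("error_message"))]
    causes = []
    for child in related:
        causes.extend(root_causes(child))
    return causes

def vpn_eligible(tier0_listing):
    """Split Tier 0 ids into (usable for VPN, excluded because of HA mode)."""
    ok, blocked = [], []
    for gw in tier0_listing.get("results", []):
        (ok if gw.get("ha_mode") == "ACTIVE_STANDBY" else blocked).append(gw["id"])
    return ok, blocked

if __name__ == "__main__":
    for code, message in root_causes(ERROR_BODY):
        print(f"{code}: {message}")
    usable, excluded = vpn_eligible(TIER0_LIST)
    print("Usable for VPN:", usable, "| excluded by HA mode:", excluded)
```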

Have a great day!