BugZero | VMware BugID 87857 - SASE SD-WAN | Static tunnels from the VMware SD-W...

VMware - Defect ID: 87857

SASE SD-WAN | Static tunnels from the VMware SD-WAN Spoke Edge to a Hub Edge might not form when Spoke tunnel count exceeds device capacity

VMware - Defect ID: 87857

SASE SD-WAN | Static tunnels from the VMware SD-WAN Spoke Edge to a Hub Edge might not form when Spoke tunnel count exceeds device capacity

Last updated on March 16th, 2022

BugZero Risk Score
8.3 High

Overall: N/A

Severity: N/A

Community: N/A

Lifecycle: N/A

What is the BugZero Risk Score?

VMware Integration

Learn more about where this data comes from

VMware Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Views: 21

Description

Symptoms

A Spoke Edge, that is exceeding tunnel capacity based on the Orchestrator (VCO) events, might not be able to form a static tunnel with the Hub Edge. This is an example of the Edge Tunnel CAP warning event that informs the Edge CAP has been reached:

Purpose

This KB article documents the issue encountered under internal ticket #78003.The expected behavior for a Spoke Edge with Dynamic Branch to Branch configuration in a Hub/Spoke topology is to permit the creation of static tunnels to the Hub even when the tunnel capacity count is exceeded. Typically, the Spoke Edge will drop new Dynamic Branch to Branch tunnels when overcapacity, but should continue to allow the formation of static tunnels to the Gateway and Hubs. Without the fix for issue #78003 the static tunnels to the Hub may fail to come up.

Cause

The maximum tunnel count check is hit on the Spoke for the static tunnel. This check prevents static tunnel formation from the Spoke to the Hub.

Impact / Risks

This may result in critical services that are hosted behind the Hub Edge becoming unreachable while the tunnel remains down.

Resolution

Software issue #78003 has been addressed and resolved in the 4.2.2 and 5.0.0.0 releases. Please refer to the release notes for specific versions that contain the fix for this issue: https://docs.vmware.com/en/VMware-SD-WAN/4.2.2/rn/VMware-SD-WAN-422-Release-Notes.html

Workaround

As a workaround, you can limit the Dynamic Branch to Branch tunnels by configuring profile isolation to restrict the tunnel formation to Edges within the same profile. You may use this configuration guide for reference on how to enable it: Enable Dynamic Branch to Branch VPN Isolation by Profile.If unable to restrict the Dynamic tunnel count, a software upgrade is suggested to avoid issues related to Static tunnel formation.

Related Information

This document refers to Edge tunnel capacity issues for Spoke Edges only. The impact of exceeding tunnel capacity at the Hub Edge might be different, please refer to this KB article for additional details: https://kb.vmware.com/s/article/80315

Change history

Top VMware Defects

No bugs this month

VMware Integration

Learn more about where this data comes from

VMware Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Ready to prevent the next vendor outage?

Get a demo

VMware - Defect ID: 87857

SASE SD-WAN | Static tunnels from the VMware SD-WAN Spoke Edge to a Hub Edge might not form when Spoke tunnel count exceeds device capacity

VMware - Defect ID: 87857

SASE SD-WAN | Static tunnels from the VMware SD-WAN Spoke Edge to a Hub Edge might not form when Spoke tunnel count exceeds device capacity

Last updated on March 16th, 2022

BugZero Risk Score8.3 High

Bug Details

Symptoms

Purpose

Cause

Impact / Risks

Resolution

Workaround

Related Information

Links

Top VMware Defects

Ready to prevent the next vendor outage?

BugZero Risk Score
8.3 High