VPLEX: Unable to configure ipsec and VPN connectivity due to an error as "Mixed platform cannot decide port subnet"

           

Article Number: 539205    Article Version: 3    Article Type: Break Fix
   

 


Product:

 

VPLEX for All Flash, VPLEX GeoSynchrony 5.5, VPLEX GeoSynchrony 5.5 Patch 1, VPLEX GeoSynchrony 5.5 Service Pack 1, VPLEX GeoSynchrony 5.5 Service Pack 1 Patch 1, VPLEX GeoSynchrony 5.5 Service Pack 2, VPLEX GeoSynchrony 5.5 Service Pack 2 Patch 1

 

Issue:

 

 

While configuring the ipsec service between clusters, the command fails with the error "Mixed platform cannot decide port subnet".
   
    Example of the issue:   
   
    VPlexcli:/>  security ipsec-configure -i 10.xx.xx.xx     
     
      Enter the passphrase for the host certificate that was created on this server (at least 8 characters) :     
     
      Re-enter the passphrase for the Certificate Key:     
      Non IPSecConfigureException : Mixed platform can not decide port subnet     
      security ipsec-configure:  Evaluation of <<security ipsec-configure -i 10.xxx.xxx.xx>> failed.     
      cause:                     Command execution failed.     
      cause:                     Mixed platform can not decide port subnet
   
   
   
     
                                                           

 

 

Cause:

 

 

This issue occurs when the ipsec service is not running on either cluster. In that state you cannot configure ipsec or establish VPN connectivity from cluster-1 to cluster-2 or vice versa.

 

 

Resolution:

 

 

1) To check the ipsec service status, run the following command on both cluster management servers.
   
    Cluster-1   
   
    service@ManaagementServer01:~>  sudo /usr/sbin/ipsec status     
      service@ManaagementServer01:~>  
   
   
    Cluster-2     
     
      service@ManaagementServer02:~> sudo /usr/sbin/ipsec status     
      Security Associations:     
           net-net[30]: CONNECTING, 10.xx.xx.xx[%any]...10.xx.xx.xx[%any]    
   
            
    The empty output on cluster-1 shows that the ipsec service is not running there, whereas cluster-2 is in the CONNECTING state, still trying to connect to the cluster-1 IP.
   
    2) Try to restart the ipsec service using the command below:
   
    service@ManaagementServer01:~> sudo /usr/sbin/ipsec restart    
   
    3) Check the ipsec status again. If the output is the same as in step 1, proceed with step 4.
   
    4) Restart the management server of the cluster on which the ipsec service is not running, using the command below:
   
    service@ManaagementServer01:~> sudo /sbin/shutdown -r now     
   
    Broadcast message from root (pts/1) (Tue Nov 26 08:10:26 2019):     
     
      The system is going down for reboot NOW!
   
   
    Please wait for 4-5 minutes.   
   
    5) Check ipsec service status again.   
   
    service@ManaagementServer01:~> sudo /usr/sbin/ipsec status     
      Security Associations:     
           net-net[78]: ESTABLISHED 2 minutes ago, 10.xx.xx.xx[C=US, ST=Massachusetts, O=EMC, OU=EMC, CN=VPlex VPN: CKMxxxxxxxxxxx, E=support@emc.com]...10.xx.xx.xx[C=US, ST=Massachusetts, O=EMC, OU=EMC, CN=VPlex VPN: CKM00170801797, E=support@emc.com]     
           net-net{3}:  INSTALLED, TUNNEL, ESP SPIs: c9f60274_i cfad7681_o     
           net-net{3}:   128.221.252.32/27 128.221.253.32/27 === 128.221.252.64/27 128.221.253.64/27     
       net-witness[79]: ESTABLISHED 114 seconds ago, 10.xx.xx.xx[C=US, ST=Massachusetts, O=EMC, OU=EMC, CN=VPlex VPN: CKMxxxxxxxxxxx, E=support@emc.com]...10.xx.xx.xx[C=US, ST=Massachusetts, O=EMC, OU=EMC, CN=VPlex VPN CWS, E=support@emc.com]     
       net-witness{2}:  INSTALLED, TUNNEL, ESP SPIs: c9bfebf4_i ca28d90b_o     
       net-witness{2}:   128.221.252.32/27 128.221.253.32/27 === 128.221.254.3/32
   
        
    The above output shows that the ipsec service is running normally.
   
    6) Configure the ipsec service using the command below:

    VPlexcli:/> security ipsec-configure -i 10.xx.xx.xx
   
    Enter the passphrase for the host certificate that was created on this server (at least 8 characters) :     
     
      Re-enter the passphrase for the Certificate Key:
   
   
    7) After configuring the ipsec service, you should be able to establish the VPN connectivity.
   
    8) If the issue persists, engage Dell EMC Customer Support for further assistance and mention this KB article.
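
The status check from steps 1, 3 and 5 can be scripted. The following is an added example, not part of the original article or of Dell EMC tooling: a shell function that classifies the text printed by `ipsec status`. It assumes, as step 1 concludes, that empty output means the service is not running; the function name and the verdict labels are hypothetical.

```shell
#!/bin/sh
# Added example. Reads `ipsec status` text on stdin and prints one verdict:
#   NOT_RUNNING  no output at all (cluster-1 in step 1)
#   CONNECTING   an IKE SA is still negotiating (cluster-2 in step 1)
#   ESTABLISHED  every IKE SA is ESTABLISHED with an INSTALLED child SA (step 5)
#   UNKNOWN      anything else; read the raw output by hand
classify_ipsec_status() {
    awk '
        NF { seen = 1 }
        # IKE SA line, e.g.  net-net[30]: CONNECTING, ...
        $1 ~ /^[A-Za-z0-9_-]+\[[0-9]+\]:$/ {
            name = $1; sub(/\[.*/, "", name)
            state = $2; sub(/,$/, "", state)
            ike[name] = state
        }
        # Child SA line, e.g.  net-net{3}:  INSTALLED, TUNNEL, ...
        $1 ~ /^[A-Za-z0-9_-]+[{][0-9]+[}]:$/ && $2 ~ /^INSTALLED/ {
            name = $1; sub(/[{].*/, "", name)
            child[name] = 1
        }
        END {
            if (!seen) { print "NOT_RUNNING"; exit }
            for (name in ike) {
                n++
                if (ike[name] == "CONNECTING") connecting = 1
                else if (ike[name] != "ESTABLISHED" || !(name in child)) other = 1
            }
            if (!n || other) print "UNKNOWN"
            else if (connecting) print "CONNECTING"
            else print "ESTABLISHED"
        }
    '
}

# Constructed sample inputs, abbreviated from the outputs shown in this article.
SAMPLE_CONNECTING='Security Associations:
     net-net[30]: CONNECTING, 10.xx.xx.xx[%any]...10.xx.xx.xx[%any]'
SAMPLE_ESTABLISHED='Security Associations:
     net-net[78]: ESTABLISHED 2 minutes ago, 10.xx.xx.xx[...]...10.xx.xx.xx[...]
     net-net{3}:  INSTALLED, TUNNEL, ESP SPIs: c9f60274_i cfad7681_o
 net-witness[79]: ESTABLISHED 114 seconds ago, 10.xx.xx.xx[...]...10.xx.xx.xx[...]
 net-witness{2}:  INSTALLED, TUNNEL, ESP SPIs: c9bfebf4_i ca28d90b_o'

printf '' | classify_ipsec_status                           # NOT_RUNNING
printf '%s\n' "$SAMPLE_CONNECTING" | classify_ipsec_status  # CONNECTING
printf '%s\n' "$SAMPLE_ESTABLISHED" | classify_ipsec_status # ESTABLISHED
```

On a management server the input would come from `sudo /usr/sbin/ipsec status | classify_ipsec_status`. A verdict of NOT_RUNNING or CONNECTING corresponds to the condition in which this article says ipsec-configure fails.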
   