VMware NSX 6.2.3 – SSL VPN Behaviour Change
NSX 6.2.3 was released a few weeks ago and brought a bunch of new stuff and fixes. I came across an undocumented change not mentioned in the release notes, which caused me some headache; this post describes that change.
The NSX Edge Services Gateway can provide you with an SSL-VPN solution, making it possible for road warriors to connect to the secured virtual network, or for developers to connect to duplicate development environments. The SSL-VPN client is a lightweight and easy-to-use VPN client, and as the VPN administrator you can set all kinds of policies.
I was using the SSL-VPN client to access my network remotely and kind of misused it a little bit. There was a client at home logged in 24×7, which I used for storage and accessed from my laptop at remote locations. You could say I created a poor man's hub-and-spoke VPN solution with clients. Horrible for security purposes, but easy for my purposes. ;-)
With NSX 6.2.3, that doesn’t work anymore
After upgrading to NSX 6.2.3 for macOS Sierra support and upgrading the NSX Edge that was terminating my SSL-VPN, I noticed that the communication between my laptop and the storage client wasn't working anymore. After quite a bit of troubleshooting, I decided to enable SSL-VPN on an NSX Edge that hadn't been upgraded to 6.2.3 yet.
The top ping was executed when connected to the 6.2.2 NSX Edge and the bottom ping was executed when connected to the 6.2.3 NSX Edge.
Sure enough: when I connected to the NSX Edge on 6.2.2, the communication between my laptop and the storage client worked again. When connecting back to the 6.2.3 Edge, it stopped again. So it looks like NSX 6.2.3 added an extra security measure which disables communication between SSL-VPN clients. Good for security, not so good for my setup. ;-)
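The comparison above boils down to one check: connected through each Edge, ping the other SSL-VPN client and see whether any replies come back. The script below is an added example (not from the original post) that automates that verdict by parsing ping summary lines; the two ping outputs and the 10.99.0.20 client address are constructed samples standing in for the author's screenshots.

```python
import re

# Constructed ping output (not from the original post): the peer SSL-VPN client
# answers when connected via the 6.2.2 Edge and times out via the 6.2.3 Edge.
PING_VIA_622 = """\
PING 10.99.0.20 (10.99.0.20): 56 data bytes
64 bytes from 10.99.0.20: icmp_seq=0 ttl=63 time=21.4 ms
64 bytes from 10.99.0.20: icmp_seq=1 ttl=63 time=20.9 ms
64 bytes from 10.99.0.20: icmp_seq=2 ttl=63 time=22.1 ms

--- 10.99.0.20 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
"""

PING_VIA_623 = """\
PING 10.99.0.20 (10.99.0.20): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

--- 10.99.0.20 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
"""

# Matches both the macOS ("3 packets received") and Linux ("3 received") summary forms.
STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")

def parse_ping_stats(output: str) -> tuple[int, int]:
    """Return (transmitted, received) from a ping summary line."""
    m = STATS_RE.search(output)
    if not m:
        raise ValueError("no ping statistics line found")
    return int(m.group(1)), int(m.group(2))

def peer_client_isolated(output: str) -> bool:
    """True when the other SSL-VPN client returned no echo replies at all,
    i.e. client-to-client traffic is being dropped by the Edge."""
    sent, received = parse_ping_stats(output)
    if sent == 0:
        raise ValueError("ping sent nothing; result is inconclusive")
    return received == 0

def isolation_report(results: dict[str, str]) -> dict[str, bool]:
    """Map each Edge label to whether client isolation was observed."""
    return {edge: peer_client_isolated(out) for edge, out in results.items()}

if __name__ == "__main__":
    for edge, isolated in isolation_report({"6.2.2": PING_VIA_622, "6.2.3": PING_VIA_623}).items():
        print(f"NSX Edge {edge}: client-to-client traffic {'blocked' if isolated else 'allowed'}")
```

A partial loss (some replies, some timeouts) is reported as "allowed", since any reply proves the Edge forwards client-to-client traffic.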
With over 12 years of experience in designing and deploying datacenter environments on all layers, Martijn now works as an NSX Specialist at VMware Benelux.
He is a Cisco CCIE Data Center, VMware VCIX-NV, VCP-DCV, VCP-CMA, VCAP-DCA, VCAP-DCD, VSP, VTSP, VMware vExpert (2015-2017) and Cisco Champion (2015-2017).