Tuesday, April 8, 2014

Fixing Juniper SRX VPN Issues for "KMD_INTERNAL_ERROR: Error:File exists in adding SA config for tunnel id xxxxxx spi 0"

If you have funky issues where your tunnels refuse to connect and "show security ike security-associations" shows them DOWN with a responder cookie of 0000000000000000, check your kmd log. If you see any entries with this obscure message:

"KMD_INTERNAL_ERROR: Error:File exists in adding SA config for tunnel id 666666 spi 0"

then read on. To fix this issue, you have two options:

  1. Reboot (if it's in a cluster, reboot both nodes simultaneously).
  2. Edit the config: completely remove the dead/broken st0.xxx interfaces from the config, including every reference to them in the security ike, security ipsec, and security zones sections. Do a "commit full" and wait for it to finish. Then roll the config back to before you removed the interfaces (in config mode, it's "rollback 1").

Afterwards the VPN tunnels will miraculously come back to life on these horribly buggy firewalls.
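To spot this condition without eyeballing the device by hand, the two symptoms above (IKE SAs DOWN with an all-zero responder cookie, plus the "File exists" kmd error) can be matched in a few lines. This is an added example, not code from the post; the IKE SA table and kmd log lines below are constructed samples in the Junos format, and the column layout of the SA table is an assumption.

```python
import re

# Constructed sample of "show security ike security-associations" output (not real device data)
IKE_SA_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
5716135 UP     5e1db3f9c68ac24c  b6b9f4a1f2d38e9e  Main           203.0.113.5
5716140 DOWN   1a2b3c4d5e6f7081  0000000000000000  Main           198.51.100.7
5716142 DOWN   9f8e7d6c5b4a3921  0000000000000000  Main           198.51.100.9
"""

# Constructed kmd log lines; the error text is the one quoted in the post
KMD_LOG = """\
Apr  8 09:41:02 srx-a kmd[1357]: KMD_INTERNAL_ERROR: Error:File exists in adding SA config for tunnel id 666666 spi 0
Apr  8 09:41:02 srx-a kmd[1357]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.0.2.1, Remote gateway: 203.0.113.5
Apr  8 09:41:05 srx-a kmd[1357]: KMD_INTERNAL_ERROR: Error:File exists in adding SA config for tunnel id 131077 spi 0
"""

KMD_ERR_RE = re.compile(
    r"KMD_INTERNAL_ERROR: Error:File exists in adding SA config for tunnel id (\d+) spi 0"
)


def stale_ike_sas(output):
    """Return remote gateways whose IKE SA is DOWN with an all-zero responder cookie."""
    stale = []
    for line in output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        _index, state, _init_cookie, resp_cookie, _mode, remote = fields[:6]
        if state == "DOWN" and set(resp_cookie) == {"0"}:
            stale.append(remote)
    return stale


def broken_tunnel_ids(log):
    """Return tunnel ids named in 'File exists in adding SA config' errors, in order, deduplicated."""
    seen = []
    for m in KMD_ERR_RE.finditer(log):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def diagnose(output, log):
    """True when both symptoms from the post are present at the same time."""
    return bool(stale_ike_sas(output)) and bool(broken_tunnel_ids(log))


if __name__ == "__main__":
    print("stale IKE peers:", stale_ike_sas(IKE_SA_OUTPUT))
    print("tunnel ids in kmd errors:", broken_tunnel_ids(KMD_LOG))
    print("matches the KMD_INTERNAL_ERROR pattern:", diagnose(IKE_SA_OUTPUT, KMD_LOG))
```

Feed it the real output of the two commands (for example via "show log kmd" and the IKE SA command) and the tunnel ids it prints are the ones whose st0 interfaces need the remove/commit full/rollback treatment.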

4 comments:

  1. Try this command next time you see this issue: "restart ipsec-key-management". See if that saves you some pain :) It might not, but we have an issue when we do massive tunnel rebuilds where the tunnels don't play nice, and after hours of head pounding another engineer found this little daisy and it worked.

  2. Your blog provided us with valuable information to work with. Each and every tip in your post is awesome. Thanks a lot for sharing. Keep blogging.. anime torrents

  3. I am definitely enjoying every little bit of it. It is a great website and a nice share. I want to thank you. Good job! You guys do a great blog, and have some great content. Keep up the good work. setup vpn iphone

  4. Encountered on a 12.1 cluster; an upgrade to 12.3 did not fix it. Deleting the interface and doing a commit full straightened it right out. Thanks!
