Hi, I am following exactly the steps to configure a redundant IKE gateway:
When I deactivate the active gateway, the SRX-300 running 15.1 code fails to negotiate IKE with the standby IKE gateway:
kmd: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local:184.108.40.206/500, Remote: 220.127.116.11/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
There is zero information about "IKE gateway configuration lookup failed during negotiation". If I remove the primary IKE gateway, the IPsec negotiation succeeds without problem, so there is no issue with the configuration itself. What could be the problem?
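As an added example (not from the original thread), a small Python parser for the kmd failure line quoted above; it extracts the error, peer addresses and role, and counts repeated gateway-lookup failures per remote peer so a monitoring job can flag a failover that never completes. The addresses below are constructed sample values, not taken from any real device.

```python
import re
from collections import Counter

# Constructed sample log, in the format of the kmd message quoted above.
SAMPLE_LOG = """\
kmd: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local:192.0.2.1/500, Remote: 198.51.100.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
kmd: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local:192.0.2.1/500, Remote: 198.51.100.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
kmd: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local:192.0.2.1/500, Remote: 198.51.100.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
kmd: unrelated message that the parser must ignore
"""

# Field layout follows the quoted message: note "Local:" has no space
# after the colon while "Remote: " does, so \s* tolerates both.
KMD_FAIL_RE = re.compile(
    r"kmd: IKE negotiation failed with error: (?P<error>.+?)\. "
    r"IKE Version: (?P<version>\d+), .*?"
    r"Local:\s*(?P<local>[^,]+), Remote:\s*(?P<remote>[^,]+), .*?"
    r"Role: (?P<role>\w+)"
)

LOOKUP_FAILED = "IKE gateway configuration lookup failed"


def parse_kmd_failure(line):
    """Return a dict of the parsed fields, or None if the line is not an IKE failure."""
    m = KMD_FAIL_RE.search(line)
    return m.groupdict() if m else None


def peers_with_lookup_failures(log_text, threshold=3):
    """Map remote peer -> count of gateway-lookup failures, keeping peers at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_kmd_failure(line)
        if rec and rec["error"].startswith(LOOKUP_FAILED):
            counts[rec["remote"]] += 1
    return {peer: n for peer, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(peers_with_lookup_failures(SAMPLE_LOG))
```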
Can you share your configuration? Also, can you collect the following information when you disable the primary IKE address:
> show security ike sa
> show security ipsec sa
> show security ipsec inactive-tunnels
Also, instead of deactivating the primary IP address, can you stall the connection to the primary IP address (e.g. bring down the peer's primary IP address) so that DPD will detect it to be down and will bring up the secondary? It's possible that DPD is not failing to switch it over to the secondary IP when we disable it (maybe a bug).
Also make sure to wait until DPD fails.
Thanks, there were no IKE SAs, because the other side's VPN/IKE gateways were deactivated.
You are absolutely right: once I reboot the other side, deactivate the physical interface or remove the IKE/IPsec configuration altogether, the IKE/IPsec SAs fail over as expected, although it took far more than DPD threshold x interval.