SRX

Expand all | Collapse all

IKE gateway configuration lookup failed during negotiation

Jump to Best Answer
  • 1.  IKE gateway configuration lookup failed during negotiation

    Posted 04-03-2017 15:08

    Hi, I am following exactly the steps to configure redundant IKE gateway:

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB29211

     

    When I deactivate the active gateway, SRX-300 running 15.1 code fails to negotiate IKE with standby IKE gateway

     

    kmd[5592]: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local:1.1.1.2/500, Remote: 3.3.3.1/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

     

    There is zero information about "KE gateway configuration lookup failed during negotiation", if I remove primary IKE gateway , the IPsec negotiation will succeed without problem, so there is no issue with configuration itself, what could be the problem?

     



  • 2.  RE: IKE gateway configuration lookup failed during negotiation
    Best Answer

     
    Posted 04-03-2017 21:31

    hello ,

     

    Can you share your configuration .  Also can you collect the following information  when you disable the primary IKE address :

     

    > show security ike sa

    > show security ipsec sa

    > show security ipsec inactive-tunnels

     

    Also Instead of deactivating the primary  IP address , can you stall the conenction to primary IP address ( like bring down the  peer primary IP address ) so that the DPD will detect it to be down and will bring up the secondary . Its possible that the DPD is not failing to switch it over to secondary IP  when we disable ( may be a bug ) .

     

    Also make sure to wait till the DPD fails .

     

     



  • 3.  RE: IKE gateway configuration lookup failed during negotiation

    Posted 04-04-2017 09:23

    Thanks, there were no IKE SAs -- because of other side VPN/IKE gateways were de-activated.

     

    You are absolutely right, once I reboot the other side, deactivate the physical interface or remove the IKE/IPsec configuration all together, IKE/IPsec SAs failed over as expected although it took far more than DPD threshold x interval.