I have a log entry in my KMD log that says
Apr 12 14:23:02 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=126.96.36.199) p1_remote=usr@fqdn(udp:500,[0..14]=email@example.com)
The issue is, the VPN initiator (firstname.lastname@example.org) is currently turned off and is not generating IKE requests. These are coming into my SRX240 about every 30 seconds. How can I determine the IP address that is generating these rogue requests and find out who's trying to initiate a tunnel?
You could run traceoptions on your security -> ike, or on security->flow, or use packet capture with a filter for destination IP 188.8.131.52 and port 500.
[edit security ike] set traceoptions flag all?
What log file would I find it in?
I usually set a separate file for trace logs.
file ike-trace.log size 5m files 5;
The "flag general" should be enough to give you basic information about IKE events without filling up the logs with a bunch of stuff to sift through.
You can bump it up to "flag all" if you need more information, or even throw in the hidden "set level 15" if you're feeling especially adventurous.
You can view the log with "show log ike-trace.log" from operational mode.
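For reference, here is the full sequence the answer above describes, written out as Junos configuration-mode and operational-mode commands. This is an added example, not a snippet from the thread; the file name ike-trace.log and the size/count values are those given in the answer, and the final deactivate/delete steps are included so the trace does not keep running and filling the log after the offending peer has been identified.

```junos
# Configuration mode: send IKE trace output to its own file rather than
# the default messages log, capped at 5 files of 5 MB each.
[edit security ike]
set traceoptions file ike-trace.log size 5m files 5
# "flag general" covers phase-1/phase-2 negotiation events; raise to
# "flag all" only if the peer's address does not appear at the general level.
set traceoptions flag general
commit

# Operational mode: read the trace while the unknown peer keeps retrying
# (roughly every 30 seconds according to the question), and filter on the
# failure string from the KMD log to jump straight to the relevant lines.
run show log ike-trace.log
run show log ike-trace.log | match POLICY_LOOKUP_FAILURE

# Once the source address is known, stop tracing and remove the file.
deactivate security ike traceoptions
commit
run file delete /var/log/ike-trace.log
```

Deactivating (rather than deleting) the traceoptions stanza keeps the settings in the configuration so they can be re-enabled with a single `activate` if the rogue initiator returns.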
Found him, thanks. I had to use flag all but the offending IP is 184.108.40.206
How do I delete the log file ike-trace.log?
Do the following to delete the file:
file delete /var/log/ike-trace.log
Make sure that you delete or deactivate the traceoptions once finished.