Screen OS

  • 1.  ScreenOS VPN Tunnel id out of valid range

    Posted 03-24-2011 07:52

    After upgrading an SSG-550 from ScreenOS 5.4 to 6.1 or 6.2, one line of my VPN config is no longer working due to "tunnel ID out of range".

     

    FW01(B)-> set vpn "ABC" id 7 bind interface tunnel.11
    Tunnel id 7 is out of valid range[67108864,67125246]
    Can't create SA for VPN ABC
    Can't clone a sa for vpn ABC
    failed to create clone sa -1 (tunnel id 7)
    modify VPN binding failed.
    VPN: can't be modified

     

    What does this mean and how can I get round this? Another SSG running 6.1 has this line and is working fine.



  • 2.  RE: ScreenOS VPN Tunnel id out of valid range

    Posted 03-24-2011 14:20

    In your config, on the lines that show the tunnel, you will see id 0x5000c, for example. That hex needs to be between 67108864 & 67125246, again written in hex.



  • 3.  RE: ScreenOS VPN Tunnel id out of valid range
    Best Answer

    Posted 03-24-2011 16:04

    You should be able to take the "id" field out of that statement.  I don't use it in any of my vpn configs.  It's hidden in the ScreenOS CLI now, which usually means they've deprecated it.

     

    Try just setting the vpn with:

    FW01(B)-> set vpn "ABC" bind interface tunnel.11

     

     



  • 4.  RE: ScreenOS VPN Tunnel id out of valid range

    Posted 03-28-2011 03:05

    Thanks,

    I tried again by omitting the vpn id, then it was automagically self-generated as 0x4000001.

    The same for vpn id 8 - it changed to 0x8000001 in 6.2.
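
An added example, not part of any post in this thread: a pre-upgrade check that scans a saved ScreenOS config for "set vpn ... id N" lines whose id falls outside the range printed in the error in post 1, and returns each such line with the id field dropped, as post 3 suggests. The sample config is constructed, the hex form follows post 2's description, and the range is the one from that error message, passed as a parameter because other devices or releases may report a different one.

```python
import re

# Range copied from the error text in post 1 (0x4000000 .. 0x4003ffe).
# Assumption: it applies to the device being checked; override if yours differs.
RANGE_FROM_ERROR = (67108864, 67125246)

# Matches both forms seen in the thread: "id 7" and "id 0x5000c".
# Uses search(), so a leading CLI prompt such as "FW01(B)-> " is tolerated.
VPN_ID = re.compile(
    r'\bset\s+vpn\s+(?:"(?P<q>[^"]+)"|(?P<b>\S+))'
    r'(?P<idfield>\s+id\s+(?P<id>0[xX][0-9a-fA-F]+|\d+))(?=\s|$)'
)

def audit(config_text, valid=RANGE_FROM_ERROR):
    """Return [(line_no, vpn_name, tunnel_id, line_without_id)] for ids outside valid."""
    lo, hi = valid
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = VPN_ID.search(line)
        if not m:
            continue  # no explicit id on this line, the device assigns one
        raw = m.group("id")
        tid = int(raw, 16) if raw.lower().startswith("0x") else int(raw, 10)
        if lo <= tid <= hi:
            continue
        name = m.group("q") or m.group("b")
        # Post 3's fix: remove the id field and keep the rest of the line.
        fixed = line[:m.start("idfield")] + line[m.end("idfield"):]
        findings.append((n, name, tid, fixed.strip()))
    return findings

# Constructed sample config, not taken from a real device.
SAMPLE = """\
set vpn "ABC" id 7 bind interface tunnel.11
set vpn "DEF" id 0x4000001 bind interface tunnel.12
set vpn "GHI" bind interface tunnel.13
set vpn "JKL" id 0x5000c bind interface tunnel.14
"""

if __name__ == "__main__":
    for line_no, name, tid, fixed in audit(SAMPLE):
        print(f"line {line_no}: vpn {name} id {tid} ({tid:#x}) out of range")
        print(f"  replace with: {fixed}")
```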