[Includes video] How to configure syslog to display VPN status messages



Article ID: KB10097 KB Last Updated: 05 May 2020 Version: 9.0

This article provides video and text instructions on how to configure a log file, called kmd-logs, that contains only VPN status (KMD) messages.  This is helpful for troubleshooting a VPN that is down or not active.


VPN is not active.  How do I capture VPN daemon (KMD) messages in order to troubleshoot the problem faster?


Go to the KBTV video or text instructions below:

Video format:

Text format:

A VPN issue can be resolved faster by capturing and reviewing the logs on the responder VPN device. The responder is the "receiver" side of the VPN, the side that receives the tunnel setup requests. The initiator is the side of the VPN from which the initial IKE session is generated.  In the case of a Remote Access IPsec VPN (which is a VPN between a Juniper VPN device and a PC client running IPsec software), the initiator is always the PC and the responder is the Juniper VPN device.

On the responder VPN device, perform either of the instructions below, depending on your Junos OS version:

Junos 11.4R3 and above

In Junos 11.4R3 and above, VPN status messages are written to the daemon facility at the 'info' level.  If your configuration uses the default system syslog configuration, which is 'critical', the 'info' VPN status messages will not be captured or viewable with 'show system syslog'.

Therefore, perform these steps on the responder side to capture the 'info' VPN status messages.

1.  First, configure a new syslog file kmd-logs which matches on the uppercase text:  KMD

# set system syslog file kmd-logs daemon info
# set system syslog file kmd-logs match KMD
# commit

Note: The filename is kmd-logs; it is important that you do not name the file kmd, as the IKE debugs are written to the file kmd.

2.  Then attempt to bring the VPN tunnel up again (so that the VPN status messages are logged to kmd-logs).

3.  View the VPN status messages with the command: 

> show log kmd-logs

The file kmd-logs is written to the /var/log directory.

Example VPN status message:
Jul 10 16:14:00  210-2 kmd[52472]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=, p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=] for local ip:, remote peer ip:
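
The following is an added example, not part of the Juniper article and not Juniper code: a small Python parser that tallies failed-negotiation messages per peer from a copy of kmd-logs, relying only on the line layout of the example message above. The function names, the constructed sample addresses (documentation ranges) and the assumption that the log file has been copied off the device are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Header layout taken from the article's example: "Jul 10 16:14:00  210-2 kmd[52472]: ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+kmd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
PHASE_RE = re.compile(r"IKE Phase-(\d)")
PEER_RE = re.compile(r"remote peer ip:\s*([0-9A-Fa-f:.]*)")

def parse_kmd_line(line):
    """Return a dict for a kmd status line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    phase = PHASE_RE.search(rec["msg"])
    rec["phase"] = int(phase.group(1)) if phase else None
    rec["peer"] = None  # stays None when the field is blank or malformed
    peer = PEER_RE.search(rec["msg"])
    if peer and peer.group(1):
        try:
            rec["peer"] = str(ipaddress.ip_address(peer.group(1)))
        except ValueError:
            pass
    return rec

def failures_by_peer(lines):
    """Count status messages containing 'Failed' per (peer, phase)."""
    counts = Counter()
    for line in lines:
        rec = parse_kmd_line(line)
        if rec and "Failed" in rec["msg"]:
            counts[(rec["peer"], rec["phase"])] += 1
    return counts

# Constructed sample: the article's line as shown (blank fields), two copies with
# constructed documentation-range addresses filled in, and one unrelated line.
_P2 = ("  210-2 kmd[52472]: IKE Phase-2: Failed to match the peer proxy IDs "
       "[p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]={r}, "
       "p2_local_proxy_id=ipv4_subnet(any:0,[0..7]={l}] for local ip:{a}, remote peer ip:{p}")
_FILLED = dict(r="198.51.100.0/24)", l="203.0.113.0/24)", a="192.0.2.1", p="192.0.2.10")
SAMPLE = [
    "Jul 10 16:14:00" + _P2.format(r="", l="", a="", p=""),
    "Jul 10 16:14:30" + _P2.format(**_FILLED),
    "Jul 10 16:15:00" + _P2.format(**_FILLED),
    "Jul 10 16:15:05  210-2 other[1]: unrelated daemon message",
]
```

Lines whose peer field is blank, as in the article's example, are counted under the peer `None` rather than dropped, so they still show up in the tally.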

Junos 11.4R2 and below


Note:  The video does not include these instructions.

For Junos 11.4R2 and below, perform these steps on the responder side:



Run the command:  show log kmd
To display information for a specific VPN, use the pipe ( | ) and match or find commands to include the IP address of the VPN Peer Gateway (the initiator’s IP address). For example: 

> show log kmd | match  or  show log kmd | find 

Where is the VPN Peer Gateway IP Address.



1.  To display the VPN Events (Status Messages) via J-Web, navigate to the following location:

   Monitor > Events and Alarms > View Events


2.  Enter the Peer Gateway's IP address in the Text in Event Description box to help narrow down the event log to only messages related to the VPN peer. 

Then click OK to view the results.

For information on how to analyze these messages, refer to:

KB10101 - How to analyze IKE Phase 1 VPN status messages
KB10099 - How to analyze IKE Phase 2 VPN status messages


Modification History:

2020-03-20: Article reviewed for accuracy; no changes required.
2020-05-05: fixed broken link.

