[ScreenOS] Unable to configure a VPN within a VSYS



Article ID: KB26847
KB Last Updated: 15 Feb 2013
Version: 1.0
This article describes the issue of being unable to configure a VPN within a VSYS.
When trying to configure a new IPsec SA within a VSYS, the firewall generates the following error message:
ISG(VSYS-A)-> set vpn "LAB" gateway  "Juniper" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5" "nopfs-esp-3des-sha"

vpn_add(), cannot get vpn id. vpn number might reached limit.VPN: can't be added
VPN: can't be added

Failed command - set vpn "LAB" gateway "Juniper" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5" "nopfs-esp-3des-sha"

The number of VPNs per VSYS is hard-coded. Many features have a per-VSYS limit to prevent one VSYS from overwhelming the rest of the firewall. Some of these limits are configurable and some are not. The number of VPNs per VSYS is one of the parameters that cannot be configured.

The reason for the per-VSYS limit is to ensure that no one VSYS uses all of the available VPNs. To check the VPN limit per VSYS, use the get sys-cfg | include vpn command.