KNX Secure: Tunnel connection could not be established

Crashman · November 14, 2022, 10:58am

Hi!

I had a working KNX integration but now I want to switch to a KNX secure connection.

I am using an MDT IP Interface with 4 tunnels. Therefore I tried two ways: Manual configuration and automatic configuration using knxkeys-file from tunnel 4.

I don’t know what’s wrong, but I keep getting an error message: tunnel connection could not be established.

BTW: Tunnel connection using ETS is working fine. Should be a general problem.

What can I do? Thx for your help!

Crashman · November 14, 2022, 11:08am

Okay, got it working, but there seems to be a problem with tunnel 2, 3 and 4.
The MDT IP Interface supplies 4 IP tunnels.

While I had ETS connected and blocking tunnel 1, no connection was possible. When disconnecting ETS and using tunnel 1 for HA, I got it working fine.

I cannot connect a different tunnel than 1 (userid: 2).

farmio · November 14, 2022, 11:09am

Hi !
With manual config or via knxkeys file?

Crashman · November 14, 2022, 11:40am

On tunnel 1 both ways are working fine, on tunnel 4 I could not establish a connection, neither manual nor via knxkeys file.

Interestingly, HA KNX integration now connects as tunnel 2 (based on ETS group monitor) - I never configured tunnel 2.

farmio · November 14, 2022, 11:48am

I don’t have such an interface to test with.
The routers I have (different manufacturers) worked fine for any tunnel, but I’ll try to test that again.
Do you have any log errors of your failed connection attempts?

Crashman · November 14, 2022, 11:50am

Tell me where to find or how to activate the specific logging and I will give you error logs.

farmio · November 14, 2022, 11:52am

Have a look here: https://www.home-assistant.io/integrations/knx/#logs-for-the-knx-integration
You can contact me on Discord if you like to send files via DM. Find me on xknx or HA server farmio#5918

farmio · November 14, 2022, 8:53pm

So I did some testing and found a bug 🪲😬
Once you upload a knxkeys file this is always used, even if you choose manual config later.
If you want to have manual config you’d need to remove the lines

          "knxkeys_filename": ...,
          "knxkeys_password": ...,

from your .storage/core.config_entries file manually.

There also seems to be a problem when your knxkeys file contains keys from multiple tunnelling servers.

I’ll try to do a fix for that for the next release.

farmio · November 28, 2022, 6:47am

So that bug (and the multiple Tunnel server bug) is fixed with xknx 2.0.0 coming with HA 2022.12.

For the other way around (manual to keyfile) I’m confident that the fix will be merged in time as well.

github.com/home-assistant/core

Fix KNX secure config switching from manual to keyfile

home-assistant:dev ← farmio:knx_flow_entry_cleanup

opened 08:19AM - 26 Nov 22 UTC

farmio

+111 -8

## Proposed change  - Clean up the config entry to not have previous `user_id`, `user_password` and `device_authentication` when setting to use knxkeys file. If user_id and user_password are set these would take precendence over reading the keyfile in xknx so the keyfile wouldn't be used - even worse, if a different gateway was selected it would not be able to connect since the credentials are wrong. - Remove directory prefix from default filename if there is one already set. ## Type of change  - [ ] Dependency upgrade - [x] Bugfix (non-breaking change which fixes an issue) - [ ] New integration (thank you!) - [ ] New feature (which adds functionality to an existing integration) - [ ] Deprecation (breaking change to happen in the future) - [ ] Breaking change (fix/feature causing existing functionality to break) - [ ] Code quality improvements to existing code or addition of tests ## Additional information  - This PR fixes or closes issue: fixes # - This PR is related to issue: - Link to documentation pull request: ## Checklist  - [x] The code change is tested and works locally. - [x] Local tests pass. **Your PR cannot be merged unless tests pass** - [x] There is no commented out code in this PR. - [x] I have followed the [development checklist][dev-checklist] - [x] The code has been formatted using Black (`black --fast homeassistant tests`) - [ ] Tests have been added to verify that the new code works. If user exposed functionality or configuration variables are added/changed: - [ ] Documentation added/updated for [www.home-assistant.io][docs-repository] If the code communicates with devices, web services, or third-party tools: - [ ] The [manifest file][manifest-docs] has all fields filled out correctly. Updated and included derived files by running: `python3 -m script.hassfest`. - [ ] New or updated dependencies have been added to `requirements_all.txt`. Updated by running `python3 -m script.gen_requirements_all`. - [ ] For the updated dependencies - a link to the changelog, or at minimum a diff between library versions is added to the PR description. - [ ] Untested files have been added to `.coveragerc`.  To help with the load of incoming pull requests: - [ ] I have reviewed two other [open pull requests][prs] in this repository. [prs]: https://github.com/home-assistant/core/pulls?q=is%3Aopen+is%3Apr+-author%3A%40me+-draft%3Atrue+-label%3Awaiting-for-upstream+sort%3Acreated-desc+review%3Anone+-status%3Afailure  [dev-checklist]: https://developers.home-assistant.io/docs/en/development_checklist.html [manifest-docs]: https://developers.home-assistant.io/docs/en/creating_integration_manifest.html [quality-scale]: https://developers.home-assistant.io/docs/en/next/integration_quality_scale_index.html [docs-repository]: https://github.com/home-assistant/home-assistant.io

Thanks for reporting

dworks · January 26, 2023, 12:31pm

I can confim this bug and only got it working by manually setting Tunnel 1 and have no ETS connection open. All other tunnels do not work.

farmio · January 26, 2023, 12:41pm

Just to be sure: did you set the appropriate password for the different tunnels? Every tunnel (user_id) has its own password.

dworks · February 1, 2023, 2:49pm

Just in case someone is searching here:
Referred to MDT Secure tunnelling ErrorCode.E_NO_MORE_CONNECTIONS · Issue #86655 · home-assistant/core · GitHub

Got another reply from MDT that they think it is related to the ETS keyring with referencing to https://knx-user-forum.de/forum/öffentlicher-bereich/knx-eib-forum/diy-do-it-yourself/1836390-falcon-sdk-6-0-2-und-knx-secure-ip-tunnel-user-login-failed (sorry, it´s in German)

Their developers will have a look into it and might provide an update in the future if necessary.

For now we would need to use non-secure or bind to tunnel 1 to get it working.

Update 2023-11-28: Please see further down for the fixed MDT versions.

MrFaul · February 21, 2023, 2:09pm

Well thx, and here was I seething with rage at the myriad of breaking points in my setup.
So it is MDTs fault then.

Usually they are reliable and fix it relatively fast I’ll have to wait then.

dworks · November 28, 2023, 7:35pm

A headsup on this topic. The issue seemed to be resolved with the latest knxprod V2.3 from 08/23. Also make sure to have firmware V3.06 in place.
https://www.mdt.de/produkte/produktdetail/systemkomponenten/systemgeraete/ip-router.html#downloads

The downside is that there is no upgrade path, so the IP router and Email client need to be removed and re-added with the new version. Make sure to have the QR codes at hand if you are using secure connection.

Vitruvius · October 7, 2024, 7:38pm

For what it’s worth: I have an MDT SCN-IP100.03 IP router. The KNX Secure instructions show a ‘Description’ field containing the User ID, but it’s empty on my IP router (no idea if it’s supposed to be preset by default). Since the instructions say to increment by 1, I set user ID to ‘2’ in the KNX HA integration, which seems to have gotten me the second tunnel (x.x.254) it seems (the first was .255). Latest knxprod V2.3 and firmware V3.06.

Either way, can confirm it works .

Edit: double checked the user passwords associated with the available tunnels, the password I entered is matched to .255 but the address Home Assistant reports is x.x.254. So weird stuff, but hey, it works.

marimbadane · October 19, 2025, 8:35pm

hi, am completely new to HomeAssistant and so far I am only working wit KNX on ETS 6 - but have no knowledge concerning tunnelling, etc. I got everything runnig to the point, that the KNX-Integration in Home Assistant cannot “fetch gateway info to 10.0.0.10:3671”.

After trying all the “fields” i could find in ETS6 of my MDT SCN-IP 100.03 IP Router I am at a loss na don’t know how i can connect my IP-Router in KNX with my HomeAssistant Setup. can anybody help?! Thanks so much in advance!

farmio · October 20, 2025, 4:20am

Hi !

When exactly are you running into this error?
Do you have some firewall rules or something alike, disabilng UDP communication?
Can you share your configuration and logs?

As a heads-up: MDT Gateways still have some Secure related bugs. They just don’t seem to test or even care at all

marimbadane · October 20, 2025, 6:15pm

hi, thanks for taking the time!! I use a Unifi Cloud Key für my setup but am a total beginner and don’t know a lot about the network - details. so i don’t have any knowloedge concerning, wher to ad (or disable) a firewall or disable UDP. I am pretty sure, that there is nofirewall though.

The problem occurs at the very beginning when trying to connect HA with KNX - the simply cannot be a connection.

farmio · October 21, 2025, 10:15am

Are you running HA on a dedicated device using HA OS? Otherwise, maybe have a look at the host system configuration.

If the issue persists, we’d probably need more detailed logs and infos about the system and its exact configuration to help further. (See Troubleshooting your configuration - Home Assistant)