KNX Secure: Tunnel connection could not be established


I had a working KNX integration but now I want to switch to a KNX secure connection.

I am using an MDT IP Interface with 4 tunnels. Therefore I tried two ways: Manual configuration and automatic configuration using knxkeys-file from tunnel 4.

I don’t know what’s wrong, but I keep getting an error message: tunnel connection could not be established.

BTW: Tunnel connection using ETS is working fine. Should be a general problem.

What can I do? Thx for your help!

Okay, got it working, but there seems to be a problem with tunnel 2, 3 and 4.
The MDT IP Interface supplies 4 IP tunnels.

While I had ETS connected and blocking tunnel 1, no connection was possible. When disconnecting ETS and using tunnel 1 for HA, I got it working fine.

I cannot connect a different tunnel than 1 (userid: 2).

Hi :wave:!
With manual config or via knxkeys file?

On tunnel 1 both ways are working fine, on tunnel 4 I could not establish a connection, neither manual nor via knxkeys file.

Interestingly, HA KNX integration now connects as tunnel 2 (based on ETS group monitor) - I never configured tunnel 2.

I don’t have such an interface to test with.
The routers I have (different manufacturers) worked fine for any tunnel, but I’ll try to test that again.
Do you have any log errors of your failed connection attempts?

Tell me where to find or how to activate the specific logging and I will give you error logs.

Have a look here:
You can contact me on Discord if you like to send files via DM. Find me on xknx or HA server farmio#5918

So I did some testing and found a bug 🪲😬
Once you upload a knxkeys file this is always used, even if you choose manual config later.
If you want to have manual config you’d need to remove the lines

          "knxkeys_filename": ...,
          "knxkeys_password": ...,

from your .storage/core.config_entries file manually.

There also seems to be a problem when your knxkeys file contains keys from multiple tunnelling servers.

I’ll try to do a fix for that for the next release.

1 Like

So that bug (and the multiple Tunnel server bug) is fixed with xknx 2.0.0 coming with HA 2022.12.

For the other way around (manual to keyfile) I’m confident that the fix will be merged in time as well.

Thanks for reporting :+1:

I can confim this bug and only got it working by manually setting Tunnel 1 and have no ETS connection open. All other tunnels do not work.

Just to be sure: did you set the appropriate password for the different tunnels? Every tunnel (user_id) has its own password.

Just in case someone is searching here:
Referred to MDT Secure tunnelling ErrorCode.E_NO_MORE_CONNECTIONS · Issue #86655 · home-assistant/core · GitHub

Got another reply from MDT that they think it is related to the ETS keyring with referencing toöffentlicher-bereich/knx-eib-forum/diy-do-it-yourself/1836390-falcon-sdk-6-0-2-und-knx-secure-ip-tunnel-user-login-failed (sorry, it´s in German)

Their developers will have a look into it and might provide an update in the future if necessary.

For now we would need to use non-secure or bind to tunnel 1 to get it working.

Update 2023-11-28: Please see further down for the fixed MDT versions.

1 Like

Well thx, and here was I seething with rage at the myriad of breaking points in my setup.
So it is MDTs fault then.

Usually they are reliable and fix it relatively fast I’ll have to wait then.

A headsup on this topic. The issue seemed to be resolved with the latest knxprod V2.3 from 08/23. Also make sure to have firmware V3.06 in place.

The downside is that there is no upgrade path, so the IP router and Email client need to be removed and re-added with the new version. Make sure to have the QR codes at hand if you are using secure connection.