Text Size:        

• Ask the KB
• Find answers in our KB
  
  Example: "Configure BGP"
  
• KB Article Feedback
• This article was easy to understand:

  Strongly Agree
  Agree
  Neutral
  Disagree
  Strongly Disagree
  

  This article was complete and accurate:

  Strongly Agree
  Agree
  Neutral
  Disagree
  Strongly Disagree
  

  How best can we improve this article?:

  
  

  What is your overall rating on this article?:

  Excellent
  Good
  Neutral
  Poor
  Very Poor
  

How to Troubleshoot a Dial-Up VPN that will not come active in JUNOS-ES (KB ID: KB10089)

Back to Previous Page | Knowledge Base Home

Article URL

http://kb.juniper.net/KB10089

Synopsis

This article will help determine the cause when a Dial-Up VPN does not come up.  A Dial-Up VPN is one between a PC using the NetScreen-Remote (NSR) Client software and a Juniper router/security device running JUNOS Enhanced Services (JUNOS-ES) software. 

Problem

A Dial-Up VPN is configured between a remote client, using the NetScreen Remote software, and a Juniper Firewall, but the tunnel is not coming up.   Use the steps listed below to troubleshoot the issue.

For assistance with installing a remote client VPN, consult: KB10137 - How do I remotely connect into my corporate/business office JUNOS-ES device?

Solution

To view the flowchart for the steps listed below, select this link:  KB10089 Flowchart

To view the Application Note for JUNOS-ES, select this link:  Dialup VPN with Xauth Configuration and Troubleshooting

Use the following steps to assist with resolving the Dial-Up VPN Tunnel issue:

 Is the VPN Tunnel a Dial-Up VPN?  A Dial-Up VPN is between a Juniper Firewall and a client PC that is running the Juniper VPN client software. A Site-to-Site VPN is one that is between two Juniper Firewalls or a Juniper Firewall and an OEM VPN device.  

• Yes - Continue with Step 2.
• No   - See KB10100 - How to Troubleshoot a Site-to-Site VPN Tunnel that will not come up in JUNOS-ES.

 Is the VPN Tunnel's SA active?  For assistance, see: KB10090 - How do I tell if a VPN Tunnel SA (Security Association) is active?.

• Yes - See Step 8 of : KB10093 - How to Troubleshoot a VPN that is up, but, is not Passing Traffic .
• No   - Continue with Step 3 

 Are there any IKE Phase 1 or 2 for this VPN Tunnel in the Kmd Logs?  For assistance,see: KB10097 - How Do I Find the VPN Entries in the Kmd Log?.

• Yes - Jump to Step 5
• No   - Continue with Step 4

 Are there any messages in the NetScreen-Remote VPN Client Log Viewer? For assistance, see KB9396 - How to View and Analyze the Messages in the NetScreen-Remote VPN Client Log Viewer.

• Yes - Jump to Step 6.
• No  - See KB10102 - How to troubleshoot a Dial-Up VPN that won't come up and there are no messages in the Kmd log.

  Are there IKE Phase 2 error messages in the Event Logs in the Firewall?

• Yes - See: KB10099 - How to Analyze IKE Phase 2 Error Messages in the Kmd Log. 
• No  - Continue with Step 6

 Are there IKE Phase 1 error messages in the Event Logs in the Firewall?

• Yes - See: KB10103 - How to Analyze IKE Phase 1 Messages in the Kmd Log.
• No  - Continue with Step 7.

 Collect NetScreen Remote and JUNOS-ES Firewall logs then open a case with Juniper Technical Support.  Refer to the following link for information on how to gather logs and the necessary documentation required for Juniper Technical Support to resolve this issue: KB10103 - What Information Should I collect for a Dial-Up VPN That Won't Come Up?.

Category Description

By Product » Software » Network Operating Systems » JUNOS-ES Software
By Product » Hardware » Routers » J-series » J2350
By Product » Hardware » Routers » J-series » J2320
By Product » Hardware » Routers » J-series » J6350
By Product » Hardware » Routers » J-series » J4350

Purpose

Troubleshooting

Related Articles

Related Links

Related Files