How do I tell if a VPN Tunnel SA (Security Association) is active?
Knowledge Base ID: KB6134
Version: 5.0
Published: 07 Oct 2008
Updated: 07 Oct 2008
Categories: . Firewall/IPSec_VPN
. Tunneling Protocols
. ScreenOS

Summary:
How do I interpret the status (Sta) field in the output of the get sa command?  Determining if the SA is active or not will help you determine if the tunnel is up or not.  Check status of tunnel.

Problem or Goal:
How do I tell if a VPN Tunnel SA (Security Association) is active?
How do I check status of the tunnel?

Solution:

Through the CLI:  Telnet into the Firewall, type the following command, and press ENTER:  get sa

Note:  You can view the same information through the WebUI by clicking onVPNs > Monitor Status.

Here are 2 examples of the output of the get sa command:

Paris-> get sa
total configured sa: 1
HEX ID    Gateway Port Algorithm     SPI      Life:sec kb    Sta PID vsys
00000001< 1.1.1.1 500  esp:3des/sha1 e37791d2 expir    unlim I/I 2 0
00000001> 1.1.1.1 500  esp:3des/sha1 883ebdb7 expir    unlim I/I 1 0

Paris-> get sa
total configured sa: 1
HEX ID    Gateway Port Algorithm     SPI      Life:sec kb    Sta PID vsys
00000001< 1.1.1.1 500  esp:3des/sha1 e37791d3 3596     unlim A/- 2 0
00000001> 1.1.1.1 500  esp:3des/sha1 883ebdb8 3596     unlim A/- 1 0 
 

Note:  In the case of multiple VPN Tunnels, search through the Gateway column for the IP address of the Remote Gateway of the tunnel in question. 

The Sta field shows two things: 

  1. The first character displays whether the VPN tunnel is Active or Inactive.
  2. The second character (after the slash) displays the Link status thru the VPN Monitor feature. 

Here are the possible values of the sta field:

  • I/I:    VPN tunnel is Inactive
  • A/-:  VPN tunnel is Active, and VPN Monitor is not configured
  • A/U: VPN tunnel is Active, and the link (detected thru VPN Monitor) is UP
  • A/D: VPN tunnel is Active, but the link (detected thru VPN Monitor) is DOWN. VPN Monitor is not getting a response to its pings.  This could be happening because the device that is being pinged is down or has ping disabled.  This could also be happening if the other side of the VPN is not a NetScreen/Juniper Firewall.

Note: Both A/- and A/U are positive states that your tunnel is up.  Data will not pass thru a tunnel when the status is I/I or A/D.

 

If the only column headings are displayed (as shown below), no SA has been created and there are no active tunnels:

Paris-> get sa
total configured sa: 0
HEX ID    Gateway Port Algorithm     SPI      Life:sec kb    Sta PID vsys

This is typically caused by an incomplete VPN configuration.  For configuration assistance and examples consult the following link:

http://www.juniper.net/techpubs/software/screenos/

Click your ScreenOS version, then select the 'Concepts & Examples ScreenOS Reference Guide: VPNs'.   Refer to the'Site-to-Site Virtual Private Networks' section for configuration examples.

Purpose:
Troubleshooting