
How do I tell if a VPN Tunnel SA (Security Association) is active? (KB ID: KB6134)

Article ID: KB6134
Former Article ID: nskb3504
Published: Feb 26, 2008
Last Modified: Feb 26, 2008
Visible By: Employee, PTAC, Partner, Customer, Public


Article URL

http://kb.juniper.net/KB6134

Synopsis

How do I interpret the status (Sta) field in the output of the get sa command? Determining whether the SA is active tells you whether the tunnel is up, so this is the first check of tunnel status.

Problem

How do I tell if a VPN Tunnel SA (Security Association) is active?
How do I check status of the tunnel?

Solution

Through the CLI: Telnet into the firewall, type the following command, and press ENTER: get sa

Note: You can view the same information through the WebUI by clicking on VPNs > Monitor Status.

Here are 2 examples of the output of the get sa command:

Paris-> get sa
total configured sa: 1
HEX ID    Gateway Port Algorithm     SPI      Life:sec kb    Sta PID vsys
00000001< 1.1.1.1 500  esp:3des/sha1 e37791d2 expir    unlim I/I 2 0
00000001> 1.1.1.1 500  esp:3des/sha1 883ebdb7 expir    unlim I/I 1 0

Paris-> get sa
total configured sa: 1
HEX ID    Gateway Port Algorithm     SPI      Life:sec kb    Sta PID vsys
00000001< 1.1.1.1 500  esp:3des/sha1 e37791d3 3596     unlim A/- 2 0
00000001> 1.1.1.1 500  esp:3des/sha1 883ebdb8 3596     unlim A/- 1 0

Note:  In the case of multiple VPN Tunnels, search through the Gateway column for the IP address of the Remote Gateway of the tunnel in question. 

The Sta field shows two things:

  1. The first character displays whether the VPN tunnel is Active or Inactive.
  2. The second character (after the slash) displays the link status as detected through the VPN Monitor feature.

Here are the possible values of the Sta field:

  • I/I: VPN tunnel is Inactive
  • A/-: VPN tunnel is Active, and VPN Monitor is not configured
  • A/U: VPN tunnel is Active, and the link (detected through VPN Monitor) is UP
  • A/D: VPN tunnel is Active, but the link (detected through VPN Monitor) is DOWN. VPN Monitor is not getting a response to its pings. This can happen because the device being pinged is down or has ping disabled. It can also happen when the other side of the VPN is not a NetScreen/Juniper firewall.

Note: Both A/- and A/U are positive states indicating that your tunnel is up. Data will not pass through a tunnel when the status is I/I or A/D.


If only the column headings are displayed (as shown below), no SA has been created and there are no active tunnels:

Paris-> get sa
total configured sa: 0
HEX ID    Gateway Port Algorithm     SPI      Life:sec kb    Sta PID vsys

This is typically caused by an incomplete VPN configuration. For configuration assistance and examples, consult the following link:

http://www.juniper.net/techpubs/software/screenos/

Click your ScreenOS version, then select the 'Concepts & Examples ScreenOS Reference Guide: VPNs'. Refer to the 'Site-to-Site Virtual Private Networks' section for configuration examples.
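As an added example (not part of this article), the following Python parser reads get sa output in the format shown above, classifies each tunnel by the Sta value of its SAs, and reports the headings-only case as "no SA". The sample output is constructed from the article's examples with a second, inactive gateway (2.2.2.2) added so that both states appear; it is not a real capture.

```python
import re

# Constructed sample modelled on this article's output, with a second (inactive)
# gateway added so both states appear; not a real capture.
SAMPLE_GET_SA = """\
Paris-> get sa
total configured sa: 2
HEX ID    Gateway Port Algorithm     SPI      Life:sec kb    Sta PID vsys
00000001< 1.1.1.1 500  esp:3des/sha1 e37791d3 3596     unlim A/- 2 0
00000001> 1.1.1.1 500  esp:3des/sha1 883ebdb8 3596     unlim A/- 1 0
00000002< 2.2.2.2 500  esp:3des/sha1 0a1b2c3d expir    unlim I/I 4 0
00000002> 2.2.2.2 500  esp:3des/sha1 4d5e6f70 expir    unlim I/I 3 0
"""

# Sta values and their meaning, as described in the article.
STA_MEANING = {
    "I/I": "inactive",
    "A/-": "active, VPN Monitor not configured",
    "A/U": "active, VPN Monitor link up",
    "A/D": "active, but VPN Monitor link down (no ping response)",
}
PASSES_TRAFFIC = {"A/-", "A/U"}  # the only states in which data flows

# One SA row: 8-hex-digit ID plus a '<' or '>' marker, then the columns shown above.
SA_LINE = re.compile(
    r"^(?P<hexid>[0-9a-f]{8})(?P<mark>[<>])\s+(?P<gateway>\S+)\s+\d+\s+\S+\s+"
    r"(?P<spi>[0-9a-f]+)\s+\S+\s+\S+\s+(?P<sta>[AI]/[IUD-])\s+\d+\s+\d+$", re.I
)

def parse_get_sa(text):
    """Return one dict per SA row; an empty list when only the headings are present."""
    rows = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def tunnel_status(rows, gateway):
    """Classify the tunnel to a remote gateway; both SA directions must pass traffic."""
    sas = [r for r in rows if r["gateway"] == gateway]
    if not sas:
        return "no SA: nothing negotiated (typically an incomplete configuration)"
    if all(r["sta"] in PASSES_TRAFFIC for r in sas):
        return "up: " + STA_MEANING[sas[0]["sta"]]
    reasons = sorted({STA_MEANING.get(r["sta"], r["sta"]) for r in sas})
    return "down: " + "; ".join(reasons)
```

Because the output lists one row per direction, the status check requires both SAs for a gateway to be in a traffic-passing state before reporting the tunnel as up.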

Category Description

By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems » ScreenOS Software
By Network Technology » IP Protocols » Tunneling Protocols

Purpose

Troubleshooting
