How to Troubleshoot a Site-to-Site VPN that won't come up and there are No Messages in the Event Logs (KB ID: KB9217)
| Article ID: | KB9217 |
|---|---|
| Former Article ID: | |
| Published: | Feb 22, 2008 |
| Last Modified: | Feb 22, 2008 |
| Visible By: | Employee, PTAC, Partner, Customer, Public |
Synopsis
The article assists with troubleshooting a Site-to-Site (LAN-to-LAN) VPN that shows no IKE messages in the Event logs.
Problem
Symptoms & Errors:
- The VPN tunnel does not come up
- The SA (Security Association) is not active
- The VPN is not passing data.
- There are no Phase 1 or Phase 2 IKE messages in the Event logs.
Solution
To view the flowchart for the steps listed below, select this link: KB9217 Flowchart
Use the following steps to resolve the problem where the VPN Tunnel is not coming active and there are no Phase 1 or Phase 2 messages in the event logs. All steps should be performed on the initiating firewall unless otherwise specified. (The initiating firewall is the side of the VPN that the traffic is being generated from.)
Depending on the VPN configuration, you may have to initiate traffic through the tunnel before it will come active.
1. Is this a Policy-Based or Route-Based VPN? For further assistance, see KB4124 - Policy Based VPN vs. Route Based VPN. Which one do I have configured?
   - Policy-Based - Continue with Step 2.
   - Route-Based - Jump to Step 4.
2. Are the VPN Tunnel policies in the correct policy order? For further assistance, see KB6629 - How to change the order of the policies and why that is important?
   - Yes - Continue with Step 3.
   - No - Try placing the VPN policies at the top of each zone list, then ping across the tunnel or try the VPN connection again.
3. Is the VPN Gateway configured to use the correct outgoing interface? For further assistance, see KB4409 - How Do I Ensure That the Outgoing VPN Interface Configured in Phase 1 Matches?
   - Yes - Jump to Step 8.
   - No - The IKE Gateway's outgoing interface cannot be changed. Create a new IKE Gateway that points to the correct outgoing interface, then change the AutoKey IKE so that it uses the new gateway.
4. Does a route exist for the tunnel interface? For further assistance, see KB6723 - How to check if an IP is reachable from the NetScreen?
   - Yes - Continue with Step 5.
   - No - A static route needs to be created that routes traffic for the remote network to the Tunnel interface. For further assistance, see
5. Is the tunnel interface bound to the AutoKey IKE for this VPN? An interface bound to more than one VPN can also cause this symptom.
   - Yes - Continue with Step 6.
   - No - Bind the tunnel interface to the AutoKey IKE for this tunnel. To do this through the WebUI:
     - Click on VPNs -> AutoKey IKE.
     - Find the AutoKey IKE for the tunnel in question and click Edit.
     - Click on the Advanced button.
     - In the Bind to section, click on Tunnel Interface.
     - Use the pull-down menu and select the Tunnel interface you created for this tunnel.
     - Click Return. Click OK.
6. Is the VPN Gateway configured to use the correct outgoing interface? For further assistance, see KB4409 - How Do I Ensure That the Outgoing VPN Interface Configured in Phase 1 Matches?
   - Yes - Continue with Step 7.
   - No - The IKE Gateway's outgoing interface cannot be changed. Create a new IKE Gateway that points to the correct outgoing interface, then change the AutoKey IKE so that it uses the new gateway.
7. Is there a policy that allows traffic to the zone where the tunnel interface exists?
   - Yes - Continue with Step 8.
   - No - For assistance on configuring a policy, consult:
8. Once the data has been collected, open a case by either calling the Juniper Networks Technical Assistance Center at 888-314-JTAC (5822) or logging in to the Case Management tool via the Juniper support site at: Case Management and clicking the "Create a Case" link. For assistance with collecting information, see KB9229 - What information should I collect for a Site-to-Site VPN that won't come up?
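Because the KB9217 flowchart link above no longer resolves, the decision flow of Steps 1 through 8 is encoded below as a small, testable decision tree. This is an added example, not Juniper's code and not part of the original article; it does not talk to a firewall. The `VpnState` field names are hypothetical labels for the yes/no answers the steps ask the operator to determine, and the scenarios at the bottom are constructed, not taken from any real device.

```python
"""KB9217 troubleshooting flow as a decision tree (added example, not Juniper code).

Each VpnState field is a hypothetical name for the operator's yes/no answer to one
of the article's steps. walk() follows the flowchart and returns the step at which
to stop: the first "No" (apply its remedy and retry) or Step 8 (escalate to JTAC).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class VpnState:
    """Operator-observed answers to the article's questions (hypothetical field names)."""
    route_based: bool                        # Step 1: Route-Based (True) or Policy-Based (False)
    policy_order_correct: bool = True        # Step 2: VPN policies at the top of each zone list
    gateway_interface_correct: bool = True   # Steps 3 and 6: IKE Gateway outgoing interface matches
    route_to_tunnel_exists: bool = True      # Step 4: route for the remote network via the tunnel interface
    tunnel_bound_once: bool = True           # Step 5: tunnel interface bound to this AutoKey IKE only
    policy_to_tunnel_zone: bool = True       # Step 7: policy permits traffic to the tunnel interface's zone


# Remedy text paraphrased from the article, keyed by the step whose answer was "No".
REMEDIES: Dict[int, str] = {
    2: "Move the VPN policies to the top of each zone list, then retry the tunnel.",
    3: "Create a new IKE Gateway on the correct outgoing interface and point the AutoKey IKE at it.",
    4: "Add a static route for the remote network via the tunnel interface.",
    5: "Bind the tunnel interface to this tunnel's AutoKey IKE (VPNs -> AutoKey IKE -> Edit -> Advanced).",
    6: "Create a new IKE Gateway on the correct outgoing interface and point the AutoKey IKE at it.",
    7: "Add a policy that allows traffic to the zone where the tunnel interface exists.",
    8: "All checks passed: collect the data listed in KB9229 and open a JTAC case.",
}

# Step 1 only branches; it has no failure case. Policy-based VPNs skip the
# route-based checks (4-7) entirely, and route-based VPNs skip Step 2.
POLICY_BASED_PATH = [2, 3]
ROUTE_BASED_PATH = [4, 5, 6, 7]


def answers(state: VpnState) -> Dict[int, bool]:
    """Map each checking step to the operator's yes/no answer."""
    return {
        2: state.policy_order_correct,
        3: state.gateway_interface_correct,
        4: state.route_to_tunnel_exists,
        5: state.tunnel_bound_once,
        6: state.gateway_interface_correct,
        7: state.policy_to_tunnel_zone,
    }


def walk(state: VpnState) -> Tuple[List[int], int]:
    """Follow the flowchart and return (steps visited, step at which to stop).

    The stop step is the first step answered "No", or 8 if every check passed.
    """
    visited = [1]
    path = ROUTE_BASED_PATH if state.route_based else POLICY_BASED_PATH
    yes = answers(state)
    for step in path:
        visited.append(step)
        if not yes[step]:
            return visited, step
    visited.append(8)
    return visited, 8


def triage(state: VpnState) -> str:
    """One-line summary of the path taken and the action to perform, suitable for a ticket note."""
    visited, stop = walk(state)
    trail = " -> ".join(f"Step {s}" for s in visited)
    return f"{trail}: {REMEDIES[stop]}"


if __name__ == "__main__":
    # Constructed scenarios, not observations from any real firewall.
    print(triage(VpnState(route_based=False)))
    print(triage(VpnState(route_based=True, route_to_tunnel_exists=False)))
    print(triage(VpnState(route_based=True, tunnel_bound_once=False)))
```

The tree makes one point of the procedure explicit that is easy to miss when reading the steps linearly: a policy-based VPN is cleared after only Steps 2 and 3, while a route-based VPN must pass the route, binding, gateway-interface and zone-policy checks before the remaining option is escalation to JTAC.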
Category Description
By Product » Hardware » Firewalls
By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems » ScreenOS Software