How to Troubleshoot a VPN Tunnel that won't come up (KB ID: KB9221)
| Article ID: | KB9221 |
|---|---|
| Former Article ID: | |
| Published: | Nov 12, 2007 |
| Last Modified: | Nov 12, 2007 |
| Visible By: | Employee, PTAC, Partner, Customer, Public |
Synopsis
This article will help determine why a VPN will not become active and establish a tunnel between two VPN devices. Follow the steps until the problem is resolved or a case needs to be opened with JTAC (Juniper Technical Assistance Center).
Problem
How to troubleshoot a VPN that won't come up?
Scenarios:
- A new LAN-to-LAN VPN tunnel between two NetScreen firewalls is not working
- A new LAN-to-LAN VPN tunnel between a NetScreen and an OEM VPN device is not working.
- An existing LAN-to-LAN VPN tunnel that was working until a change was made.
- A Dial-up VPN that won't connect
To see an overview of all VPN Resolution Guides: Firewall VPN Configuration & Troubleshooting Resolution Guides
Solution
To view the flowchart for the steps listed below, select: KB9221 Flowchart
Use the following steps to assist with resolving a VPN Tunnel that will not come active:
1. Is this a Site-to-Site (or LAN-to-LAN) VPN? A Site-to-Site VPN is one between two Juniper Firewalls, or between a Juniper Firewall and an OEM VPN device. It is not a VPN between the Juniper Firewall and a client device running VPN software.
   - Yes - Continue with Step 2.
   - No - See KB9224 - How to Troubleshoot a Dial-Up VPN that will not come active.
2. Is the VPN Tunnel's SA Active? For assistance, see KB6134 - How do I tell if a VPN Tunnel SA (Security Association) is active?
   - Yes, SA is Active - See KB9276 - How to Troubleshoot a VPN that is up, but is not Passing Traffic.
   - Sometimes, SA is bouncing between Active and Inactive - See KB9488 - How to troubleshoot a VPN tunnel that is going up and down.
   - No, SA is Inactive - Continue with Step 3.
3. Are there any IKE Phase 1 or 2 messages on the Responder VPN Firewall?
   Check the responder firewall for IKE Phase 1 or Phase 2 messages received from the initiating firewall. The responder is the "receiver" side of the VPN: the side that is being pinged, that receives the tunnel set-up requests, or that receives the tunneled traffic. The initiator is the side of the VPN from which the ping or traffic is generated. For assistance, see KB4426 - How do I Find the VPN Entry in the Event Log?
   - Yes - Jump to Step 5.
   - No - If there are no IKE Phase 1 or 2 messages in the event logs for this tunnel, go to the other VPN device (the initiator) and determine whether there are any IKE Phase 1 or 2 messages in its event logs. Continue with Step 4.
4. Are there any IKE Phase 1 or 2 messages in the Initiating VPN Firewall?
5. Are there any IKE Phase 2 error messages for this VPN Tunnel in the Event Logs?
   - Yes - For assistance, see KB9231 - How to analyze IKE Phase 2 Messages in the Event Logs.
   - No - Continue with Step 6.
6. Are there any IKE Phase 1 error messages for this VPN Tunnel in the Event Logs?
   - Yes - For assistance, see KB9238 - How to analyze the IKE Phase 1 messages in the Event Logs.
   - No - If there are no IKE Phase 1 messages in the Event Logs, or this did not resolve the problem, continue with Step 7.
7. Collect Site-to-Site logs from the units at both ends of the VPN and open a case with JTAC (Juniper Technical Assistance Center). For assistance, see KB9229 - How to Collect Logs for a Failing Site-to-Site VPN and Open a New Case.
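As an added example (not part of this article and not ScreenOS code), the decision tree in Steps 2 to 7 applied to event-log excerpts from both ends of the tunnel. The sample log lines are constructed, the `IKE<peer> Phase N ...:` message shape and the error wording are assumptions, and Step 4 is assumed to continue with the initiator's log when the responder shows no IKE messages.

```python
import re

# Constructed sample event-log lines (not real ScreenOS output); the
# "IKE<peer> Phase N ...:" line shape is an assumption for this example.
RESPONDER_LOG = """\
2007-11-12 10:01:02 IKE<203.0.113.7> Phase 1: Responder starts MAIN mode negotiations.
2007-11-12 10:01:02 IKE<203.0.113.7> Phase 1: Completed Main mode negotiations.
2007-11-12 10:01:03 IKE<203.0.113.7> Phase 2 msg ID 1a2b3c4d: Responded to the peer's first message.
2007-11-12 10:01:03 IKE<203.0.113.7> Phase 2: No policy exists for the proxy ID received.
"""
INITIATOR_LOG = """\
2007-11-12 10:00:58 IKE<198.51.100.9> Phase 1: Initiated negotiations in main mode.
2007-11-12 10:01:30 IKE<198.51.100.9> Phase 1: Negotiations have failed.
"""

IKE_RE = re.compile(r"IKE<(?P<peer>[^>]+)>\s+Phase\s+(?P<phase>[12])\b[^:]*:\s*(?P<msg>.*)")
# Wording (assumed) that marks a negotiation message as an error rather than progress.
ERROR_RE = re.compile(r"fail|reject|no policy|no proposal|mismatch|invalid|timed? ?out", re.I)


def ike_summary(log_text):
    """Return {phase: [(is_error, message), ...]} for the IKE lines in one event log."""
    summary = {1: [], 2: []}
    for line in log_text.splitlines():
        m = IKE_RE.search(line)
        if m:
            msg = m.group("msg")
            summary[int(m.group("phase"))].append((bool(ERROR_RE.search(msg)), msg))
    return summary


def next_step(sa_state, responder_log, initiator_log):
    """Walk the KB9221 decision tree and return the KB article to consult next.

    sa_state is 'active', 'flapping' or 'inactive' (Step 2). Steps 3 and 4:
    use the responder's log if it shows any IKE messages, otherwise the
    initiator's (assumption: Step 4 continues with the initiator's log).
    Steps 5-7: Phase 2 errors first, then Phase 1 errors, else collect logs.
    """
    if sa_state == "active":
        return "KB9276"
    if sa_state == "flapping":
        return "KB9488"
    ike = ike_summary(responder_log)
    if not (ike[1] or ike[2]):
        ike = ike_summary(initiator_log)
    if any(err for err, _ in ike[2]):
        return "KB9231"
    if any(err for err, _ in ike[1]):
        return "KB9238"
    return "KB9229"
```

With the constructed logs above, the responder's Phase 2 "No policy exists" line sends you to KB9231; with an empty responder log the initiator's failed Phase 1 sends you to KB9238.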