How to Troubleshoot a VPN that is up, but, is not Passing Traffic (KB ID: KB9276)
| Article ID: | KB9276 |
|---|---|
| Former Article ID: | |
| Published: | May 31, 2007 |
| Last Modified: | May 31, 2007 |
| Visible By: | Employee, PTAC, Partner, Customer, Public |
Synopsis
Although the VPN tunnel status is up, several factors can prevent traffic from passing through the tunnel. This article will help identify what might be preventing the data from passing across the VPN.
Problem
The VPN appears to be up, but it is not passing traffic in one or both directions.
Solution
To view the flowchart for the steps listed below, select this link: KB9276 Flowchart
Use the following steps to troubleshoot a VPN Tunnel that is Up but not passing data:
Step 1. Is the VPN tunnel's SA (Security Association) active and the link status up? For assistance, see KB6134 - How do I tell if a VPN Tunnel SA (Security Association) is active?
- The SA is active and the link status is up, or the symbol " - " is displayed - Continue with Step 2
- The SA is active but the link status is down - Consult KB9520 - How do I troubleshoot a Site-to-Site VPN where the SA is Up, but the status is Down?
- The SA is inactive - Consult KB9221 - How to Troubleshoot a VPN Tunnel that won't come up
Step 2. Is traffic failing to pass in both directions or in one direction only?
To confirm in which direction the traffic is failing, try pinging from a device on one LAN to the Trust interface of the other LAN. Example: Using the drawing below, from device 192.168.10.10 ping 192.168.20.10.
Then do the same from a device on the other side of the tunnel: from 192.168.20.20 ping 192.168.10.10. Note which direction, if either, is successful and continue with Step 3.
Step 3. Is this a Route-Based VPN or a Policy-Based VPN? For assistance, see KB4124 - Policy-Based VPN vs. Route-Based VPN.
- Route-Based VPN - Continue with Step 4
- Policy-Based VPN - Jump to Step 8
Step 4. Perform this step from the firewall that is not passing traffic. Does a route exist to the Tunnel Interface? For assistance, see KB6723 - How to Check if an IP is Reachable from the NetScreen.
- Yes - A route exists to the Tunnel Interface - Continue with Step 5
- No - Create the route to the Tunnel Interface and try the VPN again (assume tunnel.1 for this example). For assistance, consult KB5352 - Route-Based VPN is up, but not passing traffic. Is a route missing?
Step 5. Is the outgoing interface for the route the correct tunnel interface? The outgoing interface is the interface used to terminate the VPN tunnel on the local device.
- Yes - Continue with Step 6.
- No - Change the route to point to the correct tunnel interface and test again.
Example: `set vrouter trust-vr route 192.168.20.0/24 interface tunnel.1`
Step 6. Is the Tunnel Interface bound to the correct VPN?
- Yes - Continue with Step 7.
- No / Don't know - Bind the tunnel interface to the AutoKey IKE for this tunnel.
Example: `set vpn "vpn name" bind interface tunnel.1`
To do this through the WebUI:
- Click on VPNs -> AutoKey IKE.
- Find the AutoKey IKE for the tunnel in question and click Edit.
- Click on the Advanced button.
- In the Bind to section, click on Tunnel Interface.
- Use the pull-down menu and select the Tunnel interface you created for this tunnel.
- Click Return. Click OK.
Step 7. Is there a policy that allows traffic to the zone where the tunnel interface exists? For further assistance, see KB6551 - Is a policy needed for a Route-Based VPN?
- Policy not required - Skip to Step 10
- Yes - A policy exists - Continue with Step 10
- No - Create the appropriate policy and test the VPN again. See KB9514 - How to configure a policy for a Route-Based VPN.
Step 8. For a Policy-Based VPN, is there a tunnel policy for the VPN?
Example: `set policy from trust to untrust 192.168.10.0/24 192.168.20.0/24 Any tunnel vpn <vpn-name> permit`
- Yes - A policy exists - Continue with Step 9
- No - Create the appropriate policy and test the VPN again.
  - For Site-to-Site VPNs see KB4130 - How to Create a Policy for a Policy-Based Site-to-Site VPN.
  - For Dial-Up VPNs see KB4117 - Configuring a Policy for Dial Up VPN.
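As an added illustration, not part of this KB article or of any Juniper tool, the following Python script audits a saved ScreenOS configuration (the `set` lines that `get config` prints) for the conditions checked in Steps 4 through 6 and in Step 8: it performs a longest-prefix-match lookup for the remote host, confirms the matching route leaves through a tunnel interface, confirms that interface is the one the VPN is bound to, and looks for a tunnel policy that covers the flow. The sample configuration, the VPN name `site-b-vpn`, the interfaces `tunnel.2` and `ethernet0/3`, the gateway 203.0.113.1 and all function names are constructed for this example; the sample deliberately reproduces the Step 5 mismatch (route on tunnel.2, VPN bound to tunnel.1) and the article's fix is applied in `FIXED_CONFIG`.

```python
"""Audit a saved ScreenOS configuration against Steps 4-6 (route-based VPN)
and Step 8 (policy-based VPN) of KB9276. Parsing locates keywords rather than
fixed positions, so extra tokens such as policy ids do not break it."""
import ipaddress
import shlex

# Constructed sample config: the VPN is bound to tunnel.1, but the route to
# the remote LAN points at tunnel.2 - the mismatch Step 5 is meant to catch.
SAMPLE_CONFIG = """
set interface tunnel.1 zone untrust
set vpn "site-b-vpn" bind interface tunnel.1
set vrouter trust-vr route 192.168.20.0/24 interface tunnel.2
set vrouter trust-vr route 0.0.0.0/0 interface ethernet0/3 gateway 203.0.113.1
set policy from trust to untrust 192.168.10.0/24 192.168.20.0/24 Any tunnel vpn "site-b-vpn" permit
"""
# The article's Step 5 fix: re-point the route at the bound tunnel interface.
FIXED_CONFIG = SAMPLE_CONFIG.replace("interface tunnel.2", "interface tunnel.1")


def _net(token):
    """IPv4 network for a prefix or 'Any'; None for a named address-book object."""
    if token.lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None


def parse_config(text):
    """Collect routes, VPN-to-tunnel bindings and tunnel policies from `set` lines."""
    cfg = {"routes": [], "bindings": {}, "policies": []}
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())
        if len(tok) < 3 or tok[0] != "set":
            continue
        if tok[1] == "vrouter" and "route" in tok and "interface" in tok:
            r, i = tok.index("route"), tok.index("interface")
            net = _net(tok[r + 1])
            if net is not None and i + 1 < len(tok):
                cfg["routes"].append((net, tok[i + 1]))
        elif tok[1] == "vpn" and "bind" in tok:
            b = tok.index("bind")
            if tok[b + 1:b + 2] == ["interface"] and b + 2 < len(tok):
                cfg["bindings"][tok[2]] = tok[b + 2]
        elif tok[1] == "policy" and "from" in tok and "tunnel" in tok:
            f, t = tok.index("from"), tok.index("tunnel")
            if tok[t + 1:t + 2] == ["vpn"] and t + 2 < len(tok) and f + 5 < len(tok):
                cfg["policies"].append({
                    "from": tok[f + 1], "to": tok[f + 3],
                    "src": _net(tok[f + 4]), "dst": _net(tok[f + 5]),
                    "vpn": tok[t + 2],
                })
    return cfg


def route_for(cfg, dst_host):
    """Longest-prefix match: which interface would the firewall use to reach dst_host?"""
    addr = ipaddress.ip_address(dst_host)
    matches = [(net, iface) for net, iface in cfg["routes"] if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def audit_route_based(cfg, vpn_name, remote_host):
    """Steps 4-6: a route exists, it leaves via a tunnel interface, and that
    interface is the one bound to the VPN. Returns (step, status, detail) tuples."""
    findings = []
    route = route_for(cfg, remote_host)
    if route is None:
        return [("Step 4", "FAIL", f"no route to {remote_host}; add one to the tunnel interface")]
    net, iface = route
    if not iface.startswith("tunnel."):
        return [("Step 4", "FAIL", f"{remote_host} is routed via {iface} ({net}), not a tunnel interface")]
    findings.append(("Step 4", "OK", f"route {net} -> {iface}"))
    bound = cfg["bindings"].get(vpn_name)
    if bound is None:
        findings.append(("Step 6", "FAIL", f"VPN {vpn_name!r} is not bound to any tunnel interface"))
    elif bound != iface:
        findings.append(("Step 5", "FAIL", f"route uses {iface} but VPN {vpn_name!r} is bound to {bound}"))
    else:
        findings.append(("Step 5/6", "OK", f"{iface} is bound to VPN {vpn_name!r}"))
    return findings


def audit_policy_based(cfg, vpn_name, src_host, dst_host):
    """Step 8: is there a tunnel policy naming this VPN that covers src -> dst?"""
    s, d = ipaddress.ip_address(src_host), ipaddress.ip_address(dst_host)
    for p in cfg["policies"]:
        if p["src"] is None or p["dst"] is None:
            continue  # named address-book objects are not resolved here
        if p["vpn"] == vpn_name and s in p["src"] and d in p["dst"]:
            return ("Step 8", "OK", f"tunnel policy {p['from']}->{p['to']} {p['src']} -> {p['dst']} covers the flow")
    return ("Step 8", "FAIL", f"no tunnel policy for VPN {vpn_name!r} covering {src_host} -> {dst_host}")


if __name__ == "__main__":
    for label, text in (("as configured", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        cfg = parse_config(text)
        print(label, audit_route_based(cfg, "site-b-vpn", "192.168.20.10"))
        print(label, audit_policy_based(cfg, "site-b-vpn", "192.168.10.10", "192.168.20.10"))
```

Run it against the text of your own `get config` output in place of `SAMPLE_CONFIG`; a Step 4 failure points at the routing table, a Step 5 or 6 failure at the route's interface or the VPN binding, and a Step 8 failure at the tunnel policy, which is the same branch the flowchart would send you down.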
Step 9. Is the policy passing data? For assistance with enabling logging, consult KB4214 - Configuring the Netscreen Traffic Log.
- Yes - Continue with Step 10
- No - See KB9490 - How to troubleshoot a Policy that is not passing data
Step 10. Collect logs and open a case with JTAC (Juniper Technical Assistance Center). For assistance, see KB9229 - What Information should I collect for a Site-to-Site VPN that is Up, but, will not pass traffic? or KB9395 - What Information Should Be Collected for a Dial-Up VPN That Won't Come Up?
Category Description
By Product » Hardware » Firewalls
By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems
By Product » Software » Network Operating Systems » ScreenOS Software