How to troubleshoot a Policy that is not passing data. (KB ID: KB9490)

Article ID: KB9490
Published: May 31, 2007
Last Modified: May 31, 2007
Visible By: Employee, PTAC, Partner, Customer, Public

Article URL

http://kb.juniper.net/KB9490

Synopsis

The VPN is up, but the policy isn't passing data. What could be wrong?

Problem

The policy isn't passing data.

Solution

To view the flowchart for the steps listed below, select this link: KB9490 Flowchart

Use the following steps to troubleshoot a policy for a Site-to-Site VPN that is not passing data:

Step one: Does the Policy Log show bytes sent? For information on how to check the policy log, consult KB4260 - Viewing Policy Reports. If logging is not enabled, consult KB4214 - Configuring the NetScreen Traffic Log.

  • Yes - Continue with Step 2
  • No   - Skip to Step 3

Step two: Are the Source and/or Destination Address translations correct? For assistance, see KB9542 - How to Determine if the Source and Destination Address Translation is Correct.

  • Yes - Continue with Step 3
  • No   - Correct the address(es) and try to send data through the tunnel again

Step three: Is the Policy order correct? For assistance, consult KB6629 - How to change the order of the Policies and why it is important?

  • Yes - Continue with Step 4
  • No   - Correct the policy issue and try the VPN tunnel again

Step four: Are the addresses in the policy correct? Verify that the addresses are correct and that they have the correct subnet mask. If you are using Address Book entries, see KB4130 - How to configure a Policy for a VPN.

  • Yes - Continue with Step 5
  • No   - Correct the address(es) and try to send data through the tunnel again

Step five: Is the policy permitting the service(s)? For assistance in configuring either pre-defined or custom services in a policy, consult KB4271 - Creating a Policy Using a Custom Service.

  • Yes - Continue with Step 6
  • No   - Correct the policy issue and try the VPN tunnel again

Step six: Is the Address Book entry used in the policy correct? For assistance, consult KB9501 - How to Confirm the Address Book Entry is Correct.

  • Yes - Continue with Step 7
  • No   - Correct the address issue and try the VPN tunnel again

Step seven: Is the traffic reaching the Firewall device? For assistance, consult KB6723 - How to check if an IP is reachable from the NetScreen?, or use the trace-route CLI command (consult the CLI Reference guide for more information).

  • Yes - Continue with Step 8
  • No   - Correct the network issue and try the VPN tunnel again

Step eight: Collect logs and open a case with JTAC (Juniper Technical Assistance Center). For assistance, see KB9229 - What Information should I collect for a Site-to-Site VPN that is Up, but, will not pass traffic?
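
The checks in steps three to five can be rehearsed offline against a copy of the rule list before changing the device. The following is an added example, not Juniper code: the `Policy` model, the sample rules and the top-down, first-match evaluation are simplifying assumptions (zones and address translation are left out). It reports whether the intended VPN policy fails on an address, subnet mask or service, or is shadowed by a policy placed above it.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    pid: int
    src: str      # source network in CIDR form
    dst: str      # destination network in CIDR form
    ports: tuple  # permitted destination ports; empty tuple means ANY
    action: str   # "tunnel", "permit" or "deny"

def matches(p, src_ip, dst_ip, port):
    """Per-field result of comparing one flow against one policy."""
    return {
        "src": ipaddress.ip_address(src_ip) in ipaddress.ip_network(p.src),
        "dst": ipaddress.ip_address(dst_ip) in ipaddress.ip_network(p.dst),
        "service": not p.ports or port in p.ports,
    }

def diagnose(policies, intended_pid, src_ip, dst_ip, port):
    """Explain why a test flow does or does not hit the intended policy."""
    intended = next(p for p in policies if p.pid == intended_pid)
    # Steps four and five: address, mask and service of the intended policy.
    failed = [k for k, ok in matches(intended, src_ip, dst_ip, port).items() if not ok]
    if failed:
        return f"policy {intended_pid} does not match the flow: check {', '.join(failed)}"
    # Step three: assumed top-down evaluation, the first full match wins.
    first = next(p for p in policies
                 if all(matches(p, src_ip, dst_ip, port).values()))
    if first.pid == intended_pid:
        return f"policy {intended_pid} is the first match"
    return f"policy {first.pid} ({first.action}) matches first and shadows policy {intended_pid}"

# Constructed sample rule base (not from the article), in evaluation order.
RULES = [
    Policy(1, "10.1.0.0/16", "0.0.0.0/0", (), "deny"),
    Policy(2, "10.1.1.0/24", "10.2.2.0/24", (443,), "tunnel"),
]

if __name__ == "__main__":
    print(diagnose(RULES, 2, "10.1.1.50", "10.2.2.10", 443))
    print(diagnose(RULES[::-1], 2, "10.1.1.50", "10.2.2.10", 443))
```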

Category Description

By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems » ScreenOS Software

Purpose

Troubleshooting
