How do I troubleshoot a Site-to-Site VPN where the SA is Up, but the status is Down? (KB ID: KB9520)
| Article ID: | KB9520 |
|---|---|
| Former Article ID: | |
| Published: | May 31, 2007 |
| Last Modified: | May 31, 2007 |
| Visible By: | Employee, PTAC, Partner, Customer, Public |
Synopsis
How do I troubleshoot a Site-to-Site VPN where the SA is Up, but the status is Down? Traffic does not pass through the tunnel.
Problem
Symptoms & Errors:
- Traffic is not passing through the tunnel.
- The tunnel's SA is Active, but the status is Down.
Solution
To view the flowchart for the steps listed below, select this link: KB9520 Flowchart
Use the following steps to troubleshoot a VPN Tunnel in which the SA is Active but the status is Down:
1. Is this a Site-to-Site (or LAN-to-LAN) VPN? A Site-to-Site VPN is one between two Juniper Firewalls, or between a Juniper Firewall and an OEM VPN device. It is not a VPN between the Juniper Firewall and a client device running VPN software.
   - Yes - Continue with Step 2.
   - No - See KB9224 - How to Troubleshoot a Dial-Up VPN that will not come active.
2. Is the VPN Tunnel's SA (Security Association) Active while the Link Status is Down? For assistance, see KB6134 - How do I tell if a VPN Tunnel SA (Security Association) is active?
   - The SA is active and the link status is Down - Continue with Step 3.
   - The SA is active and the link status is Up, or the symbol " - " is displayed - Consult KB9276 - How to Troubleshoot a VPN that is Up, but is not Passing Traffic.
3. Is the VPN Monitor 'Optimized' feature enabled for this VPN? For assistance, see KB9522 - How do you enable the Optimized feature of VPN Monitor and what does it do?
   - Yes - Continue with Step 4.
   - No - Enable the VPN Monitor 'Optimized' setting and test the VPN connection again.
4. Temporarily disable VPN Monitor to further troubleshoot the issue. From the WebUI, uncheck the VPN Monitor box; from the CLI, enter: unset vpn <vpn> monitor (where <vpn> is the name of the VPN). Continue with Step 5.
5. With VPN Monitor disabled, is the policy passing data? For assistance with enabling logging, consult KB4214 - Configuring the Netscreen Traffic Log.
   - Yes - Continue with Step 6.
   - No - See KB9490 - How to troubleshoot a Policy that is not passing data.
6. Is the remote VPN device a non-Juniper Firewall, or is the remote VPN device configured to block ICMP Echo Requests?
   - Yes - Re-enable VPN Monitor and reconfigure it to use the Source Interface and Destination IP options. For assistance, see KB9503 - Configuring the Source Interface and Destination IP options of VPN Monitor.
   - No - Continue with Step 7.
7. Collect logs and open a case with JTAC (Juniper Technical Assistance Center). For assistance, see KB9229 - What Information should I collect for a Site-to-Site VPN that is Up, but will not pass traffic?
Category Description
By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems » ScreenOS Software
Purpose
Troubleshooting