
[SRX] How do I tell if a VPN Tunnel SA (Security Association) is active


Article ID: KB10090 | KB Last Updated: 26 Feb 2021 | Version: 9.0
Summary:
 

Determining if a Security Association (SA) is active will help you discover whether the tunnel is up or down.

This article describes how to verify that a VPN has been established by checking the output of show security ike security-associations and show security ipsec security-associations.

 

Symptoms:
 

Verify if a VPN SA is active by reviewing the output of the commands show security ike security-associations and show security ipsec security-associations.

 

Solution:
 

To determine if the SA is active and whether the tunnel is up or down, check the status of IKE Phase 1 and IKE Phase 2 by using the show security ike security-associations and show security ipsec security-associations commands as follows:

  1. First, check the status of IKE Phase 1: 

show security ike security-associations
user@CORPORATE> show security ike security-associations 
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
1       2.2.2.2         UP     744a594d957dd513  1e1307db82f58387  Main
2       3.3.3.3         UP     744a594d957dd513  1e1307db82f58387  Main

Locate the entry for the Remote Address of the VPN in question and verify that the State is UP. The State field shows the status of the Phase 1 SA and will show the state as UP or DOWN. For more information about the output, refer to the command reference for show security ike security-associations.

If the Remote Address is not displayed, refer to KB10100 - [SRX] Resolution Guide - How to Troubleshoot Problem Scenarios in VPN Tunnels to investigate the cause of the VPN establishment issue.

What is the State of IKE Phase 1?

  2. If IKE Phase 1 is UP, then check the status of IKE Phase 2 (SA):

show security ipsec security-associations
user@CORPORATE> show security ipsec security-associations  
  total configured sa: 2
  ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <32785 2.2.2.2         1398  ESP:3des/sha1   29e26eba 28735/unlim   -   0
  >32785 2.2.2.2         1398  ESP:3des/sha1   6d4e790b 28735/unlim   -   0 
  total configured sa: 2
  ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <32786 3.3.3.3         500   ESP:3des/sha1   5c13215d 28782/unlim   U   0
  >32786 3.3.3.3         500   ESP:3des/sha1   18f67b48 28782/unlim   U   0 

Locate the entry for the Remote Address of the VPN in question.

If the remote gateway is not displayed, then VPN Phase 2 has not been established and the tunnel is currently DOWN. Refer to KB10100 - [SRX] Resolution Guide - How to Troubleshoot Problem Scenarios in VPN Tunnels to investigate the cause of the VPN establishment issue.

If the VPN gateway is listed, the tunnel has been established and is UP. The output displays two lines for each VPN tunnel, one per direction of traffic (the < line is inbound, the > line is outbound), each with its own SPI.

The "MON" field is used by VPN Monitoring to reflect the status of the tunnel and will have one of the following values:

  • - (hyphen): The VPN tunnel is Active, and the VPN Monitor optional feature is not configured.

  • U (UP): The VPN tunnel is Active, and the link (detected through the VPN Monitor) is UP.

  • D (DOWN): The VPN tunnel is Active, and the link (detected through the VPN Monitor) is DOWN. 

For more information about the output, refer to the command reference for show security ipsec security-associations.
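The two checks above (Phase 1 State, then Phase 2 presence and Mon flag) are easy to automate when polling many peers. The following is an added example, not Juniper code: it parses the two command outputs and applies the article's decision steps per remote gateway. The sample output is constructed from the article's examples plus a third peer (4.4.4.4) that has Phase 1 UP but no Phase 2 SA.

```python
"""Decide per remote gateway whether an SRX VPN tunnel is UP by parsing the two
show commands discussed in this article.  Sample output is constructed from the
article's examples (added example, not Juniper code)."""
import re

# Constructed: the article's two IKE rows plus a third peer (4.4.4.4) with no Phase 2 SA.
IKE_OUTPUT = """\
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
1       2.2.2.2         UP     744a594d957dd513  1e1307db82f58387  Main
2       3.3.3.3         UP     744a594d957dd513  1e1307db82f58387  Main
3       4.4.4.4         UP     0000000000000000  0000000000000000  Main
"""
IPSEC_OUTPUT = """\
  total configured sa: 2
  ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <32785 2.2.2.2         1398  ESP:3des/sha1   29e26eba 28735/unlim   -   0
  >32785 2.2.2.2         1398  ESP:3des/sha1   6d4e790b 28735/unlim   -   0
  total configured sa: 2
  ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <32786 3.3.3.3         500   ESP:3des/sha1   5c13215d 28782/unlim   U   0
  >32786 3.3.3.3         500   ESP:3des/sha1   18f67b48 28782/unlim   U   0
"""
IKE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(UP|DOWN)\s+")
IPSEC_RE = re.compile(r"^\s*([<>])(\d+)\s+(\S+)\s+\d+\s+\S+\s+([0-9a-f]+)\s+\S+\s+(\S)\s+")
MON_MEANING = {"-": "active, VPN monitor not configured",
               "U": "active, monitored link UP",
               "D": "active, monitored link DOWN"}

def parse_ike(text):
    """Map remote address -> Phase 1 state ('UP' or 'DOWN'); header lines do not match."""
    return {m.group(2): m.group(3) for m in map(IKE_RE.match, text.splitlines()) if m}

def parse_ipsec(text):
    """Map gateway -> {'spis': [direction+SPI, ...], 'mon': flag}; one SPI per direction."""
    sas = {}
    for m in filter(None, map(IPSEC_RE.match, text.splitlines())):
        entry = sas.setdefault(m.group(3), {"spis": [], "mon": m.group(5)})
        entry["spis"].append(m.group(1) + m.group(4))
    return sas

def tunnel_status(remote, ike, ipsec):
    """Walk the article's decision steps: Phase 1 state, Phase 2 presence, then Mon flag."""
    if ike.get(remote) != "UP":
        return "Phase 1 DOWN or peer not listed (see KB10100)"
    sa = ipsec.get(remote)
    if sa is None:
        return "Phase 1 UP, Phase 2 not established (see KB10100)"
    if len(sa["spis"]) != 2:
        return "Phase 2 incomplete: expected an inbound and an outbound SPI"
    return "UP: " + MON_MEANING.get(sa["mon"], "unknown Mon flag " + sa["mon"])
```

Feed it the real output captured from the device (for example over NETCONF or a session log) in place of the constructed strings; a peer that reports UP with Mon D is a tunnel whose SAs exist but whose monitored link is failing.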


Tips

  • Use the command show security ipsec statistics to check traffic flow through the VPN:

user@CORPORATE> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:                0
  Decrypted bytes:                0
  Encrypted packets:              0
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

  • Specify the SA index to display statistics for a specific VPN:

user@CORPORATE> show security ipsec statistics index 32785
ESP Statistics:
  Encrypted bytes:                0
  Decrypted bytes:                0
  Encrypted packets:              0
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

 

Modification History:
 
  • 2021-02-26: Article updated to reflect current information; minor, non-technical edits made; article accurate

  • 2020-06-27: Article reviewed for accuracy; no changes required

 
