[J/SRX] How to troubleshoot a VPN that is up, but is not passing traffic

[KB10093]


Although the VPN tunnel status is active, several factors can prevent traffic from passing through the tunnel.  This article helps identify what might be preventing the data from passing through the VPN.

This article is part of the troubleshooting guide: KB10100 - Resolution Guide - How to troubleshoot a VPN tunnel that is down or not active.


The VPN is up, but it is not passing traffic in one or both directions.


Use the following steps to troubleshoot a VPN tunnel that is active, but not passing data:

Note: If your VPN is down, then go to KB10100 - Resolution Guide - How to troubleshoot a VPN tunnel that is down or not active. If your VPN is going up and down, then proceed with the following steps.

Step 1: Is the IPsec SA (Security Association) listed in ‘show security ipsec security-associations’?

If it is not listed, then the SA is not active or UP.

For assistance, consult: KB10090 - How do I tell if a VPN Tunnel SA (Security Association) is active?

Step 2: Is the VPN using the loopback lo0 as the external-interface?

root> show configuration security ike
policy ike_pol {
    proposal-set compatible;
    pre-shared-key ascii-text "$9$tMwDuIESreWX7yr4aGDkqIEhcvWbs2";
}
gateway gate1 {
    ike-policy ike_pol;
    external-interface lo0.0;
}

  • Yes - Continue with Step 3.
  • No - Jump to Step 4.

Step 3: Are the egress interface (based on the route to the destination) and the lo0 used as the VPN external-interface in the same security zone?

Step 4: Is this a route-based VPN or a policy-based VPN?

For information on how to tell, consult: KB10105 - What is the difference between a policy-based VPN and a route-based VPN?

  • Route-based VPN - Continue with Step 5.
  • Policy-based VPN - Jump to Step 8.

Step 5: [Route-based VPN] Does a route for the remote network exist via the st0 interface in ‘show route <remote network>’?

root@siteA> show route
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

                   *[Static/5] 00:00:53
                    > via st0.0  <----------


Step 6: [Route-based VPN] Looking at the route located in Step 5, is the next-hop for the route pointing to the correct st0 interface?

a. First, locate the IKE Gateway using 'show security ike'

root@siteA# show security ike
gateway gw-siteB {        <---------
    ike-policy ike-phase1-policy;
    external-interface ge-0/0/3.0;
}

b. Then locate the IPsec VPN for that IKE Gateway using 'show security ipsec'

root@siteA# show security ipsec
vpn ike-vpn-siteB {
    bind-interface st0.0;
    ike {
        gateway gw-siteB;      <---------
        proxy-identity {
            service any;
        }
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}

c. Review the bind-interface located in step 6b to find the st0 interface.
    In this example, the VPN ike-vpn-siteB is bound to the st0.0 interface, which must match the next-hop of the route from Step 5.

Step 7: [Route-based VPN] Is there a security policy that allows traffic from the internal zone to the st0 security zone in ‘show security policies’?

Step 8: [Policy-based VPN] Is there a VPN tunnel security policy to allow traffic in ‘show security policies’?

root@siteA# show security policies
from-zone trust to-zone untrust {
    policy vpn_egress {
        match {
            source-address local-net;
            destination-address remote-net;
            application any;
        }
        then {
            permit {
                tunnel {                      <----------
                    ipsec-vpn ike-vpn-siteC;  <----------
                }
            }
        }
    }
}
from-zone untrust to-zone trust {
    policy vpn_ingress {
        match {
            source-address remote-net;
            destination-address local-net;
            application any;
        }
        then {
            permit {
                tunnel {                      <----------
                    ipsec-vpn ike-vpn-siteC;  <----------
                }
            }
        }
    }
}


Step 9: Is the traffic matching the policy identified in Step 7 or 8?

Use the operational command 'show security flow session source-prefix <source address> destination-prefix <destination address>' to locate the matched policy. The Policy name field shows which policy the session hit, and the In/Out lines show the interfaces and packet counts for each direction.

root@siteA> show security flow session source-prefix destination-prefix

Session ID: 5801, Policy name: AtoB/2, Timeout: 1790, Valid
In: -->;icmp, If: fe-0/0/2.0, Pkts: 59878, Bytes: 4602292
Out: -->;icmp, If: st0.0, Pkts: 52505, Bytes: 4189289
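As an added example, not part of this KB article: a Python parser for the flow-session output above that classifies each session of a route-based VPN by where its reply (Out) wing sits and whether any reply packets arrived. The session text and its addresses are constructed (the KB output elides them); the tunnel interface name st0.0 and the verdict labels are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the format of the flow-session output above; the
# addresses are invented, since the KB's own output shows them elided.
SAMPLE_OUTPUT = """\
Session ID: 5801, Policy name: AtoB/2, Timeout: 1790, Valid
  In: 10.1.1.10/5 --> 10.2.2.10/5;icmp, If: fe-0/0/2.0, Pkts: 59878, Bytes: 4602292
  Out: 10.2.2.10/5 --> 10.1.1.10/5;icmp, If: st0.0, Pkts: 52505, Bytes: 4189289

Session ID: 5802, Policy name: AtoB/2, Timeout: 1790, Valid
  In: 10.1.1.11/6 --> 10.2.2.10/6;icmp, If: fe-0/0/2.0, Pkts: 12, Bytes: 1008
  Out: 10.2.2.10/6 --> 10.1.1.11/6;icmp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 5803, Policy name: default-permit/4, Timeout: 1790, Valid
  In: 10.1.1.12/7 --> 10.2.2.10/7;icmp, If: fe-0/0/2.0, Pkts: 30, Bytes: 2520
  Out: 10.2.2.10/7 --> 10.1.1.12/7;icmp, If: ge-0/0/3.0, Pkts: 0, Bytes: 0
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(r"(In|Out): .*?, If: ([^,]+), Pkts: (\d+), Bytes: (\d+)")

def parse_sessions(text: str) -> List[Dict]:
    """Return one dict per session with its policy and each wing's If/Pkts."""
    sessions: List[Dict] = []
    for line in text.splitlines():
        line = line.strip()
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2)})
            continue
        m = WING_RE.match(line)
        if m and sessions:
            wing = m.group(1).lower()  # "in" = initiator side, "out" = reply side
            sessions[-1][f"{wing}_if"] = m.group(2)
            sessions[-1][f"{wing}_pkts"] = int(m.group(3))
    return sessions

def diagnose(session: Dict, tunnel_if: str = "st0.0") -> str:
    """Classify one route-based VPN session against the KB's checks:
    not-via-tunnel (reply wing is not on st0: revisit the route, Steps 5/6, or
    the policy, Step 7), no-return-traffic (packets enter the tunnel but none
    come back: check the remote side's route, policy and host), passing."""
    if session.get("out_if") != tunnel_if:
        return "not-via-tunnel"
    if session.get("out_pkts", 0) == 0:
        return "no-return-traffic"
    return "passing"
```

For a policy-based VPN the reply wing sits on the physical egress interface rather than st0, so only the Policy name and packet counts from the parser apply there.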


Step 10: Collect logs and flow traceoptions, and open a case with your technical support representative.

Consult: KB21781 - [SRX] Data Collection Checklist. (See the IPsec VPN Policy-based or Route-based VPN sections.)

For flow traceoptions information, consult: KB16233 – How to use ‘Flow Traceoptions’ and the ‘security datapath-debug’ in SRX series.

