
[J/SRX] How to troubleshoot a VPN that is up, but is not passing traffic

  [KB10093]


Summary:

Although the VPN tunnel status is active, several factors can prevent traffic from passing through the tunnel.  This article helps identify what might be preventing the data from passing through the VPN.

This article is part of the troubleshooting guide: KB10100 - Resolution Guide - How to troubleshoot a VPN tunnel that is down or not active.


Symptoms:

The VPN is up, but it is not passing traffic in one or both directions.


Cause:
 
Solution:

Use the following steps to troubleshoot a VPN tunnel that is active, but not passing data:

Note: If your VPN is down, then go to KB10100 - Resolution Guide - How to troubleshoot a VPN tunnel that is down or not active. If your VPN is going up and down, then proceed with the following steps.

Step 1 Is the IPsec SA (Security Association) listed in ‘show security ipsec security-associations’?

If it is not listed, then the SA is not active or UP.

For assistance, consult: KB10090 - How do I tell if a VPN Tunnel SA (Security Association) is active?



Step 2 Is this a route-based VPN or a policy-based VPN?

For information on how to tell, consult: KB10105 - What is the difference between a policy-based VPN and a route-based VPN?

  • Route-based VPN - Continue with Step 3.
  • Policy-based VPN - Jump to Step 6.



Step 3 [Route-based VPN] Does a route for the remote network exist via the st0 interface in ‘show route <remote network>’?

root@siteA > show route 192.168.20.10
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.2.0/24    *[Static/5] 00:00:53
                           > via st0.0  <----------


Step 4 [Route-based VPN] Looking at the route located in Step 3, is the next-hop for the route pointing to the correct st0 interface?

a. First, locate the IKE Gateway using 'show security ike'

root@siteA # show security ike
...
gateway gw-siteB {        <---------
     ike-policy ike-phase1-policy;
     address 2.2.2.2;
     external-interface ge-0/0/3.0;
}

b. Then locate the IPsec VPN for that IKE Gateway using 'show security ipsec'

root@siteA # show security ipsec
...
vpn ike-vpn-siteB {
    bind-interface st0.0;
    ike {
        gateway gw-siteB;      <---------
        proxy-identity {
            local 192.168.2.0/24;
            remote 192.168.1.0/24;
            service any;
        }
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}

c. Review the bind-interface located in step 4b to locate the st0 interface.
    In this example, the VPN ike-vpn-siteB is pointing to the st0.0 interface.



Step 5 [Route-based VPN] Is there a security policy that allows traffic from the internal zone to the st0 security zone in ‘show security policies’?


Step 6 [Policy-based VPN] Is there a VPN tunnel security policy to allow traffic in ‘show security policies’?

root@siteA# show security policies
...
from-zone trust to-zone untrust {
    policy vpn_egress {
        match {
            source-address local-net;
            destination-address remote-net;
            application any;
        }
        then {
            permit {
                tunnel {                      <----------
                    ipsec-vpn ike-vpn-siteC;  <----------
                }
            }
        }
    }
}

from-zone untrust to-zone trust {
    policy vpn_ingress {
        match {
            source-address remote-net;
            destination-address local-net;
            application any;
        }
        then {
            permit {
                tunnel {                      <----------
                    ipsec-vpn ike-vpn-siteC;  <----------
                }
            }
        }
    }
}


Step 7 Is the traffic matching the policy identified in Step 5 or 6?

Use the operational command 'show security flow session source-prefix <source address> destination-prefix <destination address>' to locate the matched policy.

root@siteA> show security flow session source-prefix 192.168.2.0/24 destination-prefix 192.168.1.0/24

Session ID: 5801, Policy name: AtoB/2, Timeout: 1790, Valid
In: 192.168.2.222/1 --> 192.168.1.13/23053;icmp, If: fe-0/0/2.0, Pkts: 59878, Bytes: 4602292
Out: 192.168.1.13/23053 --> 192.168.2.222/1;icmp, If: st0.0, Pkts: 52505, Bytes: 4189289


Step 8 Collect logs and flow traceoptions, and open a case with your technical support representative.

Consult: KB21781 - [SRX] Data Collection Checklist. (See the IPsec VPN Policy-based or Route-based VPN sections.)

For flow traceoptions information, consult: KB16233 – How to use ‘Flow Traceoptions’ and the ‘security datapath-debug’ in SRX series.
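The route-based checks above (route next-hop, bind-interface, matched flow session) can be run against saved CLI output. The following script is an added example, not part of this KB article or of any Juniper tool: it parses constructed samples modelled on the outputs shown in Steps 3, 4b and 7 and reports which step fails. The VPN name, interface names and addresses are those of the samples, not assumptions about any real device.

```python
import re

# Constructed samples modelled on the KB's own examples (not captured from a real device).
IPSEC_CONFIG = """vpn ike-vpn-siteB {
    bind-interface st0.0;
    ike {
        gateway gw-siteB;
    }
}
"""
ROUTE_OUTPUT = """192.168.2.0/24    *[Static/5] 00:00:53
                           > via st0.0
"""
FLOW_OUTPUT = """Session ID: 5801, Policy name: AtoB/2, Timeout: 1790, Valid
In: 192.168.2.222/1 --> 192.168.1.13/23053;icmp, If: fe-0/0/2.0, Pkts: 59878, Bytes: 4602292
Out: 192.168.1.13/23053 --> 192.168.2.222/1;icmp, If: st0.0, Pkts: 52505, Bytes: 4189289
"""
def bind_interface(ipsec_config, vpn_name):
    """Step 4b: the st0 unit the named VPN is bound to, or None if absent."""
    block = re.search(r"vpn\s+%s\s*\{(.*?)\n\}" % re.escape(vpn_name), ipsec_config, re.S)
    m = block and re.search(r"bind-interface\s+(st0\.\d+);", block.group(1))
    return m.group(1) if m else None

def route_next_hop(route_output):
    """Step 3: next-hop interface of the active (*) route, or None."""
    m = re.search(r"^\S+\s+\*\[.*\n\s*>\s+via\s+(\S+)", route_output, re.M)
    return m.group(1) if m else None

def sessions(flow_output):
    """Step 7: (policy, in-interface, out-interface) for each flow session."""
    pat = re.compile(r"Policy name:\s*(\S+?)/\d+.*?^In:.*?If:\s*(\S+?),.*?^Out:.*?If:\s*(\S+?),", re.S | re.M)
    return pat.findall(flow_output)

def diagnose(vpn_name, ipsec_config, route_output, flow_output):
    """Walk the KB's route-based checks; an empty list means every check passed."""
    findings = []
    bound = bind_interface(ipsec_config, vpn_name)
    nh = route_next_hop(route_output)
    if nh is None or not nh.startswith("st0"):
        findings.append(f"Step 3: route next-hop is {nh}, not an st0 interface")
    elif nh != bound:
        findings.append(f"Step 4: route uses {nh} but {vpn_name} is bound to {bound}")
    flows = sessions(flow_output)
    if not flows:
        findings.append("Step 7: no flow session matched; traffic is not reaching a policy")
    for policy, in_if, out_if in flows:
        if bound not in (in_if, out_if):
            findings.append(f"Step 7: session on policy {policy} uses {in_if}/{out_if}, not {bound}")
    return findings
```

Paste real `show security ipsec`, `show route` and `show security flow session` output into the three strings to check a live tunnel the same way.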
